----------------------------------------------------------------------------
                    S H O R E W A L L  4 . 6 . 1 . 4
                    ------------------------------------
                          J u l y  0 4 ,  2 0 1 4
----------------------------------------------------------------------------

I.    PROBLEMS CORRECTED IN THIS RELEASE
II.   KNOWN PROBLEMS REMAINING
III.  NEW FEATURES IN THIS RELEASE
IV.   MIGRATION ISSUES
V.    PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

----------------------------------------------------------------------------
      I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

4.6.1.4

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ...

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.5.21.

4.6.1.3

1)  Use of the 'IfEvent' action resulted in a compilation failure:

       ERROR: -j is only allowed when the ACTION is INLINE with no parameter /usr/share/shorewall/action.IfEvent (line 139)
             from /etc/shorewall/action.SSHKnock (line 8)
             from /etc/shorewall/rules (line 31)

4.6.1.2

1)  The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled
    heading for the description of the SOURCE column, leading some
    readers to assert that the description was missing.

2)  When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could
    fail during script execution with this diagnostic:

       Running /sbin/iptables-restore...
       Bad argument `helper=netbios-ns'
       Error occurred at line: nnn
       Try `iptables-restore -h' or 'iptables-restore --help' for more information.
          ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

4.6.1.1

1)  An improved error message is generated when a server address list is
    specified in the DEST column of a DNAT or REDIRECT rule. At one time,
    iptables supported such lists, but now only a single address or an
    address range is supported.
    The previous error message was:

       ERROR: Unknown Host (192.168.1.4,192.168.1.22)

    The new error message is:

       ERROR: An address list (192.168.1.4,192.168.1.22) is not allowed in the DEST column of a xxx RULE

    where xxx is DNAT or REDIRECT as appropriate.

2)  Two problems have been corrected in the Shorewall-init Debian init
    script.

    a)  A cosmetic problem which resulted in 'echo_notdone' being
        displayed on failure rather than 'not done'.

    b)  More seriously, the test for the existence of compiled firewall
        scripts was incorrect, with the result that the firewall scripts
        were not executed.

    These defects, introduced in Shorewall 4.5.17, have now been
    corrected.

4.6.1

1)  When the 'rpfilter' option is specified on all interfaces, no
    references to the 'dynamic' chain were created and that chain was
    optimized away.

----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  Tuomo Soini has provided new macros for AMQP, MongoDB, Redis, Sieve
    and IPMI (RMCP).

----------------------------------------------------------------------------
                 I V.  M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  If you are migrating from Shorewall 4.4.x or earlier, please see
    http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt

2)  Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir and
    /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in favor
    of the VARDIR setting in shorewallrc.
    NOTE: While the name of the variable remains VARDIR, the meaning is
    slightly different. When set in shorewallrc, each product
    (shorewall-lite and shorewall6-lite) will create a directory under
    the specified path name to hold state information.

    Example:

       VARDIR=/opt/var/

    The state directory for shorewall-lite will be
    /opt/var/shorewall-lite/ and the directory for shorewall6-lite will
    be /opt/var/shorewall6-lite.

    When VARDIR is set in /etc/shorewall[6]/vardir, the product will save
    its state directly in the specified directory.

    In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc
    file and the meaning of VARDIR is once again consistent. The default
    setting of VARDIR for a particular product is ${VARLIB}/$product.
    There is an entry of that form in the shorewallrc file. Because there
    is a single shorewallrc file for all installed products, the
    /etc/shorewall[6]-lite/vardir file provides the only means for
    overriding this default.

3)  Beginning with Shorewall 4.5.6, the tcrules file is processed if
    MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This
    allows actions like TTL and TPROXY to be used without enabling
    traffic shaping.

    If you have rules in your tcrules file that you only want processed
    when TC_ENABLED is other than 'No', then enclose them in

       ?IF $TC_ENABLED
       ...
       ?ENDIF

    If they are to be processed only if TC_ENABLED=Internal, then enclose
    them in

       ?IF $TC_ENABLED eq 'Internal'
       ...
       ?ENDIF

4)  Beginning with Shorewall 4.5.7, the deprecated
    /etc/shorewall[6]/blacklist files are no longer installed. Existing
    files are still processed by the compiler. Note that blacklist files
    may be converted to equivalent blrules files using
    'shorewall[6] update -b'.

5)  In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed
    /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7,
    the conntrack file will be installed alongside an existing notrack
    file.
    When both files exist, a compiler warning is generated:

       WARNING: Both notrack and conntrack exist; conntrack is ignored

    This warning may be eliminated by moving any entries in the notrack
    file to the conntrack file and removing the notrack file.

6)  In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were
    deprecated in favor of new /etc/shorewall[6]/stoppedrules
    counterparts. The new files have much more familiar and
    straightforward semantics. Once a stoppedrules file is populated, the
    compiler will process that file and will ignore the corresponding
    routestopped file.

7)  In Shorewall 4.5.8, a new variable (VARLIB) was added to the
    shorewallrc file. This variable assumes the role formerly played by
    VARDIR, and VARDIR now designates the configuration directory for a
    particular product. This change should be transparent to all users:

    a)  If VARDIR is set in an existing shorewallrc file and VARLIB is
        not, then VARLIB is set to ${VARDIR} and VARDIR is set to
        ${VARLIB}/${PRODUCT}.

    b)  If VARLIB is set in a shorewallrc file and VARDIR is not, then
        VARDIR is set to ${VARLIB}/${PRODUCT}.

    The Shorewall-core installer will automatically update ~/.shorewallrc
    and save the original in ~/.shorewallrc.bak.

8)  Previously, the macro.SNMP macro opened both UDP ports 161 and 162
    from SOURCE to DEST. This is against the usual practice of opening
    these ports in the opposite direction. Beginning with Shorewall
    4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before,
    and a new SNMPTrap macro is added that opens port 162 (from SOURCE to
    DEST).

9)  Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT for
    specifying the format of records in these configuration files:

       action.* files
       conntrack
       interface
       macro.* files
       tcrules

    While deprecated, FORMAT (without the '?') is still supported.

    Also, ?COMMENT is preferred over COMMENT for attaching comments to
    generated netfilter rules in the following files.
       accounting
       action.* files
       blrules files
       conntrack
       masq
       nat
       rules
       secmarks
       tcrules
       tunnels

    When one of the deprecated forms is encountered, a warning message is
    issued. Examples:

       WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - consider running 'shorewall update -D'.

       WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - consider running 'shorewall update -D'.

    As the warnings indicate, 'update -D' will traverse the CONFIG_PATH
    replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT
    directives respectively. The original version of modified files will
    be saved with a .bak suffix. During the update, .bak files are
    skipped, as are files in ${SHAREDIR}/shorewall and
    ${SHAREDIR}/shorewall6.

10) To allow finer-grained selection of the connection-tracking states
    that are passed through blacklists (both dynamic and static), a
    BLACKLIST option was added to shorewall.conf and shorewall6.conf in
    Shorewall 4.5.13. The BLACKLISTNEWONLY option was deprecated at that
    point. A 'shorewall update' ('shorewall6 update') will replace the
    BLACKLISTNEWONLY option with the equivalent BLACKLIST option.

11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed
    BLACKLIST_LOG_LEVEL to be consistent with the other log-level option
    names. BLACKLIST_LOGLEVEL continues to be accepted as a synonym for
    BLACKLIST_LOG_LEVEL, but a 'shorewall update' or 'shorewall6 update'
    command will replace BLACKLIST_LOGLEVEL with BLACKLIST_LOG_LEVEL in
    the new .conf file.

12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE'
    is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain
    names, then specify ZONE2ZONE=2 in shorewall[6].conf.

13) Beginning with Shorewall 4.6.0, section headers are now preceded by
    '?' (e.g., '?SECTION ...'). If your configuration contains any bare
    'SECTION' entries, the following warning is issued:

       WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ...
    As mentioned in the message, running 'shorewall[6] update -D' will
    eliminate the warning.

14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been
    superseded by the 'mangle' file. Existing 'tcrules' files will still
    be processed, with the restriction that TPROXY is no longer supported
    in FORMAT 1. If your 'tcrules' file has non-commentary entries, the
    following warning message is issued:

       WARNING: Non-empty tcrules file (...); consider running 'shorewall update -t'

    See shorewall6(8) for limitations of 'update -t'.

15) The default value of LOAD_HELPERS_ONLY is now 'Yes'.

16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are
    deprecated and a warning will be issued for each FORMAT-1 action or
    macro found.

       WARNING: FORMAT-1 actions are deprecated and support will be dropped in a future release.

       WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release.

    To eliminate these warnings, add the following line before the first
    rule in the action or macro:

       ?FORMAT 2

    and adjust the columns appropriately.

    FORMAT-1 actions have the following columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       RATE/LIMIT
       USER/GROUP
       MARK

    while FORMAT-2 actions have these columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       ORIGINAL DEST
       RATE/LIMIT
       USER/GROUP
       MARK
       CONNLIMIT
       TIME
       HEADERS (Used in IPv6 only)
       CONDITION
       HELPER

    FORMAT-1 macros have the following columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       RATE/LIMIT
       USER/GROUP

    while FORMAT-2 macros have these columns:

       TARGET
       SOURCE
       DEST
       PROTO
       DEST PORT(S)
       SOURCE PORT(S)
       ORIGINAL DEST
       RATE/LIMIT
       USER/GROUP
       MARK
       CONNLIMIT
       TIME
       HEADERS (Used in IPv6 only)
       CONDITION
       HELPER

----------------------------------------------------------------------------
       V.  N O T E S   F R O M   O T H E R   4 . 6   R E L E A S E S
----------------------------------------------------------------------------

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4.6.0
----------------------------------------------------------------------------

4.6.0.3

1)  The Shorewall-init package now installs correctly on RHEL7.

2)  1:1 NAT is now enabled in IPv6.

3)  A subtle interaction between NAT and sub-zones is explained in
    shorewall-nat.

4)  The 'show filters' command now works with Simple TC.

4.6.0.2

1)  The 'upgrade -A' command now converts the tcrules file to a mangle
    file. Previously, that didn't happen.

2)  The install components now support RHEL7.

3)  Whitespace issues in the skeleton configuration files have been
    corrected (Tuomo Soini).

4)  The install components now support RHEL7.

5)  FAQ 2e has been added which describes additional steps required to
    achieve hairpin NAT on a bridge where the modified packets are to go
    out the same bridge port as they entered.

6)  shorewall-masq(5) has been corrected to include the word SOURCE in
    the description of that column. Previously, the description read
    '(formerly called SUBNET)'.

7)  The output of 'shorewall show filters' once again shows ingress
    (policing) filters. This works around undocumented changes to the
    behavior of the 'tc' utility.

4.6.0.1

1)  The CHECKSUM target in the tcrules and mangle files was broken and
    resulted in this error diagnostic:

       Running /sbin/iptables-restore...
       iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is required
       Error occurred at line: 41
       Try `iptables-restore -h' or 'iptables-restore --help' for more information.
          ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

    The compiler is now generating the correct rule.

2)  Some cosmetic issues in the 'mangle' files have been resolved.

3)  When an invalid chain designator was supplied in 'tcrules' or
    'mangle', the compiler's error message was garbled and a Perl
    diagnostic was issued.
4.6.0

This release includes all defect repair from releases up through
4.5.21.9.

1)  The tarball installers now install .service files with mode 644
    rather than mode 600.

----------------------------------------------------------------------------
              N E W   F E A T U R E S   I N   4 . 6 . 0
----------------------------------------------------------------------------

1)  SECTION entries in the accounting and rules files now allow "SECTION"
    to be immediately preceded by "?" (e.g., ?SECTION). The new form is
    preferred and if any SECTION entries do not have the question mark,
    a warning is issued (see Migration Issues above).

2)  The default setting for ZONE2ZONE has been changed from '2' to '-'
    for increased readability when zone names contain '2'.

3)  The 'tcrules' file has been superseded by the 'mangle' file. Existing
    'tcrules' files will still be processed, with the restriction that
    TPROXY is no longer supported in FORMAT 1.

    You can convert your tcrules file into the equivalent mangle file
    using the command:

       shorewall update -t

    See shorewall(8) and shorewall6(8) for important restrictions of the
    -t option.

4)  Prior to now, the ability to specify raw iptables matches has been
    tied to the INLINE action. Beginning with this release, the two can
    be separated by specifying INLINE_MATCHES=Yes.

    When INLINE_MATCHES=Yes, then inline matches may be specified after a
    semicolon in the following files:

       action files
       macros
       rules
       mangle
       masq

    Note that semicolons are not allowed in any other files. If you want
    to use the alternative input format in those files, then you must
    enclose the specifications in curly brackets ({...}). The -i option
    of the 'check' command will warn you of lines that need to be changed
    from using ";" to using "{...}".

5)  The 'conntrack', 'raw', 'mangle' and 'rules' files now support an
    IPTABLES (IP6TABLES) action. This action is similar to INLINE in that
    it allows arbitrary ip[6]tables matches to be specified after a
    semicolon (even when INLINE_MATCHES=No).
    It differs in that the parameter passed is an iptables target with
    target options.

    Example (rules file):

       #ACTION                      SOURCE    DEST    PROTO
       IPTABLES(TARPIT --honeypot)  net       pot

    If the particular target that you wish to use is unknown to
    Shorewall, you will get this error message:

       ERROR: Unknown TARGET ()

    You can eliminate that error by adding your target as a builtin
    action in /etc/shorewall[6]/actions.

    As part of this change, the /etc/shorewall[6]/actions file options
    have been extended to allow you to specify the Netfilter table(s)
    where the target is accepted. When 'builtin' is specified, you can
    also include the following options:

       filter
       nat
       mangle
       raw

    If no table is given, 'filter' is assumed for backward compatibility.

6)  The 'tcpflags' option is now set by default. To disable the option,
    specify 'tcpflags=0' in the OPTIONS column of the interface file.

7)  You may now use ipset names (preceded by '+') in PORT columns,
    allowing you to take advantage of bitmap:port ipsets.

8)  The counter extensions to ipset matches have been implemented. See
    shorewall[6]-ipsets for details.

9)  DROP is now a valid action in the stoppedrules files. DROP occurs in
    the raw table PREROUTING chain, which avoids conntrack entry
    creation.

10) A new BASIC_FILTERS option is now supported. When set to 'Yes', this
    option causes the compiler to generate basic TC filters from
    tcfilters entries rather than u32 filters. Basic filters are more
    straightforward than u32 filters and, in later iptables/kernel
    versions, basic filters support ipset matches. Please note that
    Shorewall cannot reliably detect whether your iptables/kernel
    support ipset matches, so an error-free compilation does not
    guarantee that the firewall will start successfully when ipset names
    are specified in tcfilters entries.

11) The update command now supports an -A option. This is intended to
    perform all available updates to the configuration and is currently
    equivalent to '-b -D -t'.
12) Beginning with this release, FORMAT-1 actions and macros are
    deprecated and a warning will be issued for each FORMAT-1 action or
    macro found. See the Migration Issues for further information.

13) To facilitate creation of ipsets with characteristics different from
    what Shorewall generates, the 'init' user exit is now executed before
    Shorewall creates ipsets that don't exist.
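Migration Issue 16 and New Feature 12 above tell you to add '?FORMAT 2' and "adjust the columns appropriately" without showing the adjustment. Comparing the two column lists in Issue 16, the only change that shifts existing data is the ORIGINAL DEST column inserted at position 7; the columns added at the end (CONNLIMIT, TIME, HEADERS, CONDITION, HELPER) never appear in a FORMAT-1 row. The script below is an added example, not Shorewall's own code and not what 'shorewall update' does: it drops any FORMAT/?FORMAT line, emits '?FORMAT 2' before the first rule, and inserts a '-' placeholder as column 7 in every row that is long enough to be affected. The function names (format2_convert, format2_demo), the sample rows and the syntax assumptions (plain whitespace-separated columns, no ';' inline matches, no '{...}' alternative syntax, no '\' continuations) are mine.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: rewrite a FORMAT-1 action or
# macro file in the FORMAT-2 column layout of Migration Issue 16, which
# is what the FORMAT-1 deprecation warning asks for.
#
# Assumptions (mine): plain whitespace-separated columns, no ';' inline
# matches, no '{...}' alternative syntax and no '\' line continuations.

# format2_convert: FORMAT-1 action/macro text on stdin, FORMAT-2 on stdout.
format2_convert() {
    awk '
        # Comment and blank lines pass through untouched, so a column
        # header comment still needs editing by hand.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }

        # An existing FORMAT/?FORMAT directive is dropped; ?FORMAT 2 is
        # emitted once, ahead of the first rule or other directive.
        $1 == "FORMAT" || $1 == "?FORMAT" { next }
        !emitted { print "?FORMAT 2"; emitted = 1 }

        # Other ?directives (?COMMENT, ?IF, ...) are not rules.
        $1 ~ /^[?]/ { print; next }

        # Columns 1-6 (TARGET .. SOURCE PORT(S)) are the same in both
        # formats. FORMAT 2 inserts ORIGINAL DEST as column 7, so a row
        # that reaches RATE/LIMIT or beyond gets a "-" placeholder there.
        # Shorter rows are already valid FORMAT-2 rows.
        NF >= 7 {
            out = $1
            for (i = 2; i <= 6; i++) out = out "\t" $i
            out = out "\t-"
            for (i = 7; i <= NF; i++) out = out "\t" $i
            print out
            next
        }
        { print }
    '
}

# format2_demo: run a constructed FORMAT-1 action through the converter.
# The rows are made up for this example; they are not from a real file.
format2_demo() {
    printf '%s\n' \
        '# constructed FORMAT-1 action (example data)' \
        'FORMAT 1' \
        '?COMMENT rate-limited ssh' \
        'ACCEPT - - tcp 22 - s:ssh:3/min - -' \
        'DROP - - tcp 23' |
        format2_convert
}

# Usage: sh format2.sh action.Name > action.Name.new
# With no argument the constructed demo is converted instead.
if [ $# -ge 1 ]; then
    format2_convert < "$1"
else
    format2_demo
fi
```

Run it against a copy, compare the output with the column lists in Issue 16, then run 'shorewall check' before replacing the original; the converter does not touch header comments, so update those by hand.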
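Migration Issues 2 and 7 above describe three ways the state directory of shorewall-lite or shorewall6-lite can be determined: the two installer rules for an existing shorewallrc (rule a: only VARDIR set; rule b: only VARLIB set), the default ${VARLIB}/${PRODUCT} entry, and the per-product /etc/shorewall[6]-lite/vardir file that overrides everything. The script below is an added example, not Shorewall's installer code; it applies those rules to a given shorewallrc and prints the resulting directory, so you can confirm where state will land before an upgrade. The function names (rc_value, effective_vardir) are mine, the rc file is parsed rather than sourced so that nothing in it is executed, and it assumes the default entry uses the brace forms ${VARLIB} and ${PRODUCT} shown in Issue 7.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: compute the state directory a
# product (shorewall-lite or shorewall6-lite) will use, following the
# shorewallrc rules in Migration Issue 7 and the per-product vardir
# override in Migration Issue 2.

# rc_value FILE NAME: print the value of the last "NAME=value" line in
# FILE with surrounding quotes removed (empty if absent). The file is
# parsed rather than sourced, so nothing in it gets executed.
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed "s/^[\"']//; s/[\"']\$//"
}

# effective_vardir RCFILE PRODUCT [OVERRIDE_FILE]
#   RCFILE        the shared shorewallrc (e.g. ~/.shorewallrc)
#   PRODUCT       shorewall-lite or shorewall6-lite
#   OVERRIDE_FILE that product's /etc/<product>/vardir, if one exists
effective_vardir() {
    rc=$1 product=$2 override=${3:-}

    # The per-product vardir file names the state directory directly;
    # no product subdirectory is appended to it (Migration Issue 2).
    if [ -n "$override" ] && [ -f "$override" ]; then
        dir=$(rc_value "$override" VARDIR)
        if [ -n "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    fi

    varlib=$(rc_value "$rc" VARLIB)
    vardir=$(rc_value "$rc" VARDIR)

    if [ -z "$varlib" ] && [ -n "$vardir" ]; then
        # Rule a): a pre-4.5.8 file with only VARDIR. The installer
        # promotes it to VARLIB and derives VARDIR from it.
        varlib=$vardir
        vardir='${VARLIB}/${PRODUCT}'
    elif [ -n "$varlib" ] && [ -z "$vardir" ]; then
        # Rule b): VARLIB only; VARDIR takes the default form.
        vardir='${VARLIB}/${PRODUCT}'
    elif [ -z "$varlib" ]; then
        printf 'neither VARLIB nor VARDIR is set in %s\n' "$rc" >&2
        return 1
    fi

    # Expand the two references the default entry uses and collapse any
    # doubled slash (VARDIR=/opt/var/ from the notes yields
    # /opt/var/shorewall-lite). Assumption: the entry refers only to
    # ${VARLIB} and ${PRODUCT}; anything else is printed as written.
    printf '%s\n' "$vardir" |
        sed -e "s|[\$]{VARLIB}|$varlib|g" \
            -e "s|[\$]{PRODUCT}|$product|g" \
            -e 's|//*|/|g'
}

# Usage: sh vardir.sh ~/.shorewallrc shorewall-lite [/etc/shorewall-lite/vardir]
[ $# -ge 2 ] && effective_vardir "$@"
```

Because a single shorewallrc serves every installed product, running this once per product shows whether two products would ever share a directory; a non-empty override file wins regardless of what the rc file says.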