---------------------------------------------------------------------------- S H O R E W A L L 4 . 6 . 1 3 . 4 ------------------------------ J a n u a r y 0 2 , 2 0 1 6 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE II. KNOWN PROBLEMS REMAINING III. NEW FEATURES IN THIS RELEASE IV. MIGRATION ISSUES V. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- N O T I C E Shorewall 4.6.13 is scheduled to be the last 4.6 release. In the fall of 2015, Shorewall 5.0.0 will be available. Please see http://www.shorewall.org/Shorewall-5.html for information about preparing to migrate to Shorewall 5. ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 4.6.13.4 1) This release includes a couple of additional configure/install fixes from Matt Darfeuille. 2) The DROP command was previously rejected in the mangle file. That has been corrected. 4.6.13.3 1) Previously, Shorewall6 rejected rules in which the SOURCE contained both an interface name and a MAC address (in Shorewall format). That defect has been corrected so that such rules are now accepted. 2) A number of corrections have been made to the install, uninstall and configure scripts (Matt Darfeuille). 3) Previously, optional interfaces were not enabled during 'start' and 'restart' unless there was at least one entry in the 'providers' file. This resulted in these interfaces not appearing in the output of 'shorewall[6] status -i'. 4) The check for use of a circular kernel log buffer (as opposed to a log file) has been improved. 5) Previously, if a circular log buffer was being used, the output of various commands still displayed '/var/log/messages' as the log file. Now, it is displayed as 'logread'. 6) When processing the 'dump' command, the CLI now uses 'netstat' to print socket information when the 'ss' utility is not installed. 4.6.13.2 1) Previously, if statistical load balancing was used in the providers file, the default route in the main table was not deleted during firewall start/restart. That route is now correctly deleted. 4.6.13.1 1) Previously, the 'reset' command would fail if chain names were included. Now, the command succeeds, provided that all of the specified chains exist in the filter table. 2) The TCP meta-connection is now supported by the Tinc macro and tunnel type. Previously, only the UDP data connection was supported. 4.6.13 Final 1) The 'rules' file manpages have been corrected regarding the packets that are processed by rules in the NEW section. 2) Parsing of IPv6 address ranges has been corrected. Previously, use of ranges resulted in 'Invalid IPv6 Address' errors. 3) The shorewall6-hosts man page has been corrected to show the proper contents of the HOST(S) column. 4) Previously, INLINE statements in the mangle file were not recognized if a chain designator (:F, :P, etc.) followed INLINE(...). As a consequence, additional matches following a semicolon were interpreted as column/value pairs unless INLINE_MATCHES=Yes, resulting in compilation failure. 5) Inline matches on IP[6]TABLE rules could be ignored if INLINE_MATCHES=No. They are now recognized. 6) Specifying an action with a logging level in one of the _DEFAULT options in shorewall[6].conf (e.g., REJECT_DEFAULT=Reject:info) produced a compilation error: ERROR: Invalid value (:info) for first Reject parameter /usr/share/shorewall/action.Reject (line 52) That has been corrected. Note, however, that specifying logging with a default action tends to defeat one of the main purposes of default actions which is to suppress logging. 7) Previously, it was necessary to set TC_EXPERT=Yes to have full access to the user mark in fw marks. That has been corrected so that any place that a mark or mask can be specified, both the TC mark and the User mark are accessible. ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ---------------------------------------------------------------------------- 1) On systems running Upstart, shorewall-init cannot reliably secure the firewall before interfaces are brought up. ---------------------------------------------------------------------------- I I I. N E W F E A T U R E S I N T H I S R E L E A S E ---------------------------------------------------------------------------- 4.6.13.3 1) Support for OpenWRT versions BB and later has been added. Included in this support are: - The log display commands (show log, logwatch, etc.) no longer depend on the 'tac' utility (although it will be used if it is installed). - Shorewall-core's 'configure' script detects OpenWRT and accepts HOST=openwrt as an argument. - Shorewall-core, Shorewall-lite and Shoreawll6-lite installers support openwrt. Additionally, those installers no longer depend on the 'install' utility. - Shorewall[6]-lite will use OpenWRT's 'lock' utility to create the LOCKFILE. A special thanks to Matt Darfeuille for his help in making this support possible. 4.6.13 1) 'update -t' now converts both the tcrules and tos files. 2) 'second' and 'minute' are now allowed in the LOGLIMIT specification in place of 'sec' and 'min' respectively. 3) The 'update' command now converts additional deprecated option settings: - LOGRATE/LOGBURST are converted to the equivalent LOGLIMIT setting. - BLACKLISTNEWONLY is now converted to the equivalent BLACKLIST setting. 4) Two settings now have more reasonable defaults if they don't appear in the .conf file being updated: - USE_DEFAULT_RT now defaults to No - EXPORTMODULES now defaults to No. 5) When the 'update' command is converting a deprecated file, it now makes additional checks when it finds a target file (mangle, stoppedrules or blrules) to append the converted rules to: - If the file is in the directory $SHAREDIR/$product/configfiles/, the file is not opened. - If the file is in the directory $SHAREDIR/doc/$product/default-config/, the file is not opened. - If the file is not writable, the file is not opened. When the file isn't opened because of one of these checks, an attempt is made to create a new file in either the directory specified on the command line (if any) or in the first directory listed in the CONFIG_PATH setting. ---------------------------------------------------------------------------- I V. M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 1) If you are migrating from Shorewall 4.4.x or earlier, please see http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt 2) Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in favor of the VARDIR setting in shorewallrc. NOTE: While the name of the variable remains VARDIR, the meaning is slightly different. When set in shorewallrc, each product (shorewall-lite, and shorewall6-lite) will create a directory under the specified path name to hold state information. Example: VARDIR=/opt/var/ The state directory for shorewall-lite will be /opt/var/shorewall-lite/ and the directory for shorewall6-lite will be /opt/var/shorewall6-lite. When VARDIR is set in /etc/shorewall[6]/vardir, the product will save its state directly in the specified directory. In Shorewall 4.5.8, a VARLIB variable was added to the shorewallrc file and the meaning of VARDIR is once again consistent. The default setting of VARDIR for a particular product is ${VARLIB}/$product. There is an entry of that form in the shorewallrc file. Because there is a single shorewallrc file for all installed products, the /etc/shorewall[6]-lite/vardir file provides the only means for overriding this default. 3) Begining with Shorewall 4.5.6, the tcrules file is processed if MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This allows actions like TTL and TPROXY to be used without enabling traffic shaping. If you have rules in your tcrules file that you only want processed when TC_ENABLED is other than 'No', then enclose them in ?IF $TC_ENABLED ... ?ENDIF If they are to be processed only if TC_ENABLED=Internal, then enclose them in ?IF TC_ENABLED eq 'Internal' ... ?ENDIF 4) Beginning with Shorewall 4.5.7, the deprecated /etc/shorewall[6]/blacklist files are no longer installed. Existing files are still processed by the compiler. Note that blacklist files may be converted to equivalent blrules files using 'shorewall[6] update -b'. 5) In Shorewall 4.5.7, the /etc/shorewall[6]/notrack file was renamed /etc/shorewall[6]/conntrack. When upgrading to a release >= 4.5.7, the conntrack file will be installed along side of an existing notrack file. When both files exist, a compiler warning is generated: WARNING: Both notrack and conntrack exist; conntrack is ignored This warning may be eliminated by moving any entries in the notrack file to the conntrack file and removing the notrack file. 6) In Shorewall 4.5.8, the /etc/shorewall[6]/routestopped files were deprecated if favor of new /etc/shorewall[6]/stoppedrules counterparts. The new files have much more familiar and straightforward semantics. Once a stoppedrules file is populated, the compiler will process that file and will ignore the corresponding routestopped file. 7) In Shorewall 4.5.8, a new variable (VARLIB) was added to the shorewallrc file. This variable assumes the role formerly played by VARDIR, and VARDIR now designates the configuration directory for a particular product. This change should be transparent to all users: a) If VARDIR is set in an existing shorewallrc file and VARLIB is not, then VARLIB is set to ${VARDIR} and VARDIR is set to ${VARLIB}/${PRODUCT}. b) If VARLIB is set in a shorewallrc file and VARDIR is not, then VARDIR is set to ${VARLIB}/${PRODUCT}. The Shorewall-core installer will automatically update ~/.shorewallrc and save the original in ~/.shorewallrc.bak 8) Previously, the macro.SNMP macro opened both UDP ports 161 and 162 from SOURCE to DEST. This is against the usual practice of opening these ports in the opposite direction. Beginning with Shorewall 4.5.8, the SNMP macro opens port 161 from SOURCE to DEST as before, and a new SNMPTrap macro is added that opens port 162 (from SOURCE to DEST). 9) Beginning with Shorewall 4.5.11, ?FORMAT is preferred over FORMAT for specifying the format of records in these configuration files: action.* files conntrack interface macro.* files tcrules While deprecated, FORMAT (without the '?') is still supported. Also, ?COMMENT is preferred over COMMENT for attaching comments to generated netfilter rules in the following files. accounting action.* files blrules files conntrack masq nat rules secmarks tcrules tunnels When one of the deprecated forms is encountered, a warning message is issued. Examples: WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' - consider running 'shorewall update -D'. WARNING: 'COMMENT' is deprecated in favor of '?COMMENT' - consider running 'shorewall update -D'. As the warnings indicate, 'update -D' will traverse the CONFIG_PATH replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT directives respectively. The original version of modified files will be saved with a .bak suffix. During the update, .bak files are skipped as are files in ${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6. 10) To allow finer-grained selection of the connection-tracking states that are passed through blacklists (both dynamic and static), a BLACKLIST option was added to shorewall.conf and shorewall6.conf in Shorewall 4.5.13. The BLACKLISTNEWONLY option was deprecated at that point. A 'shorewall update' ( 'shorewall6 update' ) will replace the BLACKLISTNEWONLY option with the equivalent BLACKLIST option. 11) In Shorewall 4.5.14, the BLACKLIST_LOGLEVEL option was renamed BLACKLIST_LOG_LEVEL to be consistent with the other log-level option names. BLACKLIST_LOGLEVEL continues to be accepted as a synonym for BLACKLIST_LOG_LEVEL, but a 'shorewall update' or 'shorewall6 update' command will replace BLACKLIST_LOGLEVEL with BLACKLIST_LOG_LEVEL in the new .conf file. 12) Beginning with Shorewall 4.6.0, the default setting for 'ZONE2ZONE' is '-' rather than '2'. If you prefer to keep your pre-4.6.0 chain names, then specify ZONE2ZONE=2 in shorewall[6].conf. 13) Beginning with Shorewall 4.6.0, section headers are now preceded by '?' (e.g., '?SECTION ...'). If your configuration contains any bare 'SECTION' entries, the following warning is issued: WARNING: 'SECTION' is deprecated in favor of '?SECTION' - consider running 'shorewall update -D' ... As mentioned in the message, running 'shorewall[6] update -D' will eliminate the warning. 14) Beginning with Shorewall 4.6.0, the 'tcrules' file has been superceded by the 'mangle' file. Existing 'tcrules' files will still be processed, with the restriction that TPROXY is no longer supported in FORMAT 1. If your 'tcrules' file has non-commentary entries, the following warning message is issued: WARNING: Non-empty tcrules file (...); consider running 'shorewall update -t' See shorewall6(8) for limitations of 'update -t'. 15) The default value of LOAD_HELPERS_ONLY is now 'Yes'. 16) Beginning with Shorewall 4.6.0, FORMAT-1 actions and macros are deprecated and a warning will be issued for each FORMAT-1 action or macro found. WARNING: FORMAT-1 actions are deprecated and support will be dropped in a future release. WARNING: FORMAT-1 macros are deprecated and support will be dropped in a future release. To eliminate these warnings, add the following line before the first rule in the action or macro: ?FORMAT 2 and adjust the columns appropriately. FORMAT-1 actions have the following columns: TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) RATE/LIMIT USER/GROUP MARK while FORMAT-2 actions have these columns: TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST RATE/LIMIT USER/GROUP MARK CONNLIMIT TIME HEADERS (Used in IPv6 only) CONDITION HELPER FORMAT-1 macros have the following columns: TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORTS(S) RATE/LIMIT USER/GROUP while FORMAT-2 macros have these columns: TARGET SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST RATE/LIMIT USER/GROUP MARK CONNLIMIT TIME HEADERS (Used in IPv6 only) CONDITION HELPER 17) Prior to Shorewall 4.6.4, the stoppedrules file did not work properly when ADMINISABSENTMINDED=No. - A warning message was issued stating that the file would be processed as if ADMINISABSENTMINDED=Yes, and it was. - Unfortunately, part of the surrounding rule-generating logic proceded as if ADMINISABSENTMINDED=No, leading to an unusable ruleset. In Shorewall 4.6.4, this problem was corrected by changing the way that stoppedrules works with ADMINISABSENTMINDED=No. In the new implementation: - All existing connections continue to work. - Response packets and related connection requests to new accepted connections are accepted (in other words, the resulting ruleset is stateful). See shorewall[6].conf(5) for additional details. ---------------------------------------------------------------------------- V. N O T E S F R O M O T H E R 4 . 6 R E L E A S E S ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 2 ---------------------------------------------------------------------------- 4.6.12.1 1) Beginning with Shorewall 4.6.10, a fatal error during a start or restart operation can leave the firewall in an indeterminent state. That problem has been corrected so that the intended action takes place: - If there is a current executable RESTOREFILE, then the firewall is restored using that file. - Otherwise, the firewall is placed in the stopped state. 2) Previously, if 'none' were passed as the log level argument to the AutoBL action, compilation failed silently. Now, the intended behavior (no logging) is produced. 4.6.12 1) This release includes defect repair up through Shorewall 4.6.11.1. 2) Previously, when Perl 5.18.0 or later was used with Shorewall, multiple compilations of an unchanging configuration could produce different but equivalent script files. Now, the script files produced will be identical (except for dates and times) for any given Shorewall version. 3) Previously, if a binary interface option (those that have a value of zero or 1) was specified with a value of zero on such an interface, compilation failed. For example, this interface definition: - eth2 arp_filter=0,routeback=0,tcpflags=0,proxyarp=0 would generate the following error message: ERROR: The "routeback" option may not be specified on a multi-zone interface Now, the option is allowed. 4) Several issues with 'update -b' have been corrected. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 1 2 ---------------------------------------------------------------------------- 1) The initial 'Compiling...', 'Checking...' and 'Updating..." progress messages now include the Product name and version. 2) Debian-specific .service files have been added. 3) There are now two shorewallrc files for Debian - one for sysvinit and one for systemd. The configure and configure.pl scrips determine which to use by examining /sbin/init. 4) Two new options are available for the 'update' command: -r converts a routestopped file to an equivalent stoppedrules file. -n converts a notrack file to an equivalent conntrack file. If there is already an existing conntrack file, the converted rules are appended to the existing file. WARNING: If you include /usr/share/shorewall/configfiles (or wherever your distro places empty files) in your CONFIG_FILE setting and there is no new file in your config directory (such as /etc/shorewall), then the 'update' command will update the copy of the file in /usr/share/shorewall/configfiles. This is probably not what you want, since files in that directory (or your distro's corresponding directory) will be overwritten by the next upgrade. 5) Shorewall now uses NYTProf as its profiler rather than the deprecated DProf. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 1 ---------------------------------------------------------------------------- 1. This release includes defect repair up to and including Shorewall 4.6.10.1. 2. Previously, when the -c option was given to the 'compile' command, the progress message "Compiling..." was issued before it was determined if compilation was necessary. Now, that message is suppressed when re-compilation is not required. 3. Previously, when the -c option was given to the 'compile' command, the 'postcompile' extension script was executed even when there was no (re-)compilation. Now, the 'postcompile' script is only invoked when a new script is generated. 4. If CONFDIR was other than /etc, then ordinary users would not receive a clear error message when they attempted to execute one of the commands that change the firewall state. 5. Previously, IPv4 DHCP client broadcasts were blocked by the 'rpfilter' interface option. That has been corrected. 6) The 'update' command incorrectly added the INLINE_MATCHES option to shorewall6.conf with a default value of 'Yes'. This caused 'start' to fail with invalid ip6tables rules when the alternate input format using ';' is used. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 1 1 ---------------------------------------------------------------------------- 1) Over the years, a number of changes have been added to Shorewall that work around defects in other products. When running a current distribution, these workarounds are unnecessary and add to the time required for normal Shorewall operations. Beginning in this release, those workarounds may be disabled by setting WORKAROUNDS=No in shorewall.conf. 2) Previously, both lib.cli and lib.cli-std included nearly-identical usage() functions. Now, only lib.cli includes the function which produces its output based on which product's CLI is invoking it. 3) To accomodate compiled scripts produced by Shorewall versions before 4.4.8, Shorewall products from 4.4.8 onward have run scripts twice. The first time is simply to capture the output of the 'version' command. Based on the script's version, it is then invoked to execute the requested command. Beginning in this release, scripts will only be run once if: - WORKAROUNDS=No, or - the script was compiled as part of executing the command, or - AUTOMAKE=Yes and it was determined that re-compilation was not required. 4) When the 'conntrack' utility program is installed, the 'show connections' command can now display a subset of the entire conntrack table by simply following the 'connections' keyword with one or more conntrack filter parameters. For example, to display all http connections: shorewall show connections -p tcp --dport 80 See conntrack(8) for a description of the available parameters. 5) To ensure that the compiler has an adequate PATH, the default Shorewall PATH is now appended to the compiler's active PATH. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 0 ---------------------------------------------------------------------------- 1) On some distributions, Shorewall-init would fail if one of the configured products had a problem. Now, Shorewall-init goes on to the next product rather than stopping. 2) Previously, when startup was disabled (STARTUP_ENABLED=No or no compiled firewall on a -lite system), exit status 2 was returned. Now, exit status 6 is returned. 3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did not use ipsets, then a superfluous warning message was issued: WARNING: Invalid value (ipv4) for SAVE_IPSETS That warning is now suppressed. 4) Previously, the algorithm used to normalize the probabilities defined in the 'load' provider option was incorrect and could result in probabilities > 1.0. When this occurred, the firewall would fail to start. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 1 0 ---------------------------------------------------------------------------- 1) Previously, the 'ctevents' and 'expevents' options could only be specified in the conntrack file if a helper was named. That is no longer necessary. Example: #ACTION SOURCE DESTINATION PROTO DEST ... # PORT(S) ... # CT:ctevents:assured,destroy\ all - - 2) Two new options have been added to the NFQUEUE target. - By default, if no userspace program is listening on an NFQUEUE, then all packets that are to be queued are dropped. When the new 'bypass' option is used, the NFQUEUE rule is silently bypassed instead. The packet will move on to the next rule. Examples: NFQUEUE(bypass) NFQUEUE(3,bypass) - Now, a queue range of the form n:m may be specified. Packets are then balanced across the given queues. This is useful for multicore systems: start multiple instances of the userspace program on queues x, x+1, .. x+n and use "x:x+n". Packets belonging to the same connection are put into the same nfqueue. Examples: NFQUEUE(4:6) NFQUEUE(4:6,bypass) Queue ranges are also permitted in an NFQUEUE policy; the 'bypass' option is not permitted there. 3) The 'call' command is now documented. It provides a way to call shell functions in the Shorewall libraries or in the generated script. call [ ... ] must name a shell function in one of the Shorewall libraries or in the generated script. The function is first searched for in lib.base, lib.common, lib.cli and lib.cli-std (lib.cli-std is not searched by the '-lite' products). If the function is found, it is called with any supplied s. If the function is not found in the libraries, the call command is passed to the generated script for processing. 4) Several changes have been made to the processing of the 'load' option in provider files: - load values are normalized to 8-digit precision and 10-byte length. - a warning is issued if the sum of the loads is not 1.000000. - if the normalized probability for an interface is >= 1.000000 then the probability match part of the generated rule is omitted. 5) There is now an ipv6 'findgw' skeleton file. 6) The 'disable' and 'enable' commands now succed if the interface is already disabled or enabled respectively. Tuomo Soini. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 9 ---------------------------------------------------------------------------- 1) This release contains defect repair from Shorewall 4.6.8.1 and earlier releases. 2) The means for preventing loading of helper modules has been clarified in the documentation. 3) The SetEvent and ResetEvent actions previously set/reset the event even if the packet did not match the other specified columns. This has been corrected. 4) Previously, the 'show capabilities' command was ignoring the HELPERS setting. This resulted in unwanted modules being autoloaded and, when the -f option was given, an incorrect capabilities file was generated. 6) Previously, when 'wait' was specified for an interface, the generated script erroneously checked for required interfaces on all commands rather than just start, restart and restore. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 9 ---------------------------------------------------------------------------- 1) There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your iptables and kernel must support this capability in order to use the CLAMPMSS option in shorewall.conf and the 'mss=' option in the zones, interfaces and hosts files. This capability was added when it was learned that Debian on ARM doesn't provide the feature. When using a capabilities file from at earlier release, the compiler assumes that this capability is available, since most distributions have traditionally provided the capability. 2) The CLI manpages now state explicitly that 'list' and 'ls' are synonyms for 'show' and refer the reader to the description of 'show'. 3) The complete syntax of each CLI command is now repeated in the detailed description of the command in the man pages. 4) Tuomo Soini has contributed a QUIC macro. 5) The JabberSecure macro is now deprecated. Configure Jabber to use TLS and use the Jabber macro instead. (Tuomo Soini). 6) The enable and disable commands now execute more quickly on slow hardware. 7) The CLI programs now support a 'reenable' command. This command is logically equivalent to a 'disable' command followed by an 'enable' command, with the exception that no error is generated if the specified interface or provider is disabled at the time the command is given. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 8 ---------------------------------------------------------------------------- 1) This release includes defect repair from Shorewall 4.6.6.2 and earlier releases. 2) Previously, when the -n option was specified and NetworkManager was installed on the target system, the Shorewall-init installer would still create ${DESTDIR}etc/NetworkManager/dispatcher.d/01-shorewall, regardless of the setting of $CONFDIR. That has been corrected such that the directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall is created instead. 3) Previously, handling of the IPTABLES and IP6TABLES actions in the conntrack file was broken. nfw provided a fix on IRC. 4) The Shorewall-core and Shorewall6 installers would previously report incorrectly that the product release was not installed. Matt Darfeuille provided fixes. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 8 ---------------------------------------------------------------------------- 1) The CLI programs (shorewall, shorewall6, etc) now support 'open' and 'close' commands. The 'open' command temporarily opens the firewall for a specified type of connection; the syntax is: open [ [ ] ] The and may be any of the following: - a host IP address - a network IP address - a valid DNS name (usual warnings apply) - the word 'all', indicating that the or is not restricted The protocol may be specified by number or by a name. Same with . Example: Open SSH connections to 1.2.3.4 in Shorewall: shorewall open all 1.2.3.4 tcp ssh The 'close' command reverses the effect of an earlier 'open' command and has two forms: close close [ is the number displayed in the 'num' column of the 'shorewall list opens' command (see below). In the second form, the parameters must match those of the earlier 'open' command to be reversed. All temporary connections opens may be deleted by simply restarting the firewall. Both commands require that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in the active configuration. The iptables rules created via 'open' commands can be displayed using the 'show opens' command. Example (after the above open command was executed): Shorewall 4.6.8 Temporarily opened connections at gateway - Fri Mar 6 09:47:06 PST 2015 Chain dynamic (14 references) num pkts bytes target prot opt in out source destination 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 1.2.3.4 multiport dports 22 root@gateway:~# 2) A 'safesets' command is now available to proactively save changes to ipset contents. Using this command can guard against accidental loss of ipset changes in the event of a system failure before a 'stop' command has been completed. The exact action taken by the command depends on the setting of SAVE_IPSETS in shorewall[6].conf. 3) The SOURCE and DEST columns in the rtrules file may now contains comma-separated lists of addresses. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 7 ---------------------------------------------------------------------------- None. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 7 ---------------------------------------------------------------------------- 1) The 'tunnels' file now supports 'tinc' tunnels. 2) Previously, the SAME action in the mangle file had a fixed timeout of 300 seconds (5 minutes). That action now allows specification of a different timeout. 3) It is now possible to add or delete addresses from an ipset with entries in the mangle file. The ADD and DEL actions have the same behavior in the mangle file as they do in the rules file. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 6 ---------------------------------------------------------------------------- 1) This release includes defect repair from Shorewall 4.6.5.5 and earlier releases. 2) Previously, a line beginning with 'shell' was interpreted as a shell script. Now, the line must begin with 'SHELL' (case-sensitive). Note that ?SHELL and BEGIN SHELL are still case-insensitive. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 6 ---------------------------------------------------------------------------- 4.6.6.2 1) The compiler failed to parse the construct +[n] where n is an integer (e.g., +bad[2]). 2) Orion Paplawski has provided a patch that adds 'ko.xz' to the default MODULE_SUFFIX setting. This change deals with recent Fedora releases where the module names now end with ".ko.xz". In addition to Orion's patch, the sample configurations have been modified to specify MODULE_SUFFIX="ko ko.xz". 4.6.6.1 1) Previously the SAVE and RESTORE actions were erroneously disallowed in the INPUT chain within the mangle file. 2) The manpage descriptions of the mangle SAVE and RESTORE actions incorrectly required a slash (/) prior to the mask value. 3) Race conditions could previously occur between the 'start' command and the 'enable' and 'disable' commands. 4) The 'update' command incorrectly added the INLINE_MATCHES option to shorewall.conf with a default value of 'Yes'. This caused 'start' to fail with invalid iptables rules when the alternate input format using ';' is used. 6) Previously the LOCKFILE setting was not propagated to the generated script. So when the script was run directly, the script unconditionally used ${VARDIR}/lock. 1) Previously, the firewall products (Shorewall, Shorewall6 and *-lite) specified "After=network.target" in their .service files. Beginning with this release, those products specify "After=network-online.target" like the service.214 files. This change is intended to delay firewall startup until after network initialization is complete. 2) The 'TARPIT' target is now supported in the rules file. Using this target requires the appropriate support in your kernel and iptables. This feature implements a new "TARPIT Target" capability, so if you use a capabilities file, then you need to regenerate the file after installing this release. TARPIT captures and holds incoming TCP connections using no local per-connection resources. TARPIT only works with the PROTO column set to tcp (6), and is totally application agnostic. This module will answer a TCP request and play along like a listening server, but aside from sending an ACK or RST, no data is sent. Incoming packets are ignored and dropped. The attacker will terminate the session eventually. This module allows the initial packets of an attack to be captured by other software for inspection. In most cases this is sufficient to determine the nature of the attack. This offers similar functionality to LaBrea but does not require dedicated hardware or IPs. Any TCP port that you would normally DROP or REJECT can instead become a tarpit. The target accepts a single optional parameter: tarpit (default) This mode completes a connection with the attacker but limits the window size to 0, thus keeping the attacker waiting long periods of time. While he is maintaining state of the connection and trying to continue every 60-240 seconds, we keep none, so it is very lightweight. Attempts to close the connection are ignored, forcing the remote side to time out the connection in 12-24 minutes. honeypot This mode completes a connection with the attacker, but signals a normal window size, so that the remote side will attempt to send data, often with some very nasty exploit attempts. We can capture these packets for decoding and further analysis. The module does not send any data, so if the remote expects an application level response, the game is up. reset This mode is handy because we can send an inline RST (reset). It has no other function. 3) A 'loopback' option has been added to the interfaces files to designate the interface as the loopback device. This option is assumed if the device's physical name is 'lo'. Only one interface may specify 'loopback'. If no interface has physical name 'lo' and no interface specifies the 'loopback' option, then the compiler implicitly defines an interface as follows: #ZONE INTERFACE OPTIONS - lo ignore,loopback 4) The compiler now takes advantage of the iptables 'iface' match capability for identifying loopback traffic. 5) The 'primary' provider option has been added as a synonym for 'balance=1'. The rationale for this addition is that 'balance' seems inappropriate when only a single provider specifies that option. For example, if there are two providers and one specifies 'fallback', then the other would specify 'primary' rather than 'balance'. 6) Two new Macros have been contributed: Zabbix - Tuomo Soini Tinc - Răzvan Sandu ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 5 ---------------------------------------------------------------------------- 4.6.5.5 1) The Shorewall-init ifupdown scripts were looking for the firewall script in the wrong directory. Correction was provider by Tuomo Soini. 4.6.5.4 1) The '-c' option of the 'dump' and 'show routing' commands is now documented. 2) The handling of the 'DIGEST' environmental variable has been corrected in the Shorewall installer. Previously, specifying that option would not correctly update the Chains module which led to a Perl compilation failure. 3) Handling of ipset names on PORT columns has been corrected. Previously, such usage resulted in an invalid iptables rule being generated. 4.6.5.3 1) The Shorewall-init scripts were using the incorrect variable to set the state directory. 2) For normal dynamic zones, the 'add' command failed with a diagnostic such as: ERROR: Zone ast, interface net0 does not have a dynamic host list 3) When a mark range was used in the marks (tcrules) file, a run-time error occured while attempting to load the generated ruleset. 4.6.5.2 1) LOG_BACKEND=LOG failed at run-time for all but the most recent kernels. 4.6.5.1 1) The generated script can now detect an gateway address assigned by later versions of that program (Alan Barrett). 2) In 4.6.5, the bash-based configure script would issue the following diagnostic if SERVICEDIR was not specified in the shorewallrc file: ./configure: line 199: [SERVICEDIR]=: command not found This was compounded by the fact that all of the released shorewallrc files still specified SYSTEMDDIR rather than SERVICEDIR (Evangelos Foutras) 3) The shorewallrc.archlinux file now reflects a change in SBINDIR that occurred in Arch Linux in mid 2013 (Evangelos Foutras). 4.6.5 1) This release includes defect repair through release 4.6.4.3. 2) On kernel 3.17, LOG_BACKEND=LOG previously failed with the diagnostics: Setting up log backend /var/lib/shorewall/.restart: line 2075: echo: write error: No such file or directory WARNING: Unable to set log backend to ipt_LOG 3) A number of corrections have been made to the manpages (Thomas D). 4) Previously, if $OPTIONS was set in /etc/sysconfig/shorewall-init, then servicd failed to start/stop Shorewall-init. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 5 ---------------------------------------------------------------------------- 1) The configure scripts and installers now support SERVICEDIR as an alternative to SYSTEMD. For compatability, SERVICED is an alias for SERVICEDIR. 2) The installers now offer a choice of .service files, selected by the SERVICEFILE option. The default remains $PRODUCT.service. Each product supplying a .service file now supplies a .service.214. The differences between the standard .service files and the service.214 files are: a) They specify 'after=network-online.target' rather than 'after=network.target'. b) The file shorewall-init.service.214 specifies 'before=network-pre.target' rather than 'before=network.target'. That file requires serviced 214 or later, hence the names of the new files. Regardless of which file is selected, it is installed in $SERVICEDIR/$PRODUCT.service. 3) The RATE LIMIT column of the rules files now allows specification of both a per-source and per-destination limit. See shorewall[6]-rules(5) for details. 4) Previously, /bin/sh was used unconditionally to process the helper script 'getparams'. That shell script reads the params file and passes back the (variable,value) pairs to the compiler. Beginning with this release, $SHOREWALL_SHELL is used to process that script, unless the compilation is for export, in which case /bin/sh is still used. Note that the default value of $SHOREWALL_SHELL is /bin/sh, so unless your configuration sets that variable, this enhancement will have no effect. Similarly, on an administrative system, this enhancement has no effect on the processing of the 'compile -e', 'load', 'reload' and 'export' commands. 5) A -C option has been added to several commands to allow the ip[6]tables packet and byte counters to be preserved. - save command Causes the packet and byte counters to be saved along with the chains and rules. - restore command Causes the packet and byte counters (if saved) to be restored along with the chains and rules. - start command With Shorewall and Shorewall6, the -C option only has an effect if the -f option is also specified. If a previously-saved configuration is restored, then the packet and byte counters (if saved) will be restored along with the chains and rules. - restart command If an existing compiled script is used (no recompilation required) and if that script generated the current running configuration, then the current netfilter configuration is reloaded as is so as to preserve the current packet and byte counters. If you wish to (approximately) preserve the counters over a possibly unexpected reboot, then: - Create a cron job that periodically does 'shorewall save -C' - Specify the -C and -f option in the STARTOPTIONS variable in either /etc/default/shorewall[6][-lite] or /etc/sysconfig/shorewall[6][-lite], whichever is supported by your distribution. Note that some distributions do not distribute these files so you may have to create the one(s) you need (such as /etc/sysconfig/shorewall). ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 4 ---------------------------------------------------------------------------- 4.6.4.1 1) Confusing 'usage' output was produced under the following conditions: a) 4.6.4 installed b) The running firewall was compiled on an earlier release. c) A 'safe-start', 'save-restart', 'save' or 'try' command is executed. This problem has been corrected. 2) The 'optional' option has been removed from the IPv4 Universal interfaces file, as that option caused startup failures. 4.6.4 Final. 1) This release includes defect repair through release 4.6.3.4. 2) Two corrections have been made to the .service files: - The .service files now correctly specify WantedBy=basic.target - Conflicting services have been added. 3) A warning message generated during stoppedrules processing previously referred to the file as routestopped. 4) Previously, the stoppedrules file did not work properly when ADMINISABSENTMINDED=No. - A warning message was issued stating that the file would be processed as if ADMINISABSENTMINDED=Yes, and it was. - Unfortunately, part of the surrounding rule-generating logic proceded as if ADMINISABSENTMINDED=No, leading to an unusable ruleset. This problem has been corrected by changing the way that stoppedrules works with ADMINISABSENTMINDED=No. In the new implementation: - All existing connections continue to work. - Response packets and related connection requests to new accepted connections are accepted (in other words, the resulting ruleset is stateful). See shorewall[6].conf(5) for additional details. 5) The .spec files now set SBINDIR correctly. 6) The -lite installers now create INITDIR if it doesn't exist. 7) The installers no longer attempt to create a symbolic link to the init script when no init script is installed. 8) A large number of defects in the uninstallers have been corrected. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 4 ---------------------------------------------------------------------------- 1) Install support for Centos 7 and Foobar 7 has been added (Tuomo Soini). 2) A 'terminating' option has been added to shorewall[6].actions. this option, when used with the 'builtin' option, indicates to the compiler that the built-in action is terminating. This allows the optimizer to omit rules after an unconditional jump to the built-in. 3) A LOG_BACKEND option has been added to allow specification of the default logging backends. See shorewall.conf(5) and shorewall6.conf(5) for details. 4) The SAVE_IPSETS option may now specify a list of ipsets to be saved. When such a list is specified, only those ipsets together with the ipsets supporting dynamic zones are saved. Shorewall6 now supports the SAVE_IPSETS option. When SAVE_IPSETS=Yes, only ipv6 ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4, then only ipv4 ipsets are saved. Both features require ipset version 5 or later. Note that shorewall.conf and shorewall6.conf may now both specify SAVE_IPSETS. 5) The SBINDIR setting for SuSE now defaults to /usr/sbin/. 6) With the exception of Shorewall-core, the tarball installers and uninstallers now support a -n option which inhibits any attempt to change the startup configuration. The -n option can be automatically invoked by setting the SANDBOX variable to a non-empty value, either in the environment or in your shorewallrc file. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 3 ---------------------------------------------------------------------------- 4.6.3.1 1) The DNSAmp action released in 4.6.3 matched more packets than it should have. That has now been corrected. 4.6.3 1) This release contains defect repair up through release 4.6.2.5. 2) The SAVE_IPSETS option in the Debian version of Shorewall-init now works correctly. Thomas D. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 3 ---------------------------------------------------------------------------- 1) A new 'run' command has been implemented. This command allows you to run an arbitrary command in the context of the generated script. shorewall[6][-lite] run [ ... ] Normally, will be a function declared in lib.private. 2) A DNSAmp action has been added. This action matches recursive UDP DNS queries. The default disposition is DROP which can be overridden by the single action parameter (e.g, 'DNSAmp(REJECT)' will reject these queries). Recursive DNS queries are the basis for 'DNS Amplification' attacks; hence the action name. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 2 ---------------------------------------------------------------------------- 4.6.2.5 1) Previously, when an interface specified the 'physical=' option and the physical interface name was specified in the INTERFACES column of the providers file, compilation would fail with diagnostics similar to the following: Use of uninitialized value $physical in pattern match (m//) at /usr/lib/perl5/vendor_perl/5.18.1/ Shorewall/Providers.pm line 463, <$currentfile> line 2. ERROR: A provider interface must have at least one associated zone /opt/etc/shorewall/providers (line 2) 2) Shorewall-init now works correctly on systems with systemd. By Louis Lagendijk. 4.6.2.4 1) Previously, inline matches were incorrectly disallowed in action files. These matches are now allowed. 4.6.2.3 1) Previously, the compiler would fail with a Perl diagnostic if: - Optimize Level 8 was enabled. - Perl 5.20 was being used. This is the current Perl version on Arch Linux. The diagnostic was: Can't use string ("nat") as a HASH ref while "strict refs" in use at /usr/share/shorewall/Shorewall/Chains.pm line 3486. 4.6.2.2 1) The compiler now correctly detects the IPv6 "Header Match" capability when LOAD_MODULES_ONLY=No. 2) The compiler now correctly detects the IPv6 "Ipset Match" capability on systems running a 3.14 or later kernel. 3) The compiler now correctly detects "Arptables JF" capability when LOAD_MODULES_ONLY=No. 3) The tcfilter manpages previously failed to mention that BASIC_FILTERS=Yes is required to use ipsets in the tcfilters files. 4.6.2.1 1) Two issues with tcrules processing have been corrected: - SAVE and RESTORE generated fatal compilation errors. - '|' and '&' were ignored. 4.6.2 1) The DSCP match in the mangle and tcrules files didn't work with service class names such as EF, BE, CS1, ... (Thibaut Chèze) 2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in tcrules and mangle; this was a regression from 4.5.21. 3) Additional ports required by Asus, Supermicro and Dell have been added to the IPMI macro (Tuomo Soini). 4) Some issues regarding install under Cygwin64 have been addressed. - configure.pl did not understand CYGWIN returned from `uname` - Shorewall-core install.sh did not understand CYGWIN returned from `uname`. - The Shorewall and Shorewall6 installers tried to run the command 'mkdir -p //etc/shorewall[6]' which is broken in the current Cygwin64. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 2 ---------------------------------------------------------------------------- 1) The 'status' command now allows a -i option which causes the state of all optional and provider interfaces to be displayed. Example: root@gateway:/etc/shorewall# shorewall status -i Shorewall-4.6.1 Status at gateway - Wed Jun 18 14:27:19 PDT 2014 Shorewall is running State:Started (Wed Jun 18 09:50:01 PDT 2014) from /etc/shorewall/ (/var/lib/shorewall/firewall compiled by Shorewall version 4.6.1) Interface eth0 is Enabled Interface eth1 is Enabled Interface lo is Enabled 2) A 'shorewall show blacklists' command has been implemented. The abbreviation 'bl' may be used in place of 'blacklists'. The command displays the output of the 'dynamic' chain together with the chains created by entries in the blrules file. 3) A TIME column has been added to the mangle file. It has the same use in that file as the corresponding column in the rules file. 4) A stateful port knocking example has been added to the Events article (http://www.shorewall.net/Events.html). This example allows a sequence of knocking ports to be defined (Gerhard Weisinger). 5) A macro supporting HP's Integrated Lights Out (ILO) has been added (Tuomo Soini). 6) It is now possible to specify the MAC address of a provider GATEWAY. This is useful when there are multiple providers serviced by a single interface as it avoids the need for the generated script to detect the MAC during start/restart. 7) The copyrights in the sample configuration files have been updated. ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 1 ---------------------------------------------------------------------------- 4.6.1.4 1) The DSCP match in the mangle and tcrles files didn't work with service class names such as EF, BE, CS1, ... 2) The SAVE and RESTORE actions were disallowed in the OUTPUT chain in tcrules and mangle; this was a regression from 4.6.21. 4.6.1.3 1) Use of the 'IfEvent' action resulted in a compilation failure: ERROR: -j is only allowed when the ACTION is INLINE with no parameter /usr/share/shorewall/action.IfEvent (line 139) from /etc/shorewall/action.SSHKnock (line 8) from /etc/shorewall/rules (line 31) 4.6.1.2 1) The shorewall-masq(5) and shorewall6-masq(5) manpages had a mangled heading for the description of the SOURCE column, leading some readers to assert the that description was missing. 2) When INLINE_MATCHES=Yes and AUTOHELPERS=No, start or restart could fail during script execution with this diagnostic: Running /sbin/iptables-restore... Bad argument `helper=netbios-ns' Error occurred at line: nnn Try `iptables-restore -h' or 'iptables-restore --help' for more information. ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input 4.6.1.1 1) An improved error message is generatred when a server address list is specified in the DEST colume of a DNAT or REDIRECT rule. At one time, iptables supported such lists, but now only a single address or an address range is supported. The previous error message was: ERROR: Unkknown Host (192.168.1.4,192.168.1.22) The new error message is: ERROR: An address list (192.168.1.4,192.168.1.22) is not allowed in the DEST column of a xxx RULE where xxx is DNAT or REDIRECT as appropriate. 2) Two problems have been corrected in the Shorewall-init Debian init script. a) A cosmetic problem which resulted in 'echo_notdone' being displayed on failure rather than 'not done'. b) More seriously, the test for the existance of compiled firewall scripts was incorrect, with the result that the firewall scripts were not executed. These defects, introduced in Shorewall 4.5.17, have now been corrected. 4.6.1 1) When the 'rpfilter' option is specified on all interfaces, no references to the 'dynamic' chain were created and that chain was optimized away. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 1 ---------------------------------------------------------------------------- 1) Tuomo Soini has provided new macros for AMOP, MongoDB, Redis, Sieve and IPMI (RMCP). ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 6 . 0 ---------------------------------------------------------------------------- 4.6.0.3 1) The Shorewall-init package now installs correctly on RHEL7. 2) 1:1 NAT is now enabled in IPv6. 3) A subtle interaction between NAT and sub-zones is explained in shorewall-nat. 4) The 'show filters' command now works with Simple TC. 4.6.0.2 1) The 'upgrade -A' command now converts the tcrules file to a mangle file. Previously, that didn't happen. 2) The install components now support RHEL7. 3) Whitespace issues in the skeleton configuration files have been corrected (Tuomo Soini). 4) The install components now support RHEL7. 5) FAQ 2e has been added which describes additional steps required to achieve hairpin NAT on a bridge where the modified packets are to go out the same bridge port as they entered. 6) shorewall-masq(5) has been corrected to include the word SOURCE on the description of that column. Previously, the description read '(formerly called SUBNET)'. 7) The output of 'shorewall show filters' once again shows ingress (policing) filters. This works around undocumented changes to the behavior of the 'tc' utility. 4.6.0.1 1) The CHECKSUM target in the tcrules and mangle files was broken and resulted in this error diagnostic: Running /sbin/iptables-restore... iptables-restore v1.4.7: CHECKSUM target: Parameter --checksum-fill is required Error occurred at line: 41 Try `iptables-restore -h' or 'iptables-restore --help' for more information. ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input The compiler is now generating the correct rule. 2) Some cosmetic issues in the 'mangle' files have been resolved. 3) When an invalid chain designator was supplied in 'tcrules' or 'mangle', the compiler's error message was garbled and a Perl diagnostic was issued. 4.6.0 This release includes all defect repair from releases up through 4.5.21.9. 1) The tarball installers, now install .service files with mode 644 rather than mode 600. ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 6 . 0 ---------------------------------------------------------------------------- 1) SECTION entries in the accounting and rules files now allow "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The new form is preferred and if any SECTION entries do not have the question mark, a warning is issued (see Migration Issues below). 2) The default setting for ZONE2ZONE has been changed from '2' to '-' for increased readability when zone names contain '2'. 3) The 'tcrules' file has been superceded by the 'mangle' file. Existing 'tcrules' files will still be processed, with the restriction that TPROXY is no longer supported in FORMAT 1. You can convert your tcrules file into the equivalent mangle file using the command: shorewall update -t See shorewall(8) and shorewall6(8) for important restrictions of the -t option. 4) Prior to now, the ability to specify raw iptables matches has been tied to the INLINE action. Beginning with this release, the two can be separated by specifying INLINE_MATCHES=Yes. When INLINE_MATCHES=Yes, then inline matches may be specified after a semicolon in the following files: action files macros rules mangle masq Note that semicolons are not allowed in any other files. If you want to use the alternative input format in those files, then you must inclosed the specifications in curly brackets ({...}). The -i option of the 'check' command will warn you of lines that need to be changed from using ";" to using "{...}". 5) The 'conntrack', 'raw', 'mangle' and 'rules' files now support an IPTABLES (IP6TABLES) action. This action is similar to INLINE in that it allows arbitrary ip[6]tables matches to be specified after a semicolon (even when INLINE_MATCHES=No). It differs in that the parameter passed is an iptables target with target options. Example (rules file): #ACTION SOURCE DEST PROTO IPTABLES(TARPIT --honeypot) net pot If the particular target that you wish to use is unknown to Shorewall, you will get this error message: ERROR: Unknown TARGET () You can eliminate that error by adding your target as a builtin action in /etc/shorewall[6]/actions. As part if this change, the /etc/shorewall[6]/actions file options have been extended to allow you to specify the Netfilter table(s) where the target is accepted. When 'builtin' is specified, you can also include the following options: filter nat mangle raw If no table is given, 'filter' is assumed for backward compatibility. 6) The 'tcpflags' option is now set by default. To disable the option, specify 'tcpflags=0' in the OPTIONS column of the interface file. 7) You may now use ipset names (preceded by '+') in PORT columns, allowing you to take advantage of bitmap:port ipsets. 8) The counter extensions to ipset matches have been implemented. See shorewall[6]-ipsets for details. 9) DROP is now a valid action in the stoppedrules files. DROP occurs in the raw table PREROUTING chain which avoids conntrack entry creation. 10) A new BASIC_FILTERS option is now supported. When set to 'Yes', this option causes the compiler to generate basic TC filters from tcfilters entries rather than u32 filters. Basic filters are more straight-forward than u32 filters and, in later iptables/kernel versions, basic filters support ipset matches. Please note that Shorewall cannot reliably detect whether your iptables/kernel support ipset matches, so an error-free compilation does not guarantee that the firewall will start successfully when ipset names are specified in tcfilters entries. 11) The update command now supports an -A option. This is intended to perform all available updates to the configuration and is currently equivalent to '-b -D -t'. 12) Beginning with this release, FORMAT-1 actions and macros are deprecated and a warning will be issued for each FORMAT-1 action or macro found. See the Migration Issues for further information. 13) To facilitate creation of ipsets with characteristics different from what Shorewall generates, the 'init' user exit is now executed before Shorewall creates ipsets that don't exist.