diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/changelog.txt shorewall-4.4.7.1/changelog.txt
--- shorewall-4.4.7/changelog.txt 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/changelog.txt 2010-02-13 07:28:22.000000000 -0800
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.7-1
+
+1) Don't apply rate limiting twice in NAT rules.
+
Changes in Shorewall 4.4.7
1) Backport optimization changes from 4.5.
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/install.sh shorewall-4.4.7.1/install.sh
--- shorewall-4.4.7/install.sh 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/install.sh 2010-02-13 07:28:22.000000000 -0800
@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
-VERSION=4.4.7
+VERSION=4.4.7.1
usage() # $1 = exit status
{
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/known_problems.txt shorewall-4.4.7.1/known_problems.txt
--- shorewall-4.4.7/known_problems.txt 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/known_problems.txt 2010-02-13 07:28:22.000000000 -0800
@@ -1 +1,5 @@
-There are no known problems in Shorewall 4.4.7.
+1) All versions of Shorewall-perl mishandle per-IP rate limiting in
+ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+ the values given in the rule.
+
+ Corrected in 4.4.7.1
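Review bot: The removed line stated whether any problems were known in 4.4.7, but the new text only records the 4.4.7 defect as "Corrected in 4.4.7.1" and says nothing about the status of 4.4.7.1 itself; consider closing the file with a line equivalent to the one removed, e.g. "There are no known problems in Shorewall 4.4.7.1." so readers of the patch release still get that statement.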
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Config.pm shorewall-4.4.7.1/Perl/Shorewall/Config.pm
--- shorewall-4.4.7/Perl/Shorewall/Config.pm 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/Perl/Shorewall/Config.pm 2010-02-13 07:28:22.000000000 -0800
@@ -337,7 +337,7 @@
TC_SCRIPT => '',
EXPORT => 0,
UNTRACKED => 0,
- VERSION => "4.4.7",
+ VERSION => "4.4.7.1",
CAPVERSION => 40407 ,
);
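Review bot: CAPVERSION is left at 40407 while VERSION moves to "4.4.7.1"; that is consistent with this patch touching no capability detection, but since the two values normally move together, a one-line mention in changelog.txt that the capabilities format is unchanged would save a reader from reading it as an oversight.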
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/Perl/Shorewall/Rules.pm shorewall-4.4.7.1/Perl/Shorewall/Rules.pm
--- shorewall-4.4.7/Perl/Shorewall/Rules.pm 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/Perl/Shorewall/Rules.pm 2010-02-13 07:28:22.000000000 -0800
@@ -1182,13 +1182,25 @@
#
# Generate Fixed part of the rule
#
- $rule = join( '',
- do_proto($proto, $ports, $sports),
- do_ratelimit( $ratelimit, $basictarget ) ,
- do_user( $user ) ,
- do_test( $mark , $globals{TC_MASK} ) ,
- do_connlimit( $connlimit ),
- do_time( $time ) );
+ if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
+ #
+ # Don't apply rate limiting twice
+ #
+ $rule = join( '',
+ do_proto($proto, $ports, $sports),
+ do_user( $user ) ,
+ do_test( $mark , $globals{TC_MASK} ) ,
+ do_connlimit( $connlimit ),
+ do_time( $time ) );
+ } else {
+ $rule = join( '',
+ do_proto($proto, $ports, $sports),
+ do_ratelimit( $ratelimit, $basictarget ) ,
+ do_user( $user ) ,
+ do_test( $mark , $globals{TC_MASK} ) ,
+ do_connlimit( $connlimit ),
+ do_time( $time ) );
+ }
unless ( $section eq 'NEW' ) {
fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
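Review bot: The two join() branches are identical except for the `do_ratelimit( $ratelimit, $basictarget ) ,` term, so six matcher lines are now duplicated and will drift the next time a matcher is added; build the list once and make only that element conditional, e.g. `( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) ? '' : do_ratelimit( $ratelimit, $basictarget )`. Also, the comment "Don't apply rate limiting twice" should name where the limit is applied for NAT rules (the nat-table rule), because this hunk alone only shows it being omitted here and a later reader may take it for a dropped limit; and the condition deserves a comment spelling out that it matches rules with NATRULE set and NATONLY clear.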
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/releasenotes.txt shorewall-4.4.7.1/releasenotes.txt
--- shorewall-4.4.7/releasenotes.txt 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/releasenotes.txt 2010-02-13 07:28:22.000000000 -0800
@@ -1,4 +1,4 @@
-Shorewall 4.4.7
+Shorewall 4.4.7 Patch Release 1.
----------------------------------------------------------------------------
R E L E A S E 4 . 4 H I G H L I G H T S
@@ -184,7 +184,15 @@
one from the release (not recommended).
----------------------------------------------------------------------------
- P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 . 1
+----------------------------------------------------------------------------
+
+1) All versions of Shorewall-perl mishandle per-IP rate limiting in
+ REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+ the values given in the rule.
+
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
----------------------------------------------------------------------------
1) The tcinterfaces and tcpri files are now installed by the
@@ -211,12 +219,19 @@
5) Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would
cause start/restart to fail on systems lacking 'flow' classifier
- support. While we currently know of no safe way to test for that
- support, in Shorewall 4.4.7 we use other hints to surmise that the
- installed toolset is likely to be too old to support 'flow' and
- simply ignore the TYPE setting. In particular, RHEL5 and
- derivatives no lonter experience a startup failure when TYPE is
- specified.
+ support. In Shorewall 4.4.7, we detect the ability of the 'tc'
+ utility to support that classifier.
+
+ There are two caveats:
+
+ - 'tc' may support 'flow' but the kernel does not. In that case,
+ start/restart will still fail.
+
+ - If you use a capabilities file, you will need to regenerate the
+ file using shorewall-lite 4.4.7 in order for 'flow' to be
+ accurately detected. If you do not regenerate the file, the
+ compiler will use other hints to try to determine if 'flow' is
+ available.
----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/shorewall.spec shorewall-4.4.7.1/shorewall.spec
--- shorewall-4.4.7/shorewall.spec 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/shorewall.spec 2010-02-13 07:28:22.000000000 -0800
@@ -1,6 +1,6 @@
%define name shorewall
%define version 4.4.7
-%define release 0base
+%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name}
@@ -107,6 +107,10 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
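Review bot: The new `* Thu Feb 11 2010` entry repeats `- Updated to 4.4.7-0base`, which is already recorded under `* Fri Feb 05 2010`; if Feb 11 was a re-spin of the same 0base release, say so in the entry text, otherwise drop the duplicate so %changelog keeps one entry per release.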
diff -Naur -X /usr/local/bin/exclude.txt shorewall-4.4.7/uninstall.sh shorewall-4.4.7.1/uninstall.sh
--- shorewall-4.4.7/uninstall.sh 2010-02-11 07:29:41.000000000 -0800
+++ shorewall-4.4.7.1/uninstall.sh 2010-02-13 07:28:22.000000000 -0800
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.7
+VERSION=4.4.7.1
usage() # $1 = exit status
{