RC 1 is now available for testing.
Problems corrected since Beta 3:
1) Added some missing VARDIR handling to the installers to handle the
case where a new install is being done and root's ~/.shorewallrc
is pre-2.5.8.
2) The legacy blacklist chains are no longer created when there is
no 'blacklist' file.
Enhancements since Beta 3:
1) A PRIORITY column has been added to the tcfilter files. See
shorewall-tcfilters(5) and shorewall6-tcfilters(5) for details.
As part of this change, the method of assigning priorities to
filters where the PRIORITY is not specified has
changed. Previously, all ipv4 filters were assigned priority 10
while all ipv6 filters were assigned priority 11. Now, a high-water
priority is maintained for each interface; the high-water priority
is initialized to 1. Each rule without an explicit PRIORITY is
assigned the high-water priority, and the high-water priority is
then incremented by one.
If an explicit PRIORITY is specified and that value is >= the
high-water value, then the high-water value is set to the specified
PRIORITY plus 1. A fatal error is raised if the high-water value
exceeds 65535.
2) It is now possible to explicitly assign priorities to
classification filters created by shorewall for the following:
- Filter that classifies packets based on their firewall mark
value.
- Filter that classifies ACK packets via the 'tcp-ack' class
option.
- Filter that classifies packets based on TOS value.
Example:
#DEVICE   MARK   RATE:       CEIL   PRIORITY   OPTIONS
#                DMAX:UMAX
eth0      1:50   5*full/10   full   1          tcp-ack:15,\
                                               tos-minimize-delay:20
In this example, the classifier filters would be evaluated in this
order:
- tcp-ack (priority 15)
- tos-minimize-delay (priority 20)
- Mark value 1 (priority 50)
In other words, the filters are evaluated in ascending priority
order. If one filter doesn't match, the packet is passed to the
next filter.
See shorewall-tcclasses(5) and shorewall6-tcclasses(5) for
additional information.
3) The PRIORITY column in the tcclasses file is now optional for HFSC
classes. If that priority is omitted, then an explicit priority
must be specified for the MARK value and for the 'tcp-ack' and
'tos*' options.
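As an added illustration of items 1 through 3 (this is not Shorewall's own compiler code and is not part of the announcement), the following Python models the per-interface high-water assignment and the explicit classifier priorities parsed from the MARK and OPTIONS columns; the names Interface, add_filter, classifier_priorities and eth0_example are invented for the example, and the two tcfilters rules at the end are constructed.

```python
"""Model of the per-interface filter PRIORITY assignment described above.
Illustrative only; Interface, add_filter, classifier_priorities are invented."""
from dataclasses import dataclass, field
from typing import Optional

MAX_PRIORITY = 65535

@dataclass
class Interface:
    name: str
    high_water: int = 1  # initialised to 1 for every interface
    filters: list = field(default_factory=list)  # (priority, description)

    def add_filter(self, description: str, priority: Optional[int] = None) -> int:
        """Assign a priority to one filter on this interface and return it."""
        if priority is None:
            priority = self.high_water      # no explicit PRIORITY: use the high-water
            self.high_water += 1            # ... and bump it by one
        elif priority >= self.high_water:
            self.high_water = priority + 1  # explicit value at/above the mark moves it
        if self.high_water > MAX_PRIORITY:
            raise ValueError(f"{self.name}: filter priority high-water exceeds {MAX_PRIORITY}")
        self.filters.append((priority, description))
        return priority

    def evaluation_order(self) -> list:
        """Filters are tried in ascending priority; a non-match falls through."""
        return [desc for _, desc in sorted(self.filters, key=lambda f: f[0])]

def classifier_priorities(mark: str, options: str) -> list:
    """Parse MARK ('value[:priority]') and OPTIONS ('name[:priority],...') of a
    tcclasses entry; return explicit classifier priorities, lowest first."""
    found = []
    value, _, prio = mark.partition(":")
    if prio:
        found.append((int(prio), f"mark {value}"))
    for opt in options.split(","):
        name, _, prio = opt.strip().partition(":")
        if prio and (name == "tcp-ack" or name.startswith("tos-")):
            found.append((int(prio), name))
    return sorted(found)

def eth0_example() -> list:
    """The announcement's eth0 entry plus two constructed tcfilters rules without PRIORITY."""
    iface = Interface("eth0")
    for prio, desc in classifier_priorities("1:50", "tcp-ack:15,tos-minimize-delay:20"):
        iface.add_filter(desc, prio)
    iface.add_filter("tcfilters rule A")  # assigned 51, the high-water after 50
    iface.add_filter("tcfilters rule B")  # assigned 52
    return iface.evaluation_order()
```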
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________