Shorewall 5.1.0 Beta 1 is now available for testing.

Problems Corrected:

1)  This release includes defect repair through Shorewall 5.0.15.1.

2)  A defect associated with CHAIN_SCRIPTS=Yes previously prevented
    some of the optimizations associated with optimize level 4 from
    being applied. Removal of the CHAIN_SCRIPTS option (see below) has
    eliminated the defect.

New Features:

1)  Shorewall 5.0 now has a single CLI program, ${SBINDIR}/shorewall
    (normally /sbin/shorewall). This program performs all of the same
    functions previously performed by /sbin/shorewall,
    /sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
    and is installed as part of the Shorewall-core package. Its
    default 'personality' is determined by the Shorewall packages
    installed:

    a) If the Shorewall package is installed, then by default,
       /sbin/shorewall behaves as in prior versions.

    b) If the Shorewall package is not installed, but the
       Shorewall-lite package is present, then /sbin/shorewall behaves
       as did /sbin/shorewall-lite in prior versions.

    c) If neither the Shorewall nor Shorewall-lite packages are
       installed, but the Shorewall6-lite package is installed, then
       /sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
       versions.

    The program's personality can be altered through use of two new
    options.

    -6  When specified, changes the personality from Shorewall to
        Shorewall6 or from Shorewall-lite to Shorewall6-lite.

    -l  When specified, changes the personality from Shorewall to
        Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
        option is only required when both the standard package
        (Shorewall or Shorewall6) and the corresponding -lite package
        are installed on the system.

    The following is a comparison of Shorewall 5.0 and Shorewall 5.1
    with respect to the CLI invocation:

         All four packages installed:

         Shorewall 5.0                  Shorewall 5.1

         shorewall                      shorewall
         shorewall6                     shorewall -6
         shorewall-lite                 shorewall -l
         shorewall6-lite                shorewall -6l

         Only Shorewall-lite and Shorewall6-lite installed:

         Shorewall 5.0                  Shorewall 5.1

         shorewall-lite                 shorewall
         shorewall6-lite                shorewall -6

    A single shorewall(8) manpage now describes the CLI.

2)  Several settings in the default/sample .conf files have been
    modified:

    a)  The LOGFORMAT setting has been changed from "Shorewall:%s:%s:"
        to "%s %s " to enable longer zone names.

    b)  The LOGLIMIT setting has been changed from empty to
        "s:1/sec:10", to enable log throttling by default.

    c)  The AUTOMAKE setting has been changed from "No" to "Yes", to
        avoid unnecessary recompilation.

    d)  The IP_FORWARDING setting has been changed from "On" to "Keep"
        in shorewall.conf to accommodate cases where forwarding has been
        configured before installing Shorewall.

    e)  The OPTIMIZE setting has been changed to "All", to create more
        compact rulesets by default.

    f)  TC_CLEAR has been set to "No" in the shorewall6.conf files.

3)  The allowed syntax in the SOURCE and DEST columns in the rules file
    has been extended to allow multiple comma-separated
    <zone>:[<interface>:][<address-list>] tuples in a single
    rule. Where the <address-list> lists multiple addresses separated
    by commas, the <address-list> must be enclosed in parentheses.

    Example: net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)

    See shorewall[6]-rules(5) for details.

    A similar change has been made to the conntrack and mangle files,
    where multiple <interface>:<address-lists> groups can be specified:

    Example: eth0:(1.2.3.4,2.3.4.5),eth1:(5.6.7.8,6.7.8.9)

    See shorewall[6]-conntrack(5) and shorewall[6]-mangle(5) for
    details.

4)  The CHAIN_SCRIPTS option in the .conf files has been eliminated,
    and the compiler no longer looks for script files with the same
    name as a chain or action.

    If you are using such files, you will need to convert them into
    equivalent ?begin perl .... ?end perl text.

    For the common case where you have an action xxx with an empty
    action.xxx file and have perl code in a file named xxx, place the
    following in the action.xxx file.


      ?begin perl

      use strict;
      use Shorewall::Config;
      use Shorewall::Chains;

      my $chainref        = get_action_chain;
      my ( $level, $tag ) = get_action_logging;

      < Insert your existing xxx perl script here >

      ?end perl

5)  The --queue-cpu-fanout NFQUEUE option is now supported in NFQUEUE
    rules and policies. It is enabled by following the high queue
    number with the letter 'c' (e.g., NFQUEUE(0:3c)). This option
    requires 'NFQUEUE CPU Fanout' support in your kernel and
    ip[6]tables.

6)  A SWITCH column has been added to the mangle files. See
    shorewall[6]-mangle(5) for details.

Thank you for testing,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
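
The extended SOURCE/DEST syntax from New Feature 3 can no longer be split on every comma, which matters for any audit or review tooling that reads rules files. The following is an added example, not part of the announcement and not Shorewall's own parser: a Python sketch that splits on top-level commas only. It assumes IPv4 addresses or CIDR networks, and the function names are hypothetical.

```python
import ipaddress

def split_top_level(column):
    """Split a column value on commas that are outside parentheses."""
    parts, current, depth = [], [], 0
    for ch in column:
        depth += (ch == "(") - (ch == ")")
        if depth not in (0, 1):
            raise ValueError(f"bad parentheses in {column!r}")
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if depth:
        raise ValueError(f"unclosed parenthesis in {column!r}")
    parts.append("".join(current))
    return parts

def is_ipv4(text):
    """True for an IPv4 address or CIDR network (assumption: IPv4 only)."""
    try:
        ipaddress.IPv4Network(text, strict=False)
        return True
    except ValueError:
        return False

def parse_column(column):
    """Return [(zone, interface, [addresses]), ...] for a SOURCE/DEST value."""
    tuples = []
    for item in split_top_level(column):
        head, paren, tail = item.partition(":(")
        if paren:                       # zone[:interface]:(addr,addr,...)
            if not tail.endswith(")"):
                raise ValueError(f"text after ')' in {item!r}")
            fields, addrs = head.split(":"), tail[:-1].split(",")
        else:                           # zone[:interface][:single-address]
            fields, addrs = item.split(":"), []
            if len(fields) > 1 and is_ipv4(fields[-1]):
                addrs = [fields.pop()]
        # A tuple that starts with an address is what an unparenthesized
        # list such as net:1.2.3.4,2.3.4.5 splits into; this sketch rejects it.
        if len(fields) > 2 or not fields[0] or is_ipv4(fields[0]):
            raise ValueError(f"cannot parse tuple {item!r}")
        tuples.append((fields[0], fields[1] if len(fields) == 2 else None, addrs))
    return tuples
```

The rejection of an unparenthesized list is a limit of this sketch, not a statement about what the Shorewall compiler accepts.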
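
The LOGFORMAT change in New Feature 2a removes the literal "Shorewall:" tag from the log prefix, so log filters and alerting rules keyed on that tag stop matching once a configuration adopts the new sample value. The following is an added example, not part of the announcement: a Python parser that accepts both prefixes. The sample log lines, chain names and function names are constructed, and the layout after the prefix assumes the usual netfilter LOG output beginning with IN=.

```python
import re

# Prefix written with the old sample default LOGFORMAT="Shorewall:%s:%s:"
OLD_PREFIX = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?=IN=)")
# Prefix written with the new sample default LOGFORMAT="%s %s "
NEW_PREFIX = re.compile(r"(?P<chain>\S+) (?P<disposition>[A-Z_]+) (?=IN=)")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return chain, disposition and packet fields, or None if no match."""
    for name, pattern in (("old", OLD_PREFIX), ("new", NEW_PREFIX)):
        m = pattern.search(line)
        if m:
            fields = dict(FIELD.findall(line[m.end():]))
            return {"format": name, "chain": m["chain"],
                    "disposition": m["disposition"],
                    "src": fields.get("SRC"), "dpt": fields.get("DPT")}
    return None

def prefix_length(logformat, chain, disposition):
    """Length of the resulting log prefix; the LOG target allows at most 29."""
    return len(logformat % (chain, disposition))

# Constructed sample lines (not taken from a real system).
SAMPLES = [
    "Feb  3 10:15:01 gw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22",
    "Feb  3 10:15:02 gw kernel: net-fw DROP IN=eth0 OUT= "
    "SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=23",
    "Feb  3 10:15:03 gw kernel: eth0: link up",
]

def count_matches(lines, legacy_only=False):
    """Count firewall log lines; legacy_only mimics a 'Shorewall:' filter."""
    hits = 0
    for line in lines:
        parsed = parse_log_line(line)
        if parsed and not (legacy_only and parsed["format"] != "old"):
            hits += 1
    return hits
```

With the constructed chain name dmz-internal and disposition REJECT, prefix_length gives 30 for the old format and 20 for the new one, which shows the room the shorter format frees up for zone names.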