Shorewall 5.1.6 RC 1 is now available for testing.

Problems Corrected since 5.1.6 Beta 2:

1) Previously, Shorewall's treatment of wildcard interfaces differed
   from Netfilter's. Shorewall did not consider 'eth' to match 'eth+'
   while Netfilter did. Beginning with this release, Shorewall is
   consistent with Netfilter.

2) Previously, systemd could attempt to start the IPv4 and IPv6
   firewalls simultaneously, which might lead to iptables-restore and
   ip6tables-restore being run at the same time, resulting in a failure
   to start one of the firewalls. Beginning with this release,
   Shorewall and Shorewall6 will be started serially, as will
   Shorewall-lite and Shorewall6-lite.

3) To prevent other init systems from starting the IPv4 and IPv6
   firewalls in parallel, the ip[6]-tables '--wait' option, if
   available, is used.

   This change introduces a new RESTORE_WAIT_OPTION capability.

   Note: If the new capability is not available on your system, and
   you don't run systemd, you can still avoid the parallel start
   problem by configuring the same LOCKFILE in both your shorewall.conf
   and shorewall6.conf files.

New Features since 5.1.6 Beta 2:

1) When a zone (z1) is defined to be a sub-zone of another zone (z2),
   the compiler now verifies that the two zones have at least one
   interface in common. If they do not, a warning message is generated:

      WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two
               zones have no interface in common

2) Runtime address variables may now be used as the server IP address
   in DNAT rules.

   Example:

      DNAT net $FW:&eth1 tcp 9999

3) Previously, systemd could attempt to start the IPv4 and IPv6
   firewalls simultaneously, which might lead to iptables-restore and
   ip6tables-restore being run at the same time, resulting in a failure
   to start one of the firewalls. Beginning with this release,
   Shorewall and Shorewall6 will be started serially, as will
   Shorewall-lite and Shorewall6-lite.

4) To prevent other init systems from starting the IPv4 and IPv6
   firewalls in parallel, the ip[6]-tables '--wait' option, if
   available, is used.

   This change introduces a new RESTORE_WAIT_OPTION capability.

   Note: If the new capability is not available on your system, and
   you don't run systemd, you can still avoid the parallel start
   problem by configuring the same LOCKFILE in both your shorewall.conf
   and shorewall6.conf files.

Thank you for testing,
-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________ Shorewall-devel mailing list Shorewall-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-devel
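
The wildcard semantics from corrected problem 1 and the sub-zone check from new feature 1, as an added Python illustration (not Shorewall's or Netfilter's own code). The rule used here to decide that two zones share an interface, and the zone and interface names in the sample data, are assumptions made for the example.

```python
# Added illustration; not taken from Shorewall or Netfilter sources.

def netfilter_match(pattern, ifname):
    """Netfilter semantics: a trailing '+' turns the pattern into a prefix
    match, so 'eth+' matches 'eth', 'eth0', 'eth1.100'; otherwise exact."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


def pre_516_match(pattern, ifname):
    """Behaviour the announcement describes for earlier Shorewall releases:
    'eth' was not considered a match for 'eth+'."""
    if pattern.endswith("+"):
        prefix = pattern[:-1]
        return ifname.startswith(prefix) and len(ifname) > len(prefix)
    return ifname == pattern


def disagreements(pattern, ifnames):
    """Interface names on which the two interpretations differ."""
    return [n for n in ifnames
            if netfilter_match(pattern, n) != pre_516_match(pattern, n)]


def share_interface(sub_ifaces, parent_ifaces):
    """Assumed rule: zones share an interface when a name declared for one
    is matched by a name (possibly a wildcard) declared for the other."""
    return any(netfilter_match(p, s) or netfilter_match(s, p)
               for s in sub_ifaces for p in parent_ifaces)


def subzone_warnings(zones, parents):
    """Emit the warning text quoted in the announcement for each sub-zone
    that has no interface in common with its parent zone."""
    return [f"WARNING: Zone {z1} is defined to be a sub-zone of {z2}, "
            "yet the two zones have no interface in common"
            for z1, z2 in parents.items()
            if not share_interface(zones[z1], zones[z2])]


# Constructed sample data (hypothetical zones and interfaces).
ZONES = {"loc": ["eth+"], "dmz": ["eth"], "vpn": ["tun+"]}
PARENTS = {"dmz": "loc", "vpn": "loc"}

if __name__ == "__main__":
    print(disagreements("eth+", ["eth", "eth0", "ppp0"]))
    print("\n".join(subzone_warnings(ZONES, PARENTS)))
```

The only name on which the two interpretations differ is the bare prefix itself, which is exactly the case where a rule written for 'eth+' in Shorewall and the rule Netfilter enforces could cover different interfaces.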