The Shorewall Team is pleased to announce the availability of Shorewall 4.4.7.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
----------------------------------------------------------------------------
1) The tcinterfaces and tcpri files are now installed by the
installer and are included in the rpm.
2) An invalid octal number (e.g., 080) appearing in a port list
resulted in a Perl error message rather than a clean diagnostic.
As part of this fix, both hex and octal numbers are now accepted
for protocol and port numbers.
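As an added illustration of the number grammar this fix describes (it is not code from the Shorewall compiler), the following Python accepts decimal, 0x-prefixed hex and leading-0 octal tokens for port and protocol numbers, and reports a malformed octal such as 080 as a clean error instead of crashing. The function names, the numeric-only grammar (service names are not resolved) and the 0..65535 port and 0..255 protocol ranges are assumptions of this example.

```python
"""Numeric port/protocol parsing: decimal, 0x hex and 0 octal, with a clean
error for a malformed octal token such as 080.  Added example, not the
Shorewall compiler's own parser; grammar and ranges are assumptions."""
import re


def parse_number(token, what="port"):
    """Return the integer value of a decimal, 0x-hex or 0-octal token."""
    if re.fullmatch(r"0[xX][0-9A-Fa-f]+", token):
        return int(token, 16)
    if re.fullmatch(r"0[0-7]+", token):
        return int(token, 8)
    if re.fullmatch(r"0[0-9]+", token):
        # A leading 0 followed by an 8 or 9 is not a valid octal number;
        # report it instead of letting the conversion blow up.
        raise ValueError(f"invalid octal {what} number {token!r}")
    if re.fullmatch(r"0|[1-9][0-9]*", token):
        return int(token, 10)
    raise ValueError(f"invalid {what} number {token!r}")


def parse_port(token):
    """Single port: any accepted numeric form, range-checked (assumed 0..65535)."""
    value = parse_number(token, "port")
    if not 0 <= value <= 65535:
        raise ValueError(f"port {token!r} out of range 0..65535")
    return value


def parse_protocol(token):
    """Protocol number: same numeric grammar, range-checked (assumed 0..255)."""
    value = parse_number(token, "protocol")
    if not 0 <= value <= 255:
        raise ValueError(f"protocol {token!r} out of range 0..255")
    return value


def parse_port_list(text):
    """Parse 'p1,p2,lo:hi,...' into a list of (low, high) tuples."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if ":" in item:
            lo, hi = item.split(":", 1)
            low, high = parse_port(lo), parse_port(hi)
        else:
            low = high = parse_port(item)
        if low > high:
            raise ValueError(f"inverted port range {item!r}")
        ports.append((low, high))
    return ports


if __name__ == "__main__":
    # Constructed sample: decimal, hex, octal and a range in one list.
    print(parse_port_list("22,0x50,010,1024:65535"))
    try:
        parse_port_list("080")
    except ValueError as err:
        print("rejected:", err)
```

The octal check is ordered deliberately: the `0[0-7]+` pattern must be tried before the catch-all `0[0-9]+` pattern, otherwise a valid octal token would be reported as malformed.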
3) In 4.4.6, if a system:
a) Had mangle table support.
b) Had a FORWARD chain in the mangle table.
c) Did not have MARK Target support.
then 'shorewall start' would fail.
4) Previously, the 'nosmurfs' option was ignored in IPv6
compilations. As part of this fix, 'nosmurfs' handling when
SMURF_LOG_LEVEL is specified has been improved for both IPv4 and
IPv6.
5) Previously, specifying a TYPE in /etc/shorewall/tcinterfaces would
cause start/restart to fail on systems lacking 'flow' classifier
support. In Shorewall 4.4.7, we detect the ability of the 'tc'
utility to support that classifier.
There are two caveats:
- 'tc' may support 'flow' but the kernel does not. In that case,
start/restart will still fail.
- If you use a capabilities file, you will need to regenerate the
file using shorewall-lite 4.4.7 in order for 'flow' to be
accurately detected. If you do not regenerate the file, the
compiler will use other hints to try to determine if 'flow' is
available.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   4 . 4 . 7
----------------------------------------------------------------------------
1) The OPTIMIZE option value is now a bit-map with each bit
controlling a separate set of optimizations.
- The low-order bit (value 1) controls optimizations available in
earlier releases. We refer to this optimization as "optimization
1".
- The next bit (value 2) suppresses superfluous ACCEPT rules in a
policy chain that implements an ACCEPT policy. Any ACCEPT rules
that immediately precede the final blanket ACCEPT rule in the
chain are now omitted. We refer to this optimization as
"optimization 2".
- The next bit (value 4 or "optimization 4") enables the following
additional optimizations:
a) Empty chains are optimized away.
b) Chains with one rule are optimized away.
c) If a built-in chain has a single rule that branches to a
second chain, then the rules from the second chain are moved
to the built-in chain and the target chain is omitted.
d) Chains with no references are deleted.
e) Accounting chains are subject to optimization if the new
OPTIMIZE_ACCOUNTING option is set to 'Yes' (default is 'No').
f) If a chain ends with an unconditional branch to a second chain
(other than to 'reject'), then the branch is deleted from the
first chain and the rules from the second chain are appended
to it.
The following chains are exempted from optimization 4:
action chains (user-created).
accounting chains (unless OPTIMIZE_ACCOUNTING=Yes)
dynamic
forwardUPnP
logdrop
logreject
rules chains (those of the form zonea2zoneb or zonea-zoneb).
UPnP (nat table).
To enable all possible optimizations, set OPTIMIZE to 7 (1 + 2 +
4).
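An added toy model, not the Shorewall compiler's code, of how the OPTIMIZE bit-map gates the passes described above. A chain set is a dict from chain name to rule list; bit 2 strips ACCEPT rules that immediately precede a final blanket ACCEPT, and bit 4 runs passes (a), (b), (c), (d) and (f) to a fixed point, skipping the exempt chains listed above and refusing to merge two rules whose match options conflict. Bit 1 and pass (e) (accounting chains) are not modelled; the rule representation, the fixed-point strategy, the treatment of exempt chains (never rewritten, inlined or deleted) and the sample chain set are constructed assumptions of this example.

```python
"""Toy model of the OPTIMIZE bit-map (bits 2 and 4) applied to a chain set.
Added example, not the Shorewall compiler's code.  A chain set is
{chain_name: [rule, ...]}; a rule is {"match": {opt: val}, "target": name};
a target naming another chain is a jump, anything else (ACCEPT, DROP, LOG)
is terminal.  Bit 1 and accounting chains (pass e) are not modelled."""
import re
from copy import deepcopy

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
# Chains the release notes exempt from optimization 4.  Modelling choice:
# an exempt chain is never rewritten, inlined or deleted; 'reject' is
# listed so a tail jump to it is never merged.
EXEMPT_NAMES = {"dynamic", "forwardUPnP", "logdrop", "logreject", "reject", "UPnP"}
RULES_CHAIN = re.compile(r"^\w+(2|-)\w+$")   # zonea2zoneb / zonea-zoneb forms


def rule(match, target):
    return {"match": dict(match), "target": target}


def is_exempt(name):
    return name in EXEMPT_NAMES or bool(RULES_CHAIN.match(name))


def merge_match(outer, inner):
    """Jump rule's match combined with a moved rule's match; None on conflict."""
    merged = dict(outer)
    for opt, val in inner.items():
        if merged.get(opt, val) != val:
            return None
        merged[opt] = val
    return merged


def references(chains, name):
    return sum(r["target"] == name for rules in chains.values() for r in rules)


def inline_into(chains, caller, index, target):
    """Replace the jump at chains[caller][index] by target's rules; False on conflict."""
    outer = chains[caller][index]["match"]
    moved = [merge_match(outer, r["match"]) for r in chains[target]]
    if any(m is None for m in moved):
        return False
    chains[caller][index:index + 1] = [rule(m, r["target"]) for m, r in zip(moved, chains[target])]
    return True


def optimize_once(chains, level):
    """Apply a single transformation allowed by `level`; False when none applies."""
    editable = [n for n in chains if not is_exempt(n)]
    user = [n for n in editable if n not in BUILTIN]
    if level & 2:  # optimization 2: ACCEPT rules right before a final blanket ACCEPT
        for name in editable:
            rules = chains[name]
            if (len(rules) >= 2 and not rules[-1]["match"]
                    and rules[-1]["target"] == "ACCEPT" and rules[-2]["target"] == "ACCEPT"):
                del rules[-2]
                return True
    if not level & 4:
        return False
    for name in user:
        if not chains[name]:                                   # (a) empty chain: jumps are no-ops
            for caller in editable:
                chains[caller][:] = [r for r in chains[caller] if r["target"] != name]
        if references(chains, name) == 0:                      # (d) unreferenced chain
            del chains[name]
            return True
    for name in editable:
        rules = chains[name]
        if name in BUILTIN and len(rules) == 1 and rules[0]["target"] in user:   # (c)
            if inline_into(chains, name, 0, rules[0]["target"]):
                return True
        last = rules[-1] if rules else None
        if last and not last["match"] and last["target"] in user and last["target"] != name:  # (f)
            if inline_into(chains, name, len(rules) - 1, last["target"]):
                return True
    for name in user:
        if len(chains[name]) == 1:                             # (b) single-rule chain
            for caller in editable:
                for i, r in enumerate(chains[caller]):
                    if caller != name and r["target"] == name and inline_into(chains, caller, i, name):
                        return True
    return False


def optimize(chains, level=7):
    """Return an optimized copy of `chains` for OPTIMIZE=level (bit-map 0..7)."""
    if level & ~7:
        raise ValueError(f"OPTIMIZE={level}: only bits 1, 2 and 4 are defined")
    chains = deepcopy(chains)
    while optimize_once(chains, level):
        pass
    return chains


# Constructed sample chain set exercising each pass.
SAMPLE = {
    "INPUT": [rule({}, "net_in")],                                   # (c): single jump
    "net_in": [rule({"-p": "tcp", "--dport": "22"}, "ACCEPT"), rule({}, "drop_log")],
    "drop_log": [rule({}, "LOG"), rule({}, "DROP")],                 # (f): tail-merged
    "FORWARD": [rule({"-i": "eth0"}, "empty_chain"), rule({"-p": "tcp"}, "one_rule")],
    "empty_chain": [],                                               # (a)
    "one_rule": [rule({"--dport": "80"}, "ACCEPT")],                 # (b)
    "unused": [rule({"-p": "udp"}, "DROP")],                         # (d)
    "OUTPUT": [rule({"-p": "tcp"}, "ACCEPT"), rule({}, "ACCEPT")],   # optimization 2
}

if __name__ == "__main__":
    for name, rules in optimize(SAMPLE, 7).items():
        print(name, rules)
```

With OPTIMIZE=7 the sample collapses to just INPUT, FORWARD and OUTPUT; with OPTIMIZE=4 the same chain merging happens but OUTPUT keeps its redundant ACCEPT, and with OPTIMIZE=2 only that ACCEPT is stripped. A conflicting match (a jump on `-p tcp` into a chain whose only rule says `-p udp`) is left alone rather than merged into a rule that could never match.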
2) Shorewall now combines identical logging chains. Previously, a
separate chain was created for each logging rule.
3) Beginning with Shorewall 4.4.7, accounting can be disabled by
setting ACCOUNTING=No in shorewall.conf. This allows you to keep a
set of accounting rules configured in /etc/shorewall/accounting and
to then enable and disable them by simply toggling the setting of
ACCOUNTING.
Similarly, dynamic blacklisting can be disabled by setting
DYNAMIC_BLACKLIST=No. This saves a jump rule in the INPUT
and FORWARD filter chains.
4) Shorewall can now automatically assign mark values to providers in
cases where 'track' is specified (or TRACK_PROVIDERS=Yes) but
packet marking is otherwise not used for directing connections to a
particular provider. Simply specify '-' in the MARK column and
Shorewall will automatically assign a mark value.
5) Support for TPROXY has been added. See
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY.
6) Traditionally, Shorewall has loaded all modules that could possibly
be needed twice: once in the compiler, and once when the generated
script is initialized. The latter can be a time-consuming process
on slow hardware.
Beginning with 4.4.7, there is a LOAD_HELPERS_ONLY option in
shorewall.conf. For existing users, LOAD_HELPERS_ONLY=No is the
default.
For new users who employ the sample configurations,
LOAD_HELPERS_ONLY=Yes will be the default. That setting causes only
a small subset of modules to be loaded; it is assumed that the
remaining modules will be autoloaded. Additionally, capability
detection in the compiler is deferred until each capability is
actually used. As a consequence, no modules are autoloaded
unnecessarily.
Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol
helpers. These cannot be autoloaded.
In addition, the nf_conntrack_sip module is loaded with
sip_direct_media=0. This setting is slightly less secure than
sip_direct_media=1, but it solves many VOIP problems that users
routinely encounter.
-The Shorewall Team
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
