The Shorewall team is pleased to announce the availability of Shorewall
4.5.10.

----------------------------------------------------------------------------
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  This release includes all defect repair included in
    4.5.9.1-4.5.9.3.

2)  Under rare circumstances, optimize level 16 could produce invalid
    iptables-restore input which would cause start/restart to fail.

3)  Before this release, the 'started' script was run prior to copying
    the temporary script file (e.g., /var/lib/shorewall/.start) to
    /var/dir/shorewall/firewall. If the script failed, the copy would
    not take place even though the firewall had started
    successfully. The script is now copied before running the 'started'
    script.

    If you compare the script generated by this release with one
    generated by a prior release, we suggest that you ignore whitespace
    changes (e.g., use the '-w' option in diff); that way, you can see
    the actual change more clearly.

4)  AUTOCOMMENT=No now works correctly; previously, it behaved the same
    as AUTOCOMMENT=Yes.

5)  A harmless extraneous comma has been deleted from the rule
    generated by action.RST.

----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure
    the firewall before interfaces are brought up.

----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------

1)  Shorewall now treats optional non-provider interfaces in a manner
    similar to provider interfaces.

    - They may have entries in /etc/shorewall/routes.
    - They may be enabled/disabled using the 'enable' and 'disable'
      commands.
    - Shorewall-init will simply enable an optional interface when it
      comes up and disable it when it goes down.

2)  The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now
    support the UNTRACKED state. See the manpages for details.

3)  The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files
    now support a DROP target.

    It is now possible to specify 'all-' in the SOURCE column which
    generates rules for all zones that are outside of the firewall
    itself.

4)  A SWITCH column has been added to the /etc/shorewall/conntrack and
    /etc/shorewall/conntrack6 files.

5)  In a SWITCH column, the character '@' is replaced by the chain
    name (non-alphanumeric characters other than '-' and '_' are
    suppressed).

6)  An AUDIT action has been added to the /etc/shorewall/rules and
    /etc/shorewall6/rules.

7)  The audited targets (A_ACCEPT, A_DROP, etc.) are now supported in
    /etc/shorewall6/rules.

8)  An additional format (3) has been added to the conntrack file. In
    this format, zone names are not used in the SOURCE column; rather,
    a suffix in the ACTION column determines which raw-table chain the
    generated Netfilter rule will be placed in. See the manpages for
    details.

9)  A ULOG ACTION has been added to /etc/shorewall/rules.

10) Within an action body, the variable $0 now expands to the action
    chain name (including leading '%' if present).

11) 'In-line' actions are now available. An action is designated as
    in-line within /etc/shorewall[6]/actions; that file has a
    new OPTIONS column and specifying 'inline' in that column
    designates the action as in-line.

    Normally, actions are expanded into their own chain with a
    unique chain being created for each unique invocation (considering
    log level, tag and parameters). An in-line action is expanded
    inline within the chain that invokes it. In that sense,
    in-line actions are very similar to macros.

    In-line actions differ from macros in several ways:

    a) A zone may be specified in the SOURCE and DEST columns of a
       macro, while zone names are disallowed in these columns within
       an in-line action (same as in a regular action).

    b) The name of the current chain is available in $0 within the body
       of an in-line action (also within a regular action beginning with
       Beta 3).

    c) In-line actions accept multiple parameters which are available
       in $1, $2, etc. (as they are in a regular action).

    d) PARAM has no special meaning in the body of an in-line action
       ($1 serves the same purpose in an in-line action).

    e) Only FORMAT 2 is available in an in-line action.

    f) In-line actions must be defined in
       /etc/shorewall[6]/actions. Those files have been extended to
       include an OPTIONS column. The only option currently supported
       is 'in-line'.

    In-line actions differ from normal actions in that:

    a) Obviously, they are expanded in-line like a macro rather than
       being in their own chain. That means that columns in the
       invocation are merged with those in the action body in the same
       way as they are in a macro.

    b) When AUTOCOMMENT=Yes, each generated rule is commented with the
       name of an in-line action.

    c) Within an in-line action, ?BEGIN PERL ... ?END PERL does not
       have access to the special features available in a normal
       action body.

    The compiler allows overriding the setting of 'inline' on the
    Shorewall standard actions within
    /etc/shorewall[6]/actions. Beware, however, that some of them
    don't work when in-lined so the compiler will ignore the 'inline'
    option with a warning for those actions:

            Broadcast
            DropSmurfs
            Invalid
            NonSyn
            RST
            TCPFlags

12) In SWITCH columns, the named switch can now be initialized by the
    'start' command (other commands do not change switch values).

    Initialization is accomplished by adding '=0' or '=1' to the
    switch name.

    Example (using alternative rule column specification):

    #ACTION        SOURCE           DEST   ...
    NFLOG          all              all    ; switch:logall=1

    The above will cause the 'logall' switch
    (/proc/net/nf_condition/logall) to be initialized to 1 (on). Note
    that netfilter provides no atomic way to define and initialize a
    switch so the loading of the ruleset and the initialization of the
    switches are distinct operations.

13) Also in SWITCH columns, the name of the current Netfilter chain
    will be substituted for '@0' and '@{0}'.

    Example (using alternative rule column specification):

    #ACTION        SOURCE           DEST   ...
    NFLOG          net              fw     ; switch:@{0}_logall

    The name of the switch will be 'net2fw_logall'.

    Note 1: Non-alphanumeric characters other than '_' and '-' will be
    deleted from the chain name before substitution.

    Note 2: The chain name substituted is the one to which the rule is
    initially added. The rule may end up in a different chain due to
    optimization.
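    The following is an added illustration, not part of this announcement
    or of Shorewall's compiler: a small parser that models the SWITCH
    column behaviour described in items 12 and 13 above ('=0'/'=1'
    initialization, '@0'/'@{0}' substitution, and Note 1's stripping of
    characters other than alphanumerics, '_' and '-'). The names
    parse_switch and switch_from_rule are my own; it assumes that
    alternative-column items after ';' are separated by commas or
    whitespace and use the 'column:value' form shown in the examples.

```python
import re
from typing import NamedTuple, Optional

class Switch(NamedTuple):
    name: str               # switch name, as used under /proc/net/nf_condition/
    initial: Optional[int]  # 0 or 1 if '=0'/'=1' was given, else None (not touched)

def sanitize_chain(chain: str) -> str:
    """Note 1: drop non-alphanumeric characters other than '_' and '-'."""
    return re.sub(r"[^A-Za-z0-9_-]", "", chain)

def parse_switch(spec: str, chain: str) -> Switch:
    """Parse the value of a SWITCH column entry (the text after 'switch:').

    chain is the Netfilter chain the rule is initially added to (Note 2:
    optimization may later move the rule, but the substituted name stays).
    """
    initial = None
    m = re.fullmatch(r"(.*?)=([01])", spec)
    if m:                       # item 12: trailing '=0' or '=1' initializes the switch
        spec, initial = m.group(1), int(m.group(2))
    clean = sanitize_chain(chain)
    name = spec.replace("@{0}", clean).replace("@0", clean)   # item 13
    # Defensive check (my addition): the result must be a plain nf_condition file name
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError(f"invalid switch name {name!r}")
    return Switch(name, initial)

def switch_from_rule(line: str, chain: str) -> Optional[Switch]:
    """Extract the switch from a rule written in alternative column specification,
    e.g. 'NFLOG net fw ; switch:@{0}_logall'. Separator handling is an assumption."""
    if ";" not in line:
        return None
    _, _, tail = line.partition(";")
    for item in re.split(r"[\s,]+", tail.strip()):
        key, sep, value = item.partition(":")
        if sep and key.lower() == "switch":
            return parse_switch(value, chain)
    return None

if __name__ == "__main__":
    # Constructed sample rules mirroring the two examples above
    print(switch_from_rule("NFLOG all all ; switch:logall=1", "net2fw"))
    print(switch_from_rule("NFLOG net fw ; switch:@{0}_logall", "net2fw"))
```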

14) Optimization level 16 now suppresses duplicate rules in chains from
    all tables (it previously only suppressed duplicates in the 'raw'
    table).

    Non-adjacent rules containing 'mark', 'connmark', 'dscp', 'ecn',
    'set', 'tos' or 'u32' matches are not suppressed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
