The Shorewall Team is pleased to announce the availability of Shorewall 4.5.11.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release includes the defect repair from Shorewall 4.5.10.1.
----------------------------------------------------------------------------
K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release expands upon the concept of 'Shorewall Variables'
that was introduced in 4.5.10 with the creation of '@0' in SWITCH
columns. Beginning with 4.5.10, '@0' (or '@{0}') in a SWITCH column
expands to the name of the current chain.
In this release, the Shorewall variables @loglevel and @logtag
are added. These variables are only available within action bodies
(both regular and in-line).
Their contents are:
@loglevel
The log level specified when the action was invoked. If no
level was specified, @loglevel expands to 'none'.
@logtag
The log tag specified when the action was invoked. If no tag
was specified, @logtag expands to an empty string.
@1, @2, ...
Same as $1, $2, ...
Additionally, @chain has been added as a synonym for @0. Remember
that, unlike $0, non-alphanumeric characters other than '_' have
been removed from @0.
2) Action variables ($0, $1,...$n) and Shorewall variables are now
available in ?IF and ?ELSIF directives.
3) A 'nolog' option has been added to /etc/shorewall[6]/actions. This
option causes the compiler to forego adding the log level and log
tag from the action invocation to those rules within the body that
do not specify a tag and/or level.
4) An 'IGNOREUNKNOWNVARIABLES' option has been added to
/etc/shorewall[6]/shorewall[6].conf. When set to 'Yes', this option
instructs the compiler to expand unknown shell variables and
action parameters to an empty string rather than raising an error.
5) ?SET and ?RESET directives are now available:
?SET <variable> <value>
?RESET <variable>
To cater to both Shell and Perl programmers, the <variable> may
be entered with or without leading '$'.
The ?SET command sets the named <variable> to the specified
<value> where <value> is a Perl-compatible expression.
The ?RESET command deletes the named <variable> from the compiler's
variable table.
Shorewall variables (@chain, @loglevel,...) and action parameters
($1, $2,...) are read-only and their values may not be changed
(although action parameter values may be changed using Embedded
Perl).
6) This release introduces user-defined address variables. Address
variables are used at run-time rather than at compile-time. Prior
to this release, two types of address variables were available:
&<interface> Expands to the primary IP address of
<interface>
%<interface> Expands to the IP address of the default
gateway out of <interface>
The two new types added in this release are distinguished by the
use of "{....}".
&{<variable>} Address contained in run-time variable
<variable>. The named shell variable must
contain a valid IP address, either from the
generated script's environment or from having
been set in the generated script's 'init'
extension script. If the variable is empty or
if its contents are not a valid IP address, an
error is raised and the state of the firewall
is not changed.
%{<variable>} Address contained in run-time variable
<variable>. If the named variable is empty,
the generated script sets it to the all-zeros
address (0.0.0.0 in IPv4 and :: in IPv6). When
this variable appears in a SOURCE or
DESTINATION column of any configuration file,
or if it appears in the ADDRESSES column of
the masq file, then no rule is generated when
the address variable is empty. Otherwise, the
rule is generated with the all-zeros address
replacing the variable. As above, if the
variable is non-empty and if it does not
contain a valid IP address, an error is raised
and the firewall state is unchanged.
7) The output of 'show [-f] capabilities' is now sorted to make
individual capabilities easier to find.
8) Beginning with this release, ?FORMAT is preferred over FORMAT for
specifying the format of records in these configuration files:
action.* files
conntrack
interfaces
macro.* files
tcrules
While deprecated, FORMAT (without the '?') is still supported.
Also, ?COMMENT is preferred over COMMENT for attaching comments to
generated netfilter rules in the following files.
accounting
action.* files
blrules files
conntrack
macro.* files
masq
nat
rules
secmarks
tcrules
tunnels
When one of the deprecated forms is encountered, a warning message
is issued.
Example:
WARNING: 'FORMAT' is deprecated in favor of '?FORMAT' -
consider running 'shorewall update -D'.
As the warning indicates, 'update -D' will traverse the CONFIG_PATH
replacing FORMAT and COMMENT lines with ?FORMAT and ?COMMENT
directives respectively. The original version of modified files
will be saved with a .bak suffix.
During the update, .bak files are skipped as are files in
${SHAREDIR}/shorewall and ${SHAREDIR}/shorewall6.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
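The following is an added illustration, not code from Shorewall or from the announcement above, of the decision rules the announcement gives for the new run-time address variables &{<variable>} and %{<variable>}: an empty or invalid &{} variable is an error that leaves the firewall unchanged, an empty %{} variable becomes the all-zeros address except in SOURCE, DEST or masq ADDRESSES columns where the rule is suppressed, and a non-empty but invalid value is always an error. The function names (`resolve_addr_var`, `is_ipv4`, `is_ipv6`), the return-code convention and the explicit FAMILY argument are assumptions of this model; the variable names MGMT_ADDR and EMPTY_ADDR are constructed sample input. The IPv6 check is deliberately simplified.

```shell
#!/bin/sh
# Illustrative model (NOT Shorewall's generated code) of how &{VAR} and %{VAR}
# are resolved at run time, per the 4.5.11 release notes.
#
# resolve_addr_var KIND NAME COLUMN FAMILY
#   KIND    '&' for &{NAME}, '%' for %{NAME}
#   NAME    shell variable holding the address, set in the environment or in
#           the 'init' extension script, e.g.  MGMT_ADDR=192.0.2.10
#   COLUMN  column the variable appears in (SOURCE, DEST, ADDRESSES, other)
#   FAMILY  4 or 6 (assumption: the real compiler knows the family from
#           shorewall vs shorewall6; this model takes it as an argument)
# Returns 0 and prints the address to substitute;
# returns 2 and prints nothing when no rule should be generated;
# returns 1 with a diagnostic on stderr when the firewall must stay unchanged.

is_ipv4() {
    _save_ifs=$IFS; IFS=.
    set -- $1                      # split on dots (unquoted on purpose)
    IFS=$_save_ifs
    [ $# -eq 4 ] || return 1
    for _oct; do
        case $_oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
    done
}

# Simplified IPv6 check: hex digits and colons only, at least two colons,
# at most one '::'. Sufficient for the model, not a full RFC 4291 parser.
is_ipv6() {
    case $1 in ''|*[!0-9A-Fa-f:]*) return 1 ;; esac
    case $1 in *:*:*) ;; *) return 1 ;; esac
    _rest=${1#*::}
    case $_rest in *::*) return 1 ;; esac
    return 0
}

resolve_addr_var() {
    _kind=$1 _name=$2 _column=$3 _family=$4

    case $_kind in '&'|'%') ;; *) echo "ERROR: unknown kind '$_kind'" >&2; return 1 ;; esac

    # Only eval a syntactically valid shell identifier: a hostile variable
    # *name* in a config line must not become shell code.
    case $_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "ERROR: '$_name' is not a valid variable name" >&2; return 1 ;;
    esac
    eval "_value=\${$_name}"

    if [ -z "$_value" ]; then
        if [ "$_kind" = '&' ]; then
            echo "ERROR: variable $_name is empty; firewall state unchanged" >&2
            return 1
        fi
        case $_column in
            SOURCE|DEST|ADDRESSES) return 2 ;;       # rule is suppressed
        esac
        if [ "$_family" = 6 ]; then echo '::'; else echo '0.0.0.0'; fi
        return 0
    fi

    if [ "$_family" = 6 ]; then _check=is_ipv6; else _check=is_ipv4; fi
    if ! $_check "$_value"; then
        echo "ERROR: $_name='$_value' is not a valid IPv$_family address; firewall state unchanged" >&2
        return 1
    fi
    echo "$_value"
}

# Demo with constructed values, as an 'init' extension script might set them.
MGMT_ADDR=192.0.2.10
EMPTY_ADDR=
resolve_addr_var '&' MGMT_ADDR SOURCE 4
resolve_addr_var '%' EMPTY_ADDR PROTO 4
resolve_addr_var '%' EMPTY_ADDR SOURCE 4 || echo "rc=$? (rule suppressed)"
resolve_addr_var '&' EMPTY_ADDR SOURCE 4 || echo "rc=$? (error, firewall unchanged)"
```

The identifier check before `eval` is the part worth copying into any script that looks up a variable by a name taken from a configuration file; without it a column value such as `x; rm -rf /` would be executed rather than looked up.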
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
