The Shorewall team is pleased to announce the availability of Shorewall 4.5.12.
----------------------------------------------------------------------------
I. P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) This release contains the defect repairs from Shorewall 4.5.11.1
and 4.5.11.2.
2) Two defects associated with 'update -D' have been corrected.
- shorewall.conf.bak is no longer deleted.
- files that are not changed no longer have their mtime updated.
3) Inline actions in the RELATED and ESTABLISHED sections now work
correctly.
4) The 'dropInvalid' built-in function now works correctly.
5) The compiler now generates an error when a protocol list is used in
a context where only a single protocol name/number is accepted.
6) The generated script now correctly deletes Traffic Control
configurations when CLEAR_TC=Yes. Previously, the configurations on
interfaces with a '@xxxxxx' suffix in their names were not cleared.
7) Under very rare circumstances, optimize level 4 could leave a rule
that jumped to a non-existent chain, causing iptables-restore to
fail.
8) If an error was raised while compiling a default action, a Perl
diagnostic could appear and the Shorewall error message would not
be printed.
9) It is once again possible to use DNS names in rules without an
interface name.
----------------------------------------------------------------------------
I I. K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
1) The rules compiler has traditionally issued a warning when the
version of /etc/shorewall[6]/capabilities is less than the version
supported by the compiler. This warning may be suppressed by
setting the new option 'WARNOLDCAPVERSION' to 'No' in
shorewall[6].conf.
2) The compiler now ignores '-m comment' differences when deleting
duplicate rules under optimization level 16.
3) Support has been added for the FQ CODEL (Fair-queuing
Controlled-delay) queuing discipline. See shorewall-tcclasses (5)
and shorewall6-tcclasses (5) for details.
4) Support for arptables has been added to Shorewall and Shorewall
Lite.
- Both classic arptables and arptables_jf (a fork maintained by Jay
Fenlason) are supported.
- There is now an ARPTABLES option in the shorewall.conf file to
specify the path to the arptables binary.
- An arprules file has been added to allow specification of
arptables rules. See shorewall-arprules (5) for details.
- A 'show arptables' command has been added to show the active
arptables rules.
- arptables rules are saved and restored by the save and restore
commands if the new option SAVE_ARPTABLES is set to Yes in
shorewall.conf.
- arptables rules are displayed in the 'dump' command.
As part of this change, a new capability ('Arptables JF') has been
added. If you use a capabilities file, you should regenerate it
after installing this version.
5) The interpretation of the log tag when LOGTAGONLY=Yes has changed.
Previously, the log tag replaced the chain name in the generated
log prefix. Now, the tag is interpreted as a chain name and a
disposition separated by a comma.
So this rule:
LOG:info:foo,bar
will generate the following log prefix when using the default
LOGFORMAT setting:
Shorewall:foo:bar:
Similarly,
LOG:info:,bar net fw
will generate
Shorewall:net2fw:bar:
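As an added example (not code from the Shorewall project), a small Python parser that recovers the chain and disposition from kernel log lines carrying prefixes of the form shown above, plus a helper that applies the same tag rule when building a prefix; the sample log lines and the function names are constructed for this illustration.

```python
# Added example, not Shorewall's own code: parse LOGTAGONLY=Yes log
# prefixes out of kernel log lines. The log lines below are constructed;
# the default LOGFORMAT "Shorewall:%s:%s:" is Shorewall's own default.
import re
from collections import Counter

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]*):(?P<disposition>[^:]*):")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def log_tag_prefix(tag, zone_chain, logformat="Shorewall:%s:%s:"):
    """Apply the rule from the note: the tag is 'chain,disposition'; an
    empty chain part falls back to the rule's zone chain (e.g. net2fw)."""
    chain, _, disposition = tag.partition(",")
    return logformat % (chain or zone_chain, disposition)

def parse_log_line(line):
    """Return chain, disposition and the useful packet fields, or None when
    the line carries no Shorewall prefix."""
    m = PREFIX.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(line[m.end():]))
    return {"chain": m.group("chain"), "disposition": m.group("disposition"),
            "src": fields.get("SRC"), "dst": fields.get("DST"),
            "proto": fields.get("PROTO"), "dpt": fields.get("DPT")}

def count_dispositions(lines):
    """Tally (chain, disposition) pairs: a quick view of which tagged
    rules are firing and how often."""
    parsed = (parse_log_line(line) for line in lines)
    return Counter((p["chain"], p["disposition"]) for p in parsed if p)

# Constructed sample lines in the shape of kernel log output.
SAMPLE_LINES = [
    "kernel: Shorewall:net2fw:bar:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:"
    "88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 SYN",
    "kernel: Shorewall:foo:bar:IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 "
    "PROTO=UDP SPT=53 DPT=53 LEN=8",
    "kernel: Shorewall:net2fw:bar:IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 "
    "PROTO=TCP SPT=40001 DPT=22",
    "kernel: eth0: link up",
]
```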
6) Rules generated by the RELATED section of the rules file are now in
separate chains. For each pair of zones (za,zb), RELATED
connections are handled by a chain whose name is "+za2zb"
(ZONE_SEPARATOR=2) or "+za-zb" (ZONE_SEPARATOR='-'). This results
in only one state match to jump to the new chain rather than a
state match for every rule in the section.
7) Protocol lists are now supported in the PROTO columns of the
following additional files:
accounting
conntrack
masq
secmarks
stoppedrules
tcfilters
tcpri
tcrules
8) When a terminating rule is added to the end of a chain, the
compiler now marks that chain as 'complete' and inhibits the
appending of any additional rules.
A terminating rule is one that has no matches and either uses '-g'
(goto) or is a jump to one of the following:
ACCEPT
DROP
RETURN
QUEUE
CLASSIFY
CT
DNAT
MASQUERADE
NETMAP
NFQUEUE
NOTRACK
REDIRECT
RAWDNAT
RAWSNAT
REJECT
SAME
SNAT
TPROXY
A user chain that contains no RETURN rules and whose last rule is
itself terminating.
Additionally, when optimize level 4 is selected, chains that
contain a single RETURN rule are optimized away.
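An added example, not Shorewall's compiler code, that models the completeness rule and the level-4 single-RETURN optimization described in item 8 in Python; the rule and chain representation, the function names and the treatment of jumps to an optimized-away chain are assumptions made for this illustration.

```python
# Added example, not Shorewall's own code: models the chain-completion rule
# from item 8 and the level-4 single-RETURN optimization. TERMINATING is the
# target list from the note; the data shapes and function names are assumed.
TERMINATING = {
    "ACCEPT", "DROP", "RETURN", "QUEUE", "CLASSIFY", "CT", "DNAT",
    "MASQUERADE", "NETMAP", "NFQUEUE", "NOTRACK", "REDIRECT", "RAWDNAT",
    "RAWSNAT", "REJECT", "SAME", "SNAT", "TPROXY",
}

def rule(target, matches=(), goto=False):
    """A rule is its target plus its match expressions; goto models '-g'."""
    return {"target": target, "matches": list(matches), "goto": goto}

def is_terminating(r, chains, seen=frozenset()):
    """No matches and either '-g', a built-in terminating target, or a jump
    to a user chain that has no RETURN and whose last rule terminates."""
    if r["matches"]:
        return False
    if r["goto"] or r["target"] in TERMINATING:
        return True
    name = r["target"]
    if name in seen or name not in chains:  # cycle or unknown chain: unproven
        return False
    rules = chains[name]
    if not rules or any(x["target"] == "RETURN" for x in rules):
        return False
    return is_terminating(rules[-1], chains, seen | {name})

def is_complete(name, chains):
    """The compiler marks a chain complete once its last rule terminates."""
    rules = chains.get(name, [])
    return bool(rules) and is_terminating(rules[-1], chains)

def append_rule(name, r, chains):
    """Append unless the chain is complete; a rule placed behind a
    terminating rule could never be reached. Returns whether it was added."""
    if is_complete(name, chains):
        return False
    chains.setdefault(name, []).append(r)
    return True

def optimize_level4(chains):
    """Drop chains holding a single RETURN rule, together with the jumps to
    them: jumping to such a chain does nothing (assumed semantics)."""
    noop = {n for n, rs in chains.items()
            if len(rs) == 1 and rs[0]["target"] == "RETURN"}
    return {n: [x for x in rs if x["target"] not in noop]
            for n, rs in chains.items() if n not in noop}
```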
9) Eric Teeter has contributed macro.ActiveDir, a macro that handles
Samba 4 Active Directory.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
