The Shorewall Team is pleased to announce the availability of Shorewall 5.0.6.
Problems Corrected:

1) This release includes defect repair through Shorewall 5.0.5.1.

2) Previously, the generated function define_firewall() contained logic for handling the 'stop' and 'clear' commands. Beginning with this release, the function will no longer include that logic, since define_firewall() is not called when processing those commands.

3) The 'persistent' option on a provider previously resulted in a duplicate routing rule being created each time that the provider was disabled. This has been corrected so that duplicate rules are not created.

New Features:

1) The GATEWAY column in /etc/shorewall[6]/providers may now contain the keyword 'none'. This will create a routing table with no default route, to allow handling policy-routing scenarios where a default route is not required.

2) Previously, when both Shorewall and Docker were used on the same system, one of two approaches had to be followed:

   a) Run docker with --iptables=false and use Shorewall to configure Netfilter.

   b) Run docker with --iptables=true and use extension scripts to save/restore the Docker-generated rules.

   The first is complex and the second is difficult to do in a way that ensures that changes to the Shorewall configuration aren't lost during restart/reload.

   In this release, a new DOCKER option is available in shorewall.conf. When DOCKER=Yes, the generated script takes responsibility for saving and restoring the Docker-generated rules.

   The Shorewall implementation assumes that the default 'docker0' bridge is being used. It is recommended that docker0 be assigned to a zone in /etc/shorewall/interfaces. When you do that, the setting of 'routeback' for that interface determines whether inter-container communication is allowed. If docker0 is not listed in the interfaces file, then the generated script will save/restore the FORWARD chain rules for that interface.

   If you are using Docker's network features where bridges with names of the form br-xxxxxxxxxxxx are created, those bridges should not be defined to Shorewall.

   Note that DOCKER=Yes is currently supported only in Shorewall and not in Shorewall6.

3) A new SNMPtrap macro has been added and is intended to supersede SNMPTrap. The latter is now deprecated, but is still available for use.

4) As an alternative to entries in the ecn file, the IPv4 mangle file now supports an ECN target for clearing the ECN flags in the TCP header. See shorewall-mangle(8) for details.

5) The remainder of the documentation has been updated to use the new column headings.

6) Beginning with this release, voluminous CLI output to terminals from 'show' and 'dump' commands may be automatically paged using a program like 'less' or 'more'. The pager program to be used, if any, is specified using the PAGER option in shorewall[6].conf.

Thank you for using Shorewall,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
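
A configuration check for the DOCKER=Yes setup described in the announcement, added here as an example and not part of the original message or of Shorewall itself. The sample file contents, the zone name 'dock' and the bridge id are constructed; the rule that 'bridge' implies routeback comes from shorewall-interfaces(5), not from this announcement.

```python
import re

# Constructed sample files; the zone name 'dock' and the bridge id are made up.
SHOREWALL_CONF = "STARTUP_ENABLED=Yes\nDOCKER=Yes\n"
INTERFACES = """\
?FORMAT 2
#ZONE   INTERFACE        OPTIONS
net     eth0             dhcp
dock    docker0          bridge,routeback=0
dock    br-0123456789ab  -
"""

def conf_value(text, key):
    """Return the value of KEY=value from shorewall.conf text, or None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(key + "="):
            return line.split("=", 1)[1].strip().strip("'\"")
    return None

def parse_interfaces(text):
    """Map interface name -> (zone, [options]) for a format-2 interfaces file."""
    result = {}
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) < 2 or cols[0].startswith("?"):
            continue  # blank line, comment, or ?FORMAT directive
        opts = cols[2].split(",") if len(cols) > 2 and cols[2] != "-" else []
        result[cols[1]] = (cols[0], opts)
    return result

def audit(conf, interfaces):
    """Return findings for the DOCKER=Yes setup described in the announcement."""
    findings = []
    if (conf_value(conf, "DOCKER") or "No").lower() != "yes":
        findings.append("DOCKER is not Yes: Docker-generated rules are not saved/restored")
    ifaces = parse_interfaces(interfaces)
    if "docker0" not in ifaces:
        findings.append("docker0 not in interfaces: its FORWARD chain rules are saved/restored")
    else:
        opts = ifaces["docker0"][1]
        explicit = [o for o in opts if o.split("=")[0] == "routeback"]
        # Per shorewall-interfaces(5), 'bridge' implies routeback unless overridden.
        allowed = explicit[-1] != "routeback=0" if explicit else "bridge" in opts
        findings.append("docker0 inter-container traffic: " + ("allowed" if allowed else "blocked"))
    for name in ifaces:
        if re.fullmatch(r"br-[0-9a-f]{12}", name):
            findings.append(name + " is a Docker network bridge and should not be defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SHOREWALL_CONF, INTERFACES)))
```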