-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
The Shorewall team is pleased to announce the availability of
Shorewall 5.1.0.
Problems Corrected:
1) This release includes defect repair through Shorewall 5.0.15.2.
2) A defect associated with CHAIN_SCRIPTS=Yes previously prevented
some of the optimizations associated with optimize level 4 from
being applied. Removal of the CHAIN_SCRIPT option (see below) has
eliminated the defect.
3) The install.sh and uninstall.sh have had some minor cleanup (Matt
Darfeuille).
4) Previously, when SAVE_IPSETS=Yes or SAVE_IPSETS=ipv4, the restore
phase of a rejected safe-restart would fail. That has been
corrected.
5) It is now possible to include compact IPv6 addresses (those with
"::") in IP6TABLES() parameters. Previously, such addresses
resulted in an "INVALID ACTION..." error.
New Features:
1) Shorewall 5.1 now has a single CLI program, ${SBINDIR}/shorewall
(normally /sbin/shorewall). This program performs all of the same
functions previously performed by /sbin/shorewall,
/sbin/shorewall6, /sbin/shorewall-lite and /sbin/shorewall6-lite
and is installed as part of the Shorewall-core package. Its
default 'personality' is determined by the Shorewall packages
installed:
a) If the Shorewall package is installed, then by default,
/sbin/shorewall behaves as in prior versions.
b) If the Shorewall package is not installed, but the
Shorewall-lite package is present, then /sbin/shorewall behaves
as did /sbin/shorewall-lite in prior versions.
c) If neither the Shorewall nor Shorewall-lite packages are
installed, but the Shorewall6-lite package is installed, then
/sbin/shorewall behaves as did /sbin/shorewall6-lite in prior
versions.
The program's personality can be altered through use of two new
options.
-6 When specified, changes the personality from Shorewall to
Shorewall6 or from Shorewall-lite to Shorewall6-lite.
-l When specified, changes the personality from Shorewall to
Shorewall-lite or from Shorewall6 to Shorewall6-lite. This
option is only required when both the standard package
(Shorewall or Shorewall6) and the corresponding -lite package
are installed on the system.
The following is a comparison of Shorewall 5.0 and Shorewall 5.1
with respect to the CLI invocation:
All four packages installed:

    Shorewall 5.0        Shorewall 5.1
    shorewall            shorewall
    shorewall6           shorewall -6
    shorewall-lite       shorewall -l
    shorewall6-lite      shorewall -6l

Only Shorewall-lite and Shorewall6-lite installed:

    Shorewall 5.0        Shorewall 5.1
    shorewall-lite       shorewall
    shorewall6-lite      shorewall -6
A single shorewall(8) manpage now describes the CLI.
The shorewall6(8), shorewall-lite(8) and shorewall6-lite(8)
manpages are now minimal and refer the reader to shorewall(8).
For backward compatibility, Shorewall6, Shorewall-lite and
Shorewall6-lite install symlinks $SBINDIR/shorewall6,
$SBINDIR/shorewall-lite and
$SBINDIR/shorewall6-lite respectively. When the shorewall program
is invoked through one of these symlinks, it adopts the appropriate
personality.
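The personality rules above, written out as an added POSIX shell model (this is not Shorewall's own code; the real /sbin/shorewall inspects the system, whereas this function takes the list of installed packages as an argument so it can be exercised anywhere). The function names has_pkg and personality are my own:

```shell
#!/bin/sh
# Added model of the Shorewall 5.1 CLI "personality" selection.
# Not Shorewall's code: package presence is passed in rather than detected.

# has_pkg <comma-separated-list> <name>: succeed if <name> is in the list
has_pkg() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# personality <invoked-name> <installed-packages> [-6] [-l] [-6l]
#   <invoked-name>        the name the program was called by (argv[0] basename):
#                         shorewall, shorewall6, shorewall-lite or shorewall6-lite
#   <installed-packages>  e.g. "shorewall,shorewall-lite,shorewall6-lite"
# Prints the personality adopted.
personality() {
    name=$1; installed=$2; shift 2
    six=0; lite=0
    for opt in "$@"; do
        case $opt in
            -6)      six=1 ;;
            -l)      lite=1 ;;
            -6l|-l6) six=1; lite=1 ;;
            *) echo "personality: unknown option '$opt'" >&2; return 1 ;;
        esac
    done
    case $name in
        # Compatibility symlinks fix the personality outright.
        shorewall6)      six=1 ;;
        shorewall-lite)  lite=1 ;;
        shorewall6-lite) six=1; lite=1 ;;
        # Plain "shorewall": the default depends on which packages are
        # present, checked in the order (a), (b), (c) of the announcement.
        shorewall)
            if has_pkg "$installed" shorewall; then
                :                             # (a) behave as in prior versions
            elif has_pkg "$installed" shorewall-lite; then
                lite=1                        # (b) behave as shorewall-lite
            elif has_pkg "$installed" shorewall6-lite; then
                six=1; lite=1                 # (c) behave as shorewall6-lite
            else
                echo "personality: no Shorewall package installed" >&2
                return 1
            fi ;;
        *) echo "personality: unexpected program name '$name'" >&2; return 1 ;;
    esac
    result=shorewall
    if [ "$six" -eq 1 ]; then result=shorewall6; fi
    if [ "$lite" -eq 1 ]; then result="$result-lite"; fi
    printf '%s\n' "$result"
}

# Stand-alone use, e.g.: sh personality.sh shorewall shorewall,shorewall6 -6
if [ "$#" -gt 0 ]; then
    personality "$@"
fi
```

Note that the model does not check that the package for the requested personality is actually installed (the announcement does not say what the real program does in that case); it only reproduces the defaults and the effect of -6 and -l.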
2) Several settings in the default/sample .conf files have been
modified:
a) The LOGFORMAT setting has been changed from "Shorewall:%s:%s:"
to "%s %s " to enable longer zone names.
b) The LOGLIMIT setting has been changed from empty to
"s:1/sec:10", to enable log throttling by default.
c) The AUTOMAKE setting has been changed from "No" to "Yes", to
avoid unnecessary recompilation.
d) The IP_FORWARDING setting has been changed from "On" to "Keep"
in shorewall.conf to accommodate cases where forwarding has been
configured before installing Shorewall.
e) The OPTIMIZE setting has been changed to "All", to create more
compact rulesets by default.
f) TC_CLEAR has been set to "No" in the shorewall6.conf files.
3) The allowed syntax in the SOURCE and DEST columns in the rules file
has been extended to allow multiple comma-separated
<zone>:[<interface>:][<address-list>] tuples in a single
rule. Where the <address-list> lists multiple addresses separated
by commas, the <address-list> must be enclosed in parentheses.
Example: net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)
See shorewall[6]-rules(5) for details.
A similar change has been made to the conntrack and mangle files,
where multiple <interface>:<address-lists> groups can be specified:
Example: eth0:(1.2.3.4,2.3.4.5),eth1:(5.6.7.8,6.7.8.9)
See shorewall[6]-conntrack(5) and shorewall[6]-mangle(5) for
details.
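To make the parenthesis rule concrete for both the rules file and the conntrack/mangle files, here is an added POSIX shell splitter (not Shorewall's code; the function name split_tuples is my own). It treats only commas at parenthesis depth zero as tuple separators, which is exactly why a multi-address list must be wrapped in parentheses: without them the second address is split off as a tuple of its own.

```shell
#!/bin/sh
# Added example: split a SOURCE/DEST (or conntrack/mangle) column into its
# top-level comma-separated tuples, keeping commas inside (...) intact.
# Not Shorewall's code; written to illustrate the 5.1 column syntax.

# split_tuples <column-value>: print one tuple per line; fail on unbalanced ()
split_tuples() {
    rest=$1; depth=0; cur=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of the remainder
        rest=${rest#?}                 # drop it
        case $c in
            '(') depth=$((depth + 1)); cur="$cur$c" ;;
            ')') if [ "$depth" -eq 0 ]; then
                     echo "split_tuples: unbalanced ')' in '$1'" >&2
                     return 1
                 fi
                 depth=$((depth - 1)); cur="$cur$c" ;;
            ',') if [ "$depth" -eq 0 ]; then
                     printf '%s\n' "$cur"; cur=""   # top-level comma: new tuple
                 else
                     cur="$cur$c"                   # comma inside (...): keep
                 fi ;;
            *)   cur="$cur$c" ;;
        esac
    done
    if [ "$depth" -ne 0 ]; then
        echo "split_tuples: unbalanced '(' in '$1'" >&2
        return 1
    fi
    printf '%s\n' "$cur"
}

# Stand-alone use: sh split_tuples.sh 'net:(1.2.3.4,2.3.4.5),dmz:(5.6.7.8,6.7.8.9)'
if [ "$#" -gt 0 ]; then
    split_tuples "$1"
fi
```

Run on the rules example from the announcement it prints net:(1.2.3.4,2.3.4.5) and dmz:(5.6.7.8,6.7.8.9) on separate lines; run on the unparenthesised net:1.2.3.4,2.3.4.5 it prints net:1.2.3.4 and then a bare 2.3.4.5, which is the mistake the parentheses requirement prevents.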
4) The CHAIN_SCRIPTS option in the .conf files has been eliminated,
and the compiler no longer looks for script files with the same
name as a chain or action.
If you are using such files, you will need to convert them into
equivalent ?begin perl .... ?end perl text or to use the
IP[6]TABLES target and/or inline matches.
See http://www.shorewall.org/Shorewall-5.html#idp41228128.
5) The --queue-cpu-fanout NFQUEUE option is now supported in NFQUEUE
rules and policies. It is enabled by following the high queue
number with the letter 'c' (e.g., NFQUEUE(0:3c)). This option
requires 'NFQUEUE CPU Fanout' support in your kernel and
ip[6]tables.
6) A SWITCH column has been added to the mangle files. See
shorewall[6]-mangle(5) for details.
7) A 'show ipsec' command has been added. This command displays the
contents of the IPSEC "Security Policy Database" (SPD) and
"Security Association Database" (SAD). SAD keys are not shown.
8) The Netfilter team have removed support for the rawpost table, so
Shorewall no longer supports features requiring that table
(stateless netmapping in the netmap file). The good news is that,
since kernel 3.7, Netfilter supports stateful IPv6 network mapping
which is now also supported in Shorewall6 (see
shorewall6-netmap(5)).
9) In the released tarballs, the action.* files now reside in a
separate Actions/ directory.
10) The 'echo' builtin in recent versions of the dash shell does not
support the -n option. To accommodate that version, Shorewall no
longer uses either the -e or -n options.
11) When LOAD_HELPERS_ONLY=No, additional modules required for NAT are
now loaded.
12) The (undocumented) Makefiles haven't been maintained for many
releases and have been removed.
Thank you for using Shorewall.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users