The Shorewall Team is pleased to announce the availability of Shorewall 5.2.0.

Problems Corrected:

1) This release includes defect repair through Shorewall 5.1.12.3.

2) Previously, optimize category 8 (combine identical chains) was applied before optimize category 16 (eliminate duplicate rules, ...). This could (and has) resulted in uncombined identical chains in the final ruleset. Beginning with this release:

   a) Optimize category 16 will be applied before optimize category 8.

   b) If optimize category 8 combined any chains, then optimize category 16 will be applied again.

   This change ensures that the final ruleset has no duplicate chains and that all compatible adjacent port and state rules are combined.

3) Previously, use of &lo would result in an error:

       ERROR: Can't determine the IP address of lo: Firewall state not changed

   That problem has been corrected such that &lo always expands to 127.0.0.1 (IPv4) or ::1 (IPv6).

New Features:

1) The MAPOLDACTIONS option in shorewall.conf has been removed. This option provided compatibility with releases prior to Shorewall 3.0. 'shorewall update' will remove the setting of this option from shorewall.conf.

2) The INLINE_MATCH option has been removed. Shorewall now behaves as if INLINE_MATCH=No had been specified:

   - A single semicolon (';') is used to separate column-oriented input from column-name/value input.

   - The preferred method of specifying column-name/value input is to enclose such input in curly braces ("{....}").

   - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES input. This is true in INLINE and IP[6]TABLES rules as well as rules with other targets.

   As part of this change, 'shorewall update' will replace ';' with ';;' in INLINE and IP[6]TABLES rules.

3) With the wide availability of ipset-based blacklisting, the need for the 'refresh' command has been largely eliminated. As a result, that command has been removed.

   Some users may have been using 'refresh' as a lightweight form of reload. The most common of these uses seems to be reloading traffic shaping after an interface has gone down and come back up. The best way to handle this situation under 5.2 is to make the interface 'optional' in your /etc/shorewall[6]/interfaces file, then either:

   - Install Shorewall-init and enable IFUPDOWN; or

   - Use the 'reenable' command when the interface comes back up in place of the 'refresh' command.

4) The following deprecated macros and actions have been removed:

       Action A_AllowICMPs - use AllowICMPs(A_ACCEPT)
       Action A_Drop       - see below
       Action A_Reject     - see below
       Action Drop         - see below
       Action Reject       - see below
       Macro  SNMPTrap     - use SNMPtrap

   The [A_]Drop and [A_]Reject actions are used primarily as policy actions. As part of this change, 'shorewall update' will update DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:

   IPv4

       DROP_DEFAULT=Drop       becomes Broadcast(DROP),Multicast(DROP)
       DROP_DEFAULT=A_Drop     becomes Broadcast(A_DROP),Multicast(A_DROP)
       REJECT_DEFAULT=Reject   becomes Broadcast(DROP),Multicast(DROP)
       REJECT_DEFAULT=A_Reject becomes Broadcast(A_DROP),Multicast(A_DROP)

   IPv6

       DROP_DEFAULT=Drop       becomes AllowICMPs,Broadcast(DROP),Multicast(DROP)
       DROP_DEFAULT=A_Drop     becomes AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
       REJECT_DEFAULT=Reject   becomes AllowICMPs,Broadcast(DROP),Multicast(DROP)
       REJECT_DEFAULT=A_Reject becomes AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)

   See the Migration Issues for additional information.

5) A 'show saves' command has been added to list the snapshots created using the 'save' command. Example:

       root@gateway:~# shorewall show saves
       Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018

       Saved snapshots are:

           Feb 15 10:08 foo
           Feb 14 12:34 restore (default)

       root@gateway:~#

   The snapshots are listed by creation time from latest to earliest. If the name of one matches the RESTOREFILE setting, that snapshot is marked as the default for the 'restore' command.

6) For installing into a Sandbox, the file shorewallrc.sandbox has been added to Shorewall-core. See http://www.shorewall.net/install.htm#idm327.

7) The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used and has been deleted. This removal has introduced a new capabilities version.

8) When a log message is issued from a chain that relates to a pair of zones (e.g., 'fw-net'), the chain name normally appears in the log message (unless LOGTAGONLY=Yes and a log tag is specified). This can prevent OPTIMIZE category 8 from combining chains which are identical except for chain names in logging rules.

   The new LOG_ZONE option in shorewall[6].conf allows for only the source or destination zone to appear in the messages by setting LOG_ZONE to 'src' or 'dst' respectively. If LOG_ZONE=both (the default), then the full chain name is included in log messages.

   Setting LOG_ZONE=src has been shown to decrease the size of the generated ruleset by more than 10 percent in some cases. Your results may vary.

9) Traditionally, when OPTIMIZE category 8 is enabled, identical chains are combined under a name beginning with '~comb' or '~blacklist'. Beginning with this release, setting RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that behavior. If RENAME_COMBINED=No, identical chains are combined under the original name of one of the chains.

10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally searched recursively for files newer than the compiled script. That was changed in Shorewall 5.1.10.2 such that only the listed directories themselves were searched. That broke some configurations that played tricks with embedded SHELL such as:

        SHELL cat /etc/shorewall/rules.d/loc/*.rules

    Prior to 5.1.10.2, a change to a file in or adding a file to /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning with 5.1.10.2, such changes would not trigger recompilation.

    Beginning with this release, the pre-5.1.10.2 behavior can be obtained by setting AUTOMAKE=recursive.

    Also beginning with this release, AUTOMAKE may be set to a numeric <depth> which specifies how deeply each listed directory is to be searched. AUTOMAKE=1 only searches each directory itself and is equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory and its immediate sub-directories; AUTOMAKE=3 will search each directory, each of its immediate sub-directories, and each of their immediate sub-directories, etc.

11) Previously, the maximum depth of INCLUDEs was four (although the documentation gave the limit as three). Beginning with this release, that limit has been raised to 20.

12) Support for the deprecated 'masq' file has been deleted. Any existing 'masq' file will automatically be converted to the equivalent 'snat' file.

13) Three new shorewall commands have been implemented:

    a) show rc

       Displays the contents of the shorewallrc file ($SHAREDIR/shorewall/shorewallrc).

    b) getcaps

       Generates a capabilities file on a remote system and copies it to a directory on the local system.

    c) getrc

       Copies the shorewallrc file from a remote system to a directory on the local system.

    See shorewall(8) for details.

    Implemented by Matt Darfeuille

Thank you for using Shorewall,

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
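The conversions that 'shorewall update' performs for items 1, 2 and 4 above, reimplemented here as an added example so they can be checked against a configuration before running the real update; this is not Shorewall's own update code, and the sample shorewall.conf settings and rules lines are constructed.

```python
import re

# Item 4: deprecated policy actions and their IPv4 replacements.
_POLICY_MAP = {
    "DROP_DEFAULT=Drop": "Broadcast(DROP),Multicast(DROP)",
    "DROP_DEFAULT=A_Drop": "Broadcast(A_DROP),Multicast(A_DROP)",
    "REJECT_DEFAULT=Reject": "Broadcast(DROP),Multicast(DROP)",
    "REJECT_DEFAULT=A_Reject": "Broadcast(A_DROP),Multicast(A_DROP)",
}
_RAW_TARGETS = ("INLINE", "IPTABLES", "IP6TABLES")


def update_conf(text, ipv6=False):
    """Drop MAPOLDACTIONS (item 1) and map DROP_DEFAULT/REJECT_DEFAULT (item 4);
    the IPv6 form gets the extra leading AllowICMPs entry from the table above."""
    out = []
    for line in text.splitlines():
        if line.startswith("MAPOLDACTIONS="):
            continue
        m = re.match(r'^(DROP_DEFAULT|REJECT_DEFAULT)="?([A-Za-z_]+)"?\s*$', line)
        key = f"{m.group(1)}={m.group(2)}" if m else None
        if key in _POLICY_MAP:
            value = _POLICY_MAP[key]
            if ipv6:
                value = ("AllowICMPs(A_ACCEPT)," if "=A_" in key else "AllowICMPs,") + value
            line = f"{m.group(1)}={value}"
        out.append(line)
    return "\n".join(out) + "\n"


def update_rules(text):
    """Item 2: a single ';' in INLINE and IP[6]TABLES rules used to introduce raw
    iptables matches; 5.2 requires ';;', so double it (an existing ';;' is kept)."""
    out = []
    for line in text.splitlines():
        body, sep, comment = line.partition("#")   # never touch trailing comments
        target = re.split(r"[\s(:]", body.lstrip(), maxsplit=1)[0]
        if target in _RAW_TARGETS:
            body = re.sub(r"(?<!;);(?!;)", ";;", body)
        out.append(body + sep + comment)
    return "\n".join(out) + "\n"


# Constructed sample input, not taken from any real configuration.
SAMPLE_CONF = "MAPOLDACTIONS=No\nDROP_DEFAULT=Drop\nREJECT_DEFAULT=A_Reject\nLOG_ZONE=both\n"
SAMPLE_RULES = """#ACTION   SOURCE  DEST  PROTO
ACCEPT    net     $FW   tcp ; dport=22
INLINE    net     $FW   ; -p tcp --dport 80 -m recent --name web --set
IPTABLES  loc     net   ;; -m owner --uid-owner 0
"""
```

Rules with other targets (the ACCEPT line) keep their single ';' as column-name/value separator, which is exactly why the update only touches INLINE and IP[6]TABLES rules.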
Shorewall-users mailing list: Shorewall-users@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/shorewall-users