The Shorewall Team is pleased to announce the availability of Shorewall

Problems Corrected:

1)  This release includes defect repair through Shorewall

2)  Previously, optimize category 8 (combine identical chains) was
    applied before optimize category 16 (eliminate duplicate rules,
    ...).  This could, and did, result in uncombined identical chains
    in the final ruleset. Beginning with this release:

    a) Optimize category 16 will be applied before optimize category 8.
    b) If optimize category 8 combined any chains, then optimize
       category 16 will be applied again.

    This change ensures that the final ruleset has no duplicate chains
    and that all compatible adjacent port and state rules are combined.
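
    As an added illustration (written for this page; it is not Shorewall's
    compiler code), the Python toy below models the two passes: optimize 16
    reduced to "drop a rule that repeats the rule immediately before it", and
    optimize 8 as "merge chains with identical bodies under a ~comb name and
    retarget the jumps". The chain and rule strings are constructed. The toy
    goes one step beyond the text in that it repeats the 16/8 pair until
    nothing changes instead of re-running 16 exactly once.

```python
# Toy model of Shorewall optimize categories 16 and 8 (added for this page;
# not Shorewall's own code). Chains are lists of iptables-style rule
# strings; '-j NAME' jumps to another chain in the same dict.
from typing import Dict, List

Chains = Dict[str, List[str]]


def eliminate_duplicates(chains: Chains) -> bool:
    """Optimize 16, reduced to its simplest case: remove a rule that exactly
    repeats the rule immediately before it. Returns True if anything changed."""
    changed = False
    for name, rules in list(chains.items()):
        kept: List[str] = []
        for rule in rules:
            if kept and kept[-1] == rule:
                changed = True
                continue
            kept.append(rule)
        chains[name] = kept
    return changed


def _retarget(rule: str, rename: Dict[str, str]) -> str:
    """Rewrite '-j OLD' to '-j NEW' for every chain that was combined away."""
    tokens = rule.split()
    for i in range(len(tokens) - 1):
        if tokens[i] == "-j" and tokens[i + 1] in rename:
            tokens[i + 1] = rename[tokens[i + 1]]
    return " ".join(tokens)


def combine_identical(chains: Chains) -> int:
    """Optimize 8: chains with identical bodies are replaced by one '~combN'
    chain and every jump to them is retargeted. Returns the number of
    chains absorbed (0 means nothing was combined)."""
    groups: Dict[tuple, List[str]] = {}
    for name in sorted(chains):
        groups.setdefault(tuple(chains[name]), []).append(name)
    rename: Dict[str, str] = {}
    n = sum(1 for k in chains if k.startswith("~comb"))  # avoid name clashes
    for body, names in groups.items():
        if len(names) < 2:
            continue
        n += 1
        combined = f"~comb{n}"
        chains[combined] = list(body)
        for name in names:
            rename[name] = combined
            del chains[name]
    if rename:
        for name in list(chains):
            chains[name] = [_retarget(r, rename) for r in chains[name]]
    return len(rename)


def optimize(chains: Chains, new_order: bool = True) -> Chains:
    """new_order=True is the 5.2 order from the text (16, then 8, then 16
    again when 8 combined something; here repeated until stable).
    new_order=False is the old order (8 first, then 16 once) that could
    leave identical chains uncombined."""
    chains = {k: list(v) for k, v in chains.items()}
    if new_order:
        eliminate_duplicates(chains)
        while combine_identical(chains):
            eliminate_duplicates(chains)
    else:
        combine_identical(chains)
        eliminate_duplicates(chains)
    return chains


# Constructed sample: net-fw carries a duplicated rule, so it only becomes
# identical to loc-fw after optimize 16 has run; 'dispatch' jumps to both.
SAMPLE: Chains = {
    "net-fw": ["-p tcp --dport 22 -j ACCEPT",
               "-p tcp --dport 22 -j ACCEPT",
               "-j DROP"],
    "loc-fw": ["-p tcp --dport 22 -j ACCEPT", "-j DROP"],
    "dispatch": ["-j net-fw", "-j loc-fw"],
}

if __name__ == "__main__":
    for label, order in (("old order (8 then 16)", False), ("5.2 order", True)):
        print(label)
        for name, rules in optimize(SAMPLE, order).items():
            print(f"  {name}: {rules}")
```

    Running optimize(SAMPLE, new_order=False) leaves net-fw and loc-fw
    identical but uncombined, which is the defect the text describes. The
    default order folds both into ~comb1 and then removes the duplicate jump
    that the merge created in 'dispatch', which is why 16 has to run again
    once 8 has combined something.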

3)  Previously, use of &lo would result in an error:

       ERROR: Can't determine the IP address of lo: Firewall state not

    That problem has been corrected such that &lo always expands to (IPv4) or ::1 (IPv6).

New Features:

1)  The MAPOLDACTIONS option in shorewall.conf has been removed. This
    option provided compatibility with releases prior to Shorewall 3.0.
    'shorewall update' will remove the setting of this option from

2)  The INLINE_MATCH option has been removed. Shorewall now behaves as
    if INLINE_MATCH=No had been specified:

    - A single semicolon (';') is used to separate column-oriented
      input from column-name/value input.

    - The preferred method of specifying column-name/value input is to
      enclose such input in curly braces ("{....}").

    - A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
      input. This is true in INLINE and IP[6]TABLES rules as well as
      rules with other targets.

    As part of this change, 'shorewall update' will replace ';' with
    ';;' in INLINE and IP[6]TABLES rules.
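
    The following Python is an added example for this page, not Shorewall's
    own code: it re-implements the ';' to ';;' rewrite that 'shorewall
    update' performs on INLINE and IP[6]TABLES rules, and includes a small
    splitter that shows why the rewrite is needed under the 5.2 conventions
    (a rule left with a single ';' would be read as column-name/value input
    rather than raw ip[6]tables input). It assumes whitespace-separated
    columns, '#' for comments, '?' for compiler directives and the three
    ACTION names listed in RAW_ACTIONS; the rules fragment is constructed.

```python
# Added example for this page (not Shorewall's own code): the ';' -> ';;'
# rewrite that the text says 'shorewall update' performs on INLINE and
# IP[6]TABLES rules, plus a splitter that shows why it is needed.
# Assumptions: whitespace-separated columns, '#' starts a comment, '?'
# starts a compiler directive, and the ACTION names listed below.
import re
from typing import List, Tuple

RAW_ACTIONS = ("INLINE", "IPTABLES", "IP6TABLES")


def split_rule(line: str) -> Tuple[List[str], str, str]:
    """Split a 5.2-style rule into (columns, column-name/value text, raw
    ip[6]tables text): ';;' introduces raw input, '{...}' or a single ';'
    introduces column-name/value input."""
    body = line.split("#", 1)[0]
    raw = ""
    if ";;" in body:
        body, raw = body.split(";;", 1)
    name_value = ""
    braces = re.search(r"\{(.*?)\}", body)
    if braces:
        name_value = braces.group(1)
        body = body[:braces.start()] + body[braces.end():]
    elif ";" in body:
        body, name_value = body.split(";", 1)
    return body.split(), name_value.strip(), raw.strip()


def update_rule(line: str) -> str:
    """What 'shorewall update' does to one line: in an INLINE or IP[6]TABLES
    rule that still uses the pre-5.2 single ';' to introduce raw input,
    turn that ';' into ';;'. Every other line is returned unchanged."""
    stripped = line.lstrip()
    if not stripped or stripped[0] in "#?":
        return line
    action = stripped.split(None, 1)[0].upper().split("(", 1)[0]
    if action not in RAW_ACTIONS or ";;" in line:
        return line
    depth = 0
    for i, ch in enumerate(line):
        if ch == "#":
            break                       # trailing comment: stop scanning
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:  # first ';' outside braces
            return line[:i] + ";;" + line[i + 1:]
    return line


def update_rules(lines: List[str]) -> List[str]:
    """Apply update_rule to a whole rules file, preserving line order."""
    return [update_rule(line) for line in lines]


# Constructed pre-5.2 rules file fragment.
OLD_RULES = [
    "#ACTION          SOURCE  DEST  PROTO  DPORT",
    "ACCEPT           net     $FW   tcp    22",
    "ACCEPT           net     $FW   ; proto=tcp, dport=443",
    "INLINE(ACCEPT)   net     $FW   ; -p tcp --dport 80 -m conntrack --ctstate NEW",
    "IP6TABLES(DROP)  net     $FW   ;; -p icmpv6",
]

if __name__ == "__main__":
    for old, new in zip(OLD_RULES, update_rules(OLD_RULES)):
        print("changed" if old != new else "kept   ", new)
        print("        parsed as:", split_rule(new))
```

    Only the INLINE line changes; the ACCEPT rule that uses ';' for
    column-name/value input and the IP6TABLES rule that already uses ';;'
    are left alone, and split_rule shows the INLINE rule's iptables text
    moving from the name/value slot to the raw slot once it is converted.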

3)  With the wide availability of ipset-based blacklisting, the need
    for the 'refresh' command has been largely eliminated. As a result,
    that command has been removed.

    Some users may have been using 'refresh' as a lightweight form of
    reload. The most common of these uses seem to be for reloading
    traffic shaping after an interface has gone down and come back up.
    The best way to handle this situation under 5.2 is to make the
    interface 'optional' in your /etc/shorewall[6]/interfaces file,
    then either:

    - Install Shorewall-init and enable IFUPDOWN; or
    - Use the 'reenable' command when the interface comes back up
      in place of the 'refresh' command.

4)  The following deprecated macros and actions have been removed:

        Action A_AllowICMPs  - use AllowICMPs(A_ACCEPT)
        Action A_Drop        - see below
        Action A_Reject      - see below
        Action Drop          - see below
        Action Reject        - see below
        Macro SNMPTrap       - use SNMPtrap

     The [A_]Drop and [A_]Reject actions are used primarily as policy
     actions. As part of this change, 'shorewall update' will update
     DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:


         DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
         DROP_DEFAULT=A_Drop becomes
         REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
         REJECT_DEFAULT=A_Reject becomes


         DROP_DEFAULT=Drop becomes
         DROP_DEFAULT=A_Drop becomes
         REJECT_DEFAULT=Reject becomes
         REJECT_DEFAULT=A_Reject becomes

    See the Migration Issues for additional information.

5)  A 'show saves' command has been added to list the snapshots
    created using the 'save' command.


      root@gateway:~# shorewall show saves
      Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018
      Saved snapshots are:

      Feb 15 10:08 foo
      Feb 14 12:34 restore (default)


    The snapshots are listed by creation time from latest to
    earliest. If the name of one matches the RESTOREFILE setting, that
    snapshot is marked as the default for the 'restore' command.

6)  For installing into a Sandbox, the file shorewallrc.sandbox has
    been added to Shorewall-core. See

7)  The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
    and has been deleted. This removal has introduced a new
    capabilities version.

8)  When a log message is issued from a chain that relates to a pair of
    zones (e.g., 'fw-net'), the chain name normally appears in the log
    message (unless LOGTAGONLY=Yes and a log tag is specified). This
    can prevent OPTIMIZE category 8 from combining chains which are
    identical except for chain names in logging rules. The new
    LOG_ZONE option in shorewall[6].conf allows only the source or
    destination zone to appear in the messages by setting LOG_ZONE to
    'src' or 'dst' respectively. If LOG_ZONE=both (the default), then
    the full chain name is included in log messages.

    Setting LOG_ZONE=src has been shown to decrease the size of the
    generated ruleset by more than 10 percent in some cases. Your
    results may vary.

9)  Traditionally, when OPTIMIZE category 8 is enabled, identical
    chains are combined under a name beginning with '~comb' or
    '~blacklist'. Beginning with this release, setting
    RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that
    behavior. If RENAME_COMBINED=No, identical chains are combined
    under the original name of one of the chains.

10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
    searched recursively for files newer than the compiled script. That
    was changed in Shorewall such that only the listed
    directories themselves were searched. That broke some
    configurations that played tricks with embedded SHELL such as:

       SHELL cat /etc/shorewall/rules.d/loc/*.rules

    Prior to, a change to a file in or adding a file to
    /etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
    with, such changes would not trigger

    Beginning with this release, the pre- behavior can be
    obtained by setting AUTOMAKE=recursive.

    Also beginning with this release, AUTOMAKE may be set to a numeric
    <depth> which specifies how deeply each listed directory is to be
    searched. AUTOMAKE=1 only searches each directory itself and is
    equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory
    and its immediate sub-directories; AUTOMAKE=3 will search each
    directory, each of its immediate sub-directories, and each of their
    immediate sub-directories, etc.
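
    The following Python is an added example for this page (not Shorewall's
    own code) that models the AUTOMAKE settings just described: Yes/1 looks
    only at files directly in each CONFIG_PATH directory, a number N descends
    N levels counting the listed directory as level 1, and 'recursive'
    descends without limit. The "compiled script newer than every
    configuration file" comparison follows the text; the directory layout,
    file names and modification times are constructed in a temporary
    directory so the example runs offline.

```python
# Added example for this page (not Shorewall's own code): a model of the
# AUTOMAKE check described above. The mtime comparison follows the text;
# the directory layout and file names are constructed.
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Iterator, Optional


def search_depth(automake) -> Optional[int]:
    """Map an AUTOMAKE value to how many directory levels are examined:
    0 = never skip compilation (No), 1 = the listed directory itself
    (Yes), N = N levels, None = unlimited (recursive)."""
    value = str(automake).strip().lower()
    if value in ("", "no", "0"):
        return 0
    if value == "yes":
        return 1
    if value == "recursive":
        return None
    depth = int(value)
    if depth < 1:
        raise ValueError(f"AUTOMAKE={automake!r}: depth must be >= 1")
    return depth


def config_files(directory: Path, depth: Optional[int]) -> Iterator[Path]:
    """Yield the files under `directory`, descending at most `depth`
    levels (level 1 is the directory itself; None = no limit)."""
    for root, dirs, files in os.walk(directory):
        level = len(Path(root).relative_to(directory).parts) + 1
        if depth is not None and level >= depth:
            dirs[:] = []            # prune: do not descend any further
        for f in files:
            yield Path(root, f)


def needs_recompile(config_path: Iterable[Path], compiled_script: Path,
                    automake) -> bool:
    """True when the compiled script must be rebuilt: AUTOMAKE=No, no script
    yet, or some configuration file within the search depth is newer."""
    depth = search_depth(automake)
    if depth == 0 or not compiled_script.exists():
        return True
    script_mtime = compiled_script.stat().st_mtime
    return any(f.stat().st_mtime > script_mtime
               for d in config_path for f in config_files(Path(d), depth))


def demo() -> Dict[object, bool]:
    """Build a constructed /etc/shorewall-like tree in a temporary directory
    and evaluate each AUTOMAKE setting against it. Modification times are
    set explicitly so the result does not depend on the clock."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "shorewall")
        deep = cfg / "rules.d" / "loc"
        deep.mkdir(parents=True)
        script = Path(tmp, "firewall")          # the compiled script
        for path, mtime in ((cfg / "shorewall.conf", 500),
                            (cfg / "rules", 500),
                            (deep / "ssh.rules", 2000),   # newer than script
                            (script, 1000)):
            path.write_text("")
            os.utime(path, (mtime, mtime))
        return {setting: needs_recompile([cfg], script, setting)
                for setting in ("Yes", 2, 3, "recursive", "No")}


if __name__ == "__main__":
    for setting, result in demo().items():
        print(f"AUTOMAKE={setting!s:<10} recompile: {result}")
```

    With the newer file two levels below the listed directory, AUTOMAKE=Yes
    and AUTOMAKE=2 report nothing to do (the SHELL-included file is
    invisible to them), while AUTOMAKE=3 and AUTOMAKE=recursive trigger the
    recompilation the text describes as the pre-change behaviour.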

11) Previously, the maximum depth of INCLUDEs was four (although the
    documentation gave the limit as three). Beginning with this
    release, that limit has been raised to 20.

12) Support for the deprecated 'masq' file has been deleted. Any
    existing 'masq' file will automatically be converted to the
    equivalent 'snat' file.

13) Three new shorewall commands have been implemented:

    a)  show rc

        Displays the contents of the shorewallrc file

    b)  getcaps

        Generates a capabilities file on a remote system and copies it
        to a directory on the local system.

    c)  getrc

        Copies the shorewallrc file from a remote system to a directory
        on the local system.

    See shorewall(8) for details.

    Implemented by Matt Darfeuille

Thank you for using Shorewall,

Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
                     \   understand
