Shorewall 5.2.1 is now available for download.

Problems Corrected:
1) This release contains defect repair up through Shorewall 5.2.0.5.

2) Previously, if:

   a) IP[6]TABLES was not set in shorewall[6].conf; and

   b) the ip[6]tables binary was not found on the PATH,

   then a shell 'not found' error was generated on 'fatal-error'. That has been corrected (Matt Darfeuille).

3) A number of files in the Shorewall-common package have had their heading version updated to version 5.2 (Matt Darfeuille).

4) Previously, if statistical load balancing ('load=<load-factor>' in provider OPTIONS) was configured on providers that shared an interface, then the compiler would fail with an assertion failure. That has been corrected so that this combination now works as expected.

5) Where two or more providers share a network interface, the 'optional' interface/provider option has never worked correctly. Beginning with this release, the 'optional' option is disallowed on such interfaces and providers.

6) Previously, when rate limiting was applied to a DNAT or REDIRECT rule, rate limiting was applied to the accompanying ACCEPT rule. Since logging is applied in the DNAT/REDIRECT rule, if the connection failed the rate limit then the connection attempt could be logged twice - once in the nat table and once when the applicable policy was applied. Beginning with this release, rate limiting is applied to the DNAT/REDIRECT rule so that no nat-table logging occurs if the connection attempt exceeds the rate limit.

7) Some regular expressions used in Shorewall's Perl code will be disallowed by Perl version 5.23. These have been changed to be acceptable to that version of Perl.

8) Previously, if SNAT(detect) was used on an optional interface and the resulting ip[6]tables rule was unreachable, then invalid shell code was generated similar to:

       if [ "$SW_PPP1_ADDRESS" != 0.0.0.0 ]; then
       fi

   That has been corrected such that the above code is not generated and a warning message is issued indicating that the rule generated no ip[6]tables rule.
New Features:

1) New macros for IPFS (https://ipfs.io/) have been contributed by Răzvan Sandu.

2) Several new man pages have been added:

   - shorewall-addresses(5) describes specification of addresses in shorewall configuration files.
   - shorewall-files(5) describes the shorewall configuration files together with features common to multiple files.
   - shorewall-logging(5) describes shorewall's logging facilities.
   - shorewall-names(5) describes restrictions on names used in Shorewall configuration files.

   Additional man pages will be included in future 5.2.1 pre-releases.

3) In the SOURCE and DEST columns, it is now possible to exclude an interface by preceding the interface name with '!'. This is useful for excluding the loopback interface (lo). Example from the mangle file:

       #ACTION     SOURCE          DEST
       DROP:T      127.0.0.0/8     !lo

4) The MARK, CONNMARK, SAVE and RESTORE commands may now be placed in the nat table through use of new chain designators in the mangle file:

       NP - nat table PREROUTING chain
       NI - nat table INPUT chain
       NO - nat table OUTPUT chain
       NT - nat table POSTROUTING chain

5) When TC_EXPERT=Yes, it is now possible to specify any mark/mask values that are displayed by the 'show marks' command, including the Exclusion and TPROXY values.

6) The configure and install scripts now support ALT Linux (Alexey Shabalin).

7) The verbosity of the 'remote-*' CLI commands has been increased (Matt Darfeuille).

8) You may now specify a VLSM in the RATE columns of the policy and rules files, when per-IP limiting is used. This results in one hash table entry per subnet rather than one entry per host, and applies the limit to the subnet. See shorewall-policy(5) and shorewall-rules(5) for details. This provides a means for reducing the size of the hash tables.

9) You may now specify the number of hash table buckets and the maximum number of hash table entries in the RATE columns of the policy and rules files, when per-IP limiting is used.
   This allows you to increase the size of the tables to more fully handle DDoS attacks. See shorewall-policy(5) and shorewall-rules(5) for details.

10) Eric Teeter has contributed a macro for Cockpit.

Thank you for using Shorewall,

-Tom

-- 
Tom Eastep          \   Q: What do you get when you cross a mobster with
Shoreline,           \     an international standard?
Washington, USA       \  A: Someone who makes you an offer you can't
http://shorewall.org   \   understand
                        \_______________________________________________
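The per-IP limiting changes in items 8 and 9 (a VLSM key and a cap on hash table entries) can be seen in a small Python model, added here and not part of the announcement or of Shorewall itself: it keys a token bucket by the masked source address and shows that a /24 key collapses 20 hosts into one entry that is limited as a group, while an entry cap refuses new keys once the table is full. The drop-when-full behaviour, the rate and burst values, and all sample addresses are constructed assumptions.

```python
import ipaddress


class SubnetRateLimiter:
    """Token bucket keyed by the masked source address (constructed model of
    the per-IP hashlimit behaviour described above; not Shorewall code)."""

    def __init__(self, rate_per_sec, burst, vlsm=32, max_entries=None):
        self.rate = float(rate_per_sec)  # tokens refilled per second
        self.burst = float(burst)        # bucket size
        self.vlsm = vlsm                 # prefix length used to build the key
        self.max_entries = max_entries   # cap on table entries (None = unbounded)
        self.entries = {}                # subnet -> [tokens, last_seen]

    def key(self, src):
        # Mask the address to /vlsm so all hosts in the subnet share one entry.
        return str(ipaddress.ip_network(f"{src}/{self.vlsm}", strict=False))

    def allow(self, src, now):
        k = self.key(src)
        entry = self.entries.get(k)
        if entry is None:
            if self.max_entries is not None and len(self.entries) >= self.max_entries:
                return False  # table full: modelled as a dropped packet (assumption)
            entry = self.entries[k] = [self.burst, now]
        tokens, last = entry
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            entry[:] = [tokens - 1.0, now]
            return True
        entry[:] = [tokens, now]
        return False


def simulate(limiter, packets):
    """Feed (time, source) pairs through the limiter; return (accepted, dropped, entries)."""
    accepted = dropped = 0
    for t, src in packets:
        if limiter.allow(src, t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, len(limiter.entries)


# Constructed sample: 20 distinct hosts in 10.0.0.0/24, one packet each at t=0.
SAMPLE_BURST = [(0.0, f"10.0.0.{i}") for i in range(1, 21)]

if __name__ == "__main__":
    print(simulate(SubnetRateLimiter(1, 5, vlsm=32), SAMPLE_BURST))  # (20, 0, 20)
    print(simulate(SubnetRateLimiter(1, 5, vlsm=24), SAMPLE_BURST))  # (5, 15, 1)
```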
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users