Shorewall 5.2.3.7 is now available for download.

Problems Corrected:

1) When DOCKER=Yes, if both the DOCKER-ISOLATE and DOCKER-ISOLATE-STAGE-1
   chains existed, the DOCKER-ISOLATE-STAGE-* chains were not preserved
   through Shorewall state changes. That has been corrected so that both
   chains are preserved if present.

2) Previously, the compiler always detected the OLD_CONNTRACK_MATCH
   capability as being available in IPv6. When OLD_CONNTRACK_MATCH was
   available, the compiler also mishandled inversion ('!') in the ORIGDEST
   columns, leading to an assertion failure:

      Shorewall::Config::fatal_error("Internal error in Shorewall::Chains::set_rule_option at /usr/"...) called at /usr/share/shorewall/Shorewall/Config.pm line 1619

   Both the incorrect capability detection and the mishandled inversion
   have been corrected.

3) During 'enable' processing, if the address variables associated with
   the interface have values different from those when the firewall was
   last started/restarted/reloaded, a 'reload' is performed rather than a
   simple 'enable'. The logic that checks for those changes was incorrect
   in some configurations, leading to unneeded reload operations. That has
   been corrected.

4) When MANGLE_ENABLED=No in shorewall[6].conf, some features requiring
   use of the mangle table could be allowed even though the mangle table
   is not updated. That has been corrected such that use of such features
   now raises an error.

5) When the IfEvent(...,reset) action was invoked, the compiler previously
   emitted a spurious "Resetting..." message. That message has been
   suppressed.

Known Problems Remaining:

1) On systems running Upstart, shorewall-init cannot reliably secure the
   firewall before interfaces are brought up.

2) The 'enable', 'reenable' and 'disable' commands do not work correctly
   in configurations with USE_DEFAULT_RT=No and optional providers listed
   in the DUPLICATE column.

3) While the 'ip' utility now accepts IPv6 routes with multiple 'nexthop'
   destinations, these routes are not balanced. They are instead
   instantiated as a sequence of single routes with different metrics.
   Furthermore, the 'ip route replace' command fails on such routes.
   Beginning with Shorewall6 5.0.15, the generated script uses a
   "delete..add.." sequence on these routes rather than a single "replace"
   command.

4) On Debian-derived systems, when DOCKER=Yes, the 'systemctl restart
   shorewall' command loses Docker rules.

   Workaround (courtesy of J Cliff Armstrong):

   Type (as root): `systemctl edit shorewall.service`. This will open the
   default terminal editor on a blank file into which you can paste the
   following:

      [Service]
      # reset ExecStop
      ExecStop=
      # set ExecStop to "stop" instead of "clear"
      ExecStop=/sbin/shorewall $OPTIONS stop

   Then type `systemctl daemon-reload` to activate the changes. This change
   will survive future updates of the shorewall package from apt
   repositories. The override file itself will be saved to
   `/etc/systemd/system/shorewall.service.d/`.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \ with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \ can't understand
                          \________________________________________
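The systemd drop-in workaround for known problem 4, scripted as an added example that is not part of this announcement or of the Shorewall package: it writes the same override non-interactively and then checks the effective unit's ExecStop list before a restart is relied upon. The file name override.conf and the assumption that the packaged unit's ExecStop runs 'clear' are mine.

```shell
#!/bin/sh
# Added example (not Shorewall project code). Assumes systemd's systemctl
# and the drop-in directory named in the announcement.
DROPIN_DIR=/etc/systemd/system/shorewall.service.d
DROPIN_FILE="$DROPIN_DIR/override.conf"   # file name is an assumption

# Render the drop-in. The empty "ExecStop=" clears the packaged command
# list; without it systemd would run the packaged "clear" AND our "stop".
render_override() {
    printf '%s\n' '[Service]' '# reset ExecStop' 'ExecStop=' \
        '# set ExecStop to "stop" instead of "clear"' \
        'ExecStop=/sbin/shorewall $OPTIONS stop'
}

# Return 0 if the effective unit text (e.g. output of "systemctl cat")
# ends its ExecStop list with "stop" rather than "clear".
stops_instead_of_clears() {
    printf '%s\n' "$1" | grep '^ExecStop=' | grep -v '^ExecStop=$' \
        | tail -n 1 | grep -q ' stop$'
}

# Install the drop-in, reload systemd, and verify it actually took effect.
install_override() {
    mkdir -p "$DROPIN_DIR"
    render_override > "$DROPIN_FILE"
    systemctl daemon-reload
    stops_instead_of_clears "$(systemctl cat shorewall.service)" \
        || { echo "override not effective; restart would still clear" >&2; return 1; }
}
```

Run install_override as root; it returns non-zero if the unit would still end with a 'clear' on stop.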
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users