Given the size of the changes included in this version, I decided to have one more Beta before RC1.

Problems Corrected:
1) Previously, under very rare circumstances, a chain would be
optimized away while there were still jumps to the chain. This
caused Shorewall start/restart to fail during iptables-restore.
2) Previously, the setting of BLACKLIST_DISPOSITION was not
validated. Now, an error is raised unless the value is DROP or
REJECT.

New Features:
1) (Updated) Action processing has been largely re-implemented in this
release. The prior implementation contained a lot of duplicated
code which made maintenance difficult. The old implementation
pre-processed all action files early in the compilation process and
then post-processed the ones that had been actually used after the
rules file had been read. The new algorithm generates the chain for
each unique action invocation at the time that the invocation is
encountered in the rules file.

Consideration was given to eliminating the
/usr/share/shorewall/actions.std and /etc/shorewall/actions files,
since it is possible to discover actions "on the fly" in the same
way as macros are discovered. That change was ultimately rejected
because it could cause migration issues for users with macros and
actions with the same name (e.g., action.xxx and macro.xxx). If a
new major release of Shorewall (e.g., 4.6) is created, that change
will be reconsidered for inclusion at that time.

There is now support for parameterized actions. The parameters are
a comma-separated list enclosed in parentheses following the
action name (e.g., ACT(REDIRECT,192.168.1.4)). Within the action
body, the parameter values are available in $1, $2, etc.

You can 'omit' a parameter in the list by using '-'; e.g.,
(REDIRECT,-,info) would omit the second parameter (within the action
body, $2 would expand to nothing). If you want to specify '-' as a
parameter value, use '--'.

Parameter values are also available to extension scripts. See
http://www.shorewall.net/Actions.html#Extension for more
information.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
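
The parameterized-action syntax described in the announcement above, modelled as an added example; this is not Shorewall's own code (Shorewall is written in Perl). The function names, the name pattern, the treatment of parameters beyond the end of the list, and the sample body line are assumptions made for illustration.

```python
import re

# Hypothetical model of the invocation syntax: NAME or NAME(p1,p2,...).
# The allowed characters in NAME are an assumption, not taken from Shorewall.
INVOCATION = re.compile(r'^(?P<name>[A-Za-z]\w*)(?:\((?P<params>.*)\))?$')


def parse_invocation(target):
    """Split an action invocation into (name, [parameter values])."""
    m = INVOCATION.match(target.strip())
    if not m:
        raise ValueError(f"malformed action invocation: {target!r}")
    raw = m.group('params')
    if not raw:                      # no parentheses, or empty "()"
        return m.group('name'), []
    params = []
    for value in raw.split(','):
        value = value.strip()
        if value == '-':
            params.append('')        # '-' omits the parameter
        elif value == '--':
            params.append('-')       # '--' stands for a literal '-'
        else:
            params.append(value)
    return m.group('name'), params


def expand(body_line, params):
    """Substitute $1, $2, ... in one line of an action body."""
    def substitute(m):
        index = int(m.group(1))
        # Assumption: a reference past the end of the list expands to
        # nothing, the same as an omitted parameter.
        return params[index - 1] if index <= len(params) else ''
    return re.sub(r'\$([1-9]\d*)', substitute, body_line)


if __name__ == '__main__':
    # Constructed body line, only to show substitution; not a tested rule.
    body = '$1 net $2 tcp 80'
    for target in ('ACT(REDIRECT,192.168.1.4)', 'ACT(REDIRECT,-,info)',
                   'ACT(--,x)'):
        name, params = parse_invocation(target)
        print(f'{target:28} -> {params!r:32} {expand(body, params)!r}')
```
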
