Beta 2 is now available for testing.

Problems Corrected since Beta 1:
1) References to the obsolete USE_ACTIONS option have been removed
from the manpages.
2) NFLOG has been documented for some time as a valid ACTION in the
rules files but support for that action was never implemented
until this release.
3) The Checksum Target capability detection in the rules compiler was
broken with the result that the presence of the capability was not
detected.
4) If an interface named in the INTERFACE column was not defined in
tcdevices and if the REDIRECTED column for that entry was
non-empty, then compile-time Perl diagnostics were generated and an
invalid firewall script was generated.
5) When LOAD_HELPERS_ONLY=No, the 'compile' command previously left
behind a temporary chain in the raw table.
6) Under very rare circumstances involving exclusion in multiple
Netfilter tables, optimization level 8 could result in
start/restart failure or jumps to the wrong exclusion chain.
7) 4.5.9.2 broke multi-ISP on RHEL5-based systems. This release
includes a patch from Tuomo Soini that corrects the problem.
8) The 'debug' keyword is no longer ignored by the 'try', 'stop' and
'clear' command executors.
9) Using the 'NOTRACK' action in the stoppedrules file was previously
broken when $FW was specified in the SOURCE column. In such cases,
the generated rule was being placed incorrectly in the filter table
rather than in the raw table which resulted in a failure of the
'stop' and 'clear' commands.

New Features added since Beta 1:
1) The /etc/shorewall/secmarks and /etc/shorewall6/secmarks files now
support the UNTRACKED state. See the manpages for details.
2) The /etc/shorewall/conntrack and /etc/shorewall6/conntrack files
now support a DROP target.
As part of this change, the handling of 'all' has been improved in
these files. When 'all' is specified in the SOURCE column, the
resulting rule is added directly to the PREROUTING and OUTPUT
chains. Additionally, 'all' may be qualified with network/host
addresses, ipsets, etc. Rules specifying $FW in the SOURCE column
are added directly to the OUTPUT chain.
It is now possible to specify 'all-' in the SOURCE column which
causes the rule to be added directly in the PREROUTING chain.
A consequence of this change is that 'all', 'all-' and '$FW' rules
will be processed after rules naming a specific zone.
3) A SWITCH column has been added to the /etc/shorewall/conntrack and
/etc/shorewall/conntrack6 files.
4) An AUDIT action has been added to the /etc/shorewall/rules and
/etc/shorewall6/rules files.
5) The audited targets (A_ACCEPT, A_DROP, etc.) are now supported in
/etc/shorewall6/rules.
6) An additional format (3) has been added to the conntrack files. In
this format, zone names are not used in the SOURCE column; rather,
a suffix in the ACTION column determines which raw-table chain the
generated Netfilter rule will be placed in. See the manpages for
details.

Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel