Beta 4 is now available for testing.

Problems Corrected since Beta 3:
1) If a chain consisted of a single RETURN rule, optimize level 4
would handle it incorrectly by moving the RETURN rule to the
chain(s) that jumped to the single-rule chain. The optimizer now
simply eliminates the chain and rule.
New in Beta 4:
As part of this change, the optimizer now deletes trailing RETURN
rules from chains.
New Features since Beta 3:
1) There are now 'Related', 'Untracked' and 'Established' actions that
match packets in the RELATED and UNTRACKED states respectively.
These actions are in-line and have a single parameter that
specifies the action to be taken. The action may be anything that
is valid in the ACTION column of the rules file.
As part of this change, action.Invalid, action.NotSyn and
action.RST are also inline and can accept an arbitrary action as an
argument. The 'audit' parameter, while still accepted, is
deprecated in favor of passing 'A_ACCEPT' etc. directly to the
inline.
2) The preceding enhancement required infrastructure for allowing
BEGIN PERL...END PERL to function in the body of an inline action.

    use Shorewall::Rules;
    perl_action_helper( $target, $matches )

$target is the target of the rule and may include log level and
tag (e.g., 'DROP:info:foo').
$matches is a string containing one or more ip[6]tables
matches. The string must end with a space.
Example: "-m conntrack --state ESTABLISHED ".
The function returns true.
This function may be called in both inline and regular actions. In
an inline action, the matches from the invoking rule (SOURCE, DEST,
etc) are applied (in addition to the match(es) passed). In a regular
action only the passed matches are applied to the rule.
3) To allow finer-grained selection of the connection-tracking states
that are passed through blacklists (both dynamic and static), a
BLACKLIST option has been added in shorewall.conf and
shorewall6.conf.
The BLACKLISTNEWONLY option is now deprecated. A 'shorewall update'
( 'shorewall6 update' ) will replace the BLACKLISTNEWONLY option
with the equivalent BLACKLIST option.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
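
The optimize-level-4 correction in item 1 under "Problems Corrected", as an added example that is not Shorewall's optimizer code and not part of the original message. It is a toy model in which every rule matches every packet; the chain names, function names and the reading of the Beta 3 behaviour as "replace the jump with RETURN" are assumptions.

```python
# Toy model: a ruleset maps chain name -> ordered list of rule targets.
BUILTIN = {"INPUT"}

def verdict(chains, chain="INPUT", policy="DROP"):
    """First terminating target reached from `chain`, else the policy."""
    def walk(name):
        for target in chains[name]:
            if target == "RETURN":
                return None              # back to the calling chain
            if target in chains:
                result = walk(target)    # jump into a user chain
                if result:
                    return result
            else:
                return target            # ACCEPT, DROP, ...
        return None                      # fell off the end of the chain
    return walk(chain) or policy

def beta3_inline(chains):
    """Model of the incorrect handling: the lone RETURN lands in the caller."""
    lone = {n for n, r in chains.items() if r == ["RETURN"]}
    return {n: ["RETURN" if t in lone else t for t in r]
            for n, r in chains.items() if n not in lone}

def beta4_eliminate(chains):
    """Model of the fix: drop trailing RETURNs, then delete user chains left
    empty together with the rules that jump to them."""
    chains = {n: list(r) for n, r in chains.items()}
    changed = True
    while changed:
        changed = False
        for name, rules in chains.items():
            while name not in BUILTIN and rules and rules[-1] == "RETURN":
                rules.pop()
                changed = True
        empty = {n for n, r in chains.items() if not r and n not in BUILTIN}
        if empty:
            chains = {n: [t for t in r if t not in empty]
                      for n, r in chains.items() if n not in empty}
            changed = True
    return chains

# Constructed sample: 'noop' consists of a single RETURN rule.
SAMPLE = {"INPUT": ["net-fw"], "net-fw": ["noop", "ACCEPT"], "noop": ["RETURN"]}

if __name__ == "__main__":
    print(verdict(SAMPLE), verdict(beta3_inline(SAMPLE)),
          verdict(beta4_eliminate(SAMPLE)))
```

In the model, moving the RETURN into `net-fw` makes the packet leave that chain before its ACCEPT rule, so the verdict changes; eliminating the chain and the jump leaves it unchanged.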
