Happy New Year everyone.

Shorewall 4.6.0 Beta 1 is now available for testing. Given that this is
a new major release, the Beta releases should be treated as RFCs;
nothing is cast in stone at this point.

Please note that updated documentation is available only on the web
sites hosting the new site layout:

http://www.shorewall.org (both IPv4 and IPv6)
http://www.shorewall.fi (both IPv4 and IPv6)
http://www.shorewall.net (IPv6 only -- the IPv4 site is still hosting
the old layout).

New Features:

1)  SECTION entries in the accounting and rules files now allow
    "SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The
    new form is preferred and if any SECTION entries do not have the
    question mark, a warning is issued (see Migration Issues below).

2)  The default setting for ZONE2ZONE has been changed from '2' to '-'
    for increased readability when zone names contain '2'.

3)  The 'tcrules' file has been superseded by the 'mangle'
    file. Existing 'tcrules' files will still be processed, with the
    restriction that TPROXY is no longer supported in FORMAT 1.

    If your 'tcrules' file has non-commentary entries, the following
    warning message is issued:

        WARNING: Non-empty tcrules file (...); please move its contents
                 to the mangle file.

4)  Prior to now, the ability to specify raw iptables matches has been
    tied to the INLINE action. Beginning with this release, the two can
    be separated by specifying INLINE_MATCHES=Yes.

    When INLINE_MATCHES=Yes, then inline matches may be specified after
    a semicolon in the following files:

      action files
      macros
      rules
      mangle
      masq

    Note that semicolons are not allowed in any other files. If you
    want to use the alternative input format in those files, then you
    must enclose the specifications in curly brackets ({...}). The -i
    option of the 'check' command will warn you of lines that need to
    be changed from using ";" to using "{...}".

6)  The 'conntrack', 'raw', 'mangle' and 'rules' files now support an
    IPTABLES (IP6TABLES) action. This action is similar to INLINE in
    that it allows arbitrary ip[6]tables matches to be specified after a
    semicolon (even when INLINE_MATCHES=No). It differs in that the
    parameter passed is an iptables target with target options.

    Example (rules file):

       #ACTION                          SOURCE  DEST    PROTO
       IPTABLES(TARPIT --honeypot)      net     pot

    If the particular target that you wish to use is unknown to
    Shorewall, you will get this error message:

       ERROR: Unknown TARGET (<target>)

    You can eliminate that error by adding your target as a builtin
    action in /etc/shorewall[6]/actions.

    As part of this change, the /etc/shorewall[6]/actions file options
    have been extended to allow you to specify the Netfilter table(s)
    where the target is accepted. When 'builtin' is specified, you can
    also include the following options:

         filter
         nat
         mangle
         raw

    If no table is given, 'filter' is assumed for backward
    compatibility.

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
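
A pre-upgrade lint for the migration points in items 1, 3 and 4 above, as an added example that is not part of the original announcement and is not Shorewall's own code. The action.*/macro.* file naming, the finding messages and the sample input are assumptions made here, and the function expects column-format files only (not shorewall.conf or params).

```python
import re

# Files where the announcement allows inline matches after ';' (with
# INLINE_MATCHES=Yes). The action.* / macro.* naming is an assumption here.
SEMICOLON_OK = re.compile(r"^(rules|mangle|masq|action\..+|macro\..+)$")
# Files in which SECTION entries appear, per item 1.
SECTION_FILES = {"accounting", "rules"}


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def lint(name, text):
    """Return (line_number, message) findings for one column-format file."""
    findings = []
    entries = [(n, strip_comment(l)) for n, l in enumerate(text.splitlines(), 1)]
    entries = [(n, l) for n, l in entries if l]  # keep non-commentary lines

    # Item 3: any non-commentary entry in tcrules triggers the warning.
    if name == "tcrules" and entries:
        findings.append((entries[0][0], "non-empty tcrules: move entries to mangle"))

    for n, line in entries:
        first = line.split()[0]
        # Item 1: SECTION without the leading '?' draws a warning.
        if name in SECTION_FILES and first == "SECTION":
            findings.append((n, "use ?SECTION instead of SECTION"))
        # Item 4: ';' is only accepted in the files listed above.
        if ";" in line and not SEMICOLON_OK.match(name):
            findings.append((n, "';' not allowed here: use {...}"))
    return findings


# Constructed sample input, not taken from a real configuration.
SAMPLE = {
    "rules": "?SECTION NEW\nSECTION ESTABLISHED\n"
             "ACCEPT net fw tcp 22 ; -m limit --limit 3/min\n",
    "interfaces": "#ZONE INTERFACE OPTIONS\nnet eth0 ; options=tcpflags\n",
    "tcrules": "# comments only\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLE.items():
        for lineno, msg in lint(fname, body):
            print(f"{fname}:{lineno}: {msg}")
```

The 'check' command with the -i option remains the authoritative check; this sketch only flags lines to review before running it.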
