Shorewall 5.1.1 is now available for download.

Problems Corrected:

1)  This release contains defect repair up through Shorewall 5.1.0.1.

2)  Previously, expanded variables would be enclosed in single quotes
    in ?ERROR, ?WARNING and ?INFO directive output. That has been
    corrected.

3)  The obsolete Drop and Reject macros have been removed (Drop and
    Reject are now actions rather than macros).

4)  A typo has been corrected in the parameter descriptions in
    action.Drop and action.Reject.

New Features:

1)  Previously, the compiler did not check for routefilter/provider
    issues. Now, a fatal compilation error is raised in the following
    cases:

    a)  USE_DEFAULT_RT=Yes, ROUTE_FILTER=Yes in shorewall.conf and a
        regular provider (not tproxy) is defined in the
        providers file.

    b)  USE_DEFAULT_RT=Yes and a provider interface specifies a
        non-zero value for the 'routefilter' option in the interfaces
        file.

    c)  USE_DEFAULT_RT=No, ROUTE_FILTER=Yes in shorewall.conf, and
        a provider interface doesn't specify the 'balance' or 'primary'
        option in the providers file.

    d)  USE_DEFAULT_RT=No, a provider interface specifies a non-zero
        value for the 'routefilter' option in the interfaces file but
        does not specify the 'balance' or 'primary' option in the
        providers file.

2)  When 'routefilter' is specified by itself or with a non-zero value
    (e.g., routefilter=1), the 'logmartians' option is now also set
    implicitly when LOG_MARTIANS=No. If you actually want route
    filtering without logging, then you must also include
    'logmartians=0'.

3)  Since the creation of the USE_DEFAULT_RT option, when
    USE_DEFAULT_RT=Yes, 'balance=1' is assumed on all provider
    interfaces unless 'fallback', 'load', 'primary', 'loose' or
    'tproxy' is specified. This makes it awkward to define a provider
    that does not generate a default route in either the 'balance' or
    'default' routing tables; it is necessary to specify 'loose' then
    add the routing rules that are suppressed by that option.

    To address this issue, it is now possible to specify
    BALANCE_PROVIDERS=No. When BALANCE_PROVIDERS=No and none of the
    above-listed options is specified, the provider will generate no
    entry in the 'balance' or 'default' routing tables irrespective of
    the setting of USE_DEFAULT_RT.

    All of the released shorewall[6].conf files now specify
    BALANCE_PROVIDERS=No. The default value is the effective setting of
    USE_DEFAULT_RT to provide backward compatibility with earlier
    releases.

4)  When using ipset-based dynamic blacklisting, it is now possible to
    specify BLACKLIST in the POLICY column of policy files. When
    BLACKLIST is specified, the source IP address is automatically
    added to the dynamic blacklist ipset and then the packet is
    dropped. This new policy adds BLACKLIST_DEFAULT to
    shorewall[6].conf; the default setting is "Drop".

5)  A BLACKLIST action has been added; the action adds the sender to
    the dynamic blacklist IPSET.

    BLACKLIST accepts two optional arguments:

    1 - Action to take after adding the sender to the ipset. Default is
        DROP.
    2 - Timeout for the added/updated entry.

    If no timeout is passed, the one specified in
    DYNAMIC_BLACKLIST, if any, is used. Otherwise, the one specified
    when the ipset was created, if any, is used.

6)  Given that there was already a BLACKLIST macro which implemented
    the BLACKLIST action in blrules, the preceding change required that
    BLACKLIST behave differently when invoked from the blrules file and
    when invoked from the rules file. Because BLACKLIST invoked from
    the rules file normally generates two rules, an action (not
    inlined) is more appropriate there than is a macro. When it is
    invoked from the blrules file, it only generates a single rule so
    the optimizer will inline it anyway.

    For historical reasons, the compiler treats the blrules file as if
    it were the section BLACKLIST in the rules file. So, to implement
    this dual behavior in the BLACKLIST action, a new 'section' option
    has been added in the action file. When 'section' is specified, the
    name of the current section and a comma are prepended to the
    argument list passed when invoking the action. The action.BLACKLIST
    file then has the following structure:

         ?if @1 eq 'BLACKLIST'
            <logic to generate rule from the blrules file>
         ?else
            <logic to generate rules from the rules file>
         ?endif

7)  There is now a 'show action <action>' command for Shorewall and
    Shorewall6. The command displays the action file for the specified
    <action>.
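
The four fatal cases listed under New Features item 1 can be checked against an existing configuration before upgrading. This is an added example, not code from the announcement or from Shorewall; the column layouts, the treatment of unset options as No and of a bare 'routefilter' as non-zero, and the sample files are assumptions.

```python
# Added example: a model of cases (a)-(d), not Shorewall's compiler code.
# Assumed layouts: interfaces = ZONE INTERFACE OPTIONS; providers =
# NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS. Unset options count as No.

def rows(text):
    """Column lists for each entry, skipping comments and ?directives."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [l.split() for l in lines if l and not l.startswith("?")]

def opts(row, col):
    """Parse an OPTIONS column such as 'track,balance=2' into a dict."""
    field = row[col] if len(row) > col else "-"
    pairs = [] if field == "-" else field.split(",")
    return dict((o.split("=", 1) + ["1"])[:2] for o in pairs)

def routefilter_errors(conf, providers, interfaces):
    """Return (case, provider) pairs that match cases (a)-(d) in the list."""
    cfg = dict(r[0].split("=", 1) for r in rows(conf) if "=" in r[0])
    yes = lambda key: cfg.get(key, "No").strip("\"'").lower() == "yes"
    # Assumption: a bare 'routefilter' counts as non-zero, like routefilter=1.
    filtered = {r[1] for r in rows(interfaces)
                if opts(r, 2).get("routefilter", "0") != "0"}
    errors = []
    for r in rows(providers):
        o, iface = opts(r, 6), r[4].split(":")[0]
        balanced = "balance" in o or "primary" in o
        if yes("USE_DEFAULT_RT"):
            # The text exempts tproxy providers in case (a) only.
            if yes("ROUTE_FILTER") and "tproxy" not in o:
                errors.append(("a", r[0]))
            if iface in filtered:
                errors.append(("b", r[0]))
        elif not balanced:
            if yes("ROUTE_FILTER"):
                errors.append(("c", r[0]))
            if iface in filtered:
                errors.append(("d", r[0]))
    return errors

# Constructed sample configuration (not from the announcement).
CONF = "USE_DEFAULT_RT=No\nROUTE_FILTER=No\n"
PROVIDERS = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
ISP1  1      1    -         eth0      detect  track,balance
ISP2  2      2    -         eth1      detect  track
"""
INTERFACES = """\
#ZONE INTERFACE OPTIONS
net   eth0      routefilter
net   eth1      routefilter=1,nosmurfs
"""
```

With the sample files, only ISP2 is reported, under case (d): its interface has route filtering enabled and the provider specifies neither 'balance' nor 'primary'.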

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________