The Shorewall Team is pleased to announce that Shorewall 4.5.9 is now
available for download.
----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) This release contains all defect repairs from Shorewall 4.5.8.2.
2) A typo has been corrected in the shorewallrc.default file.
3) Beginning with Shorewall 4.5.7.2, Shorewall unconditionally
restores the provider mark as the first rule in the mangle table
OUTPUT and PREROUTING chains. Previously, the provider mark was
restored only if it was non-zero.
It has become clear that some users need it one way while others
need it the other way. To resolve this issue, a RESTORE_ROUTEMARKS
option has been added to shorewall.conf and shorewall6.conf. When
this option is set to Yes (the default), the 4.5.7.2 approach is
used (always restore the mark, even if it is zero); when it is set
to No, the pre-4.5.7.2 behavior is retained (only restore the mark
if it is non-zero).
4) Two error messages produced by the RST action have been
corrected. They previously referred to errors in the NotSyn action
rather than RST.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably secure
the firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Prior to this release, if a dynamic zone was associated with more
than one interface, then Shorewall created a separate ipset for
each interface. This meant that multiple 'add' and 'delete'
commands might be required to change the zone composition.
This release introduces a 'dynamic_shared' zone option. When that
option is specified, a single ipset is generated regardless of the
number of entries the zone has in the hosts file.
The 'dynamic_shared' option may only be specified in the OPTIONS
column of the zones file.
The syntax of the 'add' and 'delete' commands is changed for zones
having the 'dynamic_shared' option:
add <zone> <address>[,<address> ... ]
delete <zone> <address>[,<address> ... ]
Example:
shorewall add direct 172.20.1.99
The syntax for 'add' and 'delete' for zones not having the
'dynamic_shared' option is unchanged.
2) Puppet and Teredo macros have been contributed by Paul Gear.
3) The 'show' command now supports a -b (brief) option that suppresses
listing of rules that have zero packet count and omits chains that
have no rules listed (Paul Gear).
4) A CHECKSUM action has been added to the tcrules files. This action
computes and fills in the checksum in a packet that lacks one.
This is particularly useful if you need to work around old
applications, such as DHCP clients, that do not work well with
checksum offload, but you don't want to disable checksum offload
on your device.
As part of this change, a new 'Checksum Target' capability has been
added, so if you use a capabilities file, it needs to be
re-generated after you install this release.
5) The 'shorewall6 show routing' command now sorts the contents of
each routing table in the same way as 'shorewall show routing'.
6) It is now possible to specify a mark range in the ACTION column of
the tcrules file. This causes the generated ruleset to assign marks
in the range in round-robin fashion. As part of this change, a
STATE column is also added that allows marks to be assigned only to
packets that are in one of the specified states (NEW, RELATED,
ESTABLISHED, etc.). Specifying NEW in this column along with
a range in the ACTION column allows for load-balancing SNAT rules
over a number of different external addresses.
Example:
/etc/shorewall/tcrules
#ACTION SOURCE DEST ...
1-3:CF eth1 172.20.1.0/24 ; state=NEW
/etc/shorewall/masq
#INTERFACE SOURCE ADDRESS ...
eth0 192.168.1.0/24 1.1.1.1 ; mark=1:C
eth0 192.168.1.0/24 1.1.1.5 ; mark=2:C
eth0 192.168.1.0/24 1.1.1.9 ; mark=3:C
Specifying a mark range requires the 'Statistics Match' capability
in your iptables and kernel.
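The following is an added example, not Shorewall-generated output and not
code from this release: a hand-written iptables equivalent of what item 6
describes, so that the mechanism behind the tcrules/masq fragment above is
visible. It marks the first packet of each new connection round-robin with
the statistic nth match, saves the mark as a connmark (the ':C' suffix), and
selects the SNAT address by connmark. The interface names, the LAN prefix and
the three documentation-range external addresses (203.0.113.x) are
constructed for the example. By default the script prints the iptables
commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not Shorewall output): iptables rules equivalent in intent to
# the tcrules/masq fragment above.  Constructed topology: LAN 192.168.1.0/24
# behind eth1, uplink eth0 holding three external addresses.  By default the
# commands are printed; IPT=iptables (as root) applies them.
IPT="${IPT:-echo iptables}"

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.1.0/24

# mangle FORWARD: give the first packet of each new connection a mark 1..N,
# spread round-robin, and copy it to the connection mark (Shorewall's ':C').
# The nth counter is kept per rule and MARK is non-terminating, so every rule
# sees every NEW packet; residues 0..N-1 of that shared sequence are disjoint,
# which is why the rules use --every N --packet 0, 1, ..., N-1.
# Restricting to NEW is what makes the split per connection: later packets of
# the same connection neither advance the counters nor get re-marked.
# Called with the same address list as snat_rules; only the count matters here.
mark_rules() {
    n=$#
    i=0
    while [ "$i" -lt "$n" ]; do
        $IPT -t mangle -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -m conntrack --ctstate NEW \
            -m statistic --mode nth --every "$n" --packet "$i" \
            -j MARK --set-mark "$((i + 1))"
        i=$((i + 1))
    done
    $IPT -t mangle -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j CONNMARK --save-mark
}

# nat POSTROUTING: pick the SNAT address by connection mark.  The nat table
# is consulted only for the first packet of a connection, so the connmark set
# above is all the SNAT rule needs; conntrack then keeps the same external
# address for the rest of the connection.
snat_rules() {
    i=1
    for addr in "$@"; do
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
            -m connmark --mark "$i" -j SNAT --to-source "$addr"
        i=$((i + 1))
    done
}

# Documentation-range addresses stand in for the real external ones.
mark_rules 203.0.113.1 203.0.113.5 203.0.113.9
snat_rules 203.0.113.1 203.0.113.5 203.0.113.9
```

Because the nth counters advance only on NEW packets, three simultaneous
long-lived connections land on three different addresses, while a burst of
short connections is spread evenly; without the NEW restriction the counters
would advance on every packet and the marks would no longer track connections.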
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users