Shorewall 4.6.10 is now available for download.
Problems Corrected:
1) On some distributions, Shorewall-init would fail if one of the
configured products had a problem. Now, Shorewall-init goes on to
the next product rather than stopping.
2) Previously, when startup was disabled (STARTUP_ENABLED=No or no
compiled firewall on a -lite system), exit status 2 was
returned. Now, exit status 6 is returned.
3) Previously, if SAVE_IPSETS=ipv4 (or ipv6) but the configuration did
not use ipsets, then a superfluous warning message was issued:
WARNING: Invalid value (ipv4) for SAVE_IPSETS
That warning is now suppressed.
4) Previously, the algorithm used to normalize the probabilities
defined in the 'load' provider option was incorrect and could
result in probabilities > 1.0. When this occurred, the firewall
would fail to start.
New Features:
1) Previously, the 'ctevents' and 'expevents' options could only be
specified in the conntrack file if a helper was named. That is no
longer necessary.
Example:
#ACTION                       SOURCE   DESTINATION   PROTO   DEST ...
#                                                            PORT(S) ...
#
CT:ctevents:assured,destroy\
                              all      -             -
2) Two new options have been added to the NFQUEUE target.
- By default, if no userspace program is listening on an NFQUEUE,
then all packets that are to be queued are dropped. When the new
'bypass' option is used, the NFQUEUE rule is silently bypassed
instead. The packet will move on to the next rule.
Examples:
NFQUEUE(bypass)
NFQUEUE(3,bypass)
- Now, a queue range of the form n:m may be specified. Packets are
then balanced across the given queues. This is useful for
multicore systems: start multiple instances of the userspace
program on queues x, x+1, .. x+n and use "x:x+n". Packets
belonging to the same connection are put into the same nfqueue.
Examples:
NFQUEUE(4:6)
NFQUEUE(4:6,bypass)
Queue ranges are also permitted in an NFQUEUE policy; the
'bypass' option is not permitted there.
3) The 'call' command is now documented. It provides a way to call
shell functions in the Shorewall libraries or in the generated
script.
call <function> [ <parameter> ... ]
<function> must name a shell function in one of the Shorewall
libraries or in the generated script. The function is first
searched for in lib.base, lib.common, lib.cli and lib.cli-std
(lib.cli-std is not searched by the '-lite' products). If the
function is found, it is called with any supplied <parameter>s.
If the function is not found in the libraries, the call command
is passed to the generated script for processing.
4) Several changes have been made to the processing of the 'load'
option in provider files:
- load values are normalized to 8-digit precision and 10-byte
length.
- a warning is issued if the sum of the loads is not 1.000000.
- if the normalized probability for an interface is >=
1.000000 then the probability match part of the generated rule is
omitted.
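The normalization rules in item 4 (and the probability > 1.0 bug listed under Problems Corrected) can be worked through with the following Python. This is an added illustration, not Shorewall's own Perl code; it assumes the loads are applied as a chain of `-m statistic --mode random --probability` rules where each rule carries the conditional probability for its interface, so the last rule in the chain always comes out at 1.0 and loses its match.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed provider loads (interface, 'load' option value); not a real config.
PROVIDERS = [("eth1", "0.3"), ("eth2", "0.3"), ("eth3", "0.3")]

PRECISION = Decimal("0.00000001")   # 8-digit precision: "0.dddddddd" is 10 bytes long
ONE = Decimal("1.000000")


def normalize_loads(providers):
    """Normalize 'load' values to 8-digit probabilities; return (probs, warnings)."""
    loads = [(name, Decimal(value)) for name, value in providers]
    for name, load in loads:
        if load <= 0:
            raise ValueError(f"load for {name} must be positive")
    total = sum(load for _, load in loads)
    warnings = []
    # The page's rule: warn when the loads do not sum to 1.000000.
    if total.quantize(Decimal("0.000001")) != ONE:
        warnings.append(f"WARNING: sum of loads is {total}, not 1.000000")
    probs = [(name, (load / total).quantize(PRECISION, rounding=ROUND_HALF_UP))
             for name, load in loads]
    return probs, warnings


def probability_rules(providers):
    """Build per-interface match fragments (assumed chained conditional probabilities)."""
    probs, warnings = normalize_loads(providers)
    rules = []
    remaining = sum(p for _, p in probs)
    for name, p in probs:
        # Probability that this rule fires given that the earlier ones did not.
        cond = (p / remaining).quantize(PRECISION, rounding=ROUND_HALF_UP) if remaining else Decimal(1)
        if cond >= 1:
            match = ""      # last (or only) interface: omit the probability match entirely
        else:
            match = f"-m statistic --mode random --probability {cond} "
        rules.append(f"{match}-j {name}")
        remaining -= p
    return rules, warnings
```

With the three equal loads above the sum is 0.9, so a warning is issued, and the third interface gets a plain `-j eth3` rule with no probability match.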
5) There is now an ipv6 'findgw' skeleton file.
6) The 'disable' and 'enable' commands now succeed if the interface is
already disabled or enabled, respectively. Tuomo Soini.
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________