Beta 4 is now available for testing.

Problems Corrected:

1)  Previously, if a zone had two or more interfaces, then the
    interfaces' option rules (DHCP, dynamic blacklisting, etc.) could
    be moved into the fw->zone chain without being restricted to their
    respective interfaces. This could result in needless duplication of
    rules. These rules are now kept in separate chains which, if they
    are identical, will be combined by the optimizer if OPTIMIZE level 8
    is enabled.

2)  Beta 4 broke IPv6 because of the order in which the common Drop
    and Reject actions handled ICMP and Broadcast. The order has been
    reversed for both IPv4 and IPv6 to correct this problem.

New Features:

1.  The compiler now uses the iptables goto (-g) parameter rather than
    the jump (-j) parameter, when the target is a terminating chain
    (does not have any rules with the RETURN target and the last rule
    in the chain is an unconditional jump to a terminating target or
    chain).

2.  The compiler now raises an error if the target of a chain's rule is
    the chain itself.

3.  The compiler now raises an error if the action specified in
    REJECT_ACTION contains a RETURN (CONTINUE) jump or if the last rule
    in the action is not an unconditional jump to a terminating target.

4.  The Drop and Reject default actions now accept a sixth parameter
    that specifies the action to be taken on UPnP packets. Previously,
    the same action was performed on UPnP as was performed on late DNS
    replies. The default is DROP in both cases.

5.  Heretofore, when DYNAMIC_BLACKLISTING=Yes, blacklists were checked
    on packets arriving and leaving on all interfaces. Now, individual
    interfaces may be exempted from dynamic blacklisting through use of
    the "nodbl" interface option.

6.  Prior to this release, dynamic blacklisting has been implemented
    using rules in an ip[6]tables chain. This scales poorly when there
    are a large number of blacklisted addresses.

    Beginning with this release, dynamic blacklisting can be ipset-
    based. See DYNAMIC_BLACKLIST in shorewall.conf(5) and
    shorewall6.conf(5) and the 'blacklist' command in shorewall(8) and
    shorewall6(8).

    As part of this change, ipsets created by Shorewall are now of type
    hash:net with the 'timeout 0 counters' options, rather than
    hash:ip with no options. This allows both network and individual
    host addresses to be added to these ipsets, a timeout to be
    specified when addresses are added to the sets, and visibility into
    matches on individual members of the ipset.

7.  Two new Redis macros have been added, one for Redis Cluster and the
    other for Redis Sentinel (Tuomo Soini).

Thank you for testing,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
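Added example, not part of Tom's message or of Shorewall's own code: a small POSIX shell helper that applies the terminating-chain test from item 1 of the new features to iptables-save style rule text and reports whether a jump into each chain may use -g (goto) or must stay -j. The chain names and rules below are constructed for illustration; following a final unconditional jump into another user chain and testing that chain in turn is an assumption about how the test extends to chained actions.

```shell
#!/bin/sh
# Hypothetical helper (not Shorewall code). A chain qualifies for -g when
# it contains no rule with the RETURN target and its last rule is an
# unconditional jump to a terminating target (ACCEPT/DROP/REJECT) or to a
# user chain that is itself terminating by the same test.
#
# Constructed sample rules in iptables-save syntax (not from a real host).
RULES='
-A fw-net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A fw-net -p tcp --dport 22 -j ACCEPT
-A fw-net -j Reject
-A Reject -p udp --dport 53 -j DROP
-A Reject -j REJECT --reject-with icmp-port-unreachable
-A Drop -p tcp --dport 1900 -j DROP
-A Drop -j RETURN
-A Other -j LOG
'

# Print the rules of one chain, in order (empty output for unknown chains).
chain_rules() {
    printf '%s\n' "$RULES" | grep "^-A $1 " || true
}

# Exit 0 if CHAIN is terminating, 1 otherwise. DEPTH bounds the recursion
# so a cycle between user chains cannot loop forever.
is_terminating() {
    chain="$1"; depth="${2:-0}"
    [ "$depth" -gt 8 ] && return 1
    rules=$(chain_rules "$chain")
    [ -z "$rules" ] && return 1            # unknown or empty chain: be conservative
    # Any RETURN anywhere in the chain disqualifies it.
    printf '%s\n' "$rules" | grep -q -- '-j RETURN' && return 1
    last=$(printf '%s\n' "$rules" | tail -n 1)
    # Unconditional means nothing between the chain name and the -j target.
    case "$last" in
        "-A $chain -j "*) ;;
        *) return 1 ;;
    esac
    target=$(printf '%s\n' "$last" | sed 's/^-A [^ ]* -j \([^ ]*\).*/\1/')
    case "$target" in
        ACCEPT|DROP|REJECT) return 0 ;;
        RETURN) return 1 ;;
        *) is_terminating "$target" $((depth + 1)) ;;   # e.g. LOG stays -j
    esac
}

# Emit the jump option to use for a rule whose target is CHAIN.
jump_flag() {
    if is_terminating "$1"; then echo "-g"; else echo "-j"; fi
}

for c in fw-net Reject Drop Other; do
    printf '%-8s %s\n' "$c" "$(jump_flag "$c")"
done
```

The conservatism matters: with -g, a packet that falls off the end of the target chain does not come back to the caller but to whatever chain jumped (with -j) into the caller, so a chain that can RETURN or whose last rule is a non-terminating target such as LOG must keep -j or the rules after the jump would be skipped.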


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users