Shorewall 5.1.6 RC 1 is now available for testing.

Problems Corrected since 5.1.6 Beta 2:
1) Previously, Shorewall's treatment of wildcard interfaces differed
from Netfilter's. Shorewall did not consider 'eth' to match 'eth+'
while Netfilter did. Beginning with this release, Shorewall is
consistent with Netfilter.
2) Previously, systemd could attempt to start the IPv4 and IPv6
firewalls simultaneously, which might lead to iptables-restore and
ip6tables-restore being run at the same time resulting in a failure
to start one of the firewalls.
Beginning with this release, Shorewall and Shorewall6 will be
started serially as will Shorewall-lite and Shorewall6-lite.
3) To prevent other init systems from starting the IPv4 and IPv6
firewalls in parallel, the ip[6]-tables '--wait' option, if
available, is used. This change introduces a new
RESTORE_WAIT_OPTION capability.
Note: If the new capability is not available on your system, and
you don't run systemd, you can still avoid the parallel start
problem by configuring the same LOCKFILE in both your
shorewall.conf and shorewall6.conf files.
New Features since 5.1.6 Beta 2:
1) When a zone (z1) is defined to be a sub-zone of another zone (z2),
the compiler now verifies that the two zones have at least one
interface in common. If they do not, a warning message is
generated:
WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two
zones have no interface in common
2) Runtime address variables may now be used as the server IP address
in DNAT rules.
Example:
DNAT net $FW:&eth1 tcp 9999
3) Previously, systemd could attempt to start the IPv4 and IPv6
firewalls simultaneously, which might lead to iptables-restore and
ip6tables-restore being run at the same time resulting in a failure
to start one of the firewalls.
Beginning with this release, Shorewall and Shorewall6 will be
started serially as will Shorewall-lite and Shorewall6-lite.
4) To prevent other init systems from starting the IPv4 and IPv6
firewalls in parallel, the ip[6]-tables '--wait' option, if
available, is used. This change introduces a new
RESTORE_WAIT_OPTION capability.
Note: If the new capability is not available on your system, and
you don't run systemd, you can still avoid the parallel start
problem by configuring the same LOCKFILE in both your
shorewall.conf and shorewall6.conf files.
Thank you for testing,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
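
Added example, not part of the original announcement and not Shorewall's own code: item 1 under Problems Corrected and item 1 under New Features, sketched in Python. The trailing-'+' rule is iptables' behaviour; the model of earlier Shorewall matching, the overlap test used for the sub-zone check, and the zone and interface names are assumptions made for illustration.

```python
def netfilter_match(pattern: str, ifname: str) -> bool:
    """iptables -i/-o semantics: a trailing '+' matches any interface name
    that begins with the preceding text, including that text itself."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern


def earlier_shorewall_match(pattern: str, ifname: str) -> bool:
    """Assumed model of the pre-5.1.6 behaviour described in the announcement:
    'eth' was not considered to match 'eth+'."""
    if pattern.endswith("+"):
        prefix = pattern[:-1]
        return ifname.startswith(prefix) and len(ifname) > len(prefix)
    return ifname == pattern


def specs_overlap(a: str, b: str) -> bool:
    """True if at least one interface name could match both specs
    (assumed definition of 'interface in common')."""
    if a.endswith("+") and b.endswith("+"):
        pa, pb = a[:-1], b[:-1]
        return pa.startswith(pb) or pb.startswith(pa)
    if a.endswith("+"):
        return netfilter_match(a, b)
    if b.endswith("+"):
        return netfilter_match(b, a)
    return a == b


def subzone_warnings(zone_ifaces: dict, parents: dict) -> list:
    """Return one warning per sub-zone sharing no interface with its parent."""
    out = []
    for child, parent in parents.items():
        if not any(specs_overlap(a, b)
                   for a in zone_ifaces[child] for b in zone_ifaces[parent]):
            out.append(f"WARNING: Zone {child} is defined to be a sub-zone of "
                       f"{parent}, yet the two zones have no interface in common")
    return out


# Constructed sample configuration (hypothetical zones and interfaces).
ZONES = {"net": ["eth+"], "dmz": ["eth"], "vpn": ["tun+"]}
PARENTS = {"dmz": "net", "vpn": "net"}  # child -> parent

if __name__ == "__main__":
    print("eth vs eth+ :", earlier_shorewall_match("eth+", "eth"),
          "->", netfilter_match("eth+", "eth"))
    for line in subzone_warnings(ZONES, PARENTS):
        print(line)
```
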
