Shorewall 5.1.6 is now available for download.

Problems Corrected:

1)  This release contains defect repair through Shorewall 5.1.5.2.

2)  http://www.shorewall.net/shorewall_extension_scripts.htm states
    that $SHAREDIR and $CONFDIR can be used in extension scripts, that
    has not been true for some time. Beginning with this release, those
    variables are once again available in the generated script.

3)  Under very rare circumstances, when OPTIMIZE level 8 was used,
    messages such as the following could be issued during compilation:

    Use of uninitialized value in hash element at
       /usr/share/shorewall/Shorewall/Rules.pm line 818.
    Use of uninitialized value in concatenation (.) or string at
       /usr/share/shorewall/Shorewall/Rules.pm line 823.

    That has been corrected.

4)  Previously, Shorewall's treatment of wildcard interfaces differed
    from Netfilter's. Shorewall did not consider 'eth' to match 'eth+'
    while Netfilter did. Beginning with this release, Shorewall is
    consistent with Netfilter.

5)  Previously, systemd could attempt to start the IPv4 and IPv6
    firewalls simultaneously, which might lead to iptables-restore and
    ip6tables-restore being run at the same time resulting in a failure
    to start one of the firewalls.

    Beginning with this release, Shorewall and Shorewall6 will be
    started serially as will Shorewall-lite and Shorewall6-lite.

6)  To prevent other init systems from starting the IPv4 and IPv6
    firewalls in parallel, the ip[6]tables-restore '--wait' option, if
    available, is used. This change introduces a new
    RESTORE_WAIT_OPTION capability.

    Note: If the new capability is not available on your system, and
    you don't run systemd, you can still avoid the parallel start
    problem by configuring the same LOCKFILE in both your
    shorewall.conf and shorewall6.conf files.

7)  Previously, the RDP macro only allowed TCP traffic, even though RDP
    also requires UDP. That has been corrected so that both protocols
    are allowed.

New Features:

1)  The SPARSE option in shorewallrc originally caused only
    shorewall[6].conf to be installed in /etc/shorewall[6], but later
    the conntrack and params files were also installed. To prevent
    these additional files from being installed, SPARSE may now be set
    to 'Very', either by editing the file directly or by using the
    configure or configure.pl scripts.

    This setting is recommended if you wish to use a single set of
    configuration files for both IPv4 and IPv6 as described at
    http://www.shorewall.org/SharedConfig.html.

2)  Two new run-time extension scripts have been added:

    - enabled

      Invoked when an optional interface has been successfully enabled
      using the 'enable' command.

    - disabled

      Invoked when an optional interface has been successfully disabled
      using the 'disable' command.

    Like all run-time extension scripts, the contents of each script
    are placed in a function body. In the case of these new scripts,
    the function is passed arguments:

        $1 = the physical name of the interface
        $2 = the logical name of the interface
        $3 = the name of the Provider, if any, associated with the
             interface.

3)  When a zone (z1) is defined to be a sub-zone of another zone (z2),
    the compiler now verifies that the two zones have at least one
    interface in common. If they do not, a warning message is
    generated:

       WARNING: Zone z1 is defined to be a sub-zone of z2, yet the two
                zones have no interface in common

4)  Runtime address variables may now be used as the server IP address
    and Runtime port variables may be used as the server port in DNAT
    rules.

    Example:

        DNAT    net     $FW:&eth1:%{PORT}       tcp     9999

5)  Previously, systemd could attempt to start the IPv4 and IPv6
    firewalls simultaneously, which might lead to iptables-restore and
    ip6tables-restore being run at the same time resulting in a failure
    to start one of the firewalls.

    Beginning with this release, Shorewall and Shorewall6 will be
    started serially as will Shorewall-lite and Shorewall6-lite.

6)  To prevent problems when other init systems start the IPv4 and IPv6
    firewalls in parallel, the ip[6]tables '--wait' option, if
    available, is used. The amount of time to wait is determined by the
    setting of MUTEX_TIMEOUT (default 60 seconds). This change
    introduces a new RESTORE_WAIT_OPTION capability.

    Note: If the new capability is not available on your system, and
    you don't run systemd, you can still avoid the parallel start
    problem by configuring the same LOCKFILE in both your
    shorewall.conf and shorewall6.conf files.

7)  Previously, the sample configuration files specified
    MODULE_SUFFIX="ko ko.xz", whereas the default .conf files specified
    MODULE_SUFFIX=ko. The latter no longer works on RHEL7-based
    systems. Beginning with this release, the default .conf files also
    specify MODULE_SUFFIX="ko ko.xz".

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
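The following is an added example and not part of the announcement above nor
of Shorewall's own code. It shows one way to make use of the new 'enabled' and
'disabled' run-time extension scripts from New Feature 2: Shorewall wraps each
script's contents in a shell function and passes $1 = physical interface,
$2 = logical interface, $3 = provider name (empty when there is no provider).
The helper below keeps a one-line-per-interface state file that an external
monitor can read, and emits a syslog line through logger(1). The STATE_FILE
path, the log tag 'shorewall-iface' and the function names are assumptions
made for this example; they are not Shorewall settings. The functions are
meant to live in /etc/shorewall/lib.private (which Shorewall copies into the
generated script) so that each extension script body is a single call.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): helper functions for the new
# 'enabled' and 'disabled' run-time extension scripts.
#
# Suggested script bodies (the arguments are the ones Shorewall passes):
#   /etc/shorewall/enabled:   iface_event enabled  "$1" "$2" "$3"
#   /etc/shorewall/disabled:  iface_event disabled "$1" "$2" "$3"

# Assumed path, not a Shorewall setting; override via the environment.
STATE_FILE=${STATE_FILE:-/var/lib/shorewall/iface-state}

# iface_event EVENT PHYSICAL LOGICAL [PROVIDER]
# Records EVENT (enabled|disabled) for PHYSICAL, replacing any earlier
# line for the same interface. Returns 1 on a bad event or write failure.
iface_event() {
    event=$1
    physical=$2
    logical=$3
    provider=${4:-none}          # keep four fields even without a provider
    case "$event" in
        enabled|disabled) ;;
        *) echo "iface_event: unknown event '$event'" >&2; return 1 ;;
    esac
    [ -n "$physical" ] || { echo "iface_event: missing interface" >&2; return 1; }
    mkdir -p "$(dirname "$STATE_FILE")" || return 1
    tmp=$STATE_FILE.tmp.$$
    # Exact match on field 1 (no regex, so names like 'eth0.10' are safe).
    if [ -f "$STATE_FILE" ]; then
        awk -v p="$physical" '$1 != p' "$STATE_FILE" > "$tmp" || return 1
    else
        : > "$tmp" || return 1
    fi
    printf '%s %s %s %s\n' "$physical" "$logical" "$provider" "$event" >> "$tmp"
    mv "$tmp" "$STATE_FILE" || return 1
    # Best effort: logger(1) may be absent on a minimal system.
    logger -t shorewall-iface "$physical ($logical, provider $provider) $event" 2>/dev/null || true
}

# iface_state PHYSICAL
# Prints enabled, disabled, or unknown for PHYSICAL.
iface_state() {
    [ -f "$STATE_FILE" ] || { echo unknown; return 0; }
    awk -v p="$1" '$1 == p { s = $4 } END { print (s == "" ? "unknown" : s) }' "$STATE_FILE"
}

# iface_count EVENT
# Number of interfaces currently recorded in state EVENT, e.g. how many
# provider links are up.
iface_count() {
    [ -f "$STATE_FILE" ] || { echo 0; return 0; }
    awk -v e="$1" '$4 == e { n++ } END { print n + 0 }' "$STATE_FILE"
}
```

Because Shorewall only invokes these scripts after the enable or disable has
succeeded, the state file reflects what the firewall actually did rather than
what was requested; a monitoring job that runs iface_count enabled can then
alarm when fewer provider links are up than expected.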

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users