The Shorewall Team is pleased to announce the availability of Shorewall 5.2.0.
Problems Corrected:
1) This release includes defect repair through Shorewall 5.1.12.3.
2) Previously, optimize category 8 (combine identical chains) was
applied before optimize category 16 (eliminate duplicate rules,
...). This could (and did) result in uncombined identical chains
in the final ruleset. Beginning with this release:
a) Optimize category 16 will be applied before optimize category 8.
b) If optimize category 8 combined any chains, then optimize
category 16 will be applied again.
This change ensures that the final ruleset has no duplicate chains
and that all compatible adjacent port and state rules are combined.
3) Previously, use of &lo would result in an error:
ERROR: Can't determine the IP address of lo: Firewall state not
changed
That problem has been corrected such that &lo always expands to
127.0.0.1 (IPv4) or ::1 (IPv6).
New Features:
1) The MAPOLDACTIONS option in shorewall.conf has been removed. This
option provided compatibility with releases prior to Shorewall 3.0.
'shorewall update' will remove the setting of this option from
shorewall.conf.
2) The INLINE_MATCH option has been removed. Shorewall now behaves as
if INLINE_MATCH=No had been specified:
- A single semicolon (';') is used to separate column-oriented
input from column-name/value input.
- The preferred method of specifying column-name/value input is to
enclose such input in curly braces ("{....}").
- A pair of semicolons (';;') is used to introduce raw IP[6]TABLES
input. This is true in INLINE and IP[6]TABLES rules as well as
rules with other targets.
As part of this change, 'shorewall update' will replace ';' with
';;' in INLINE and IP[6]TABLES rules.
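The following shell script is an added example, not Shorewall's own code: it approximates the ';' to ';;' rewrite that 'shorewall update' applies to INLINE and IP[6]TABLES rules, so you can preview the effect on a rules file before upgrading. It assumes the ACTION column is the first whitespace-separated field (possibly with a parenthesised target or log level, e.g. INLINE(ACCEPT) or IPTABLES(DROP):info) and that the first ';' on the line is the separator introducing raw input.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: approximates the ';' -> ';;' rewrite
# that 'shorewall update' applies to INLINE and IP[6]TABLES rules. Assumptions:
# the ACTION column is the first whitespace-separated field, it may carry a
# parenthesised target or a log level (INLINE(ACCEPT), IPTABLES(DROP):info),
# and the first ';' on the line is the separator that introduces raw matches.

# convert_inline_rules < old.rules > new.rules
convert_inline_rules() {
    awk '
        # Comments, ?directives and blank lines pass through untouched.
        /^[[:space:]]*(#|\?|$)/ { print; next }
        # Only INLINE and IP[6]TABLES rules change; other targets keep their
        # single ";" (still the column-name/value separator under 5.2).
        $1 !~ /^(INLINE|IPTABLES|IP6TABLES)(\(|:|$)/ { print; next }
        # Already migrated (";;") or no separator at all: nothing to do.
        index($0, ";;") > 0 || index($0, ";") == 0 { print; next }
        # Promote the first ";" to ";;" so the remainder is treated as raw input.
        { sub(/;/, ";;"); print }
    '
}

# Constructed sample rules (not taken from a real configuration).
convert_inline_rules <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DPORT
INLINE(ACCEPT)  net     $FW     tcp     22      ; -m conntrack --ctstate NEW
IPTABLES(DROP)  net     all                     ; -m recent --name bad --rcheck
ACCEPT          net     $FW     tcp     80      ; { rate=s:3/min }
IP6TABLES(DROP) net     all                     ;; -m rt --rt-type 0
EOF
```

Run it against a copy of your rules file and diff the output against the original; a ';' that is not the separator (for example inside a quoted string) would need manual attention.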
3) With the wide availability of ipset-based blacklisting, the need
for the 'refresh' command has been largely eliminated. As a result,
that command has been removed.
Some users may have been using 'refresh' as a lightweight form of
reload. The most common of these uses seem to be for reloading
traffic shaping after an interface has gone down and come back up.
The best way to handle this situation under 5.2 is to make the
interface 'optional' in your /etc/shorewall[6]/interfaces file,
then either:
- Install Shorewall-init and enable IFUPDOWN; or
- Use the 'reenable' command when the interface comes back up
in place of the 'refresh' command.
4) The following deprecated macros and actions have been removed:
Action A_AllowICMPs - use AllowICMPs(A_ACCEPT)
Action A_Drop - see below
Action A_Reject - see below
Action Drop - see below
Action Reject - see below
Macro SNMPTrap - use SNMPtrap
The [A_]Drop and [A_]Reject actions are used primarily as policy
actions. As part of this change, 'shorewall update' will update
DROP_DEFAULT=[A_]Drop and REJECT_DEFAULT=[A_]Reject as follows:
IPv4
DROP_DEFAULT=Drop becomes Broadcast(DROP),Multicast(DROP)
DROP_DEFAULT=A_Drop becomes
Broadcast(A_DROP),Multicast(A_DROP)
REJECT_DEFAULT=Reject becomes Broadcast(DROP),Multicast(DROP)
REJECT_DEFAULT=A_Reject becomes
Broadcast(A_DROP),Multicast(A_DROP)
IPv6
DROP_DEFAULT=Drop becomes
AllowICMPs,Broadcast(DROP),Multicast(DROP)
DROP_DEFAULT=A_Drop becomes
AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
REJECT_DEFAULT=Reject becomes
AllowICMPs,Broadcast(DROP),Multicast(DROP)
REJECT_DEFAULT=A_Reject becomes
AllowICMPs(A_ACCEPT),Broadcast(A_DROP),Multicast(A_DROP)
See the Migration Issues for additional information.
5) A 'show saves' command has been added to list the snapshots
created using the 'save' command.
Example:
root@gateway:~# shorewall show saves
Shorewall 5.2.0 Saves at gateway - Thu Feb 15 11:58:37 PST 2018
Saved snapshots are:
Feb 15 10:08 foo
Feb 14 12:34 restore (default)
root@gateway:~#
The snapshots are listed by creation time from latest to
earliest. If the name of one matches the RESTOREFILE setting, that
snapshot is marked as the default for the 'restore' command.
6) For installing into a Sandbox, the file shorewallrc.sandbox has
been added to Shorewall-core. See
http://www.shorewall.net/install.htm#idm327.
7) The "Use Pkttype Match (USEPKTTYPE)" capability is no longer used
and has been deleted. This removal has introduced a new
capabilities version.
8) When a log message is issued from a chain that relates to a pair of
zones (e.g., 'fw-net'), the chain name normally appears in the log
message (unless LOGTAGONLY=Yes and a log tag is specified). This
can prevent OPTIMIZE category 8 from combining chains which are
identical except for chain names in logging rules. The new
LOG_ZONE option in shorewall[6].conf allows for only the source or
destination zone to appear in the messages by setting LOG_ZONE to
'src' or 'dst' respectively. If LOG_ZONE=both (the default), then
the full chain name is included in log messages.
Setting LOG_ZONE=src has been shown to decrease the size of the
generated ruleset by more than 10 percent in some cases. Your
results may vary.
9) Traditionally, when OPTIMIZE category 8 is enabled, identical
chains are combined under a name beginning with '~comb' or
'~blacklist'. Beginning with this release, setting
RENAME_COMBINED=Yes (the default) in shorewall[6].conf retains that
behavior. If RENAME_COMBINED=No, identical chains are combined
under the original name of one of the chains.
10) When AUTOMAKE=Yes, each directory in the CONFIG_PATH was originally
searched recursively for files newer than the compiled script. That
was changed in Shorewall 5.1.10.2 such that only the listed
directories themselves were searched. That broke some
configurations that played tricks with embedded SHELL such as:
SHELL cat /etc/shorewall/rules.d/loc/*.rules
Prior to 5.1.10.2, a change to a file in or adding a file to
/etc/shorewall/rules.d/loc/ would trigger recompilation. Beginning
with 5.1.10.2, such changes would not trigger
recompilation.
Beginning with this release, the pre-5.1.10.2 behavior can be
obtained by setting AUTOMAKE=recursive.
Also beginning with this release, AUTOMAKE may be set to a numeric
<depth> which specifies how deeply each listed directory is to be
searched. AUTOMAKE=1 only searches each directory itself and is
equivalent to AUTOMAKE=Yes. AUTOMAKE=2 will search each directory
and its immediate sub-directories; AUTOMAKE=3 will search each
directory, each of its immediate sub-directories, and each of their
immediate sub-directories, etc.
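The following shell script is an added example, not Shorewall's own code: it reproduces the AUTOMAKE staleness check for the three settings described above (Yes, recursive and a numeric depth) and runs it over a constructed tree shaped like the rules.d/loc/*.rules case, so you can see which depth is needed before picking a value. It assumes CONFIG_PATH is colon-separated, the compiled script path is passed explicitly, and find(1) supports -maxdepth (GNU and BSD find do).

```shell
#!/bin/sh
# Added example, not Shorewall's own code: reproduces the AUTOMAKE staleness
# test for the settings described above (Yes, recursive, <depth>).
# Assumptions: CONFIG_PATH is colon-separated (Shorewall's usual form), the
# compiled script is passed explicitly, and find(1) supports -maxdepth.

# needs_recompile AUTOMAKE_VALUE COMPILED_SCRIPT [CONFIG_PATH]
#   exit 0 = a file newer than the script was found (recompile)
#   exit 1 = nothing newer within the searched depth (reuse the script)
needs_recompile() {
    setting=$1 script=$2 cpath=${3:-/etc/shorewall:/usr/share/shorewall}
    case $setting in
        Yes|yes|1) depthopt='-maxdepth 1' ;;          # 5.1.10.2 behaviour: listed dirs only
        recursive) depthopt='' ;;                     # pre-5.1.10.2 behaviour: no limit
        [0-9]*)    depthopt="-maxdepth $setting" ;;   # N = directory plus N-1 sub-levels
        *) echo "needs_recompile: bad AUTOMAKE value '$setting'" >&2; return 2 ;;
    esac
    [ -f "$script" ] || return 0                      # no compiled script yet
    oldifs=$IFS; IFS=:; set -- $cpath; IFS=$oldifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # $depthopt is deliberately unquoted so that it expands to two words.
        if find "$dir" $depthopt -type f -newer "$script" -print | grep -q .; then
            return 0
        fi
    done
    return 1
}

# Demo on a constructed tree: rules.d/loc/web.rules sits three levels below
# the listed directory, so AUTOMAKE=Yes and AUTOMAKE=2 miss it while
# AUTOMAKE=3 and AUTOMAKE=recursive see it.
tmp=$(mktemp -d)
mkdir -p "$tmp/conf/rules.d/loc"
touch -t 200001010000 "$tmp/firewall" "$tmp/conf/rules"   # old script, old rules
touch "$tmp/conf/rules.d/loc/web.rules"                   # freshly added file
for v in Yes 2 3 recursive; do
    if needs_recompile "$v" "$tmp/firewall" "$tmp/conf"; then
        echo "AUTOMAKE=$v: recompile"
    else
        echo "AUTOMAKE=$v: up to date"
    fi
done
rm -rf "$tmp"
```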
11) Previously, the maximum depth of INCLUDEs was four (although the
documentation gave the limit as three). Beginning with this
release, that limit has been raised to 20.
12) Support for the deprecated 'masq' file has been deleted. Any
existing 'masq' file will automatically be converted to the
equivalent 'snat' file.
13) Three new shorewall commands have been implemented:
a) show rc
Displays the contents of the shorewallrc file
($SHAREDIR/shorewall/shorewallrc).
b) getcaps
Generates a capabilities file on a remote system and copies it
to a directory on the local system.
c) getrc
Copies the shorewallrc file from a remote system to a directory
on the local system.
See shorewall(8) for details.
Implemented by Matt Darfeuille
Thank you for using Shorewall,
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
