The Shorewall team is pleased to announce the availability of Shorewall
4.4.0 Beta 1.
The release notes are available at
http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt
The release is available at:
http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/
ftp://ftp.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/
----------------------------------------------------------------------------
R E L E A S E   4 . 4   H I G H L I G H T S
----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl
has been combined with Shorewall-common to produce a single
Shorewall package.
2) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
discipline has been added. HFSC is superior to the "Hierarchical
Token Bucket" queuing discipline where realtime traffic such as
VOIP is being used.
3) Support for the "flow" traffic classifier has been added. This
classifier can help prevent multi-connection applications such as
BitTorrent from using an unfair amount of bandwidth.
4) The Shorewall documentation and man pages have been purged of
information about earlier Shorewall releases. The documentation
describes only the behavior of Shorewall 4.4 and later versions.
5) The interfaces file OPTIONs have been extended to largely remove the
need for the hosts file.
6) It is now possible to define PREROUTING and OUTPUT marking rules
that cause new connections to use the same provider as an existing
connection of the same kind.
7) Dynamic Zone support is once again available for IPv4; ipset support
is required in your kernel and in iptables.
8) A new AUTOMAKE option has been added to shorewall.conf and
shorewall6.conf. Setting this option will allow Shorewall to skip
the compilation phase during start/restart if no configuration
changes have occurred since the last start/restart.
9) The LIMIT:BURST column in /etc/shorewall/policy
(/etc/shorewall6/policy) and the RATE LIMIT column in
/etc/shorewall/rules (/etc/shorewall6/rules) may now be used to
limit on a per source IP or per destination IP basis.
10) Support for per-IP traffic shaping classes has been added.
----------------------------------------------------------------------------
M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------
1) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
'shorewall6 clear' commands no longer read the 'routestopped'
file. The 'routestopped' file used is the one that was present at
the last 'start', 'restart' or 'restore' command.
2) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated
in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4
documentation uses the new syntax exclusively, although the old
syntax continues to be supported.
3) Support for the SAME target in /etc/shorewall/masq and
/etc/shorewall/rules has been removed, following the removal of the
underlying support in the Linux kernel.
4) Supplying an interface name in the SOURCE column of
/etc/shorewall/masq is now deprecated. Entering the name of an
interface there will result in a compile-time warning:
WARNING: Using an interface as the masq SOURCE requires the
interface to be up and configured when Shorewall
starts/restarts
To avoid this warning, replace interface names by the corresponding
network addresses (e.g., 192.168.144.0/24).
5) Previously, Shorewall has treated traffic shaping class IDs as
decimal numbers (or pairs of decimal numbers). That worked fine
until IPMARK was implemented. IPMARK requires Shorewall to generate
class IDs in numeric sequence. In 4.3.9, that didn't work correctly
because Shorewall was generating the sequence "..8,9,10,11..." when
the correct sequence was "...8,9,a,b,...". Shorewall now treats
class IDs as hex, as do 'tc' and 'iptables'.
This should only be an issue if you have more than 9 interfaces
defined in /etc/shorewall/tcdevices and if you use class IDs in
/etc/shorewall/tcrules or /etc/shorewall/tcfilters. You will need
to renumber the class IDs for devices 10 and greater.
6) Jozsef Kadlecsik has removed the set binding capability from ipset
3.1. As a consequence, Shorewall 4.4 no longer supports set
binding.
9) Support for the 'norfc1918' interface and host option has been
removed. If 'norfc1918' is specified for an entry in either the
interfaces or the hosts file, a warning is issued and the option is
ignored.
Similarly, if RFC1918_STRICT=Yes or a non-empty RFC1918_LOG_LEVEL
is given in shorewall.conf, a warning will be issued and the option
will be ignored.
Users who currently use 'norfc1918' are encouraged to consider
using NULL_ROUTE_RFC1918=Yes instead.
The complete release notes are available at
http://www.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
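
Added example, not part of the original announcement and not Shorewall code: a pre-upgrade check that scans configuration text for the constructs named in migration issues 2, 3, 4 and 9 above. The column positions (ACTION first in rules; INTERFACE, SOURCE, ADDRESS in masq), the letter-versus-digit heuristic for spotting an interface name, and the sample configuration are assumptions made for this illustration.

```python
import re

OLD_MACRO = re.compile(r"^\w+/\w+")  # SSH/ACCEPT; the new form is SSH(ACCEPT)

def rows(text):
    """Yield (line_number, columns) for non-blank, non-comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        cols = line.split("#", 1)[0].split()
        if cols:
            yield n, cols

def check(files):
    """files maps a config file name to its text; returns (location, issue) pairs."""
    found = []
    for name, text in files.items():
        for n, c in rows(text):
            issues = []
            if name == "rules":
                if OLD_MACRO.match(c[0]):
                    issues.append("old macro syntax is deprecated")
                if c[0].split(":")[0] == "SAME":
                    issues.append("SAME target has been removed")
            elif name == "masq":
                # Heuristic (assumption): a SOURCE starting with a letter is
                # an interface name; network addresses start with a digit.
                if len(c) > 1 and c[1][0].isalpha():
                    issues.append("interface name in SOURCE is deprecated")
                if len(c) > 2 and c[2].split(":")[0] == "SAME":
                    issues.append("SAME target has been removed")
            elif name in ("interfaces", "hosts"):
                if any("norfc1918" in col.split(",") for col in c):
                    issues.append("norfc1918 is ignored; see NULL_ROUTE_RFC1918")
            elif name == "shorewall.conf":
                key, _, val = c[0].partition("=")
                val = val.strip("\"'")
                if ((key == "RFC1918_STRICT" and val.lower() == "yes")
                        or (key == "RFC1918_LOG_LEVEL" and val)):
                    issues.append(f"{key} is ignored")
            found += [(f"{name}:{n}", msg) for msg in issues]
    return found

# Constructed sample configuration, not taken from a real system.
SAMPLE = {
    "rules": "SSH/ACCEPT net $FW\nSSH(ACCEPT) loc $FW\nACCEPT net $FW tcp 80\n",
    "masq": "eth0 eth1\neth0 192.168.144.0/24 SAME:192.0.2.10-192.0.2.12\n",
    "interfaces": "net eth0 detect dhcp,norfc1918\nloc eth1 detect\n",
    "shorewall.conf": "RFC1918_STRICT=Yes\nRFC1918_LOG_LEVEL=\n",
}
```

Calling check(SAMPLE) returns one finding per flagged line; the compiler's own warnings at start/restart remain the authoritative check.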