We are pleased to announce that Shorewall 4.4.22 is now available for download.

----------------------------------------------------------------------------
       I.  P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  Under rare conditions, long port lists (>15 ports) could result in the
    following failure when optimization level 4 was enabled.

        Use of uninitialized value in numeric gt (>) at
        /usr/share/shorewall/Shorewall/Chains.pm line 1264.
        ERROR: Internal error in Shorewall::Chains::decrement_reference_count
        at /usr/share/shorewall/Shorewall/Chains.pm line 1264

2)  All corrections included in Shorewall 4.4.21.1.

----------------------------------------------------------------------------
          I I.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  On systems running Upstart, shorewall-init cannot reliably secure the
    firewall before interfaces are brought up.

----------------------------------------------------------------------------
        I I I.  N E W   F E A T U R E S   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------

1)  Three new parameterized standard actions are included in this release.

        Invalid   - Packets in the INVALID connection tracking state
        Broadcast - Broadcast and Multicast Packets
        NotSyn    - TCP packets that have the SYN flag set and all other
                    flags reset.

    The standard default Drop and Reject actions have been modified to use
    these new actions. Each accepts two parameters:

        a)  Action to perform on matching packets. Must be ACCEPT, DROP or
            REJECT. Default is DROP.

        b)  'audit' flag. If 'audit', then the action will be audited.
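    As an added illustration (not part of the release notes), the fragment
    below shows how the two parameters are written in a rules file. The
    zone names net, loc and dmz are assumed to be defined in the zones
    file, and invoking an action with no parameter list to obtain the
    defaults is assumed to be accepted by the compiler.

```text
#ACTION                 SOURCE          DEST
# Drop packets in the INVALID conntrack state arriving from the Internet
# and audit them as well (second parameter 'audit').
Invalid(DROP,audit)     net             $FW
# Accept broadcast and multicast traffic from the local LAN; no second
# parameter, so these packets are not audited.
Broadcast(ACCEPT)       loc             $FW
# Reject TCP packets matched by NotSyn from the Internet.
NotSyn(REJECT)          net             $FW
# No parameters given: first parameter defaults to DROP, nothing audited
# (assumed to be valid; see lead-in).
NotSyn                  dmz             $FW
```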
    The new actions deprecate the following built-in actions:

        allowBcast    - use Broadcast(ACCEPT)
        allowInvalid  - use Invalid(ACCEPT)
        dropInvalid   - use Invalid(DROP)
        dropBroadcast - use Broadcast(DROP)
        dropNotSyn    - use NotSyn(DROP)
        rejNotSyn     - use NotSyn(REJECT)

2)  Up to this point, the Perl-based compiler has stored rules internally as
    iptables/ip6tables command strings. This has made optimizing the ruleset
    difficult and has made the optimizer the most defect-dense part of the
    code. This release marks the first step toward converting the compiler
    to use an internal rule representation that is easier to optimize and
    that can be converted to iptables/ip6tables commands efficiently. The
    parser still generates iptables/ip6tables rules, which are then
    converted into the internal form.

3)  Optimize level 8 causes chains that are identical to another chain to
    be deleted, and their references are replaced by references to the
    other chain. This can lead to confusion when looking at the generated
    ruleset. For example, traffic going from the 'loc' zone to the 'dmz'
    zone may now be passing through a chain named 'wan2dmz'! To eliminate
    this confusion, the compiler now generates a synthetic name for the
    combined chains, consisting of "~comb" followed by an integer (e.g.,
    "~comb1", "~comb2", etc.).

Thank you for using Shorewall.

-The Shorewall Team

--
Tom Eastep        \   When I die, I want to go like my Grandfather who
Shoreline,         \   died peacefully in his sleep. Not screaming like
Washington, USA     \   all of the passengers in his car
http://shorewall.net \________________________________________________