Happy New Year everyone.
Shorewall 4.6.0 Beta 1 is now available for testing. Given that this is
a new major release, the Beta releases should be treated as RFCs;
nothing is cast in stone at this point.
Please note that updated documentation is available only on the web
sites hosting the new site layout:
http://www.shorewall.org (both IPv4 and IPv6)
http://www.shorewall.fi (both IPv4 and IPv6)
http://www.shorewall.net (IPv6 only -- the IPv4 site is still hosting
the old layout).
New Features:
1) SECTION entries in the accounting and rules files now allow
"SECTION" to be immediately preceded by "?" (e.g., ?SECTION). The
new form is preferred and if any SECTION entries do not have the
question mark, a warning is issued (see Migration Issues below).
2) The default setting for ZONE2ZONE has been changed from '2' to '-'
for increased readability when zone names contain '2'.
3) The 'tcrules' file has been superseded by the 'mangle'
file. Existing 'tcrules' files will still be processed, with the
restriction that TPROXY is no longer supported in FORMAT 1.
If your 'tcrules' file has non-commentary entries, the following
warning message is issued:
WARNING: Non-empty tcrules file (...); please move its contents
to the mangle file.
4) Prior to now, the ability to specify raw iptables matches has been
tied to the INLINE action. Beginning with this release, the two can
be separated by specifying INLINE_MATCHES=Yes.
When INLINE_MATCHES=Yes, then inline matches may be specified after
a semicolon in the following files:
action files
macros
rules
mangle
masq
Note that semicolons are not allowed in any other files. If you
want to use the alternative input format in those files, then you
must enclose the specifications in curly brackets ({...}). The -i
option of the 'check' command will warn you of lines that need to
be changed from using ";" to using "{...}".
6) The 'conntrack', 'raw', 'mangle' and 'rules' files now support an
IPTABLES (IP6TABLES) action. This action is similar to INLINE in
that it allows arbitrary ip[6]tables matches to be specified after a
semicolon (even when INLINE_MATCHES=No). It differs in that the
parameter passed is an iptables target with target options.
Example (rules file):
#ACTION SOURCE DEST PROTO
IPTABLES(TARPIT --honeypot) net pot
If the particular target that you wish to use is unknown to
Shorewall, you will get this error message:
ERROR: Unknown TARGET (<target>)
You can eliminate that error by adding your target as a builtin
action in /etc/shorewall[6]/actions.
As part of this change, the /etc/shorewall[6]/actions file options
have been extended to allow you to specify the Netfilter table(s)
where the target is accepted. When 'builtin' is specified, you can
also include the following options:
filter
nat
mangle
raw
If no table is given, 'filter' is assumed for backward
compatibility.
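The migration warnings in items 1 and 3, the ';' versus '{...}' rule in
item 4 and the IPTABLES(target) / builtin-table behaviour in item 6 can
all be checked before upgrading. The script below is an added example
written for this page; it is not Shorewall code and it is not the
'shorewall check' command. The sample configuration files are
constructed, and the file-to-table mapping (FILE_TABLE), the
"column=value" heuristic (ALT_FORMAT) and the assumption that TARPIT
has to be declared in the actions file are mine, not Shorewall's
definitions.

```python
"""Pre-upgrade lint for a Shorewall 4.6.0 configuration directory.

Added example for this announcement; not Shorewall code and not the
'shorewall check' command. It re-creates the migration conditions described
above (SECTION vs ?SECTION, non-empty tcrules, ';' vs { ... } under
INLINE_MATCHES, IPTABLES(target) declarations). FILE_TABLE and ALT_FORMAT are my assumptions.
"""
import re

INLINE_FILES = {"rules", "mangle", "masq"}            # plus action.* and macro.*
IPTABLES_FILES = {"conntrack", "raw", "mangle", "rules"}
FILE_TABLE = {"rules": "filter", "mangle": "mangle", "raw": "raw", "conntrack": "raw"}  # assumed
TABLES = {"filter", "nat", "mangle", "raw"}
ALT_FORMAT = re.compile(r"^\s*\w+=")                  # heuristic for old ';proto=tcp,...' form
IPTABLES_ACTION = re.compile(r"^IP6?TABLES\(([^)\s]+)")
RAW_ACTIONS = ("INLINE(", "IPTABLES(", "IP6TABLES(")

def config_lines(text):
    """Yield (lineno, line) for non-blank lines, '#' comments removed."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line

def allows_inline(name):
    return name in INLINE_FILES or name.startswith(("action.", "macro."))

def section_findings(name, text):
    return [f"{name}:{n}: use ?SECTION instead of SECTION"
            for n, line in config_lines(text) if line.split()[0] == "SECTION"]

def tcrules_findings(text):
    return ["tcrules: non-empty; move its contents to the mangle file"] if any(
        True for _ in config_lines(text)) else []

def semicolon_findings(name, text, inline_matches):
    out = []
    for n, line in config_lines(text):
        if ";" not in line:
            continue
        action, tail = line.split()[0], line.split(";", 1)[1]
        if action.startswith(RAW_ACTIONS) and (allows_inline(name) or name in IPTABLES_FILES):
            continue                                  # raw matches are what these actions take
        if not allows_inline(name):
            out.append(f"{name}:{n}: ';' is not allowed here; write column=value pairs as {{ ... }}")
        elif inline_matches and ALT_FORMAT.match(tail):
            out.append(f"{name}:{n}: with INLINE_MATCHES=Yes the text after ';' is passed to iptables; rewrite as {{ ... }}")
        elif not inline_matches and not ALT_FORMAT.match(tail):
            out.append(f"{name}:{n}: raw matches after ';' need INLINE_MATCHES=Yes or an INLINE()/IPTABLES() action")
    return out

def builtin_tables(actions_text):
    """Map each builtin action to its declared tables ('filter' when none given)."""
    known = {}
    for _, line in config_lines(actions_text):
        parts = line.split()
        opts = set(parts[1].split(",")) if len(parts) > 1 else set()
        if "builtin" in opts:
            known[parts[0]] = (opts & TABLES) or {"filter"}
    return known

def iptables_findings(name, text, known):
    out, table = [], FILE_TABLE.get(name)
    for n, line in config_lines(text):
        m = IPTABLES_ACTION.match(line)
        if not m:
            continue
        if m.group(1) not in known:                   # only targets declared in 'actions' are known here
            out.append(f"{name}:{n}: target {m.group(1)} must be known to Shorewall or declared builtin in 'actions'")
        elif table and table not in known[m.group(1)]:
            out.append(f"{name}:{n}: {m.group(1)} is declared for {sorted(known[m.group(1)])}, not the {table} table")
    return out

def lint(files, inline_matches):
    known, findings = builtin_tables(files.get("actions", "")), []
    for name, text in sorted(files.items()):
        if name in ("rules", "accounting"):
            findings += section_findings(name, text)
        if name == "tcrules":
            findings += tcrules_findings(text)
        findings += semicolon_findings(name, text, inline_matches)
        if name in IPTABLES_FILES:
            findings += iptables_findings(name, text, known)
    return findings

SAMPLE = {  # constructed sample files, not from a real system
    "rules": ("#ACTION                     SOURCE  DEST  PROTO  DPORT\n"
              "?SECTION ESTABLISHED\n"
              "SECTION NEW\n"
              "ACCEPT                      net     $FW   tcp    22 ; -m recent --name ssh --set\n"
              "ACCEPT                      loc     $FW   ; proto=tcp,dport=53\n"
              "IPTABLES(TARPIT --honeypot) net     pot\n"
              "IPTABLES(MYTARGET)          net     $FW   tcp    25\n"),
    "mangle": "#ACTION           SOURCE  DEST  PROTO\nIPTABLES(TARPIT)  net     $FW   tcp   ; --dport 25\n",
    "tcrules": "#MARK  SOURCE          DEST\n1      192.168.1.0/24  0.0.0.0/0\n",
    "accounting": "#ACTION  SOURCE  DEST\n?SECTION ACCOUNTING\nCOUNT    net     $FW  ; proto=tcp,dport=80\n",
    "actions": "#ACTION  OPTIONS\nTARPIT   builtin,filter\n",
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE, inline_matches=True)))
```

Run against the sample with INLINE_MATCHES=Yes it reports the bare
SECTION line, the old ';proto=tcp,dport=53' form in 'rules' (which
would now be handed to iptables verbatim), the non-empty tcrules file,
the ';' in 'accounting', the undeclared MYTARGET, and TARPIT being used
in the mangle file while declared only for 'filter'. With
INLINE_MATCHES=No the old column=value line is accepted and the
'-m recent' line is flagged instead, since raw matches then need an
INLINE() or IPTABLES() action.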
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________