Tom Eastep
2016-10-27 19:31:48 UTC
Shorewall 5.0.14 Beta 2 is now available for testing.
Problems Corrected since Beta 1:
1) When the address variable for an optional interface was used, and
the interface did not have an IP address when the firewall was
started, then enabling the interface did not previously
create/alter the rules that use the address variable. Also, if the
IP address of a disabled interface changed, enabling the interface
did not update/add rules using the interface's gateway address
variable.
Now, if the IP address of a disabled optional interface
changes from its value (if any) when the netfilter ruleset was
instantiated, then after a successful 'enable', the ruleset is
automatically reloaded if the interface's address variable was
used.
Similarly, if 'detect' is specified as the GATEWAY for an optional
provider, then if the gateway at the time that the provider is
successfully enabled is different from that (if any) when the
netfilter ruleset was instantiated, then the ruleset is
automatically reloaded if the provider interface's run-time gateway
variable was used.
As part of this change, if an IP address is specified as the
GATEWAY for a provider, then the run-time gateway variable for the
provider's interface is expanded at compile time rather than at
runtime.
Example:
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
foo 1 1 - eth0 1.2.3.4 primary -
Then %eth0 will be expanded at compile time to '1.2.3.4'.
2) Several problems reported against Beta 1:
a) MASQUERADE+ was mis-handled in the snat file.
b) NONAT masq rules were translated incorrectly.
The fix for incorrect translation of +INLINE will be in the next
pre-release.
Thank you for testing,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
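As an added example (not Shorewall's code and not part of the announcement above), the POSIX shell script below models the two behaviours the announcement describes, on constructed input only: a provider whose GATEWAY is a literal IP address has its %INTERFACE gateway variable expanded at "compile time", a provider with GATEWAY 'detect' keeps %INTERFACE for run-time expansion, and a reload after 'enable' is needed only when that run-time variable is actually used in the rules and the gateway differs from the value recorded when the ruleset was instantiated. The providers lines, rule lines, the helper names (compile_map, expand_vars, compile_rules, runtime_rules, needs_reload) and the recorded/current gateway values are all constructed for the demonstration; nothing touches the live system.

```shell
#!/bin/sh
# Added example, not Shorewall code. Models compile-time vs run-time expansion
# of the %INTERFACE gateway variable and the reload-after-enable decision.

# Constructed providers file. Columns as in Shorewall's providers file:
# PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
PROVIDERS='foo 1 1 - eth0 1.2.3.4 primary -
bar 2 2 - eth1 detect - -'

# Constructed rules that use the run-time gateway variable of each provider
# interface (Shorewall's %eth0 / %eth1 syntax).
RULES='ACCEPT net:%eth0 $FW tcp 22
ACCEPT net:%eth1 $FW tcp 443'

# expand_vars MAP: read rule lines on stdin and replace every %IFACE whose
# IFACE is listed in MAP (lines of "IFACE VALUE") with VALUE. Other %IFACE
# references are left untouched. Works field by field so that %eth1 does not
# clobber a longer name such as %eth10.
expand_vars() {
    awk -v map="$1" '
    BEGIN {
        n = split(map, m, "\n")
        for (k = 1; k <= n; k++) {
            split(m[k], f, " ")
            if (f[1] != "") gw[f[1]] = f[2]
        }
    }
    {
        for (j = 1; j <= NF; j++) {
            if (match($j, /%[A-Za-z0-9_.]+/)) {
                name = substr($j, RSTART + 1, RLENGTH - 1)
                if (name in gw)
                    $j = substr($j, 1, RSTART - 1) gw[name] substr($j, RSTART + RLENGTH)
            }
        }
        print
    }'
}

# compile_map: "IFACE VALUE" pairs for providers whose GATEWAY column is a
# literal IPv4 address. A GATEWAY of 'detect' is deliberately omitted, so its
# variable survives compilation and is resolved at run time.
compile_map() {
    printf '%s\n' "$PROVIDERS" |
        awk '$6 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $5, $6 }'
}

# compile_rules: the "compiled" ruleset, i.e. RULES with compile-time
# expansion applied (%eth0 -> 1.2.3.4, %eth1 kept).
compile_rules() {
    printf '%s\n' "$RULES" | expand_vars "$(compile_map)"
}

# runtime_rules IFACE VALUE: the compiled ruleset after the run-time gateway
# VALUE detected for IFACE has been substituted.
runtime_rules() {
    compile_rules | expand_vars "$1 $2"
}

# variable_used IFACE: true if the compiled ruleset still references %IFACE,
# that is, if a rule depends on a gateway that is only known at run time.
variable_used() {
    compile_rules | grep -qE "%$1([^A-Za-z0-9_]|\$)"
}

# needs_reload IFACE STORED CURRENT: STORED is the gateway recorded when the
# netfilter ruleset was instantiated ('' if the interface had none), CURRENT
# the gateway after a successful 'enable'. A reload is needed only when the
# run-time variable is used and the value changed; a provider whose gateway
# was expanded at compile time never triggers one.
needs_reload() {
    variable_used "$1" && [ "$2" != "$3" ]
}

# Stand-alone demonstration.
echo "compiled ruleset:"
compile_rules
echo "after enabling eth1 with gateway 10.0.0.1:"
runtime_rules eth1 10.0.0.1
if needs_reload eth1 '' 10.0.0.1; then
    echo "eth1: gateway changed since instantiation, reload ruleset"
else
    echo "eth1: no reload needed"
fi
if needs_reload eth0 1.2.3.4 1.2.3.5; then
    echo "eth0: reload ruleset"
else
    echo "eth0: gateway was expanded at compile time, no reload"
fi
```

The script reproduces the announcement's example: %eth0 is gone from the compiled ruleset because provider foo names a literal gateway, while %eth1 (provider bar, GATEWAY 'detect') is substituted only when the interface is enabled, and a changed value there is what drives the reload.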