New in version 4.6.5 (November 15th, 2014)
- The configure scripts and installers now support SERVICEDIR as an alternative to SYSTEMD. For compatibility, SERVICED is an alias for SERVICEDIR.
- The installers now offer a choice of .service files, selected by the SERVICEFILE option. The default remains $PRODUCT.service. Each product supplying a .service file now also supplies a .service.214. The differences between the standard .service files and the .service.214 files are:
  - They specify 'after=network-online.target' rather than 'after=network.target'.
  - The file shorewall-init.service.214 specifies 'before=network-pre.target' rather than 'before=network.target'. That file requires systemd 214 or later, hence the names of the new files.
  Regardless of which file is selected, it is installed as $SERVICEDIR/$PRODUCT.service.
- The RATE LIMIT column of the rules files now allows specification of both a per-source and per-destination limit. See shorewall-rules(5) for details.
- Previously, /bin/sh was used unconditionally to process the helper script 'getparams'. That shell script reads the params file and passes back the (variable,value) pairs to the compiler. Beginning with this release, $SHOREWALL_SHELL is used to process that script, unless the compilation is for export, in which case /bin/sh is still used. Note that the default value of $SHOREWALL_SHELL is /bin/sh, so unless your configuration sets that variable, this enhancement will have no effect. Similarly, on an administrative system, this enhancement has no effect on the processing of the 'compile -e', 'load', 'reload' and 'export' commands.
- A -C option has been added to several commands to allow the iptables packet and byte counters to be preserved.
New in version 18.104.22.168 (September 15th, 2014)
- Including a PREROUTING SECTION in the accounting file unconditionally resulted in a fatal error: ERROR: The PREROUTING SECTION is not allowed when ACCOUNTING_TABLE=filter
- Previously, the compiler could generate many superfluous rules to enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options.
New in version 22.214.171.124 (February 8th, 2014)
- When a non-terminating target specified logging, the compiler would erroneously generate a 'goto' (-g) iptables command rather than a 'jump' (-j) command. Because a 'goto' does not return to the calling chain, the wrong set of rules was traversed, usually ending at the catchall 'REJECT' rule at the end of the INPUT or FORWARD chain. The compiler now generates a 'jump' rule in these cases.
- When an interface containing a period (such as a VLAN interface) was used in an 'add' or 'delete' command, the wrong ipset name was generated, resulting in failure of the command.
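The goto/jump difference behind the first fix above, shown with a small model of iptables chain traversal. This is an added illustration, not Shorewall code; the chain names (INPUT, net2fw, log_ssh) and the packet layout are constructed for the example.

```python
# Minimal model of iptables chain traversal: -j (jump) resumes in the calling
# chain when the target returns, -g (goto) resumes in the caller's caller.
# Constructed example, not Shorewall's compiler output.

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def traverse(chains, chain, pkt, log):
    """Walk `chain` for `pkt`. Returns a terminal verdict, or None when the
    chain RETURNs or falls off its end (the caller continues with its next rule)."""
    for match, action, target in chains[chain]:
        if not match(pkt):
            continue
        if action == "LOG":            # non-terminating: record and keep going
            log.append(chain)
        elif action in TERMINAL:
            return action
        elif action == "RETURN":
            return None
        elif action == "jump":         # -j: come back here after the target returns
            verdict = traverse(chains, target, pkt, log)
            if verdict is not None:
                return verdict
        elif action == "goto":         # -g: the target's return goes to OUR caller
            return traverse(chains, target, pkt, log)
    return None


def build(branch):
    """Ruleset where net2fw reaches a log-only chain via `branch` (jump or goto).
    Constructed chain names; the log chain is non-terminating, like the buggy case."""
    ssh = lambda p: p["proto"] == "tcp" and p["dport"] == 22
    any_ = lambda p: True
    return {
        "INPUT": [(any_, "jump", "net2fw"), (any_, "REJECT", None)],   # catchall REJECT
        "net2fw": [(ssh, branch, "log_ssh"), (ssh, "ACCEPT", None)],   # log, then accept
        "log_ssh": [(any_, "LOG", None)],                              # logs, then falls off
    }


def verdict_for(branch, pkt):
    """Return (verdict, chains that logged) for `pkt` under the given branch type."""
    log = []
    verdict = traverse(build(branch), "INPUT", pkt, log)
    return (verdict if verdict is not None else "POLICY"), log


if __name__ == "__main__":
    ssh_pkt = {"proto": "tcp", "dport": 22}
    print("goto:", verdict_for("goto", ssh_pkt))   # logged, then REJECT
    print("jump:", verdict_for("jump", ssh_pkt))   # logged, then ACCEPT
```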
New in version 126.96.36.199 (December 20th, 2013)
- A number of minor updates have been made to the documentation and manpages.
- The 'postcompile' extension script is now documented at http://www.shorewall.org/shorewall_extension_scripts.htm
- The 'add' command previously failed if 'IPSET=' appeared in the shorewall.conf file. This has been corrected.
New in version 188.8.131.52 (November 26th, 2013)
- The Broadcast actions have been corrected:
- --dst-type BROADCAST has been removed from the IPv6 version
- A superfluous DROP rule in the IPv4 version has been suppressed.
- Previously, if an HFSC class was specified with dmax but not umax, then the firewall would fail to start with the messages:
    Nov 14 13:42:42 Setting up Traffic Control...
    HFSC: Illegal "umax"
    HFSC: Illegal "sc"
    ERROR: Command "tc class add dev eth1 parent 1:1 classid 1:110 hfsc sc umax b dmax 150ms rate 1575kbit ul rate 3150kbit" Failed
  That problem has been corrected.
New in version 4.2.5 (January 28th, 2009)
- In addition to correcting several problems, this release offers additional options for handling multiple WAN interfaces as well as providing transparent support for the xtables-addons version of ipp2p.
New in version 4.2.4 (January 2nd, 2009)
- This release supports creation of IPv6 firewalls as well as IPv4.
New in version 4.2.1 (October 25th, 2008)
- Added CONNBYTES to the tcrules manpage. Fleshed out the description of HELPER.
- Fixed a minor CONNBYTES editing issue.
- Added CONNLIMIT to policy and rules.
- Allowed use of iptables-1.4.1.
- Added time match support.
- Applied Lennart Sorensen's patch for length match.
- Took advantage of --ctorigdstport.
- Fixed a syntax error in 'export'.