diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 7ab43d8ff..ae2d67a8e 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in Shorewall 4.4.21 Beta 3 3) Rename read_action_param and change signature. +4) Add DEFAULT to macro files. + Changes in Shorewall 4.4.21 Beta 2 1) Implement the 'update' command. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index f34c5d4bc..ed99830d2 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -33,14 +33,25 @@ None. 2) FORMAT-2 actions may now specify default parameter values using the DEFAULTS directive. - DEFAULTS ,,... + DEFAULTS ,,... Where is the default value for the first parameter, is the default value for the second parameter and so on. To specify an empty default, use '-'. -3) The standard Drop and Reject actions are now parameterized. Each - has three parameters: +3) Macros may now specify a default parameter value using the DEFAULT + directive. + + DEFAULT + + Example macro.Foo -- by default, accepts connections on ficticous + tcp port 'foo'. + + DEFAULT ACCEPT + PARAM - - tcp foo + +4) The standard Drop and Reject actions are now parameterized. Each + has 5 parameters: 1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited. Pass '-' otherwise. @@ -62,6 +73,21 @@ None. Reject audit A_REJECT Drop audit A_DROP + 4) The action to be applied to accepted ICMP packets. + + FIRST PARAMETER DEFAULT + + - ACCEPT + audit A_ACCEPT + + 5) The action to be applied to UPnP (udp port 1900) and late DNS + replies (udp source port 53) + + FIRST PARAMETER DEFAULT + + - DROP + audit A_DROP + The parameters can be passed in the POLICY column of the policy file. 
@@ -80,7 +106,7 @@ None. DROP_DEFAULT=Drop(-,DROP) -4) An 'update' command has been added to /sbin/shorewall and +5) An 'update' command has been added to /sbin/shorewall and /sbin/shorewall6. The command validates the configuration and then updates the shorewall.conf (shorewall6.conf) file. The updated file will set any new options with their default values and will move @@ -95,7 +121,7 @@ None. '-a' option that causes the updated file to be annotated with documentation. -5) Shorewall6 now supports ipsets. +6) Shorewall6 now supports ipsets. Unlike iptables, which has separate configurations for IPv4 and IPv6, ipset has a single configuration that handles both. This @@ -118,7 +144,7 @@ None. saved ipsets if SAVE_IPSETS=Yes in shorewall.conf (shorewall6.conf). -6) Shorewall6 now supports dynamic zones: +7) Shorewall6 now supports dynamic zones: 1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces 2) The HOSTS column of /etc/shorewall6/hosts may now contain diff --git a/docs/Actions.xml b/docs/Actions.xml index 207db8b60..a7fadc37d 100644 --- a/docs/Actions.xml +++ b/docs/Actions.xml @@ -174,7 +174,7 @@ ACCEPT - - tcp 135,139,445 Beginning with Shorewall 4.4.21, the standard Drop and Reject - options are parameterized. Each has three parameters as follows: + options are parameterized. Each has five parameters as follows: @@ -254,6 +254,30 @@ ACCEPT - - tcp 135,139,445 REJECT or A_REJECT depending on the setting of parameter 1 + + + Both + + 4 + + Determines what to do with accepted critical ICMP + packets. + + ACCEPT or A_ACCEPT depending on the setting of parameter + 1 + + + + Both + + 5 + + Determines what to do with late-arriving DNS replies + (source port 53) or UPnP (udp port 1900). + + DROP or A_DROP depending on the setting of parameter + 1. +
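Review bot: in the releasenotes.txt hunk that adds the macro DEFAULT directive (@@ -33,14 +33,25), the syntax lines and the explanatory sentence arrive without their placeholder tokens: the directive line reads just `DEFAULT`, the neighbouring DEFAULTS line reads `DEFAULTS ,,...`, and the sentence reads "Where is the default value for the first parameter". If the placeholders are written as angle-bracket tokens they are being swallowed before the text is rendered, so spell them as plain words (for example `DEFAULTS default1,default2,...` and `DEFAULT action`) so the syntax survives in the shipped release notes. In the same hunk, "ficticous" in the macro.Foo example should be "fictitious", and "has 5 parameters" should be "has five parameters" to match the wording this same change puts into docs/Actions.xml.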
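Review bot: the new parameter 4 and 5 entries in releasenotes.txt (@@ -62,6 +73,21) describe the result for each value of parameter 1 but never say what happens when the POLICY column omits them; the existing example further down, `DROP_DEFAULT=Drop(-,DROP)`, passes only two of the now five parameters, so a reader cannot tell from this text whether parameters 4 and 5 fall back to ACCEPT and DROP or the action fails to compile. Add one sentence stating the fallback, ideally pointing at the DEFAULTS directive introduced in item 2 of the same file. Minor: the parameter 5 heading "late DNS replies (udp source port 53)" is missing the closing period that the parameter 4 heading has.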
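Review bot: the parameter 4 row added to docs/Actions.xml (@@ -254,6 +254,30) says "accepted critical ICMP packets" while the matching release-notes entry says "accepted ICMP packets"; if only a subset of ICMP types is affected, "critical" is the precise wording and the release notes should use it too, otherwise drop it here. The parameter 5 row says "source port 53" where the release notes say "udp source port 53"; add "udp" so the traffic being described is unambiguous. It would also help operators to state plainly in this row that with parameter 1 left as '-' these late DNS replies and UPnP packets are dropped silently (DROP rather than A_DROP), so anyone who wants them in the audit trail has to pass 'audit' as the first parameter.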