May 18, 2020
What’s new
Simpler syntax for excluding subnets
A new NOT (!) operator simplifies the syntax for defining subnets to ignore.
Let’s imagine we wanted to exclude 10.0.0.0/8 and 11.0.0.0/8.
We can accomplish this in the Networking pane of an enforcer profile, using any of the following fields: Managed TCP Networks, Managed UDP Networks, or Excluded Networks.
Previously, we would have had to resort to the following binary expansion.
0.0.0.0/5 {0.0.0.0/8 .. 7.0.0.0/8}
8.0.0.0/7 {8.0.0.0/8 .. 9.0.0.0/8}
12.0.0.0/6 {12.0.0.0/8 ..15.0.0.0/8}
16.0.0.0/4 {16.0.0.0/8 .. 31.0.0.0/8}
32.0.0.0/3 {32.0.0.0/8 .. 63.0.0.0/8}
64.0.0.0/2 {64.0.0.0/8 .. 127.0.0.0/8}
128.0.0.0/1 {128.0.0.0/8 .. 255.0.0.0/8}
Now we can use the new NOT (!) operator for a much briefer and more readable expression.
0.0.0.0/0 !10.0.0.0/8 !11.0.0.0/8
Ability to forward packets unmodified
Aporeto forwards packets as is, without making any modifications, for IP addresses:
- In Excluded Networks
- Excluded from the Managed TCP Networks or Managed UDP Networks
Easier enforcer deployment
apoctl offers a new protect command that makes it a lot easier to deploy the Aporeto enforcer to a Kubernetes/OpenShift cluster and Linux hosts.
Learn how to use protect in the Linux and Kubernetes/OpenShift installation sections.
We also recommend reviewing the protect reference documentation.
Resolved issues
- #137: Spurious duplicate enforcer alerts no longer occasionally appear after upgrading.
Known issues
#146: RHEL 8 and RHEL CoreOS 8 (used by OpenShift 4) have deprecated
iptablesin favor ofnftables. Before installing Aporeto in these environments, you must enableiptables, such as via the following commands:modprobe ip_tables modprobe iptable_nat#1302: RHEL 8+ requires special configuration to work with the SSH access control feature. If you require this distribution, contact us for assistance.