2010-02-13 16:26:49 +01:00
1) All versions of Shorewall-perl mishandle per-IP rate limiting in
   REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
   the values given in the rule.

   Corrected in 4.4.7.1

2010-02-14 16:55:41 +01:00
2) Detection of the 'Old hashlimit match' capability was broken in
   /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
   shorecap. This problem only affects users of older distributions
   such as RHEL5 and derivatives.

   Corrected in 4.4.7.2

2010-02-14 21:11:11 +01:00
3) On older distributions such as RHEL5 and derivatives, when
   LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
   specified in /etc/shorewall/tcinterfaces.

   Corrected in 4.4.7.2

2010-02-14 21:11:11 +01:00
4) On older distributions such as RHEL5 and derivatives, when
   LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
   specified in /etc/shorewall/tcinterfaces.

   Corrected in 4.4.7.3

2010-02-15 23:48:40 +01:00
5) A CONTINUE rule specifying a log level will cause the compiler to
   generate an incorrect rule sequence. The packet will be logged but
   the CONTINUE action will not occur.

   To work around the problem, break the rule into two rules: a logging
   rule and a CONTINUE rule.

   Corrected in 4.4.7.5.