shorewall_code/Shorewall/releasenotes.txt

Shorewall 4.5.0

----------------------------------------------------------------------------
               R E L E A S E  4 . 5  H I G H L I G H T S
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
                    M I G R A T I O N   I S S U E S
----------------------------------------------------------------------------

1)  The change which removed the 15 port limitation on
    /etc/shorewall/routestopped was incomplete. The result was that if
    more than 15 ports are listed, an error was generated.

2)  If any interfaces have the 'bridge' option specified, compilation
    fails with the error:

    Undefined subroutine &Shorewall::Rules::match_source_interface called 
    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

3)  The compiler now flags port number 0 as an error. Previously, port
    0 was allowed with the result that invalid iptables-restore input
    could be generated.

----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 5 . 0
----------------------------------------------------------------------------

None.

----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------

1)  Shorewall now allows DNAT rules that change only the destination
    port.

    Example:

	DNAT	loc	net::456	udp	234

    That rule will modify the destination port in UDP packets received
    from the 'loc' zone from 456 to 234. Note that if the destination
    is the firewall itself, then the destination port will be rewritten
    but that no ACCEPT rule from the loc zone to the $FW zone will have
    been created to handle the request. So such rules should probably
    exclude the firewall's IP addresses in the ORIGINAL DEST column.

2)  Previously, the following sequence of policies would produce a
    'Duplicate Policy' error:

    	     $FW             all             ACCEPT
    	     $FW             dmz             REJECT          info

    Begining with 4.4.5, this sequence produces the same result as this
    one:

    	     $FW             dmz             REJECT          info
    	     $FW             all             ACCEPT

----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 5 . 0
----------------------------------------------------------------------------

1)  Previously, the following sequence of policies would produce a
    'Duplicate Policy' error:

    	     $FW             all             ACCEPT
    	     $FW             dmz             REJECT          info

    Begining with 4.5.0, this sequence produces the same result as this
    one:

    	     $FW             dmz             REJECT          info
    	     $FW             all             ACCEPT

2)  Shorewall now allows DNAT rules that change only the destination
    port.

    Example:

	DNAT	loc	net::456	udp	234

    That rule will modify the destination port in UDP packets received
    from the 'loc' zone from 456 to 234. Note that if the destination
    is the firewall itself, then the destination port will be rewritten
    but that no ACCEPT rule from the loc zone to the $FW zone will have
    been created to handle the request. So such rules should probably
    exclude the firewall's IP addresses in the ORIGINAL DEST column.
Open the 4.5.0 Thread 2009-11-21 20:41:10 +01:00			`Shorewall 4.5.0`
Copy 4.2 -common to trunk git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8937 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-07 19:17:26 +01:00
Merge 4.3 and 4.2 changelog and release notes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-17 22:06:30 +01:00			`----------------------------------------------------------------------------`
Open the 4.5.0 Thread 2009-11-21 20:41:10 +01:00			`R E L E A S E 4 . 5 H I G H L I G H T S`
Merge 4.3 and 4.2 changelog and release notes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-17 22:06:30 +01:00			`----------------------------------------------------------------------------`
Use <> rather than [] to delineate addresses git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9036 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-13 21:45:23 +01:00
Open the 4.5.0 Thread 2009-11-21 20:41:10 +01:00			`None.`
Extend release notes and correct typos 2009-08-11 17:02:36 +02:00
Initial 4.3.7 changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9572 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2009-03-01 20:46:30 +01:00			`----------------------------------------------------------------------------`
			`M I G R A T I O N I S S U E S`
			`----------------------------------------------------------------------------`
Document the deprecation of the old parameter macro syntax. Signed-off-by: Tom Eastep <teastep@shorewall.net> git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9696 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2009-03-16 19:01:42 +01:00
Apply bridge fix to 4.4 2009-11-22 17:18:23 +01:00			`1) The change which removed the 15 port limitation on`
			`/etc/shorewall/routestopped was incomplete. The result was that if`
			`more than 15 ports are listed, an error was generated.`

			`2) If any interfaces have the 'bridge' option specified, compilation`
			`fails with the error:`

			`Undefined subroutine &Shorewall::Rules::match_source_interface called`
			`at /usr/share/shorewall/Shorewall/Rules.pm line 2319.`
Allow wide MARK values in tcclasses when WIDE_TC_MARKS=Yes 2009-11-21 16:54:42 +01:00
Generate error on port == 0 2009-11-22 17:39:03 +01:00			`3) The compiler now flags port number 0 as an error. Previously, port`
			`0 was allowed with the result that invalid iptables-restore input`
			`could be generated.`
Make 'track' the default 2009-10-20 21:24:28 +02:00
Initial 4.3.7 changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9572 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2009-03-01 20:46:30 +01:00			`----------------------------------------------------------------------------`
Open the 4.5.0 Thread 2009-11-21 20:41:10 +01:00			`P R O B L E M S C O R R E C T E D I N 4 . 5 . 0`
Initial 4.3.7 changes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9572 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2009-03-01 20:46:30 +01:00			`----------------------------------------------------------------------------`
Update release documents git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9181 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2008-12-28 18:52:28 +01:00
Open 4.4.5 2009-11-21 20:08:50 +01:00			`None.`
Allow wide MARK values in tcclasses when WIDE_TC_MARKS=Yes 2009-11-21 16:54:42 +01:00
Fix logging NAT rules -- fix release notes 2009-08-05 22:00:10 +02:00			`----------------------------------------------------------------------------`
			`K N O W N P R O B L E M S R E M A I N I N G`
			`----------------------------------------------------------------------------`

Allow <zone>::<serverport> in the rules file DEST column 2009-11-23 18:56:15 +01:00			`1) Shorewall now allows DNAT rules that change only the destination`
			`port.`

			`Example:`

			`DNAT loc net::456 udp 234`

			`That rule will modify the destination port in UDP packets received`
			`from the 'loc' zone from 456 to 234. Note that if the destination`
			`is the firewall itself, then the destination port will be rewritten`
			`but that no ACCEPT rule from the loc zone to the $FW zone will have`
			`been created to handle the request. So such rules should probably`
			`exclude the firewall's IP addresses in the ORIGINAL DEST column.`
Implement an '-l' option to the 'show' command 2009-11-17 00:14:24 +01:00
Allow specific policy to supersede a wildcard policy 2009-11-23 19:02:04 +01:00			`2) Previously, the following sequence of policies would produce a`
			`'Duplicate Policy' error:`

			`$FW all ACCEPT`
			`$FW dmz REJECT info`

			`Begining with 4.4.5, this sequence produces the same result as this`
			`one:`

			`$FW dmz REJECT info`
			`$FW all ACCEPT`
Fix logging NAT rules -- fix release notes 2009-08-05 22:00:10 +02:00
Add support for 'persistent' 2009-08-15 17:15:38 +02:00			`----------------------------------------------------------------------------`
Open the 4.5.0 Thread 2009-11-21 20:41:10 +01:00			`N E W F E A T U R E S I N 4 . 5 . 0`
Add support for 'persistent' 2009-08-15 17:15:38 +02:00			`----------------------------------------------------------------------------`

Make 'expanded' apply to all wildcard policies 2009-11-21 23:18:01 +01:00			`1) Previously, the following sequence of policies would produce a`
			`'Duplicate Policy' error:`
Allow specific policy to supersede an expanded one 2009-11-21 22:56:40 +01:00
			`$FW all ACCEPT`
			`$FW dmz REJECT info`

			`Begining with 4.5.0, this sequence produces the same result as this`
			`one:`

			`$FW dmz REJECT info`
			`$FW all ACCEPT`

Allow <zone>::<serverport> in the rules file DEST column 2009-11-23 18:33:16 +01:00			`2) Shorewall now allows DNAT rules that change only the destination`
			`port.`

			`Example:`

			`DNAT loc net::456 udp 234`

			`That rule will modify the destination port in UDP packets received`
			`from the 'loc' zone from 456 to 234. Note that if the destination`
			`is the firewall itself, then the destination port will be rewritten`
			`but that no ACCEPT rule from the loc zone to the $FW zone will have`
			`been created to handle the request. So such rules should probably`
			`exclude the firewall's IP addresses in the ORIGINAL DEST column.`

Allow specific policy to supersede an expanded one 2009-11-21 22:56:40 +01:00