diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index cab76434b..8b65659a4 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -13,6 +13,8 @@ Changes in 3.2.0 Beta 5
 6) Fix deletion of SNAT ip addresses.
+7) Accomodate ancient kernel's with no FORWARD or POSTROUTING in mangle.
+
 Changes in 3.2.0 Beta 4
 1) Fix 'routeback' with bridge ports.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 9e33b86ab..7a4bf9a73 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -3470,9 +3470,13 @@ setup_tc1() {
 #
 createmanglechain tcpre
- [ -n "$MANGLE_FORWARD" ] && createmanglechain tcfor
+
+ if [ -n "$MANGLE_FORWARD" ]; then
+ createmanglechain tcfor
+ createmanglechain tcpost
+ fi
+
 createmanglechain tcout
- createmanglechain tcpost
 #
 # Process the TC Rules File
 #
@@ -3498,8 +3502,10 @@ setup_tc1() {
 run_iptables -t mangle -A PREROUTING $mark_part -j tcpre
 run_iptables -t mangle -A OUTPUT $mark_part -j tcout
- [ -n "$MANGLE_FORWARD" ] && run_iptables -t mangle -A FORWARD -j tcfor
- run_iptables -t mangle -A POSTROUTING -j tcpost
+ if [ -n "$MANGLE_FORWARD" ]; then
+ run_iptables -t mangle -A FORWARD -j tcfor
+ run_iptables -t mangle -A POSTROUTING -j tcpost
+ fi
 if [ -n "$HIGH_ROUTE_MARKS" ]; then
 for chain in INPUT FORWARD; do
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 4864e6925..acbc5efcf 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
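Review bot: In the `@@ -3470,9 +3470,13 @@` hunk of Shorewall/compiler, `createmanglechain tcpost` is now gated on `MANGLE_FORWARD`, a name that only speaks of the FORWARD chain, and nothing in the new code records that it is also being used as the indicator for mangle POSTROUTING; the `@@ -3498,8 +3502,10 @@` hunk repeats the same gating for the two jump rules. I would add a comment above the `if`, for example `# MANGLE_FORWARD is also treated as indicating mangle POSTROUTING support; very old kernels have neither chain`. The release notes in this commit say that a tcrules entry targeting either chain still makes [re]start fail on such kernels; that failure presumably surfaces only when iptables rejects a rule for the missing tcfor/tcpost chain, after earlier commands have already been applied. If the tcrules processing (outside this hunk) allows it, rejecting such entries with a clear error before any rule is installed would leave the firewall in a more predictable state. setup_tc1 starts and ends outside the hunk.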
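Review bot: The trailing context of the `@@ -3498,8 +3502,10 @@` hunk shows `for chain in INPUT FORWARD; do` under `HIGH_ROUTE_MARKS`, and that loop is not covered by the new `MANGLE_FORWARD` guard. The loop body is outside the hunk, but if it adds rules to the mangle table's FORWARD chain, [re]start would still fail on the kernels this commit targets whenever HIGH_ROUTE_MARKS is set. Consider guarding it the same way, e.g. `if [ -n "$HIGH_ROUTE_MARKS" ] && [ -n "$MANGLE_FORWARD" ]; then`, or documenting that HIGH_ROUTE_MARKS is unsupported without mangle FORWARD. Separately, when `MANGLE_FORWARD` is empty the tcfor and tcpost jumps are now skipped without any message, so a one-line warning at that point would tell the operator that forward and postrouting marking is inactive.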
@@ -46,6 +46,15 @@ Problems Corrected in 3.2.0 Beta 5
 4) Regardless of the setting of ADD_SNAT_IPADDRS, Shorewall will delete the ADDRESS in an SNAT rule (/etc/shorewall/masq) during [re]start.
+5) Previously, if your kernel did not supply the mangle table FORWARD chain
+ then "shorewall [re]start" would fail. Now, if your mangle table does
+ not supply this chain, Shorewall will avoid using that either that chain or
+ the mangle table POSTROUTING chain. This change is strictly to stop Shorewall
+ from blowing up during [re]start on very old kernels (such as 2.4.17
+ running on a PS2); if your kernel does not support these chains and you
+ try to mark packets in either of them using entries in
+ /etc/shorewall/tcrules, [re]start will fail.
+
 Other changes in 3.2.0 Beta 5
 1) The "shorewall refresh" command no longer refreshes traffic shaping.