diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index f061312f8..44d7f30b9 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -126,7 +126,7 @@ Other changes in Shorewall 4.2.1 causes connections to match when the number of current connections exceeds . - When specified in the policy file, the limit is envorced on all + When specified in the policy file, the limit is enforced on all connections that are subject to the given policy (just like LIMIT:BURST). The limit is checked on new connections before the connection is passed through the rules in the NEW section of the @@ -174,10 +174,16 @@ Other changes in Shorewall 4.2.1 Beginning November 1, 2008 at noon LCT. + Use of this feature requires the time match capability in your + kernel and iptables. If you use a capabilities file when compiling + your Shorewall configuration(s), then you need to regenerate the + file using Shorewall or Shorewall-lite 4.2.1. + 3) If your kernel and iptables support "-m conntrack --ctorigdstport" then Shorewall will utilize that capability to ensure that when you do port mapping (change the destination port but not the - destination IP address), the final destination port is not open. + destination IP address), the final destination port is not opened + as a side effect. Example:
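Review bot: in the second hunk (@@ -174,10 +174,16 @@), the new capabilities-file caveat is attached only to the time match item, but item 3 directly below it also depends on a detected capability ("-m conntrack --ctorigdstport"), so it presumably has the same requirement for anyone compiling with a capabilities file. Consider moving the sentence to a note that covers both items, or repeating it under item 3. The added text "using Shorewall or Shorewall-lite 4.2.1" could also read "4.2.1 or later", and it would help to name the command that regenerates the file.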