mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-24 15:18:53 +01:00
Fix CONTINUE policy bug and document other changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5525 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f107620ef8
commit
6cc17e8a32
@ -2,6 +2,12 @@ Changes in 3.4.1
|
|||||||
|
|
||||||
1) Add rest of proxy arp fix.
|
1) Add rest of proxy arp fix.
|
||||||
|
|
||||||
|
2) Fix two problems with log-prefix handling.
|
||||||
|
|
||||||
|
3) Nested Zones produced shell errors.
|
||||||
|
|
||||||
|
4) CONTINUE policies generated invalid iptables input.
|
||||||
|
|
||||||
Changes in 3.4.0 Final
|
Changes in 3.4.0 Final
|
||||||
|
|
||||||
1) Add missing logic for "!" rules.
|
1) Add missing logic for "!" rules.
|
||||||
|
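Review bot: Changelog item 2, "Fix two problems with log-prefix handling", folds two fixes into one entry, while the release notes updated in this same commit list them separately as problems 2 and 3. As a result changelog items 3 and 4 correspond to release-note items 4 and 5. Splitting item 2 into two entries would keep the numbering of the two files aligned for anyone cross-referencing them.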
@ -486,7 +486,7 @@ validate_policy()
|
|||||||
eval parents=\$${zone}_parents
|
eval parents=\$${zone}_parents
|
||||||
if [ -n "$parents" ]; then
|
if [ -n "$parents" ]; then
|
||||||
for zone1 in $ZONES $FW; do
|
for zone1 in $ZONES $FW; do
|
||||||
if $zone != $zone1; then
|
if [ $zone != $zone1 ]; then
|
||||||
chain=${zone}2${zone1}
|
chain=${zone}2${zone1}
|
||||||
eval ${chain}_is_policy=Yes
|
eval ${chain}_is_policy=Yes
|
||||||
eval ${chain}_is_optional=Yes
|
eval ${chain}_is_optional=Yes
|
||||||
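Review bot: The corrected test `if [ $zone != $zone1 ]; then` in validate_policy() still expands both variables unquoted, so an empty value would make `[` fail with a syntax error rather than compare; prefer `[ "$zone" != "$zone1" ]`. The commit message names only the CONTINUE fix, but this line is a separate behavior change (the old form ran the zone name as a command, which matches the "<zone>: not found" symptom in the release notes), so it should be mentioned in the message or split into its own commit.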
@ -3067,6 +3067,8 @@ policy_rules() # $1 = chain to add rules to
|
|||||||
REJECT)
|
REJECT)
|
||||||
run_iptables -A $1 -j reject
|
run_iptables -A $1 -j reject
|
||||||
;;
|
;;
|
||||||
|
CONTINUE)
|
||||||
|
;;
|
||||||
*)
|
*)
|
||||||
run_iptables -A $1 -j $target
|
run_iptables -A $1 -j $target
|
||||||
;;
|
;;
|
||||||
|
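Review bot: The new empty `CONTINUE)` arm in policy_rules() carries no comment explaining why nothing is emitted, so next to the `REJECT)` arm it reads like an omission. Add a one-line comment stating that CONTINUE is not an iptables target and that the chain is intentionally left without a terminating jump, so a later edit does not let it fall back into the `*)` default, which runs `run_iptables -A $1 -j $target`.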
@ -30,14 +30,38 @@ Release Highlights
|
|||||||
|
|
||||||
Problems Corrected in 3.4.1
|
Problems Corrected in 3.4.1
|
||||||
|
|
||||||
1) The "shorewall-[lite] [re]start and stop" commands reset the
|
1) The "shorewall-[lite] [re]start and stop" commands reset the
|
||||||
proxy_arp flag on all interfaces on the system making it impossible
|
proxy_arp flag on all interfaces on the system making it impossible
|
||||||
to control proxy arp manually with Shorewall installed. There was a
|
to control proxy arp manually with Shorewall installed. There was a
|
||||||
partial fix included in 3.4.0; unfortunately, it did not correct the
|
partial fix included in 3.4.0; unfortunately, it did not correct the
|
||||||
problem completely. Shorewall 3.4.1 includes the rest of the change
|
problem completely. Shorewall 3.4.1 includes the rest of the change
|
||||||
necessarey to only clear proxy arp if there were entries in
|
necessarey to only clear proxy arp if there were entries in
|
||||||
/etc/shorewall/proxyarp the last time that Shorewall was
|
/etc/shorewall/proxyarp the last time that Shorewall was
|
||||||
[re]started.
|
[re]started.
|
||||||
|
|
||||||
|
2) If the log-prefix in a log message exceeded 29 characters,
|
||||||
|
'shorewall restart' fails with 'truncate: command not found' and a
|
||||||
|
possible segmentation fault in iptables.
|
||||||
|
|
||||||
|
3) Log messages specifying a log tag had two spaces appended to the
|
||||||
|
log prefix. This could cause mysterious "log-prefix truncated"
|
||||||
|
messages.
|
||||||
|
|
||||||
|
4) When nested zones were defined in the /etc/shorewall/zones file,
|
||||||
|
shell error messages ( usually '<zone>: not found' ) during
|
||||||
|
compilation resulted.
|
||||||
|
|
||||||
|
5) Use of CONTINUE policies lead to startup errors with a message
|
||||||
|
such as the following:
|
||||||
|
|
||||||
|
Applying Policies...
|
||||||
|
iptables v1.3.7: Couldn't load target
|
||||||
|
`CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
|
||||||
|
shared object file: No such file or directory
|
||||||
|
|
||||||
|
Try `iptables -h' or 'iptables --help' for more information.
|
||||||
|
|
||||||
|
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
|
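Review bot: In the added release-note item 5, "lead to startup errors" should be "led to startup errors", and item 2 mixes tenses ("exceeded 29 characters, 'shorewall restart' fails"); pick past tense to match the other entries. The quoted iptables output in item 5 is also hard-wrapped mid-message, so the target name and the path `/usr/local/lib/iptables/libipt_CONTINUE.so` run together; keeping the error text on its original lines, or indenting it as a literal block, would make it easier for users to match against what they see on their own systems.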