Fix CONTINUE policy bug and document other changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5525 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-14 19:33:31 +00:00
parent f107620ef8
commit 6cc17e8a32
3 changed files with 41 additions and 9 deletions


@ -2,6 +2,12 @@ Changes in 3.4.1
1) Add rest of proxy arp fix. 1) Add rest of proxy arp fix.
2) Fix two problems with log-prefix handling.
3) Nested Zones produced shell errors.
4) CONTINUE policies generated invalid iptables input.
Changes in 3.4.0 Final Changes in 3.4.0 Final
1) Add missing logic for "!" rules. 1) Add missing logic for "!" rules.
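Review bot: the new changelog entries number the CONTINUE fix as 4) while the release notes in this same commit list it as problem 5), because entry 2) "Fix two problems with log-prefix handling" is split into two items there. Splitting entry 2) here as well would keep the two lists aligned for anyone cross-referencing them.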


@ -486,7 +486,7 @@ validate_policy()
eval parents=\$${zone}_parents eval parents=\$${zone}_parents
if [ -n "$parents" ]; then if [ -n "$parents" ]; then
for zone1 in $ZONES $FW; do for zone1 in $ZONES $FW; do
if $zone != $zone1; then if [ $zone != $zone1 ]; then
chain=${zone}2${zone1} chain=${zone}2${zone1}
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
eval ${chain}_is_optional=Yes eval ${chain}_is_optional=Yes
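Review bot: the corrected test in validate_policy(), `if [ $zone != $zone1 ]; then`, leaves both expansions unquoted, so an empty value or one containing whitespace would make `[` fail with a syntax error instead of comparing. Quoting both sides, `if [ "$zone" != "$zone1" ]; then`, costs nothing and avoids a repeat of the shell errors this line is being fixed for.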
@ -3067,6 +3067,8 @@ policy_rules() # $1 = chain to add rules to
REJECT) REJECT)
run_iptables -A $1 -j reject run_iptables -A $1 -j reject
;; ;;
CONTINUE)
;;
*) *)
run_iptables -A $1 -j $target run_iptables -A $1 -j $target
;; ;;
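Review bot: the new `CONTINUE)` arm in policy_rules() is empty and has no comment, so a later reader cannot tell that adding no rule is deliberate. A one-line comment stating that a CONTINUE policy appends no terminating rule to the chain would document the intent. Note also that the `*)` arm still hands any other value of $target to `run_iptables -A $1 -j $target`, which is the path CONTINUE took before this change; if policy names are not validated earlier, an explicit list of accepted targets here would fail with a clearer error than the iptables one.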


@ -30,14 +30,38 @@ Release Highlights
Problems Corrected in 3.4.1 Problems Corrected in 3.4.1
1) The "shorewall-[lite] [re]start and stop" commands reset the 1) The "shorewall-[lite] [re]start and stop" commands reset the
proxy_arp flag on all interfaces on the system making it impossible proxy_arp flag on all interfaces on the system making it impossible
to control proxy arp manually with Shorewall installed. There was a to control proxy arp manually with Shorewall installed. There was a
partial fix included in 3.4.0; unfortunately, it did not correct the partial fix included in 3.4.0; unfortunately, it did not correct the
problem completely. Shorewall 3.4.1 includes the rest of the change problem completely. Shorewall 3.4.1 includes the rest of the change
necessarey to only clear proxy arp if there were entries in necessarey to only clear proxy arp if there were entries in
/etc/shorewall/proxyarp the last time that Shorewall was /etc/shorewall/proxyarp the last time that Shorewall was
[re]started. [re]started.
2) If the log-prefix in a log message exceeded 29 characters,
'shorewall restart' fails with 'truncate: command not found' and a
possible segmentation fault in iptables.
3) Log messages specifying a log tag had two spaces appended to the
log prefix. This could cause mysterious "log-prefix truncated"
messages.
4) When nested zones were defined in the /etc/shorewall/zones file,
shell error messages ( usually '<zone>: not found' ) during
compilation resulted.
5) Use of CONTINUE policies lead to startup errors with a message
such as the following:
Applying Policies...
iptables v1.3.7: Couldn't load target
`CONTINUE':/usr/local/lib/iptables/libipt_CONTINUE.so: cannot open
shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A net2c148 -j CONTINUE" Failed
Migration Considerations: Migration Considerations:
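Review bot: in the added item 5), "Use of CONTINUE policies lead to startup errors" should read "led to", and item 2) switches tense mid-sentence ("exceeded 29 characters" followed by "fails with"). Since this hunk already touches item 1), the "necessarey" typo in its context lines could be corrected in the same pass.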