From 8ea3e53154d1aaae8369badfcf91c2cd47a81f1f Mon Sep 17 00:00:00 2001
From: teastep
July 15, 200
-
July 20, 2007
+2007-07-27 Shorewall 4.0.1
+Problems corrected in 4.0.1. + +1) The Shorewall Lite installer was producing an empty shorewall-lite + manpage. Since the installer runs as part of creating the RPM, the + RPM also suffered from this problem. The 4.0.0 Shorewall-lite + packages were re-uploaded with this problem corrected. + +2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall + rather than /sbin/shorewall-lite. + +3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall + clear" if Shorewall [Lite] was running. Now, the Shorewall Lite + uninstaller correctly does "shorewall-lite clear" and both + uninstallers only perform the 'clear' operation if the other + product is not installed. This prevents the removal of one of the + two products from clearing the firewall configuration established + by the other one. + +4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by + Shorewall-perl. If the zone type was changed to 'ipsec' or + 'ipsec4' and the 'ipsec' option removed from the hosts file entry, + the configuration worked properly. + +5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then + Shorewall-perl produced the following: + + Compiling... + Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18. + ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18) + +6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was + locating the binary using the PATH environmental variable rather + than the PATH setting in shorewall.conf. If no PATH was available + when Shorewall-perl was run and IPTABLES was not set in + shorewall.conf, the following messages were issued: + + Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054. 
+ ERROR: Can't find iptables executable + ERROR: Shorewall restart failed + +7) If the "Mangle FORWARD Chain" capability was supported, entries in + the /etc/shorewall/ecn file would cause invalid iptables commands + to be generated. This problem occurred with both compilers. + +8) Shorewall now starts at reboot after an upgrade from shorewall < + 4.0.0. Previously, Shorewall was not started automatically at + reboot after an upgrade using the RPMs. + +9) Shorewall-perl was generating invalid iptables-restore input when a + log level was specified with the dropBcast and allowBcast builtin + actions and when a log level followed by '!' was used with any + builtin actions. + +Other changes in Shorewall 4.0.1. + +1) A new EXPAND_POLICIES option is added to shorewall.conf. The + option is recognized by Shorewall-perl and is ignored by + Shorewall-shell. + + Normally, when the SOURCE or DEST columns in shorewall-policy(5) + contains 'all', a single policy chain is created and the policy is + inforced in that chain. For example, if the policy entry is + + #SOURCE DEST POLICY LOG + # LEVEL + net all DROP info + + then the chain name is 'net2all' which is also the chain named in + Shorewall log messages generated as a result of the policy. If + EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate + chain for each pair of zones covered by the policy. This makes the + resulting log messages easier to interpret since the chain in the + messages will have a name of the form 'a2b' where 'a' is the SOURCE + zone and 'b' is the DEST zone. See + http://linuxman.wikispaces.com/PPPPPPS for more information. + +2) The Shorewall-perl dependency on the "Address Type Match" + capability has been relaxed. This allows Shorewall 4.0.1 to be used + on releases like RHEL4 that don't support that capability. + +3) Shorewall-perl now detects dead policy file entries that result + when an entry is masked by an earlier entry. Example: + + all all REJECT info + loc net ACCEPT +
2007-07-20 Shorewall 4.0.0
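Review bot: in item 1 of "Other changes in Shorewall 4.0.1", "the policy is inforced in that chain" should read "enforced", and item 6 of "Problems corrected" should say "PATH environment variable" rather than "environmental variable". Item 4 also reads as a workaround rather than a fix: it says the configuration worked once the zone type was changed to 'ipsec' or 'ipsec4' and the 'ipsec' option removed from the hosts entry, but never states what Shorewall-perl now does with the 'ipsec' OPTION in /etc/shorewall/hosts, and one sentence naming the corrected behaviour is what an administrator needs when deciding whether this release affects them. Item 3 of "Other changes" stops right after the two example policy entries ("all all REJECT info" / "loc net ACCEPT") without saying what the compiler reports for the masked 'loc net ACCEPT' line (a warning, or a compile error); since a silently masked ACCEPT means the firewall rejects traffic the administrator believed was permitted, the entry should state how the dead entry is surfaced.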