mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-20 09:47:51 +02:00
News update for 4.0.1
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6977 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
3dfc4bf0ef
commit
8ea3e53154
92
web/News.htm
92
web/News.htm
@ -24,8 +24,96 @@ href="GnuCopyright.htm" target="_self">GNU Free Documentation
|
|||||||
License</a></span>”.<br>
|
License</a></span>”.<br>
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p>July 15, 200<br>
|
<p>July 20, 2007</p>
|
||||||
</p>
|
<hr style="width: 100%; height: 2px;">
|
||||||
|
|
||||||
|
<p><strong>2007-07-27 Shorewall 4.0.1</strong></p>
|
||||||
|
<pre>Problems corrected in 4.0.1.
|
||||||
|
|
||||||
|
1) The Shorewall Lite installer was producing an empty shorewall-lite
|
||||||
|
manpage. Since the installer runs as part of creating the RPM, the
|
||||||
|
RPM also suffered from this problem. The 4.0.0 Shorewall-lite
|
||||||
|
packages were re-uploaded with this problem corrected.
|
||||||
|
|
||||||
|
2) The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
|
||||||
|
rather than /sbin/shorewall-lite.
|
||||||
|
|
||||||
|
3) Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
|
||||||
|
clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
|
||||||
|
uninstaller correctly does "shorewall-lite clear" and both
|
||||||
|
uninstallers only perform the 'clear' operation if the other
|
||||||
|
product is not installed. This prevents the removal of one of the
|
||||||
|
two products from clearing the firewall configuration established
|
||||||
|
by the other one.
|
||||||
|
|
||||||
|
4) The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
|
||||||
|
Shorewall-perl. If the zone type was changed to 'ipsec' or
|
||||||
|
'ipsec4' and the 'ipsec' option removed from the hosts file entry,
|
||||||
|
the configuration worked properly.
|
||||||
|
|
||||||
|
5) If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
|
||||||
|
Shorewall-perl produced the following:
|
||||||
|
|
||||||
|
Compiling...
|
||||||
|
Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
|
||||||
|
ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
|
||||||
|
|
||||||
|
6) If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
|
||||||
|
locating the binary using the PATH environmental variable rather
|
||||||
|
than the PATH setting in shorewall.conf. If no PATH was available
|
||||||
|
when Shorewall-perl was run and IPTABLES was not set in
|
||||||
|
shorewall.conf, the following messages were issued:
|
||||||
|
|
||||||
|
Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
|
||||||
|
ERROR: Can't find iptables executable
|
||||||
|
ERROR: Shorewall restart failed
|
||||||
|
|
||||||
|
7) If the "Mangle FORWARD Chain" capability was supported, entries in
|
||||||
|
the /etc/shorewall/ecn file would cause invalid iptables commands
|
||||||
|
to be generated. This problem occurred with both compilers.
|
||||||
|
|
||||||
|
8) Shorewall now starts at reboot after an upgrade from shorewall <
|
||||||
|
4.0.0. Previously, Shorewall was not started automatically at
|
||||||
|
reboot after an upgrade using the RPMs.
|
||||||
|
|
||||||
|
9) Shorewall-perl was generating invalid iptables-restore input when a
|
||||||
|
log level was specified with the dropBcast and allowBcast builtin
|
||||||
|
actions and when a log level followed by '!' was used with any
|
||||||
|
builtin actions.
|
||||||
|
|
||||||
|
Other changes in Shorewall 4.0.1.
|
||||||
|
|
||||||
|
1) A new EXPAND_POLICIES option is added to shorewall.conf. The
|
||||||
|
option is recognized by Shorewall-perl and is ignored by
|
||||||
|
Shorewall-shell.
|
||||||
|
|
||||||
|
Normally, when the SOURCE or DEST columns in shorewall-policy(5)
|
||||||
|
contains 'all', a single policy chain is created and the policy is
|
||||||
|
inforced in that chain. For example, if the policy entry is
|
||||||
|
|
||||||
|
#SOURCE DEST POLICY LOG
|
||||||
|
# LEVEL
|
||||||
|
net all DROP info
|
||||||
|
|
||||||
|
then the chain name is 'net2all' which is also the chain named in
|
||||||
|
Shorewall log messages generated as a result of the policy. If
|
||||||
|
EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
|
||||||
|
chain for each pair of zones covered by the policy. This makes the
|
||||||
|
resulting log messages easier to interpret since the chain in the
|
||||||
|
messages will have a name of the form 'a2b' where 'a' is the SOURCE
|
||||||
|
zone and 'b' is the DEST zone. See
|
||||||
|
http://linuxman.wikispaces.com/PPPPPPS for more information.
|
||||||
|
|
||||||
|
2) The Shorewall-perl dependency on the "Address Type Match"
|
||||||
|
capability has been relaxed. This allows Shorewall 4.0.1 to be used
|
||||||
|
on releases like RHEL4 that don't support that capability.
|
||||||
|
|
||||||
|
3) Shorewall-perl now detects dead policy file entries that result
|
||||||
|
when an entry is masked by an earlier entry. Example:
|
||||||
|
|
||||||
|
all all REJECT info
|
||||||
|
loc net ACCEPT
|
||||||
|
</pre>
|
||||||
<hr style="width: 100%; height: 2px;">
|
<hr style="width: 100%; height: 2px;">
|
||||||
|
|
||||||
<p><strong>2007-07-20 Shorewall 4.0.0</strong></p>
|
<p><strong>2007-07-20 Shorewall 4.0.0</strong></p>
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user