diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index 703322ec4..91101461d 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -93,3 +93,5 @@ Changes in 2.0.12
 3) Implement variable expansion in INCLUDE directives
 4) Split restore-base into two files.
+
+5) Correct dynamic zone OUTPUT handling.
diff --git a/STABLE2/firewall b/STABLE2/firewall
index a625ab975..779f63314 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -5228,7 +5228,7 @@ add_common_rules() {
 run_iptables -A $(input_chain $interface) -j $chain
 run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
- run_iptables -A OUTPUT -j $(dynamic_out $interface)
+ run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
 done
 fi
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 1ac49c040..30ed7ded4 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@@ -220,6 +220,12 @@ Problems corrected in 2.0.12
 /var/lib/shorewall/restore-tail -- commands to be executed after the Netfilter configuration is restored.
+4) Previously, traffic from the firewall to a dynamic zone member host
+ did not need to match the interface specified when the host was
+ added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
+ zone Z then traffic out of any firewall interface to 1.2.3.4 will
+ obey the fw->Z policies and rules. This has been corrected.
+
 -----------------------------------------------------------------------
 New Features in 2.0.12
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index f9fffb27e..0d28563a7 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -164,3 +164,5 @@ Changes since 2.0.3
 79) More fixes for "shorewall delete" with bridging.
 80) Split restore-base into two files.
+
+81) Correct OUTPUT handling of dynamic zones.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index b5f6f5f2c..69bed79a9 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
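Review bot: The reason the OUTPUT jump now needs `-o $interface` while the INPUT and FORWARD jumps on the two lines above do not is not recorded at the changed line, and the identical bare one-liner appears again in the Shorewall2/firewall hunk at -6122. The input_chain/forward_chain targets are already per-interface chains, whereas OUTPUT is the single built-in chain, so without the interface match the dynamic_out rules would presumably be matched on destination address alone for traffic leaving any interface — the over-broad policy application the release notes describe. I would add a comment above the changed line in both copies: `# OUTPUT is not per-interface: match -o so fw->zone rules only apply to traffic leaving the interface the host was added on (eth0:a.b.c.d)`. The enclosing loop and add_common_rules() both begin before this hunk; only the loop's done/fi close inside it. A simple post-restart check is that `iptables -L OUTPUT -nv` lists one jump to each dynamic_out chain with a non-`*` out interface.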
@@ -6122,7 +6122,7 @@ add_common_rules() {
 run_iptables -A $(input_chain $interface) -j $chain
 run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
- run_iptables -A OUTPUT -j $(dynamic_out $interface)
+ run_iptables -A OUTPUT -o $interface -j $(dynamic_out $interface)
 done
 fi
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 4f2363486..5be9d1f84 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -169,6 +169,12 @@ Problems corrected since 2.2.0 Beta 6:
 /var/lib/shorewall/restore-tail -- commands to be executed after the Netfilter configuration is restored.
+3) Previously, traffic from the firewall to a dynamic zone member host
+ did not need to match the interface specified when the host was
+ added to the zone. For example, if eth0:1.2.3.4 is added to dynamic
+ zone Z then traffic out of any firewall interface to 1.2.3.4 will
+ obey the fw->Z policies and rules. This has been corrected.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1: