From 9ff5fc30c1bd5893df153611d7b0ecb991a5de8b Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Dec 2003 20:39:06 +0000 Subject: [PATCH] Convert errata.htm to Docbook XML git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@980 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/errata.htm | 349 ------------------------------- Shorewall-docs/errata.xml | 426 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 426 insertions(+), 349 deletions(-) delete mode 100644 Shorewall-docs/errata.htm create mode 100644 Shorewall-docs/errata.xml diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm deleted file mode 100644 index 28233320c..000000000 --- a/Shorewall-docs/errata.htm +++ /dev/null @@ -1,349 +0,0 @@ - - - - - Shorewall 1.4 Errata - - - - - - -

-

Shorewall Errata
-

-

IMPORTANT

-
    -
  1. -

    If you use a Windows system to download -a corrected script, be sure to run the script through dos2unix after you have moved -it -to your Linux system.

    -
  2. -
  3. -

    If you are installing Shorewall for the first -time and plan to use the .tgz and install.sh script, you can untar the -archive, replace the 'firewall' script in the untarred directory with -the one you downloaded below, and then run install.sh.

    -
  4. -
  5. -

    When the instructions say to install a -corrected firewall script in /usr/share/shorewall/firewall, you may -rename the existing file before copying in the new file.

    -
  6. -
  7. -

    DO NOT INSTALL CORRECTED -COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER -BELOW. For example, do NOT install the 1.3.9a firewall script if you -are -running 1.3.7c.
    -

    -
  8. -
- -
-

Problems in Version 1.4

-

-

1.4.8

- -This problem has been corrected in this firewall -script which may be installed in /usr/share/shorewall/firewall as -described above.
-

1.4.7

- -These problems have been corrected in this firewall -script which may be installed in /usr/share/shorewall/firewall as -described above.
-

1.4.6

- -

1.4.4b

- -

1.4.4-1.4.4a

- -

1.4.4
-

- -

1.4.3

- -

1.4.2

- -

1.4.1a, 1.4.1 and 1.4.0

- -

1.4.1

- -

1.4.0

- -
-

Upgrade Issues

-

The upgrade issues have moved to a separate page.

-
-

Problem -with iptables version 1.2.3

-
-

There are a couple of serious bugs in iptables 1.2.3 -that prevent it from working with Shorewall. Regrettably, RedHat -released this buggy iptables in RedHat 7.2. 

-

I have built a -corrected 1.2.3 rpm which you can download here  and I have -also -built an -iptables-1.2.4 rpm which you can download here. If you are -currently -running RedHat 7.1, you can install either of these RPMs before - you -upgrade to RedHat 7.2.

-

Update 11/9/2001: RedHat -has released an iptables-1.2.4 RPM of their own which you can download -from http://www.redhat.com/support/errata/RHSA-2001-144.html.I -have installed this RPM on my firewall and it works fine.

-

If you would like to patch iptables 1.2.3 yourself, -the patches are available for download. This patch -which corrects a problem with parsing of the --log-level specification -while this patch -corrects a problem in handling the  TOS target.

-

To install one of the above patches:

- -
-

Problems with kernels >= 2.4.18 and RedHat -iptables

-
-

Users who use RedHat iptables RPMs and who upgrade to kernel -2.4.18/19 may experience the following:

-
-
# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
-
-

The RedHat iptables RPM is compiled with debugging enabled but the -user-space debugging code was not updated to reflect recent changes in -the Netfilter 'mangle' table. You can correct the problem by installing - -this iptables RPM. If you are already running a 1.2.5 version of -iptables, you will need to specify the --oldpackage option to rpm -(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

-
-

Problems installing/upgrading RPM on SuSE

-

If you find that rpm complains about a conflict with kernel <= -2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps" -option to rpm.

-

Installing: rpm -ivh --nodeps <shorewall rpm>

-

Upgrading: rpm -Uvh --nodeps <shorewall rpm>

-

Problems with iptables version 1.2.7 and -MULTIPORT=Yes

-

The iptables 1.2.7 release of iptables has made an incompatible -change to the syntax used to specify multiport match rules; as a -consequence, if you install iptables 1.2.7 you must be running -Shorewall -1.3.7a or later or:

- -

Problems with RH Kernel 2.4.18-10 and NAT
-

-/etc/shorewall/nat entries of the following form will result in -Shorewall being unable to start:
-
-
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
192.0.2.22    eth0    192.168.9.22   yes     yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
-Error message is:
-
Setting up NAT...
iptables: Invalid argument
Terminated

-The solution is to put "no" in the LOCAL column. Kernel support for -LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The -2.4.19 kernel contains corrected support under a new kernel -configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
-
-

Problems with RH Kernels after 2.4.20-9 -and -REJECT (also applies to 2.4.21-RC1)

-Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with -tcp-reset" is broken. The symptom most commonly seen is that REJECT -rules act just like DROP rules when dealing with TCP. A kernel patch -and -precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.
-
-

Last updated 12/17/2003 - Tom -Eastep

-

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-

-
-
- - diff --git a/Shorewall-docs/errata.xml b/Shorewall-docs/errata.xml new file mode 100644 index 000000000..af2da271d --- /dev/null +++ b/Shorewall-docs/errata.xml @@ -0,0 +1,426 @@ + + +
+ + + + Shorewall Errata + + + + Tom + + Eastep + + + + 2003-12-17 + + + 2001-2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + + + + + If you use a Windows system to download a corrected script, be + sure to run the script through dos2unix + after you have moved it to your Linux system. + + + + If you are installing Shorewall for the first time and plan to + use the .tgz and install.sh script, you can untar the archive, replace + the 'firewall' script in the untarred directory with the one + you downloaded below, and then run install.sh. + + + + When the instructions say to install a corrected firewall script + in /usr/share/shorewall/firewall, you may rename the existing file + before copying in the new file. + + + + DO NOT INSTALL CORRECTED COMPONENTS ON A + RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. + For example, do NOT install the 1.3.9a firewall script if you are + running 1.3.7c. + + + + +
+ Problems in Version 1.4 + +
+ Shorewall 1.4.8 + + + + When a DNAT rules specifies SNAT (e.g., when <original + dest addr>:<SNAT addr> is given in the ORIGINAL DEST + column), the SNAT specification is effectively ignored in some + cases. + + + + This problem has been corrected in this + firewall script which may be installed in + /usr/share/shorewall/firewall as described above. +
+ +
+ Shorewall 1.4.7 + + + + Using some versions of 'ash' (such as from RH8) as the + SHOREWALL_SHELL causes "shorewall [re]start" to fail with:    local: --limit: bad variable name +    iptables v1.2.8: Couldn't load match `-j':/lib/iptables/libipt_-j.so: +    cannot open shared object file: No such file or directory +    Try `iptables -h' or 'iptables --help' for more information. + + + + When more than one ICMP type is listed in a rule and your + kernel includes multiport match support,  the firewall fails + to start. + + + + Regardless of the setting of LOGUNCLEAN, the value + LOGUNCLEAN=info was used. + + + + After the following error message, Shorewall was left in an + inconsistent state: Error: Unable to determine the routes through interface xxx + + + + When a DNAT rules specifies SNAT (e.g., when <original + dest addr>:<SNAT addr> is given in the ORIGINAL DEST + column), the SNAT specification is effectively ignored in some + cases. + + + + These problems have been corrected in this + firewall script which may be installed in + /usr/share/shorewall/firewall as described above. +
+ +
+ Shorewall 1.4.6 + + + + If TC_ENABLED is set to yes in shorewall.conf then Shorewall + would fail to start with the error "ERROR:  Traffic + Control requires Mangle"; that problem has been corrected in + this + firewall script which may be installed in + /use/share/shorewall/firewall as described above. This problem is + also corrected in bugfix release 1.4.6a. + + + + This problem occurs in all versions supporting traffic + control. If a MAC address is used in the SOURCE column, an error + occurs as follows: + + iptables v1.2.8: Bad mac adress `00:08:B5:35:52:E7-d`For + Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected in + this + firewall script which may be installed in + /usr/share/shorewall/firewall as described above. For all other + versions, you will have to edit your 'firewall' script (in + versions 1.4.*, it is located in /usr/share/shorewall/firewall). + Locate the function add_tcrule_() and in that function, replace this + line:   r=`mac_match $source` with      r="`mac_match $source` "Note + that there must be a space before the ending quote! + + +
+ +
+ Shorewall 1.4.4b + + + + Shorewall is ignoring records in /etc/shorewall/routestopped + that have an empty second column (HOSTS). This problem may be + corrected by installing this + firewall script in /usr/share/shorewall/firewall as + described above. + + + + The INCLUDE directive doesn't work when placed in the + /etc/shorewall/zones file. This problem may be corrected by + installing this + functions script in /usr/share/shorewall/functions. + + +
+ +
+ Shorewall 1.4.4-1.4.4a + + + + Log messages are being displayed on the system console even + though the log level for the console is set properly according to + FAQ 16. This problem may be corrected by installing this + firewall script in /usr/share/shorewall/firewall as + described above. + + +
+ +
+ Shorewall 1.4.4 + + + + If you have zone names that are 5 characters long, you may + experience problems starting Shorewall because the --log-prefix in a + logging rule is too long. Upgrade to Version 1.4.4a to fix this + problem.. + + +
+ +
+ Shorewall 1.4.3 + + + + The LOGMARKER variable introduced in version 1.4.3 was + intended to allow integration of Shorewall with Fireparse + (http://www.firewparse.com). Unfortunately, LOGMARKER only solved + part of the integration problem. I have implimented a new LOGFORMAT + variable which will replace LOGMARKER which has completely solved + this problem and is currently in production with fireparse here at + shorewall.net. The updated files may be found at ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/. + See the 0README.txt file for details. + + +
+ +
+ Shorewall 1.4.2 + + + + When an 'add' or 'delete' command is executed, + a temporary directory created in /tmp is not being removed. This + problem may be corrected by installing this + firewall script in /usr/share/shorewall/firewall as + described above. + + +
+ +
+ Shorewall 1.4.1a, 1.4.1 and 1.4.0 + + + + Some TCP requests are rejected in the 'common' chain + with an ICMP port-unreachable response rather than the more + appropriate TCP RST response. This problem is corrected in this + updated common.def file which may be installed in + /etc/shorewall/common.def. + + +
+ +
+ Shorewall 1.4.1 + + + + When a "shorewall check" command is executed, each + "rule" produces the harmless additional message:     /usr/share/shorewall/firewall: line 2174: [: =: unary operator expectedYou + may correct the problem by installing this + corrected script in /usr/share/shorewall/firewall as + described above. + + +
+ +
+ Shorewall 1.4.0 + + + + When running under certain shells Shorewall will attempt to + create ECN rules even when /etc/shorewall/ecn is empty. You may + either just remove /etc/shorewall/ecn or you can install this + correct script in /usr/share/shorewall/firewall as described + above. + + +
+
+ +
+ Upgrade Issues + + The upgrade issues have moved to a + separate page. +
+ +
+ Problem with iptables version 1.2.3 + + There are a couple of serious bugs in iptables 1.2.3 that prevent it + from working with Shorewall. Regrettably, RedHat released this buggy + iptables in RedHat 7.2.  + + I have built a corrected + 1.2.3 rpm which you can download here  and I have also + built an iptables-1.2.4 + rpm which you can download here. If you are currently running + RedHat 7.1, you can install either of these RPMs before you upgrade to + RedHat 7.2. + + Update 11/9/2001: RedHat has + released an iptables-1.2.4 RPM of their own which you can download from + http://www.redhat.com/support/errata/RHSA-2001-144.html.I + have installed this RPM on my firewall and it works fine. + + If you would like to patch iptables 1.2.3 yourself, the patches are + available for download. This patch + which corrects a problem with parsing of the --log-level specification + while this patch + corrects a problem in handling the  TOS target. + + To install one of the above patches: cd iptables-1.2.3/extensions + patch -p0 < the-patch-file +
+ +
+ Problems with kernels >= 2.4.18 and RedHat iptables + + Users who use RedHat iptables RPMs and who upgrade to kernel + 2.4.18/19 may experience the following: + +
+ # shorewall start +Processing /etc/shorewall/shorewall.conf ... +Processing /etc/shorewall/params ... +Starting Shorewall... +Loading Modules... +Initializing... +Determining Zones... +Zones: net +Validating interfaces file... +Validating hosts file... +Determining Hosts in Zones... +Net Zone: eth0:0.0.0.0/0 +iptables: libiptc/libip4tc.c:380: do_check: Assertion +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +Aborted (core dumped) +iptables: libiptc/libip4tc.c:380: do_check: Assertion +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +Aborted (core dumped) +
+ + The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in the + Netfilter 'mangle' table. You can correct the problem by + installing this + iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., + "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm"). +
+ +
+ Problems with iptables version 1.2.7 and MULTIPORT=Yes + + The iptables 1.2.7 release of iptables has made an incompatible + change to the syntax used to specify multiport match rules; as a + consequence, if you install iptables 1.2.7 you must be running Shorewall + 1.3.7a or later or: + + + + set MULTIPORT=No in /etc/shorewall/shorewall.conf; or + + + + If you are running Shorewall 1.3.6 you may install this + firewall script in /usr/lib/shorewall/firewall as described + above. + + +
+ +
+ Problems with RH Kernel 2.4.18-10 and NAT + + /etc/shorewall/nat entries of the following form will result in + Shorewall being unable to start: + + #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL + 192.0.2.22    eth0    192.168.9.22   yes     yes + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + Error message is: + + Setting up NAT... + iptables: Invalid argument + Terminated + + The solution is to put "no" in the LOCAL column. Kernel + support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled + it. The 2.4.19 kernel contains corrected support under a new kernel + configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT. +
+ +
+ Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to + 2.4.21-RC1) + + Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with + tcp-reset" is broken. The symptom most commonly seen is that REJECT + rules act just like DROP rules when dealing with TCP. A kernel patch and + precompiled modules to fix this problem are available at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel. +
+
\ No newline at end of file
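Review bot: for the errata.htm deletion hunk, removing the file breaks any existing URL that points at errata.htm unless the DocBook build emits the rendered page at the same path; the page itself links to site documents by .htm filename (http://www.shorewall.net/Documentation.htm#NAT in the NAT section), so confirm that errata.xml renders back to errata.htm or add a redirect. The deleted IMPORTANT list shows numbered markers 1 to 8 with text under only four of them (the markers 2, 4, 6 and 8 carry nothing), so the four-item list in the new XML is the complete content and nothing was dropped in the conversion.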
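Review bot: for the new errata.xml hunk, one path is wrong and several typos from the HTML are carried over: the Shorewall 1.4.6 section says the corrected script "may be installed in /use/share/shorewall/firewall" where every other section says /usr/share/shorewall/firewall; the NAT section has "configuraiton"; the 1.4.3 section has "implimented" and points at http://www.firewparse.com while calling the tool Fireparse, so check the hostname; the 1.4.4 section ends with "problem.."; the 1.4.8 and 1.4.7 sections say "When a DNAT rules specifies" (should be "rule"); and the iptables 1.2.3 section runs "RHSA-2001-144.html.I have" together. The file also ends without a trailing newline (\ No newline at end of file), which will show up as a spurious change in the next edit. Since this page hands out replacement firewall scripts, a functions script, a common.def and iptables RPMs that readers install into /usr/share/shorewall or with rpm as root, consider publishing a checksum or GPG signature beside each download link so readers can verify what they fetched before installing it.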