Document fix for IPv6 shorecap program

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-07-15 13:32:10 -07:00
parent 4768b0890e
commit e0ae48f4c4
2 changed files with 73 additions and 55 deletions

View File

@ -1,3 +1,7 @@
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
Changes in Shorewall 4.4.11
1) Apply patch from Gabriel.

View File

@ -1,5 +1,5 @@
----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 1
S H O R E W A L L 4 . 4 . 1 2
----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS
@ -218,6 +218,29 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Previously, the Shoreall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities
that are only available in IPv4 were being reported as available.
----------------------------------------------------------------------------
I V. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
----------------------------------------------------------------------------
1) The IPv6 allowBcast action generated an invalid rule.
2) If IPSET=<pathname> was specified in shorewall.conf, then when an
@ -269,60 +292,6 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
ERROR: Invalid IPv6 address (224.0.0.0) :
/etc/shorewall6/interfaces (line 16)
----------------------------------------------------------------------------
I V. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Beginning with this release, Shorewall supports a 'vserver'
zone type. This zone type is used with Shorewall running on a
Linux-vserver host system and allows you to define zones that
represent a set of Linux-vserver hosts.
See http://www.shorewall.net/Vserver.html for details.
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
and shorewall6.conf.
Traditionally, Shorewall has cleared the packet mark in the first
rule in the mangle FORWARD chain. This behavior is maintained with
the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
set to No, packet marks set in the PREROUTING chain are retained in
the FORWARD chains.
As part of this change, a new "fwmark route mask" capability has
been added. If your version of iproute2 supports this capability,
fwmark routing rules may specify a mask to be applied to the mark
prior to comparison with the mark value in the rule. The presence
of this capability allows Shorewall to relax the restriction that
small mark values may not be set in the PREROUTING chain when
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
capability, be sure that you logically OR mark values in PREROUTING
makring rules rather then simply setting them unless you are able
to set both the high and low bits in the mark in a single rule.
As always when a new capability has been introduced, be sure to
regenerate your capabilities file(s) after installing this release.
3) A new column (NET3) has been added to the /etc/shorewall/netmap
file. This new column can qualify the INTERFACE column by
specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
associated with the interface.
4) To accomodate systems with more than one version of Perl installed,
the shorewall.conf and shorewall6.conf files now support a PERL
option. If the program specified by that option does not exist or
is not executable, Shorewall (and Shorewall6) fall back to
/usr/bin/perl.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 0
----------------------------------------------------------------------------
@ -371,6 +340,51 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
This configuration now works correctly.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 1
----------------------------------------------------------------------------
1) Beginning with this release, Shorewall supports a 'vserver'
zone type. This zone type is used with Shorewall running on a
Linux-vserver host system and allows you to define zones that
represent a set of Linux-vserver hosts.
See http://www.shorewall.net/Vserver.html for details.
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
and shorewall6.conf.
Traditionally, Shorewall has cleared the packet mark in the first
rule in the mangle FORWARD chain. This behavior is maintained with
the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
set to No, packet marks set in the PREROUTING chain are retained in
the FORWARD chains.
As part of this change, a new "fwmark route mask" capability has
been added. If your version of iproute2 supports this capability,
fwmark routing rules may specify a mask to be applied to the mark
prior to comparison with the mark value in the rule. The presence
of this capability allows Shorewall to relax the restriction that
small mark values may not be set in the PREROUTING chain when
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
capability, be sure that you logically OR mark values in PREROUTING
makring rules rather then simply setting them unless you are able
to set both the high and low bits in the mark in a single rule.
As always when a new capability has been introduced, be sure to
regenerate your capabilities file(s) after installing this release.
3) A new column (NET3) has been added to the /etc/shorewall/netmap
file. This new column can qualify the INTERFACE column by
specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
associated with the interface.
4) To accomodate systems with more than one version of Perl installed,
the shorewall.conf and shorewall6.conf files now support a PERL
option. If the program specified by that option does not exist or
is not executable, Shorewall (and Shorewall6) fall back to
/usr/bin/perl.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 0
----------------------------------------------------------------------------