mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
Document fix for IPv6 shorecap program
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
4768b0890e
commit
e0ae48f4c4
@ -1,3 +1,7 @@
|
||||
Changes in Shorewall 4.4.12
|
||||
|
||||
1) Fix IPv6 shorecap program.
|
||||
|
||||
Changes in Shorewall 4.4.11
|
||||
|
||||
1) Apply patch from Gabriel.
|
||||
|
@ -1,5 +1,5 @@
|
||||
----------------------------------------------------------------------------
|
||||
S H O R E W A L L 4 . 4 . 1 1
|
||||
S H O R E W A L L 4 . 4 . 1 2
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
I. RELEASE 4.4 HIGHLIGHTS
|
||||
@ -218,6 +218,29 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Previously, the Shoreall6-lite version of shorecap was using
|
||||
iptables rather than ip6tables, with the result that many capabilities
|
||||
that are only available in IPv4 were being reported as available.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) The IPv6 allowBcast action generated an invalid rule.
|
||||
|
||||
2) If IPSET=<pathname> was specified in shorewall.conf, then when an
|
||||
@ -269,60 +292,6 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
|
||||
ERROR: Invalid IPv6 address (224.0.0.0) :
|
||||
/etc/shorewall6/interfaces (line 16)
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
I V. K N O W N P R O B L E M S R E M A I N I N G
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
None.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V. N E W F E A T U R E S I N T H I S R E L E A S E
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Beginning with this release, Shorewall supports a 'vserver'
|
||||
zone type. This zone type is used with Shorewall running on a
|
||||
Linux-vserver host system and allows you to define zones that
|
||||
represent a set of Linux-vserver hosts.
|
||||
|
||||
See http://www.shorewall.net/Vserver.html for details.
|
||||
|
||||
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
|
||||
and shorewall6.conf.
|
||||
|
||||
Traditionally, Shorewall has cleared the packet mark in the first
|
||||
rule in the mangle FORWARD chain. This behavior is maintained with
|
||||
the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
|
||||
set to No, packet marks set in the PREROUTING chain are retained in
|
||||
the FORWARD chains.
|
||||
|
||||
As part of this change, a new "fwmark route mask" capability has
|
||||
been added. If your version of iproute2 supports this capability,
|
||||
fwmark routing rules may specify a mask to be applied to the mark
|
||||
prior to comparison with the mark value in the rule. The presence
|
||||
of this capability allows Shorewall to relax the restriction that
|
||||
small mark values may not be set in the PREROUTING chain when
|
||||
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
|
||||
capability, be sure that you logically OR mark values in PREROUTING
|
||||
makring rules rather then simply setting them unless you are able
|
||||
to set both the high and low bits in the mark in a single rule.
|
||||
|
||||
As always when a new capability has been introduced, be sure to
|
||||
regenerate your capabilities file(s) after installing this release.
|
||||
|
||||
3) A new column (NET3) has been added to the /etc/shorewall/netmap
|
||||
file. This new column can qualify the INTERFACE column by
|
||||
specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
|
||||
associated with the interface.
|
||||
|
||||
4) To accomodate systems with more than one version of Perl installed,
|
||||
the shorewall.conf and shorewall6.conf files now support a PERL
|
||||
option. If the program specified by that option does not exist or
|
||||
is not executable, Shorewall (and Shorewall6) fall back to
|
||||
/usr/bin/perl.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
----------------------------------------------------------------------------
|
||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 0
|
||||
----------------------------------------------------------------------------
|
||||
@ -371,6 +340,51 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
|
||||
This configuration now works correctly.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4 . 1 1
|
||||
----------------------------------------------------------------------------
|
||||
|
||||
1) Beginning with this release, Shorewall supports a 'vserver'
|
||||
zone type. This zone type is used with Shorewall running on a
|
||||
Linux-vserver host system and allows you to define zones that
|
||||
represent a set of Linux-vserver hosts.
|
||||
|
||||
See http://www.shorewall.net/Vserver.html for details.
|
||||
|
||||
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
|
||||
and shorewall6.conf.
|
||||
|
||||
Traditionally, Shorewall has cleared the packet mark in the first
|
||||
rule in the mangle FORWARD chain. This behavior is maintained with
|
||||
the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
|
||||
set to No, packet marks set in the PREROUTING chain are retained in
|
||||
the FORWARD chains.
|
||||
|
||||
As part of this change, a new "fwmark route mask" capability has
|
||||
been added. If your version of iproute2 supports this capability,
|
||||
fwmark routing rules may specify a mask to be applied to the mark
|
||||
prior to comparison with the mark value in the rule. The presence
|
||||
of this capability allows Shorewall to relax the restriction that
|
||||
small mark values may not be set in the PREROUTING chain when
|
||||
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
|
||||
capability, be sure that you logically OR mark values in PREROUTING
|
||||
makring rules rather then simply setting them unless you are able
|
||||
to set both the high and low bits in the mark in a single rule.
|
||||
|
||||
As always when a new capability has been introduced, be sure to
|
||||
regenerate your capabilities file(s) after installing this release.
|
||||
|
||||
3) A new column (NET3) has been added to the /etc/shorewall/netmap
|
||||
file. This new column can qualify the INTERFACE column by
|
||||
specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
|
||||
associated with the interface.
|
||||
|
||||
4) To accomodate systems with more than one version of Perl installed,
|
||||
the shorewall.conf and shorewall6.conf files now support a PERL
|
||||
option. If the program specified by that option does not exist or
|
||||
is not executable, Shorewall (and Shorewall6) fall back to
|
||||
/usr/bin/perl.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
N E W F E A T U R E S I N 4 . 4 . 1 0
|
||||
----------------------------------------------------------------------------
|
||||
|
Loading…
Reference in New Issue
Block a user