From e0ae48f4c461510c3d40496ed24b78e7b926639a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 15 Jul 2010 13:32:10 -0700 Subject: [PATCH] Document fix for IPv6 shorecap program Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 4 ++ Shorewall/releasenotes.txt | 124 +++++++++++++++++++++---------------- 2 files changed, 73 insertions(+), 55 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index ea23538a9..3562f3b6b 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in Shorewall 4.4.12 + +1) Fix IPv6 shorecap program. + Changes in Shorewall 4.4.11 1) Apply patch from Gabriel. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 4182cd918..08aa18bd0 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 1 + S H O R E W A L L 4 . 4 . 1 2 ---------------------------------------------------------------------------- I. RELEASE 4.4 HIGHLIGHTS 
@@ -218,6 +218,29 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +1) Previously, the Shoreall6-lite version of shorecap was using + iptables rather than ip6tables, with the result that many capabilities + that are only available in IPv4 were being reported as available. + +---------------------------------------------------------------------------- + I V. K N O W N P R O B L E M S R E M A I N I N G +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- + V. N E W F E A T U R E S I N T H I S R E L E A S E +---------------------------------------------------------------------------- + +None. + +---------------------------------------------------------------------------- +V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S + I N P R I O R R E L E A S E S +---------------------------------------------------------------------------- + P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1 +---------------------------------------------------------------------------- + 1) The IPv6 allowBcast action generated an invalid rule. 2) If IPSET= was specified in shorewall.conf, then when an 
@@ -269,60 +292,6 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ERROR: Invalid IPv6 address (224.0.0.0) : /etc/shorewall6/interfaces (line 16) ----------------------------------------------------------------------------- - I V. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------- - -None. - ----------------------------------------------------------------------------- - V. N E W F E A T U R E S I N T H I S R E L E A S E ----------------------------------------------------------------------------- - -1) Beginning with this release, Shorewall supports a 'vserver' - zone type. This zone type is used with Shorewall running on a - Linux-vserver host system and allows you to define zones that - represent a set of Linux-vserver hosts. - - See http://www.shorewall.net/Vserver.html for details. - -2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf - and shorewall6.conf. - - Traditionally, Shorewall has cleared the packet mark in the first - rule in the mangle FORWARD chain. This behavior is maintained with - the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is - set to No, packet marks set in the PREROUTING chain are retained in - the FORWARD chains. - - As part of this change, a new "fwmark route mask" capability has - been added. If your version of iproute2 supports this capability, - fwmark routing rules may specify a mask to be applied to the mark - prior to comparison with the mark value in the rule. The presence - of this capability allows Shorewall to relax the restriction that - small mark values may not be set in the PREROUTING chain when - HIGH_ROUTE_MARKS is in effect. If you take advantage of this - capability, be sure that you logically OR mark values in PREROUTING - makring rules rather then simply setting them unless you are able - to set both the high and low bits in the mark in a single rule. 
- - As always when a new capability has been introduced, be sure to - regenerate your capabilities file(s) after installing this release. - -3) A new column (NET3) has been added to the /etc/shorewall/netmap - file. This new column can qualify the INTERFACE column by - specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule) - associated with the interface. - -4) To accomodate systems with more than one version of Perl installed, - the shorewall.conf and shorewall6.conf files now support a PERL - option. If the program specified by that option does not exist or - is not executable, Shorewall (and Shorewall6) fall back to - /usr/bin/perl. - ----------------------------------------------------------------------------- -V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S - I N P R I O R R E L E A S E S ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 0 ---------------------------------------------------------------------------- 
@@ -371,6 +340,51 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S This configuration now works correctly. +---------------------------------------------------------------------------- + N E W F E A T U R E S I N 4 . 4 . 1 1 +---------------------------------------------------------------------------- + +1) Beginning with this release, Shorewall supports a 'vserver' + zone type. This zone type is used with Shorewall running on a + Linux-vserver host system and allows you to define zones that + represent a set of Linux-vserver hosts. + + See http://www.shorewall.net/Vserver.html for details. + +2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf + and shorewall6.conf. + + Traditionally, Shorewall has cleared the packet mark in the first + rule in the mangle FORWARD chain. This behavior is maintained with + the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is + set to No, packet marks set in the PREROUTING chain are retained in + the FORWARD chains. + + As part of this change, a new "fwmark route mask" capability has + been added. If your version of iproute2 supports this capability, + fwmark routing rules may specify a mask to be applied to the mark + prior to comparison with the mark value in the rule. The presence + of this capability allows Shorewall to relax the restriction that + small mark values may not be set in the PREROUTING chain when + HIGH_ROUTE_MARKS is in effect. If you take advantage of this + capability, be sure that you logically OR mark values in PREROUTING + makring rules rather then simply setting them unless you are able + to set both the high and low bits in the mark in a single rule. + + As always when a new capability has been introduced, be sure to + regenerate your capabilities file(s) after installing this release. + +3) A new column (NET3) has been added to the /etc/shorewall/netmap + file. 
This new column can qualify the INTERFACE column by + specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule) + associated with the interface. + +4) To accomodate systems with more than one version of Perl installed, + the shorewall.conf and shorewall6.conf files now support a PERL + option. If the program specified by that option does not exist or + is not executable, Shorewall (and Shorewall6) fall back to + /usr/bin/perl. + ---------------------------------------------------------------------------- N E W F E A T U R E S I N 4 . 4 . 1 0 ----------------------------------------------------------------------------
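Review bot: The changelog entry in the Shorewall/changelog.txt hunk ("1) Fix IPv6 shorecap program.") is less specific than the release note it accompanies and does not say which package is affected. The releasenotes.txt hunk names the Shorewall6-lite shorecap and the iptables/ip6tables mix-up; suggest the changelog carry the same information, e.g. "1) Shorewall6-lite shorecap now uses ip6tables rather than iptables.", so that someone scanning only the changelog can tell whether the fix applies to their installation.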
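Review bot: In the releasenotes.txt hunk @@ -218,6 +218,29 @@, the new problems-corrected item misspells the package name: "Shoreall6-lite" should be "Shorewall6-lite". More importantly, the item describes the defect but not the action the reader must take. A capabilities file produced by the old shorecap reports IPv4-only capabilities as present on the IPv6 target, and that file stays wrong until it is regenerated, so the note should tell Shorewall6-lite users to regenerate their capabilities file with the corrected shorecap after installing this release, in the same wording the 4.4.11 notes already use ("be sure to regenerate your capabilities file(s) after installing this release").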
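Review bot: The hunk @@ -371,6 +340,51 @@ relocates the 4.4.11 new-features text verbatim and so carries over three typos from the copy removed in @@ -269,60 +292,6 @@: "makring rules rather then simply setting them" should read "marking rules rather than simply setting them", and "To accomodate systems" should read "To accommodate systems". Since these lines are being rewritten as part of the move anyway, this is the place to correct them rather than leaving them for a later release.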