Document fix for IPv6 shorecap program

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-01-10 15:48:13 +01:00 · 2010-07-15 13:32:10 -07:00 · 2010-07-15 13:32:10 -07:00 · e0ae48f4c4
commit e0ae48f4c4
parent 4768b0890e
2 changed files with 73 additions and 55 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,7 @@
 Changes in Shorewall 4.4.12
 1)  Fix IPv6 shorecap program.
 Changes in Shorewall 4.4.11
 1)  Apply patch from Gabriel.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 1
+                      S H O R E W A L L  4 . 4 . 1 2
 ----------------------------------------------------------------------------
 I.    RELEASE 4.4 HIGHLIGHTS
@ -218,6 +218,29 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 1)  Previously, the Shoreall6-lite version of shorecap was using
    iptables rather than ip6tables, with the result that many capabilities
    that are only available in IPv4 were being reported as available.
 ----------------------------------------------------------------------------
           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
 None.
 ----------------------------------------------------------------------------
         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 None.
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------
 1)  The IPv6 allowBcast action generated an invalid rule.
 2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
@ -269,60 +292,6 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
                /etc/shorewall6/interfaces (line 16)
 ----------------------------------------------------------------------------
           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
 None.
 ----------------------------------------------------------------------------
         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 1)  Beginning with this release, Shorewall supports a 'vserver'
    zone type. This zone type is used with Shorewall running on a
    Linux-vserver host system and allows you to define zones that
    represent a set of Linux-vserver hosts.
    See http://www.shorewall.net/Vserver.html for details.
 2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
    and shorewall6.conf. 
    Traditionally, Shorewall has cleared the packet mark in the first
    rule in the mangle FORWARD chain. This behavior is maintained with
    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
    set to No, packet marks set in the PREROUTING chain are retained in
    the FORWARD chains.
    As part of this change, a new "fwmark route mask" capability has
    been added. If your version of iproute2 supports this capability,
    fwmark routing rules may specify a mask to be applied to the mark
    prior to comparison with the mark value in the rule. The presence
    of this capability allows Shorewall to relax the restriction that
    small mark values may not be set in the PREROUTING chain when
    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
    capability, be sure that you logically OR mark values in PREROUTING
    makring rules rather then simply setting them unless you are able
    to set both the high and low bits in the mark in a single rule.
    As always when a new capability has been introduced, be sure to
    regenerate your capabilities file(s) after installing this release.
 3)  A new column (NET3) has been added to the /etc/shorewall/netmap
    file. This new column can qualify the INTERFACE column by
    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
    associated with the interface.
 4)  To accomodate systems with more than one version of Perl installed,
    the shorewall.conf and shorewall6.conf files now support a PERL
    option. If the program specified by that option does not exist or
    is not executable, Shorewall (and Shorewall6) fall back to
    /usr/bin/perl.
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
@ -371,6 +340,51 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    This configuration now works correctly.
 ----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------
 1)  Beginning with this release, Shorewall supports a 'vserver'
    zone type. This zone type is used with Shorewall running on a
    Linux-vserver host system and allows you to define zones that
    represent a set of Linux-vserver hosts.
    See http://www.shorewall.net/Vserver.html for details.
 2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
    and shorewall6.conf. 
    Traditionally, Shorewall has cleared the packet mark in the first
    rule in the mangle FORWARD chain. This behavior is maintained with
    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
    set to No, packet marks set in the PREROUTING chain are retained in
    the FORWARD chains.
    As part of this change, a new "fwmark route mask" capability has
    been added. If your version of iproute2 supports this capability,
    fwmark routing rules may specify a mask to be applied to the mark
    prior to comparison with the mark value in the rule. The presence
    of this capability allows Shorewall to relax the restriction that
    small mark values may not be set in the PREROUTING chain when
    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
    capability, be sure that you logically OR mark values in PREROUTING
    makring rules rather then simply setting them unless you are able
    to set both the high and low bits in the mark in a single rule.
    As always when a new capability has been introduced, be sure to
    regenerate your capabilities file(s) after installing this release.
 3)  A new column (NET3) has been added to the /etc/shorewall/netmap
    file. This new column can qualify the INTERFACE column by
    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
    associated with the interface.
 4)  To accomodate systems with more than one version of Perl installed,
    the shorewall.conf and shorewall6.conf files now support a PERL
    option. If the program specified by that option does not exist or
    is not executable, Shorewall (and Shorewall6) fall back to
    /usr/bin/perl.
 ----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------