Attention Users of Shorewall's Multi-ISP Feature
 Attention Users of BRIDGING=Yes
 Attention Kernel 2.4 Users
2009-01-15

Attention Users of Shorewall's Multi-ISP Feature

A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and Shorewall-shell 4.0.0-4.0.2 prevents proper handling of PREROUTING marks when HIGH_ROUTE_MARKS=No and the track option is specified. Patches are available to correct this problem:

Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff

Shorewall version 3.4.4-3.4.6: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.66/errata/patches/Shorewall/patch-3.4.6-1.diff

Shorewall-shell version 4.0.0-4.0.2: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff

Note that a patch may succeed with an offset when applied to a release other than the one for which it was specifically prepared. For example, when the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release 3.2.10) is applied to release 3.4.3, the following is the result:

root@wookie:~# cd /usr/share/shorewall
root@wookie/usr/share/shorewall#: patch < ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff 
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#

Update -- 7 November 2007

A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and 4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks when HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this problem:

Shorewall version 3.2.3-3.2.11: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff

Shorewall version 3.4.0-3.4.7: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff

Shorewall version 4.0.0-4.0.5: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff and http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff.

Attention Users of BRIDGING=Yes

In Linux Kernel version 2.6.20, the Netfilter team changed Physdev Match so that it is no longer capable of supporting BRIDGING=Yes. The solutions available to users are to either:

  1. Switch to using the technique described at http://www.shorewall.net/3.0/NewBridge.html; or
  2. Upgrade to Shorewall 4.0, migrate to using Shorewall-perl, and follow the instructions at http://www1.shorewall.net/bridge-Shorewall-perl.html.

The first approach allows you to switch back and forth between kernels older and newer than 2.6.20. The second approach is a better long-term solution.

Attention Users of Kernel 2.4

The Shorewall developers do not test Shorewall running on Kernel 2.4 and we make no representation about the functionality of Shorewall on that Kernel. Any failure of Shorewall on Kernel 2.4 will not be investigated by the Shorewall team.
Copyright © 2001-2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".