Attention Shorewall-perl 4.2 Users |
Attention Users of Shorewall's Multi-ISP Feature |
Attention Users of BRIDGING=Yes |
Attention Kernel 2.4 Users |
patch /usr/share/shorewall-perl/Shorewall/Rules.pm < forward.patch
A bug in Shorewall versions 3.2.0-3.2.10, 3.4.0-3.4.6 and Shorewall-shell 4.0.0-4.0.2 prevents proper handling of PREROUTING marks when HIGH_ROUTE_MARKS=No and the track option is specified. Patches are available to correct this problem:
Shorewall version 3.2.0-3.2.10, 3.4.0-3.4.3: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.10/errata/patches/Shorewall/patch-3.2.10-2.diff
Shorewall version 3.4.4-3.4.6: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.66/errata/patches/Shorewall/patch-3.4.6-1.diff
Shorewall-shell version 4.0.0-4.0.2: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.2/errata/patches/Shorewall-shell/patch-shell-4.0.2-2.diff
Note that a patch may succeed with an offset when applied to a release other than the one for which it was specifically prepared. For example, when the patch for 3.2.0-3.2.10, 3.4.0-3.4.3 (which was prepared for release 3.2.10) is applied to release 3.4.3, the following is the result:
root@wookie:~# cd /usr/share/shorewall root@wookie/usr/share/shorewall#: patch < ~/shorewall/tags/3.2.10/Shorewall.updated/patch-3.2.10-2.diff
patching file compiler
Hunk #1 succeeded at 958 (offset -1669 lines).
root@wookie:/usr/share/shorewall#
A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and 4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks when HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this problem:
Shorewall version 3.2.3-3.2.11: http://www1.shorewall.net/pub/shorewall/3.2/shorewall-3.2.11/errata/patches/Shorewall/patch-3.2.11-1.diff
Shorewall version 3.4.0-3.4.7: http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.7/errata/patches/Shorewall/patch-3.4.7-1.diff
Shorewall version 4.0.0-4.0.5: http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-shell/patch-shell-4.0.5-1.diff and http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.5/errata/patches/Shorewall-perl/patch-perl-4.0.5-4.diff.
In Linux Kernel version 2.6.20, the Netfilter team changed Physdev Match so that it is no longer capable of supporting BRIDGING=Yes. The solutions available to users are to either:
The first approach allows you to switch back and forth between kernels older and newer than 2.6.20. The second approach is a better long-term solution.