shorewall_code/Shorewall/known_problems.txt
Tom Eastep db39402e75 Correct handling of NFQUEUE(queue-num) in a policy
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-25 08:46:20 -08:00


1) All versions of Shorewall-perl mishandle per-IP rate limiting in
   REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
   the values given in the rule.

   Corrected in 4.4.7.1

2) Detection of the 'Old hashlimit match' capability was broken in
   /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
   shorecap. This problem only affects users of older distributions
   such as RHEL5 and derivatives.

   Corrected in 4.4.7.2

3) On older distributions such as RHEL5 and derivatives, when
   LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
   specified in /etc/shorewall/tcinterfaces.

   Corrected in 4.4.7.2

4) On older distributions such as RHEL5 and derivatives, when
   LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
   specified in /etc/shorewall/tcinterfaces.

   Corrected in 4.4.7.3

5) A CONTINUE rule specifying a log level will cause the compiler to
   generate an incorrect rule sequence. The packet will be logged but
   the CONTINUE action will not occur.

   To work around the problem, break the rule into two rules: a logging
   rule and a CONTINUE rule.

   Corrected in 4.4.7.5.

6) If multiple entries are present in /etc/shorewall/tcdevices and
   globally unique class numbers are not explicitly specified in
   /etc/shorewall/tcclasses, then 'shorewall start' will fail with a
   diagnostic such as:

      Setting up Traffic Control...
      RTNETLINK answers: File exists
      ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
      1500 limit 127 perturb 10" Failed
      Processing /etc/shorewall/stop ...

   Corrected in 4.4.7.5.

7) If a low per-IP rate limit (such as 1/hour) is specified, the
   effective enforced rate is much higher (approximately 6/min). The
   Shorewall compiler now configures the hashlimit table idle timeout
   based on the rate units (min, hour, ...) so that the rate is more
   accurately enforced.

   Corrected in 4.4.7.5.

   As part of this change, a unique hash table name is assigned to
   each per-IP rate limiting rule that does not specify a table name
   in the rule. The assigned names are of the form 'shorewallN' where
   N is an integer. Previously, all such rules shared a single
   'shorewall' table, which led to unexpected results.

8) All prior versions of Shorewall-perl mishandle per-IP rate limiting
   in REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst
   are 1/2 of the values given in the rule.

   Corrected in 4.4.7.5.

9) If a queue-number is specified in an NFQUEUE policy (e.g.,
   NFQUEUE(0)), invalid iptables-restore input is generated.

10) The Debian init scripts return exit status 0, even when the command
    fails.
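Item 7 above describes two compiler changes for per-IP rate limiting: a private hashlimit table per rule and an entry idle timeout derived from the rate units. The Python sketch below is an added illustration, not Shorewall's own compiler code; it assumes a simplified Shorewall-style limit spec of the form s|d:[name:]rate/unit[:burst], iptables' default 10 s --hashlimit-htable-expire, and a deliberately simplified model of what an early entry expiry does to the enforced rate.

```python
import re

# xt_hashlimit drops an idle table entry after --hashlimit-htable-expire ms;
# iptables' default is 10 s, far shorter than the interval implied by 1/hour.
DEFAULT_EXPIRE_MS = 10_000
UNIT_MS = {"sec": 1_000, "min": 60_000, "hour": 3_600_000, "day": 86_400_000}

# Assumed simplified form of a Shorewall per-IP RATE LIMIT entry:
#   [s|d]:[name:]rate/unit[:burst]   (name is the hashlimit table name)
_SPEC = re.compile(
    r"^(?P<dir>[sd]):(?:(?P<name>[A-Za-z][\w-]*):)?"
    r"(?P<rate>\d+)/(?P<unit>sec|min|hour|day)(?::(?P<burst>\d+))?$"
)

def hashlimit_args(spec, rule_index, unit_aware_expire=True, old_match=False):
    """iptables hashlimit options for one per-IP rate-limit rule.

    Rules without a table name get a private 'shorewall<rule_index>' table
    rather than the shared 'shorewall' table; unit_aware_expire stretches the
    entry timeout to the rate unit; old_match uses the pre-'upto' spelling.
    """
    m = _SPEC.match(spec)
    if not m:
        raise ValueError(f"bad rate limit spec: {spec!r}")
    name = m["name"] or f"shorewall{rule_index}"
    rate, unit = int(m["rate"]), m["unit"]
    expire = max(DEFAULT_EXPIRE_MS, UNIT_MS[unit]) if unit_aware_expire else DEFAULT_EXPIRE_MS
    args = ["-m", "hashlimit", "--hashlimit-name", name,
            "--hashlimit-mode", "srcip" if m["dir"] == "s" else "dstip",
            "--hashlimit" if old_match else "--hashlimit-upto", f"{rate}/{unit}",
            "--hashlimit-htable-expire", str(expire)]
    if m["burst"]:
        args += ["--hashlimit-burst", m["burst"]]
    return args

def effective_per_min(spec, expire_ms, burst=1):
    """Approximate packets/min a per-IP limit really enforces (simplified model).

    Once an idle entry has expired, the next packet creates a fresh entry with a
    full bucket, so 'burst' packets pass per expiry period regardless of the
    nominal rate; refill while the entry is alive is ignored.
    """
    m = _SPEC.match(spec)
    rate, unit = int(m["rate"]), m["unit"]
    interval_ms = UNIT_MS[unit] / rate          # time to earn one packet of credit
    if expire_ms < interval_ms:
        return burst * 60_000 / expire_ms       # entry dies before it can refill
    return rate * 60_000 / UNIT_MS[unit]        # nominal rate holds
```

With burst=1, effective_per_min("s:1/hour", DEFAULT_EXPIRE_MS) gives the roughly 6/min that item 7 reports, while the unit-aware expiry from hashlimit_args brings it back to the nominal 1/hour.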