2010-02-13 16:26:49 +01:00

1) All versions of Shorewall-perl mishandle per-IP rate limiting in
   REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
   the values given in the rule.

   Corrected in 4.4.7.1.

2) Detection of the 'Old hashlimit match' capability was broken in
   /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
   shorecap. This problem only affects users of older distributions
   such as RHEL5 and derivatives.

   Corrected in 4.4.7.2.

3) On older distributions such as RHEL5 and derivatives, when
   LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
   specified in /etc/shorewall/tcinterfaces.

   Corrected in 4.4.7.2.

4) On older distributions such as RHEL5 and derivatives, when
   LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
   specified in /etc/shorewall/tcinterfaces.

   Corrected in 4.4.7.3.

5) A CONTINUE rule specifying a log level will cause the compiler to
   generate an incorrect rule sequence. The packet will be logged but
   the CONTINUE action will not occur.

   To work around the problem, break the rule into two rules: a
   logging rule and a CONTINUE rule.

   Corrected in 4.4.7.5.

6) If multiple entries are present in /etc/shorewall/tcdevices and
   globally unique class numbers are not explicitly specified in
   /etc/shorewall/tcclasses, then 'shorewall start' will fail with a
   diagnostic such as:

      Setting up Traffic Control...
      RTNETLINK answers: File exists
         ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum 1500 limit 127 perturb 10" Failed
      Processing /etc/shorewall/stop ...

   Corrected in 4.4.7.5.

7) If a low per-IP rate limit (such as 1/hour) is specified, the
   effective enforced rate is much higher (approximately 6/min). The
   Shorewall compiler now configures the hashlimit table idle timeout
   based on the rate units (min, hour, ...) so that the rate is more
   accurately enforced.

   Corrected in 4.4.7.5.

   As part of this change, a unique hash table name is assigned to
   each per-IP rate limiting rule that does not specify a table name
   in the rule. The assigned names are of the form 'shorewallN' where
   N is an integer. Previously, all such rules shared a single
   'shorewall' table, which led to unexpected results.
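   The following simplified model, added here and not Shorewall's or the
   kernel's code, illustrates why a short hash-table idle timeout defeats a
   low per-IP rate: it assumes a per-source token bucket whose idle entries
   are discarded after an expiry, and uses a 10-second expiry for the
   'before' case (consistent with the roughly 6/min reported above); the
   source address and packet timing are constructed.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    tokens: float      # remaining credit, never more than `burst`
    last_seen: float   # time (seconds) of the last packet from this source


class HashLimit:
    """Simplified per-source-IP hashlimit match: one token bucket per
    hash-table entry, with idle entries expiring. This is an illustrative
    model, not the netfilter implementation."""

    def __init__(self, rate_per_sec, burst, expire_sec):
        self.rate = rate_per_sec
        self.burst = burst
        self.expire = expire_sec
        self.table = {}

    def match(self, src, now):
        """Return True if a packet from `src` at time `now` is within the limit."""
        entry = self.table.get(src)
        # An entry idle longer than the table expiry is garbage-collected, so
        # the next packet from that source starts a fresh bucket with a full burst.
        if entry is not None and now - entry.last_seen > self.expire:
            entry = None
        if entry is None:
            entry = Entry(tokens=self.burst, last_seen=now)
            self.table[src] = entry
        else:
            # Refill credit for the time elapsed since the last packet.
            entry.tokens = min(self.burst, entry.tokens + (now - entry.last_seen) * self.rate)
            entry.last_seen = now
        if entry.tokens >= 1:
            entry.tokens -= 1
            return True
        return False


def accepted_per_hour(rate_per_hour, burst, expire_sec, interval_sec, src="198.51.100.7"):
    """Send one packet every `interval_sec` seconds for an hour from a constructed
    source address and count how many the limiter lets through."""
    hl = HashLimit(rate_per_hour / 3600.0, burst, expire_sec)
    return sum(1 for t in range(0, 3600, interval_sec) if hl.match(src, float(t)))


if __name__ == "__main__":
    # 1/hour, burst 1: a 10 s expiry admits a packet every 11 s; an hour-scale expiry admits one.
    print(accepted_per_hour(1, 1, 10, 11), accepted_per_hour(1, 1, 3600, 11))
```

   With the 10-second expiry every packet arriving just after the entry has
   expired is accepted, so a nominal 1/hour limit admits a few hundred
   packets an hour; sizing the expiry to the rate unit restores the limit.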

8) All prior versions of Shorewall-perl mishandle per-IP rate limiting
   in REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst
   are 1/2 of the values given in the rule.

   Corrected in 4.4.7.5.

9) If a queue-number is specified in an NFQUEUE policy (e.g.,
   NFQUEUE(0)), invalid iptables-restore input is generated.

   Corrected in 4.4.7.6.

10) The Debian init scripts return exit status 0, even when the command
    fails.

    Corrected in 4.4.7.6.

11) Previously, with optimization 4, users of ipsec on older releases
    such as RHEL5 and CentOS could encounter an error similar to this
    one:

       Running /sbin/iptables-restore...
       iptables-restore v1.3.5: Unknown arg `out'
       Error occurred at line: 93
       Try `iptables-restore -h' or 'iptables-restore --help' for more information.
          ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input

    Corrected in 4.4.7.6.

12) If optimization 4 is enabled, the 'blacklst' chain may be optimized
    away. If that occurs, then if the 'blacklist' file is subsequently
    updated, the 'shorewall refresh' command will succeed but the
    changes will not be included in the active ruleset.

    Workaround: Use 'shorewall restart' to install the changes.

    Will be corrected in 4.4.8.