2010-08-17 16:34:21 +02:00
1) On systems running Upstart, Shorewall-init cannot reliably close
the firewall before interfaces come up.
2010-08-24 00:47:05 +02:00
2) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 can result in invalid
iptables-restore (ip6tables-restore) input.
2010-08-26 20:22:39 +02:00
Corrected in Shorewall 4.4.12.1.
2010-08-24 00:47:05 +02:00
3) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
can result in invalid iptables-restore (ip6tables-restore) input.
2010-08-26 20:22:39 +02:00
Corrected in Shorewall 4.4.12.1.
4) The change in 4.4.12 to detect and use the new ipset match syntax
broke the ability to detect the old ipset match capability.
Corrected in Shorewall 4.4.12.1.
5) If REQUIRE_INTERFACE=Yes then start/restart will fail
if the last optional interface tested is not available.
Corrected in Shorewall 4.4.12.1.
6) The fix for COMMENT and optimization in 4.4.12.1 is incomplete.
2010-09-04 15:56:39 +02:00
Corrected in Shorewall 4.4.12.2.
2010-08-26 20:22:39 +02:00
7) Exclusion in the blacklist file is correctly validated but is then
ignored when generating iptables (ip6tables) rules.
2010-09-04 15:56:39 +02:00
Corrected in Shorewall 4.4.12.2.
2010-09-04 16:10:41 +02:00
8) Shorewall allows CONTINUE rules with exclusion. These rules
generate valid but incorrect iptables (ip6tables) input.
Corrected in Shorewall 4.4.12.2 -- these rules are now disallowed.