From 4a4d74b52b3b2c4d72b1467e26d087e955fbd995 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 29 Apr 2011 07:25:42 -0700 Subject: [PATCH] Document fix for IPSETs and ORIGINAL DEST Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 13 +++++++++++++ 2 files changed, 15 insertions(+) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 8a2d22f6f..b1d2d60c8 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -2,6 +2,8 @@ Changes in Shorewall 4.4.20 Beta 1 1) Apply Togan's patch for installation flexibility. +2) Restore use of IPSETS in the ORIGINAL DEST column. + Changes in Shorewall 4.4.19.1 1) Eliminate silly duplicate rule when stopped. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 6d8440cdd..e0e4d0b24 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -39,6 +39,19 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES DNAT and REDIRECT rules. That capability, inadvertently dropped in Shorewall-perl, has now been restored. + Please note, however, that using an IPSET in this way will open the + server port from the SOURCE zone. + + Example: + + This rule: + + DNAT net dmz:10.1.10.2 tcp 80 - +foo + + will implicitly add this rule: + + ACCEPT net dmz:10.1.10.2 tcp 80 + ---------------------------------------------------------------------------- I I. K N O W N P R O B L E M S R E M A I N I N G ----------------------------------------------------------------------------
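Review bot: In the Shorewall/changelog.txt hunk, entry 2 writes "IPSETS" where the release note added by the same patch writes "IPSET"; use one spelling in both files. Since the restored capability comes with the implicit ACCEPT that the release note describes, the changelog entry could also point readers to that note.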
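Review bot: In the Shorewall/releasenotes.txt hunk, "will open the server port from the SOURCE zone" leaves the scope of the exposure unstated. The implicit rule shown in the example, "ACCEPT net dmz:10.1.10.2 tcp 80", carries no ORIGINAL DEST or ipset match, so as written it accepts tcp 80 to 10.1.10.2 from the whole net zone and not only for connections whose original destination is in +foo. Suggest stating that explicitly, for example "the implicit ACCEPT rule is not restricted by the ipset", so that readers who expect +foo to limit access know to check the resulting filter rules.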