Bring News page up to date

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8393 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-04-06 17:10:07 +00:00
parent 2ef0a32b7c
commit 5e629bbb79


@ -26,9 +26,12 @@ license is included in the section entitled <span
href="GnuCopyright.htm" target="_self">GNU Free Documentation
License</a></span>".
</p>
<p>February 23, 2008<br>
<p>March 29, 2008<br>
</p>
<hr style="width: 100%; height: 2px;">
<p><strong>2008-03-29 Shorewall 4.0.10</strong></p>
<p><strong></strong></p>
<pre>Problems corrected in Shorewall-perl 4.0.10.<br><br>1)&nbsp; Shorewall-perl 4.0.9 erroneously reported an error message when a<br>&nbsp;&nbsp;&nbsp; bridge port was defined in /etc/shorewall/interfaces:<br><br>&nbsp;&nbsp;&nbsp;&nbsp; ERROR: Your iptables is not recent enough to support bridge ports<br><br>2)&nbsp; Under Shorewall-perl, if an empty action was invoked or was named<br>&nbsp;&nbsp;&nbsp; in one of the DEFAULT_xxx options in shorewall.conf, an<br>&nbsp;&nbsp;&nbsp; iptables-restore error occured.<br><br>3)&nbsp; If $ADMIN was empty, then the rule:<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT loc:$ADMIN all<br><br>&nbsp;&nbsp;&nbsp;&nbsp; became<br><br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ACCEPT loc&nbsp;&nbsp; net<br><br>&nbsp;&nbsp;&nbsp;&nbsp; It is now flagged as an error.<br><br>4)&nbsp; Previously, Shorewall-perl would reject an IP address range in the<br>&nbsp;&nbsp;&nbsp; ecn and routestopped files.<br><br>5)&nbsp; A POLICY of ":" in /etc/shorewall/policy would produce Perl<br>&nbsp;&nbsp;&nbsp; run-time errors.<br><br>6)&nbsp; An INTERFACE of ":" in /etc/shorewall/interfaces would produce Perl<br>&nbsp;&nbsp;&nbsp; run-time errors.<br><br>7)&nbsp; A MARK of ":" in /etc/shorewall/tcrules would produce Perl<br>&nbsp;&nbsp;&nbsp; run-time errors.<br><br>Problems corrected in Shorewall-shell 4.0.10.<br><br>1)&nbsp; Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in<br>&nbsp;&nbsp;&nbsp; a fatal error at compile time.<br><br>Known Problems Remaining.<br><br>1)&nbsp; The 'refresh' command doesn't refresh the mangle table. So changes<br>&nbsp;&nbsp;&nbsp; made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may<br>&nbsp;&nbsp;&nbsp; not be reflected in the running ruleset.<br><br>Other changes in 4.0.10.<br><br>1)&nbsp; The Sample configurations have been updated to set<br>&nbsp;&nbsp;&nbsp; LOG_MARTIANS=keep. 
In 4.2, this will be changed to<br>&nbsp;&nbsp;&nbsp; LOG_MARTIANS=Yes.<br><br>2)&nbsp; Shorewall-perl now generates a fatal error if a non-existant shell<br>&nbsp;&nbsp;&nbsp; variable is used in any configuration file (except<br>&nbsp;&nbsp;&nbsp; /etc/shorewall/params).<br><br>3)&nbsp; Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP<br>&nbsp;&nbsp;&nbsp; port 1701 in both directions and assumes that the source port will<br>&nbsp;&nbsp;&nbsp; also be 1701. Some implementations (particularly OS X) use a<br>&nbsp;&nbsp;&nbsp; different source port. In that case, you should use<br>&nbsp;&nbsp;&nbsp; 'generic:udp:1701' rather than 'l2tp'.<br></pre>
<p><strong>2008-03-01 Shorewall 3.4.8</strong></p>
<pre>1) Shorewall now removes any default bindings of ipsets before<br> attempting to reload them. Previously, default bindins were not<br> removed with the result that the ipsets could not be destroyed.<br><br><br>2) When HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when<br> marking in the PREROUTING or OUTPUT chains. When a rule specified a<br> mark value &gt; 255, the compiler was using the '--or-mark' operator<br> rather than the '--set-mark' operator with the result that when a<br> packet matched more than one rule, the resulting routing mark was<br> the logical product of the mark values in the rules.<br><br><br> Example:<br><br><br> 0x100 192.168.1.44 0.0.0.0/0<br> 0x200 0.0.0.0/0 0.0.0.0/0 tcp 25<br><br><br> A TCP packet from 192.168.1.44 with destination port 25 would end<br> up with a mark value of 0x300.<br><br><br>3) Shorewall now properly parses comma separated SOURCE (formerly<br> SUBNET) values in the masq configuration file. Previously, the comma<br> separated list was not split up into its components, resulting in an<br> invalid address being passed to the iptables command.<br><br><br> Example:<br><br><br> # /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC<br> eth0 192.168.2.1,192.168.2.3<br><br><br>4) Previously, specifying both an interface and a MAC address in the<br> SOURCE column of the tcrules file caused a failure at runtime.<br> Thanks to Justin Joseph for the patch.<br><br><br>5) Previously, specifying both an interface and an address in the<br> tcrules DEST column would cause an incomplete rule to be generated.<br><br><br> Example:<br><br><br> 1 192.168.1.4 eth2:206.124.146.177 tcp 22<br><br><br> The resulting tcrule would be as if this had been specified:<br><br><br> 1 0.0.0.0/0 eth2:206.124.146.177 tcp 22<br><br><br>6) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match<br> fwmarks to routing tables overflowed the designated range for such<br> marks (10000 - 11000).</pre>
<hr>
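Review bot: the empty `<p><strong></strong></p>` directly after the "2008-03-29 Shorewall 4.0.10" heading is a leftover with no content and should be dropped; in the same region the visible lines show two paragraph openings (`<p>February 23, 2008<br>` followed by `<p>March 29, 2008<br>`) before a single `</p>`, so unless the February line is the one being removed, the first date paragraph is left unclosed. The 4.0.10 text also carries spelling errors worth fixing before the page is published: "occured" (Shorewall-perl item 2), "non-existant" (item 2 under "Other changes in 4.0.10"), and "bindins" in the 3.4.8 item 1. Since the changelog sits inside `<pre>`, the runs of `&nbsp;` and the `<br>` tags are redundant (the element already preserves whitespace and line breaks) and make future edits error-prone; plain spaces and newlines would render identically.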