From 5e629bbb797f840337577f20d139e5624fe5efa0 Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 6 Apr 2008 17:10:07 +0000 Subject: [PATCH] Bring News page up to date git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8393 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- web/News.htm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/web/News.htm b/web/News.htm index f1396ab2b..0fd5193e2 100644 --- a/web/News.htm +++ b/web/News.htm @@ -26,9 +26,12 @@ license is included in the section entitled GNU Free Documentation License".

-

February 23, 2008
+

March 29, 2008


+

2008-03-29 Shorewall 4.0.10

+

+
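Review bot: the two heading lines this hunk adds use different date styles, "March 29, 2008" followed by "2008-03-29 Shorewall 4.0.10", while the existing "February 23, 2008" entry kept as context above uses only the prose form. Pick one: either drop the date from the "2008-03-29 Shorewall 4.0.10" line, since the heading directly above it already carries the date, or use the release-notes form for both, so the News page stays consistent with the entry it sits beside.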
Problems corrected in Shorewall-perl 4.0.10.

1)  Shorewall-perl 4.0.9 erroneously reported an error message when a
    bridge port was defined in /etc/shorewall/interfaces:

     ERROR: Your iptables is not recent enough to support bridge ports

2)  Under Shorewall-perl, if an empty action was invoked or was named
    in one of the DEFAULT_xxx options in shorewall.conf, an
    iptables-restore error occurred.

3)  If $ADMIN was empty, then the rule:

        ACCEPT loc:$ADMIN all

    became

        ACCEPT loc   net

    It is now flagged as an error.

4)  Previously, Shorewall-perl would reject an IP address range in the
    ecn and routestopped files.

5)  A POLICY of ":" in /etc/shorewall/policy would produce Perl
    run-time errors.

6)  An INTERFACE of ":" in /etc/shorewall/interfaces would produce Perl
    run-time errors.

7)  A MARK of ":" in /etc/shorewall/tcrules would produce Perl
    run-time errors.

Problems corrected in Shorewall-shell 4.0.10.

1)  Specifying a value for ACCEPT_DEFAULT or QUEUE_DEFAULT resulted in
    a fatal error at compile time.

Known Problems Remaining.

1)  The 'refresh' command doesn't refresh the mangle table. So changes
    made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
    not be reflected in the running ruleset.

Other changes in 4.0.10.

1)  The Sample configurations have been updated to set
    LOG_MARTIANS=keep. In 4.2, this will be changed to
    LOG_MARTIANS=Yes.

2)  Shorewall-perl now generates a fatal error if a non-existent shell
    variable is used in any configuration file (except
    /etc/shorewall/params).

3)  Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
    port 1701 in both directions and assumes that the source port will
    also be 1701. Some implementations (particularly OS X) use a
    different source port. In that case, you should use
    'generic:udp:1701' rather than 'l2tp'.
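
Item 3) under "Problems corrected in Shorewall-perl" and item 2) under
"Other changes" describe the same fail-open hazard from two sides: a shell
variable that is undefined, or defined but empty, silently turns a one-host
SOURCE such as loc:$ADMIN into the whole loc zone. The Python below is an
added example, not Shorewall's code. It reproduces the old lenient expansion
beside a strict one that refuses both cases. The params parser is a
constructed simplification (the real /etc/shorewall/params is a shell
script; only plain NAME=value lines are handled), and SAMPLE_PARAMS and
SAMPLE_RULES are constructed inputs.

```python
"""Added example (not Shorewall code): fail-closed expansion of shell
variables in Shorewall-style rule lines.  Lenient mode reproduces the
pre-4.0.10 result (an unset or empty $ADMIN turns 'loc:$ADMIN' into the
whole 'loc' zone); strict mode flags it instead."""
import re

# $VAR or ${VAR}
VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Constructed sample inputs (simplified params: the real file is a shell script)
SAMPLE_PARAMS = """\
# /etc/shorewall/params (simplified)
ADMIN=192.168.1.5
"""
SAMPLE_RULES = """\
#ACTION SOURCE          DEST    PROTO   DEST PORT(S)
ACCEPT  loc:$ADMIN      net     tcp     22
ACCEPT  loc             net     tcp     80,443
"""


class UndefinedVariable(Exception):
    """A rule references a variable that params does not define."""


def parse_params(text):
    """Read NAME=value lines; '#' comments and blank lines are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip().strip('"').strip("'")
    return params


def expand(line, params, lineno, strict):
    """Substitute variables.  Lenient: unknown -> '' (old behaviour).
    Strict: unknown -> UndefinedVariable (4.0.10 behaviour)."""
    def repl(match):
        name = match.group(1)
        if name in params:
            return params[name]
        if strict:
            raise UndefinedVariable(f"line {lineno}: ${name} is not defined")
        return ""
    return VAR_RE.sub(repl, line)


def compile_rules(rules_text, params, strict=True):
    """Return whitespace-normalised rule lines.  strict=False reproduces the
    fail-open pre-4.0.10 result; strict=True fails closed on undefined
    variables and on a SOURCE/DEST left as 'zone:' by an empty one."""
    compiled = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        columns = expand(line, params, lineno, strict).split()
        if len(columns) < 3:
            raise ValueError(f"line {lineno}: need at least ACTION SOURCE DEST")
        for idx in (1, 2):  # SOURCE, DEST
            if columns[idx].endswith(":"):
                if strict:
                    raise ValueError(
                        f"line {lineno}: {columns[idx]!r} has an empty host list; "
                        "refusing to widen the rule to the whole zone")
                columns[idx] = columns[idx][:-1]  # old behaviour: 'loc:' -> 'loc'
        compiled.append(" ".join(columns))
    return compiled


def check(rules_text, params):
    """Strict compile wrapped as ('ok', rules) or ('error', message)."""
    try:
        return "ok", compile_rules(rules_text, params, strict=True)
    except (UndefinedVariable, ValueError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    print(check(SAMPLE_RULES, parse_params(SAMPLE_PARAMS)))
    print(check(SAMPLE_RULES, {}))                        # $ADMIN undefined
    print(compile_rules(SAMPLE_RULES, {}, strict=False))  # what the old compiler built
```

The lenient path shows why the change matters: with ADMIN missing, the
first rule compiles to "ACCEPT loc net tcp 22", which grants SSH from every
host in loc rather than from the one administrator address.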

2008-03-01 Shorewall 3.4.8

1)  Shorewall now removes any default bindings of ipsets before
    attempting to reload them. Previously, default bindings were not
    removed, with the result that the ipsets could not be destroyed.

2)  When HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when
    marking in the PREROUTING or OUTPUT chains. When a rule specified a
    mark value > 255, the compiler was using the '--or-mark' operator
    rather than the '--set-mark' operator, with the result that when a
    packet matched more than one rule, the resulting routing mark was
    the bitwise OR of the mark values in the rules rather than the mark
    of the last matching rule.

    Example:

        #MARK   SOURCE          DEST            PROTO   PORT(S)
        0x100   192.168.1.44    0.0.0.0/0
        0x200   0.0.0.0/0       0.0.0.0/0       tcp     25

    A TCP packet from 192.168.1.44 with destination port 25 would end
    up with a mark value of 0x300 (0x100 | 0x200) rather than 0x200.

3)  Shorewall now properly parses comma-separated SOURCE (formerly
    SUBNET) values in the masq configuration file. Previously, the
    comma-separated list was not split up into its components,
    resulting in an invalid address being passed to the iptables
    command.

    Example:

        # /etc/shorewall/masq
        #INTERFACE      SUBNET                          ADDRESS PROTO   PORT(S) IPSEC
        eth0            192.168.2.1,192.168.2.3

4)  Previously, specifying both an interface and a MAC address in the
    SOURCE column of the tcrules file caused a failure at runtime.
    Thanks to Justin Joseph for the patch.

5)  Previously, specifying both an interface and an address in the
    tcrules DEST column would cause an incomplete rule to be generated.

    Example:

        #MARK   SOURCE          DEST                    PROTO   PORT(S)
        1       192.168.1.4     eth2:206.124.146.177    tcp     22

    The resulting tcrule would be as if this had been specified:

        #MARK   SOURCE          DEST                    PROTO   PORT(S)
        1       0.0.0.0/0       eth2:206.124.146.177    tcp     22

    That is, the SOURCE restriction was silently dropped and the mark
    was applied to matching traffic from any host.

6)  When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
    fwmarks to routing tables overflowed the designated range for such
    marks (10000 - 11000).
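
Items 2) and 6) above both concern how a routing mark is built in the
mangle table and then matched against the routing rules for the providers.
The Python below is an added example, not Shorewall's code: it runs the two
tcrules entries from item 2) through the '--or-mark' and '--set-mark'
operators, then applies a fwmark lookup of the kind an
'ip rule add fwmark MARK/MASK table NAME' rule performs. The provider names
ISP1/ISP2, the 0xff00 mask for high routing marks, and the sample packet are
constructed for the example.

```python
"""Added example (not Shorewall code): how fwmark rules combine under
'--or-mark' versus '--set-mark', and what a fwmark routing rule then sees.
The tcrules entries are the two from item 2); providers, mask and packets
are constructed."""
from ipaddress import ip_address, ip_network

# tcrules-style entries: (MARK, SOURCE, DEST, PROTO, DEST PORT).
# None means "any" for PROTO/PORT; addresses are host or CIDR strings.
TCRULES = [
    (0x100, "192.168.1.44", "0.0.0.0/0", None, None),
    (0x200, "0.0.0.0/0", "0.0.0.0/0", "tcp", 25),
]

# Constructed providers: what 'ip rule add fwmark <mark>/0xff00 table <name>'
# would install for two uplinks when routing marks live in the high byte.
ROUTE_MASK = 0xFF00
PROVIDERS = {0x100: "ISP1", 0x200: "ISP2"}


def rule_matches(rule, pkt):
    """True when the packet satisfies every non-wildcard column of the rule."""
    _mark, src, dst, proto, dport = rule
    if ip_address(pkt["src"]) not in ip_network(src, strict=False):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst, strict=False):
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    if dport is not None and pkt.get("dport") != dport:
        return False
    return True


def apply_marks(rules, pkt, operator):
    """Walk the mangle chain in order, applying each matching rule's mark.

    '--or-mark' ORs the rule's value into the existing mark, so two matching
    rules leave a combined value (the pre-3.4.8 bug); '--set-mark'
    overwrites, so the last matching rule decides the routing mark."""
    mark = 0
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if operator == "--or-mark":
            mark |= rule[0]
        elif operator == "--set-mark":
            mark = rule[0]
        else:
            raise ValueError(f"unknown operator {operator!r}")
    return mark


def route_table(mark):
    """Emulate the fwmark routing rules: the masked mark must equal a
    provider's mark exactly.  None means no provider rule matched and the
    packet falls through to the main table."""
    return PROVIDERS.get(mark & ROUTE_MASK)


if __name__ == "__main__":
    # Constructed packet: TCP from 192.168.1.44 to port 25, matching both rules.
    pkt = {"src": "192.168.1.44", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}
    for op in ("--or-mark", "--set-mark"):
        mark = apply_marks(TCRULES, pkt, op)
        print(f"{op:11} mark=0x{mark:x} table={route_table(mark)}")
```

With '--or-mark' the packet leaves the chain marked 0x300, which equals
neither provider's mark under the 0xff00 mask, so it bypasses both provider
tables and is routed by the main table; with '--set-mark' it carries 0x200
and is routed via ISP2 as the second rule intends.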