Updated release documentation

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-05-16 14:27:07 -07:00
parent 511aa7bdc0
commit 6d29a974dd
3 changed files with 48 additions and 2 deletions

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.19.4
4) Issue warning on missing ipset.
5) Fix logging and exclusion vs 'refresh'.
Changes in Shorewall 4.4.19.3
1) Eliminate issue with 'gawk'.
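Review bot: Entry 5, "Fix logging and exclusion vs 'refresh'", is too terse to tell a reader what was broken. The known-problems text in this same commit describes the fault as 'refresh' jumping to the wrong sequenced chains (~lognnn, ~exclnnn) or failing outright; consider wording the changelog line to match, for example "Fix 'refresh' when sequenced log/exclusion chains have changed".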

@ -73,3 +73,27 @@
Corrected in Shorewall 4.4.19.3.
6) The compiler allow degenerate entries (only the BAND column
specified) in /etc/shorewall/tcpri. Such entries cause a run-time
failure during start/restart.
7) It is possible to specify tcfilters and tcrules that classify
traffic with the class-id of a non-leaf HFSC class. Such
classes are not capabable of handling packets.
If a non-leaf class is specified as the default class, then
a run-time start/restart failure occurs.
8) Shorewall does not check for the existance of ipsets mentioned in
the configuration, potentially resulting in a run-time
start/restart failure.
9) As currently implemented, the 'refresh' command could fail or
can result in a ruleset other than what was intended. If there
have been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset can
jump to the wrong such chains or can fail to 'refresh'
successfully.
Workaround: Use 'restart' rather than 'refresh'
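Review bot: Items 6 through 9 carry several typos and one tense slip that should be fixed before release: item 6 "The compiler allow" should be "allows", item 7 "capabable" should be "capable", item 8 "existance" should be "existence", and item 9 mixes "could fail" with "can result" where the rest of the entry uses "can". Item 9 is also the only entry here where the failure can be silent (a ruleset "other than what was intended" rather than a start/restart failure), so it would help to say that plainly next to the workaround, and to end the Workaround line with a period like the other entries.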

@ -23,7 +23,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
classified traffic with the class-id of a non-leaf HFSC class. Such
classes are not capabable of handling packets.
Shorewall now generates a compile-time warning in this case.
Shorewall now generates a compile-time warning in this case and
ignores the entry.
If a non-leaf class is specified as the default class, then
Shorewall now generates a compile-time error since that
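Review bot: "ignores the entry" in the reworded sentence leaves open what happens to the traffic that the ignored tcfilter or tcrule was meant to classify. Since the administrator only gets a compile-time warning, suggest stating where that traffic ends up once the entry is dropped. The context line just above still reads "capabable" (should be "capable"), which is worth correcting while this paragraph is being touched.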
@ -38,7 +39,26 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
b) The compilation isn't producing a script to run on a remote
system under a -lite product.
c) An ipset appearing in the configuration does not exist on the
local system.
local system.
4) As previously implemented, the 'refresh' command could fail or
could result in a ruleset other than what was intended. If there
had been changes in the ruleset since it was originally
started/restarted/restored that added or deleted sequenced chains
(chains such as ~lognnn and ~exclnnn), the resulting ruleset could
jump to the wrong such chains or could fail to 'refresh'
successfully.
This issue has been corrected as follows. When a 'refresh' is done
and individual chains are involved, then each table that contains
both sequenced chains and one of the chains being refreshed is
refreshed in its entirety.
For example, if 'shorwall refresh foo' is issued and the filter
table (which is the default) contains any sequenced chains, then
the entire table is reloaded. Note that this reload operation is
atomic so no packets are passed through an inconsistent
configuration.
4.4.19.3
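Review bot: The example command in new item 4 is misspelled: "'shorwall refresh foo'" should be "'shorewall refresh foo'". The rule is stated as applying to each table that contains "both sequenced chains and one of the chains being refreshed", while the example only mentions the filter table containing sequenced chains; suggest adding that chain foo is in the filter table so the example visibly satisfies both conditions. It may also help to note here that the 'restart' workaround listed in the known-problems file is no longer needed.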