forked from extern/shorewall_code
Updated release documentation
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
511aa7bdc0
commit
6d29a974dd
@ -8,6 +8,8 @@ Changes in Shorewall 4.4.19.4
|
||||
|
||||
4) Issue warning on missing ipset.
|
||||
|
||||
5) Fix logging and exclusion vs 'refresh'.
|
||||
|
||||
Changes in Shorewall 4.4.19.3
|
||||
|
||||
1) Eliminate issue with 'gawk'.
|
||||
|
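Review bot: The new entry "5) Fix logging and exclusion vs 'refresh'." under 4.4.19.4 does not say what was broken or what now happens, so a reader of the changelog cannot tell whether their use of 'refresh' was affected. Suggest naming the failure, for example "5) Fix 'refresh' when sequenced chains (~lognnn, ~exclnnn) have been added or deleted since start/restart/restore."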
@ -73,3 +73,27 @@
|
||||
|
||||
Corrected in Shorewall 4.4.19.3.
|
||||
|
||||
6) The compiler allow degenerate entries (only the BAND column
|
||||
specified) in /etc/shorewall/tcpri. Such entries cause a run-time
|
||||
failure during start/restart.
|
||||
|
||||
7) It is possible to specify tcfilters and tcrules that classify
|
||||
traffic with the class-id of a non-leaf HFSC class. Such
|
||||
classes are not capabable of handling packets.
|
||||
|
||||
If a non-leaf class is specified as the default class, then
|
||||
a run-time start/restart failure occurs.
|
||||
|
||||
8) Shorewall does not check for the existance of ipsets mentioned in
|
||||
the configuration, potentially resulting in a run-time
|
||||
start/restart failure.
|
||||
|
||||
9) As currently implemented, the 'refresh' command could fail or
|
||||
can result in a ruleset other than what was intended. If there
|
||||
have been changes in the ruleset since it was originally
|
||||
started/restarted/restored that added or deleted sequenced chains
|
||||
(chains such as ~lognnn and ~exclnnn), the resulting ruleset can
|
||||
jump to the wrong such chains or can fail to 'refresh'
|
||||
successfully.
|
||||
|
||||
Workaround: Use 'restart' rather than 'refresh'
|
||||
|
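Review bot: Items 6, 7 and 8 of the added known-problems text describe run-time start/restart failures but give neither a workaround nor a "Corrected in ..." line, while the preceding entry ends with "Corrected in Shorewall 4.4.19.3." and item 9 ends with a workaround. Add one or the other to each item so an administrator on an affected release knows what to do. While editing, fix "The compiler allow" (allows) in item 6, "capabable" in item 7, "existance" in item 8, and the mixed tense "could fail or can result" in item 9.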
@ -23,7 +23,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
classified traffic with the class-id of a non-leaf HFSC class. Such
|
||||
classes are not capabable of handling packets.
|
||||
|
||||
Shorewall now generates a compile-time warning in this case.
|
||||
Shorewall now generates a compile-time warning in this case and
|
||||
ignores the entry.
|
||||
|
||||
If a non-leaf class is specified as the default class, then
|
||||
Shorewall now generates a compile-time error since that
|
||||
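Review bot: The replacement text "generates a compile-time warning in this case and ignores the entry" does not say which entry is ignored (the tcfilters or tcrules line) or how the traffic that entry matched is classified afterwards. Since a dropped classification rule changes shaping behaviour while the compile still succeeds, state both explicitly here. The unchanged line just above still reads "capabable"; worth correcting in the same edit.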
@ -38,7 +39,26 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
b) The compilation isn't producing a script to run on a remote
|
||||
system under a -lite product.
|
||||
c) An ipset appearing in the configuration does not exist on the
|
||||
local system.
|
||||
local system.
|
||||
|
||||
4) As previously implemented, the 'refresh' command could fail or
|
||||
could result in a ruleset other than what was intended. If there
|
||||
had been changes in the ruleset since it was originally
|
||||
started/restarted/restored that added or deleted sequenced chains
|
||||
(chains such as ~lognnn and ~exclnnn), the resulting ruleset could
|
||||
jump to the wrong such chains or could fail to 'refresh'
|
||||
successfully.
|
||||
|
||||
This issue has been corrected as follows. When a 'refresh' is done
|
||||
and individual chains are involved, then each table that contains
|
||||
both sequenced chains and one of the chains being refreshed is
|
||||
refreshed in its entirety.
|
||||
|
||||
For example, if 'shorwall refresh foo' is issued and the filter
|
||||
table (which is the default) contains any sequenced chains, then
|
||||
the entire table is reloaded. Note that this reload operation is
|
||||
atomic so no packets are passed through an inconsistent
|
||||
configuration.
|
||||
|
||||
4.4.19.3
|
||||
|
||||
|
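Review bot: The example command in the new item 4 is misspelled as 'shorwall refresh foo'; it should read 'shorewall refresh foo', otherwise a reader copying it gets a command that does not exist. Also, the "local system." line under item c) appears to be removed and re-added with no visible difference, which looks like a whitespace-only change; drop it from this patch or mention it in the commit message. Finally, since the known-problems entry tells users to use 'restart' rather than 'refresh', it would help to say here that the workaround is no longer needed once this fix is installed.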