commit crap for now

2009-11-23 11:13:57 -08:00 · 2009-11-23 11:13:57 -08:00 · c17ac8f23f
commit c17ac8f23f
parent 99a35c1bf0 532105ec39
2 changed files with 50 additions and 2 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,6 +1,18 @@
 Changes in 4.5.0

+<<<<<<< HEAD:Shorewall/changelog.txt
 1)  Allow specific policy to supersede a wildcard policy.
+=======
+1)  Fix 15-port limit removal change.
+
+2)  Fix handling of interfaces with the 'bridge' option.
+
+3)  Generate error for port number 0
+
+4)  Allow zone::serverport in rules DEST column.
+
+5)  Allow specific policy to supersede a wildcard policy.
+>>>>>>> 4.4:Shorewall/changelog.txt

 2)  Fix 15-port limit removal change.

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -10,7 +10,19 @@ None.
                    M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------

-None.
+1)  The change which removed the 15 port limitation on
+    /etc/shorewall/routestopped was incomplete. The result was that if
+    more than 15 ports are listed, an error was generated.
+
+2)  If any interfaces have the 'bridge' option specified, compilation
+    fails with the error:
+
+    Undefined subroutine &Shorewall::Rules::match_source_interface called 
+    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
+
+3)  The compiler now flags port number 0 as an error. Previously, port
+    0 was allowed with the result that invalid iptables-restore input
+    could be generated.

 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 5 . 0
@ -22,7 +34,31 @@ None.
             K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------

-None.
+1)  Shorewall now allows DNAT rules that change only the destination
+    port.
+
+    Example:
+
+	DNAT	loc	net::456	udp	234
+
+    That rule will modify the destination port in UDP packets received
+    from the 'loc' zone from 456 to 234. Note that if the destination
+    is the firewall itself, then the destination port will be rewritten
+    but that no ACCEPT rule from the loc zone to the $FW zone will have
+    been created to handle the request. So such rules should probably
+    exclude the firewall's IP addresses in the ORIGINAL DEST column.
+
+2)  Previously, the following sequence of policies would produce a
+    'Duplicate Policy' error:
+
+    	     $FW             all             ACCEPT
+    	     $FW             dmz             REJECT          info
+
+    Begining with 4.4.5, this sequence produces the same result as this
+    one:
+
+    	     $FW             dmz             REJECT          info
+    	     $FW             all             ACCEPT

 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 5 . 0