From c936cbeab282f1f9b35a3d461b720ca67e6449da Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 27 Mar 2011 11:20:41 -0700 Subject: [PATCH] Document fix for mis-configured ipsec host group on a bridge --- Shorewall/changelog.txt | 4 ++++ Shorewall/known_problems.txt | 12 ++++++++++++ Shorewall/releasenotes.txt | 9 ++++++++- 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 64f744cf3..157fce4ab 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -1,3 +1,7 @@ +Changes in Shorewall 4.4.18.2 + +1) Handle mis-configured ipsec host group on a bridge. + Changes in Shorewall 4.4.18.1 1) Fix params processing bug. diff --git a/Shorewall/known_problems.txt b/Shorewall/known_problems.txt index 092e6e180..73a2f3a04 100644 --- a/Shorewall/known_problems.txt +++ b/Shorewall/known_problems.txt @@ -24,3 +24,15 @@ run-time error occurs. Corrected in Shorewall 4.4.18.1 + +5) If a bridge interface has subordinate ports defined in + /etc/shorewall/interface, then an ipsec entry (either ipsec zone or + the 'ipsec' option specified) in /etc/shorewall/hosts results in + the compiler generating an incorrect Netfilter configuration. + + Workaround: Change the hosts entry to specify one of the bridge + ports. If the specified network spans more than one port, then + replicate for each port. + + Will be corrected in Shorewall 4.4.18.2 or 4.4.19, whichever occurs + first. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 2ef4c4d94..1f4f3d9ea 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------- - S H O R E W A L L 4 . 4 . 1 8 . 1 + S H O R E W A L L 4 . 4 . 1 8 . 2 ---------------------------------------------------------------------------- I. PROBLEMS CORRECTED IN THIS RELEASE 
@@ -13,6 +13,13 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.18.2 + +1) If a bridge interface had subordinate ports defined in + /etc/shorewall/interface, then an ipsec entry (either ipsec zone or + the 'ipsec' option specified) in /etc/shorewall/hosts resulted in + the compiler generating an incorrect Netfilter configuration. + 4.4.18.1 1) An issue with params processing on RHEL6 has been corrected. The
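Review bot: In the Shorewall/changelog.txt hunk, the entry "Handle mis-configured ipsec host group on a bridge" calls the configuration mis-configured, while the known_problems.txt and releasenotes.txt text in this same patch describes the compiler generating an incorrect Netfilter configuration and offers a workaround. Pick one framing. If an ipsec hosts entry that names the bridge itself is invalid once ports are defined, say what the compiler now does with it (error, warning, or something else). If it is a valid configuration, drop "mis-configured" from the changelog line and the commit subject.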
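Review bot: In the Shorewall/known_problems.txt hunk, item 5 ends with "Will be corrected in Shorewall 4.4.18.2 or 4.4.19, whichever occurs first", but the changelog.txt and releasenotes.txt hunks of this patch already list the fix under 4.4.18.2. The preceding item in the context lines uses "Corrected in Shorewall 4.4.18.1", so "Corrected in Shorewall 4.4.18.2" would match the file's existing style and remove the contradiction. The path "/etc/shorewall/interface" in the same item should read /etc/shorewall/interfaces, which is the name of the Shorewall interfaces file.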
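Review bot: In the second Shorewall/releasenotes.txt hunk, the 4.4.18.2 item says only that the compiler generated "an incorrect Netfilter configuration", which does not tell an administrator of an ipsec zone in which way the ruleset was wrong (traffic handled without the intended ipsec policy match, or traffic wrongly dropped) or whether a ruleset compiled by an earlier version needs review. Suggest adding one sentence on the observable effect and one on what the compiler does now, and stating whether the per-port hosts entries from the known_problems.txt workaround can stay in place after upgrading. The path "/etc/shorewall/interface" appears here as well and should be /etc/shorewall/interfaces.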