Document wildcard interface sfilter exemption.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-06-14 06:51:17 -07:00 · 2011-06-14 06:51:17 -07:00 · f04321592c
commit f04321592c
parent 4d08ad0eea
3 changed files with 28 additions and 0 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -2,6 +2,8 @@ Changes in Shorewall 4.4.20.3

 1)  Remove deprecated options from the .conf files.

+2)  Exempt wildcard interfaces from sfilter.
+
 Changes in Shorewall 4.4.20.2

 1)  Reject degenerate tcpri entries.
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@ -5,9 +5,13 @@
    (unannotated) version of shorewall6.conf, regardless of the '-p'
    option.

+    Corrected in 4.4.20.1
+
 3)  Fixed item 1 from 4.4.19.4 was inadvertently omitted from
    4.4.20.

+    Corrected in 4.4.20.2
+
 2)  A defect introduced in 4.4.20 can cause the following failure at
    start/restart:

@ -18,12 +22,18 @@
    /etc/shorewall/tcdevices and the default HTB queuing discipline is
    used.

+    Corrected in 4.4.20.2
+
 3)  The 'sfilter' interface option introduced in 4.4.20 is not applied
    to traffic addressed to the firewall itself.

+    Corrected in 4.4.20.2
+
 4)  IPSEC traffic is incorrectly included in the rules generated by
    sfiltering.

+    Corrected in 4.4.20.2
+
 5)  Shorewall 4.4.20 can, under some circumstances, fail during
    iptables-restore with a message such as the following:

@ -38,6 +48,18 @@
    ERROR: iptables-restore Failed. Input is in
    	   /var/lib/shorewall/.iptables-restore-input

+    Corrected in 4.4.20.2
+
 6)  The following extraneous warning message may be ignored:

    	WARNING: sfilter is ineffective with FASTACCEPT=Yes
+
+    Corrected in 4.4.20.2
+
+7)  A simple configuration like the 'Universal' sample that includes a
+    single wildcard interface ('+' in the INTERFACE column) produces a
+    ruleset that blocks all incoming packets.
+
+    Workaround: Add the 'routeback' option to the entry in
+    /etc/shorewall/interfaces.
+ 
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -18,6 +18,10 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 1)  Deprecated options have been removed from the .conf files. 
    They remain in the man pages.

+2)  A simple configuration like the 'Universal' sample that includes a
+    single wildcard interface ('+' in the INTERFACE column) produces a
+    ruleset that blocks all incoming packets.
+
 4.4.20.2

 1)  Problem Corrected #1 from 4.4.19.4 was inadvertently omitted from