holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Update release notes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6250 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-05-05 19:26:39 +00:00
parent 94086440b8
commit f8048b61cf
1 changed files with 55 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
Shorewall-common/releasenotes.txt
View File

@ -31,6 +31,51 @@ Problems corrected in 3.9.6.
5) Previously, use of CONTINUE in the tcrules file would cause
generation of invalid iptables-restore input.
6) If a chain's only reference is in the ACTION column of an
accounting rule, a run-time error would occur:
iptables-restore v1.3.6: Couldn't load target
`SJS':/lib/iptables/libipt_SJS.so: cannot open shared object file: No such
file or directory
7) A problem with merging the log level and tag in macro or action
invocations has been corrected.
8) An empty action body no longer results in a run-time error.
9) Shorewall-perl now traps the case where an action invokes itself.
10) Shorewall-perl now traps COMMENT followed by a colon (":") and a
log level.
11) COMMENT in an action body is now properly handled.
12) LOG rules in macros are now handled correctly.
13) Parsing of 'ipp2p' rules has been corrected.
14) Inversion is now handled correctly in packet/connection mark tests.
15) Parsing errors in RATE/BURST and USER/GROUP columns have been
eliminated.
16) ipsets have now been tested and several bugs in their handling have
been corrected.
17) Errors in handling the SOURCE and DEST column during macro
expansion have been corrected.
18) The correct mask is now used when testing HIGH_ROUTE_MARK marks.
19) Shorewall-perl now correctly handles the COPY column in provider
definitions.
20) A number of cases where Shorewall-perl did not handle undefined
zones have been corrected.
21) A number of bugs relating to parsing the tunnels file have been
corrected.
Other changes in Shorewall 3.9.6.
@ -72,6 +117,10 @@ Other changes in Shorewall 3.9.6.
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK and CONNMARK value.
3) SOURCE and DEST are now reserved zone names to avoid problems with
bi-directional macro definisions which use these as names as key
words.
Migration Considerations:
1) You cannot simply upgrade your existing Shorewall package. You must
@ -269,13 +318,11 @@ Migration Considerations:
requiring change to existing files. In particular, it will
handle the tos file released with Shorewall 1.4 and earlier.
i) Currently, support for ipsets is untested. That will change with
future pre-releases but one thing is certain -- Shorewall is now
out of the ipset load/reload business. With scripts generated by
the Perl-based Compiler, the Netfilter ruleset is never
cleared. That means that there is no opportunity for Shorewall
to load/reload your ipsets since that cannot be done while there
are any current rules using ipsets.
i) Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter
ruleset is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
cannot be done while there are any current rules using ipsets.
So:
@ -451,58 +498,5 @@ with the shell's '-a' option which causes any variables that you set
or create in that file to be automatically exported. Since the params
file is processed before shorewall.conf, using -a insures that the
settings of your params variables are available to the new compiler
should it's use be specified in shorewall.conf.
----------------------------------------------------------------------------
C H A N G E H I S T O R Y
----------------------------------------------------------------------------
Problems corrected in Shorewall 3.9.3
1) If a rule specified a source or destination port of 0 for TCP or UDP it was
ignored.
The test for the presence of a source or destination port if the protocol is
not specified also ignored port 0.
Patch courtesy of Steven Springl.
2) An entry in the USER/GROUP column no longer generates a corrupted rule.
3) The value zero (0) is no longer ignored in the USER/GROUP column.
4) A number of problems associated with detected addresses and routed
networks were corrected. These problems surfaced only when the same
interface required more than one of the following to be detected:
- First address
- All addresses
- Routed networks
5) The 'dropInvalid' built-in action now correctly generates a DROP
rule rather than a REJECT rule.
6) The Shorewall-perl compiler was not treating 'none' in the SOURCE
or DEST column of the rules file correctly.
7) The Shorewall-perl compiler did not accept 'tcp:syn' in the PROTO
column.
8) The Shorewall-perl compiler generated an invalid rule when
$FW was the SOURCE of a SAME rule (iptables/netfilter do not
support SAME in the OUTPUT chain).
9) When 'all' appeared in the SOURCE column and there were any NONE
policies, then a compilation error occurred.
ERROR: Rules may not override a NONE policy
10) The reserved zone names 'all' and 'none' were not being flagged
when used as the name of a zone.
11) The Shorewall-perl compiler now raises an error if there is no
firewall zone declared.
12) If 'all' appeared in the SOURCE column and an undefined zone was
specified in the DEST column of /etc/shorewall/rules, then a Perl
run-time diagnostic was produced.
should its use be specified in shorewall.conf.