forked from extern/shorewall_code
Update release notes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6250 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
94086440b8
commit
f8048b61cf
@ -32,6 +32,51 @@ Problems corrected in 3.9.6.
|
|||||||
5) Previously, use of CONTINUE in the tcrules file would cause
|
5) Previously, use of CONTINUE in the tcrules file would cause
|
||||||
generation of invalid iptables-restore input.
|
generation of invalid iptables-restore input.
|
||||||
|
|
||||||
|
6) If a chain's only reference is in the ACTION column of an
|
||||||
|
accounting rule, a run-time error would occur:
|
||||||
|
|
||||||
|
iptables-restore v1.3.6: Couldn't load target
|
||||||
|
`SJS':/lib/iptables/libipt_SJS.so: cannot open shared object file: No such
|
||||||
|
file or directory
|
||||||
|
|
||||||
|
7) A problem with merging the log level and tag in macro or action
|
||||||
|
invocations has been corrected.
|
||||||
|
|
||||||
|
8) An empty action body no longer results in a run-time error.
|
||||||
|
|
||||||
|
9) Shorewall-perl now traps the case where an action invokes itself.
|
||||||
|
|
||||||
|
10) Shorewall-perl now traps COMMENT followed by a colon (":") and a
|
||||||
|
log level.
|
||||||
|
|
||||||
|
11) COMMENT in an action body is now properly handled.
|
||||||
|
|
||||||
|
12) LOG rules in macros are now handled correctly.
|
||||||
|
|
||||||
|
13) Parsing of 'ipp2p' rules has been corrected.
|
||||||
|
|
||||||
|
14) Inversion is now handled correctly in packet/connection mark tests.
|
||||||
|
|
||||||
|
15) Parsing errors in RATE/BURST and USER/GROUP columns have been
|
||||||
|
eliminated.
|
||||||
|
|
||||||
|
16) ipsets have now been tested and several bugs in their handling have
|
||||||
|
been corrected.
|
||||||
|
|
||||||
|
17) Errors in handling the SOURCE and DEST column during macro
|
||||||
|
expansion have been corrected.
|
||||||
|
|
||||||
|
18) The correct mask is now used when testing HIGH_ROUTE_MARK marks.
|
||||||
|
|
||||||
|
19) Shorewall-perl now correctly handles the COPY column in provider
|
||||||
|
definitions.
|
||||||
|
|
||||||
|
20) A number of cases where Shorewall-perl did not handle undefined
|
||||||
|
zones have been corrected.
|
||||||
|
|
||||||
|
21) A number of bugs relating to parsing the tunnels file have been
|
||||||
|
corrected.
|
||||||
|
|
||||||
Other changes in Shorewall 3.9.6.
|
Other changes in Shorewall 3.9.6.
|
||||||
|
|
||||||
1) Eariler generations of Shorewall Lite required that remote root
|
1) Eariler generations of Shorewall Lite required that remote root
|
||||||
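Review bot: the unchanged context line "1) Eariler generations of Shorewall Lite required that remote root" carries a typo ("Eariler" should be "Earlier"); since this hunk already inserts the seventeen new items (5) through 21) directly above it, folding that one-word fix into the same change would be cheap. Two smaller points on the new text: item 6) quotes the iptables-restore failure ("Couldn't load target `SJS':/lib/iptables/libipt_SJS.so: cannot open shared object file") without saying what the compiler now does instead, so a reader cannot tell whether the chain is now created or the rule rejected at compile time; and item 16) ("ipsets have now been tested and several bugs in their handling have been corrected") should be kept consistent with the ipset wording under Migration Considerations, which this commit also edits.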
@ -72,6 +117,10 @@ Other changes in Shorewall 3.9.6.
|
|||||||
similar to the column of the same name in the tcrules file. This
|
similar to the column of the same name in the tcrules file. This
|
||||||
column allows filtering by MARK and CONNMARK value.
|
column allows filtering by MARK and CONNMARK value.
|
||||||
|
|
||||||
|
3) SOURCE and DEST are now reserved zone names to avoid problems with
|
||||||
|
bi-directional macro definisions which use these as names as key
|
||||||
|
words.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
1) You cannot simply upgrade your existing Shorewall package. You must
|
1) You cannot simply upgrade your existing Shorewall package. You must
|
||||||
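Review bot: the new item 3) has a typo and a garbled clause: "bi-directional macro definisions which use these as names as key words" should read "bi-directional macro definitions, which use these names as keywords". More substantively, making SOURCE and DEST reserved zone names will break any existing configuration that already uses either as a zone name, so this belongs under Migration Considerations as well, not only under "Other changes"; the compiler error a user would see in that case should be named there.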
@ -269,13 +318,11 @@ Migration Considerations:
|
|||||||
requiring change to existing files. In particular, it will
|
requiring change to existing files. In particular, it will
|
||||||
handle the tos file released with Shorewall 1.4 and earlier.
|
handle the tos file released with Shorewall 1.4 and earlier.
|
||||||
|
|
||||||
i) Currently, support for ipsets is untested. That will change with
|
i) Shorewall is now out of the ipset load/reload business. With
|
||||||
future pre-releases but one thing is certain -- Shorewall is now
|
scripts generated by the Perl-based Compiler, the Netfilter
|
||||||
out of the ipset load/reload business. With scripts generated by
|
ruleset is never cleared. That means that there is no
|
||||||
the Perl-based Compiler, the Netfilter ruleset is never
|
opportunity for Shorewall to load/reload your ipsets since that
|
||||||
cleared. That means that there is no opportunity for Shorewall
|
cannot be done while there are any current rules using ipsets.
|
||||||
to load/reload your ipsets since that cannot be done while there
|
|
||||||
are any current rules using ipsets.
|
|
||||||
|
|
||||||
So:
|
So:
|
||||||
|
|
||||||
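Review bot: the rewritten paragraph ("i) Shorewall is now out of the ipset load/reload business ... cannot be done while there are any current rules using ipsets.") correctly drops the "Currently, support for ipsets is untested" caveat now that item 16) of the corrected-problems list says ipsets have been tested, but it states the constraint without the consequence: the "So:" list that follows should say explicitly that the administrator must load the ipsets before the generated ruleset that references them is installed, and that an ipset referenced by a current rule cannot be destroyed or replaced until those rules are removed. A style point: "out of the ipset load/reload business" is informal for a migration note; "no longer loads or reloads ipsets" says the same thing.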
@ -451,58 +498,5 @@ with the shell's '-a' option which causes any variables that you set
|
|||||||
or create in that file to be automatically exported. Since the params
|
or create in that file to be automatically exported. Since the params
|
||||||
file is processed before shorewall.conf, using -a insures that the
|
file is processed before shorewall.conf, using -a insures that the
|
||||||
settings of your params variables are available to the new compiler
|
settings of your params variables are available to the new compiler
|
||||||
should it's use be specified in shorewall.conf.
|
should its use be specified in shorewall.conf.
|
||||||
----------------------------------------------------------------------------
|
|
||||||
C H A N G E H I S T O R Y
|
|
||||||
----------------------------------------------------------------------------
|
|
||||||
Problems corrected in Shorewall 3.9.3
|
|
||||||
|
|
||||||
1) If a rule specified a source or destination port of 0 for TCP or UDP it was
|
|
||||||
ignored.
|
|
||||||
|
|
||||||
The test for the presence of a source or destination port if the protocol is
|
|
||||||
not specified also ignored port 0.
|
|
||||||
|
|
||||||
Patch courtesy of Steven Springl.
|
|
||||||
|
|
||||||
2) An entry in the USER/GROUP column no longer generates a corrupted rule.
|
|
||||||
|
|
||||||
3) The value zero (0) is no longer ignored in the USER/GROUP column.
|
|
||||||
|
|
||||||
4) A number of problems associated with detected addresses and routed
|
|
||||||
networks were corrected. These problems surfaced only when the same
|
|
||||||
interface required more than one of the following to be detected:
|
|
||||||
|
|
||||||
- First address
|
|
||||||
- All addresses
|
|
||||||
- Routed networks
|
|
||||||
|
|
||||||
5) The 'dropInvalid' built-in action now correctly generates a DROP
|
|
||||||
rule rather than a REJECT rule.
|
|
||||||
|
|
||||||
6) The Shorewall-perl compiler was not treating 'none' in the SOURCE
|
|
||||||
or DEST column of the rules file correctly.
|
|
||||||
|
|
||||||
7) The Shorewall-perl compiler did not accept 'tcp:syn' in the PROTO
|
|
||||||
column.
|
|
||||||
|
|
||||||
8) The Shorewall-perl compiler generated an invalid rule when
|
|
||||||
$FW was the SOURCE of a SAME rule (iptables/netfilter do not
|
|
||||||
support SAME in the OUTPUT chain).
|
|
||||||
|
|
||||||
9) When 'all' appeared in the SOURCE column and there were any NONE
|
|
||||||
policies, then a compilation error occurred.
|
|
||||||
|
|
||||||
ERROR: Rules may not override a NONE policy
|
|
||||||
|
|
||||||
10) The reserved zone names 'all' and 'none' were not being flagged
|
|
||||||
when used as the name of a zone.
|
|
||||||
|
|
||||||
11) The Shorewall-perl compiler now raises an error if there is no
|
|
||||||
firewall zone declared.
|
|
||||||
|
|
||||||
12) If 'all' appeared in the SOURCE column and an undefined zone was
|
|
||||||
specified in the DEST column of /etc/shorewall/rules, then a Perl
|
|
||||||
run-time diagnostic was produced.
|
|
||||||
|
|
||||||
|
|
||||||
|
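Review bot: this hunk deletes the entire "C H A N G E H I S T O R Y" section ("Problems corrected in Shorewall 3.9.3", items 1) through 12), including the "Patch courtesy of Steven Springl." attribution), but the commit message "Update release notes" does not mention the removal; if the 3.9.3 history has been moved to another file or is deliberately being dropped from this pre-release's notes, say so in the commit message so the attribution trail is not lost silently. The "it's" to "its" correction in "should its use be specified in shorewall.conf" is good; the unchanged context line just above it, "using -a insures that the", has the same kind of slip ("insures" should be "ensures") and could be fixed in the same hunk.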