shorewall_code/Shorewall/known_problems.txt
2010-07-04 11:43:25 -07:00

1) The IPv6 allowBcast built-in action generates an invalid ip6tables
   rule. This defect is present in all versions of Shorewall that
   support IPv6.

   Fixed in Shorewall 4.4.10.1.

2) If IPSET=<pathname> is specified in shorewall.conf, then when an
   ipset is used in a configuration file entry, the following fatal
   compilation error occurs:

      ERROR: ipset names in Shorewall configuration files require Ipset
             Match in your kernel and iptables : /etc/shorewall/rules (line nn)

   You can work around this problem by executing the following at a
   root shell prompt:

      shorewall show -f capabilities > /etc/shorewall/capabilities

   Fixed in Shorewall 4.4.10.1. After installing this fix, if you
   executed the above command to work around the problem, we recommend
   that you remove /etc/shorewall/capabilities.

3) The new REQUIRE_INTERFACE option was not added to shorewall.conf
   and shorewall6.conf.

   You can simply add it if you need it.

   Fixed in Shorewall 4.4.10.2.

4) Under Perl 5.12.1, a harmless Perl run-time diagnostic is
   produced when options are omitted from shorewall.conf or
   shorewall6.conf.

   Example:

      Use of uninitialized value
      $Shorewall::Config::config{"REQUIRE_INTERFACE"} in lc at
      /usr/share/shorewall/Shorewall/Config.pm line 1902.

   Fixed in Shorewall 4.4.10.2.

5) On Debian and Debian-based systems, the start/stop priorities of
   Shorewall products may be incorrect when the insserv package is
   installed.

   You may correct this problem by running insserv (as root).

   Fixed in Shorewall 4.4.10.2.

6) If 'trace' or 'debug' is specified on a command that runs the
   compiled script, an invalid command line is passed to that script,
   resulting in a failure:

      Shorewall configuration compiled to /var/lib/shorewall/.start
      Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
      refresh|restart|status|up|version ]
      Options are:
         -v and -q        Standard Shorewall verbosity controls
         -n               Don't unpdate routing configuration
         -p               Purge Conntrack Table
         -t               Timestamp progress Messages
         -V <verbosity>   Set verbosity explicitly
         -R <file>        Override RESTOREFILE setting

   This issue affects Shorewall and Shorewall6 4.4.8 and later.

   To work around the problem (IPv4 'debug restart' command):

      shorewall compile /var/lib/shorewall/.restart
      /var/lib/shorewall/.restart debug restart

   Fixed in Shorewall 4.4.10.3.

7) If the following options are specified in /etc/shorewall/interfaces
   for an interface with '-' in the ZONE column, then these options
   will be ignored if there is an entry in the hosts file for the
   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
   implied when the host list begins with '!').

      blacklist
      maclist
      nosmurfs
      tcpflags

   You can work around this issue by specifying these options in the
   hosts file entry rather than in the interfaces file.

   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.

   Fixed in Shorewall 4.4.10.3.
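
A configuration check for problem 7, added here as an example; it is not part of Shorewall or of the original file. It assumes the column layouts ZONE INTERFACE BROADCAST OPTIONS (interfaces) and ZONE INTERFACE:HOST-LIST OPTIONS (hosts), handles IPv4 only, and runs on a constructed sample; the function and variable names are hypothetical.

```python
# Added example, not Shorewall code. Assumed column layouts (IPv4 only):
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS
#   hosts:      ZONE INTERFACE:HOST-LIST OPTIONS
AFFECTED = {"blacklist", "maclist", "nosmurfs", "tcpflags"}

def rows(text):
    """Yield whitespace-split columns, skipping comments and blank lines."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols

def option_names(field):
    """'tcpflags,mss=1400' -> {'tcpflags', 'mss'}; '-' means no options."""
    return set() if field == "-" else {o.split("=", 1)[0] for o in field.split(",")}

def ignored_options(interfaces_text, hosts_text):
    """Map each affected interface to the options that are silently dropped."""
    at_risk = {}
    for cols in rows(interfaces_text):
        if len(cols) >= 4 and cols[0] == "-":
            hit = option_names(cols[3]) & AFFECTED
            if hit:
                at_risk[cols[1]] = hit
    ignored = {}
    for cols in rows(hosts_text):
        if len(cols) < 2 or ":" not in cols[1]:
            continue
        iface, host_list = cols[1].split(":", 1)
        included = host_list.split("!", 1)[0]  # networks before any exclusion
        covers_all = included == "" or "0.0.0.0/0" in included.split(",")
        if iface in at_risk and covers_all:
            # Options repeated in the hosts entry are the documented workaround.
            in_hosts = option_names(cols[2]) if len(cols) > 2 else set()
            missing = at_risk[iface] - in_hosts
            if missing:
                ignored.setdefault(iface, set()).update(missing)
    return {iface: sorted(opts) for iface, opts in ignored.items()}

# Constructed sample configuration.
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
-     eth0      detect    tcpflags,nosmurfs,routefilter
-     eth1      detect    maclist
net   eth2      detect    tcpflags
"""
HOSTS = """\
#ZONE HOST(S)               OPTIONS
loc   eth0:!192.168.9.0/24
dmz   eth1:0.0.0.0/0        maclist
"""
```

On the sample, eth0 is reported because its host list begins with '!', while eth1 is not because maclist is repeated in the hosts entry.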