shorewall_code/Shorewall/known_problems.txt
Tom Eastep 68165acd20 Update known problems (exclusion with CONTINUE).
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-08-26 08:48:07 -07:00


1) In all versions of Shorewall6 lite, the 'shorecap' program is
using the 'iptables' program rather than the 'ip6tables' program.
This causes many capabilities that are not available in IPv6 to
be incorrectly reported as available.
This results in errors such as:
ip6tables-restore v1.4.2: Couldn't load match `addrtype':
/lib/xtables/libip6t_addrtype.so: cannot open shared
object file: No such file or directory
To work around this problem, on the administrative system:
a) Remove the incorrect capabilities file.
b) In shorewall6.conf, set the IP6TABLES option to the
path name of ip6tables on the firewall (example:
IP6TABLES=/sbin/ip6tables).
c) 'shorewall6 load <firewall>'.
Corrected in Shorewall 4.4.11.1
2) In a number of cases, Shorewall6 generates incorrect rules
involving the IPv6 multicast network. The rules specify
ff00::/10 where they should specify ff00::/8. Also, rules
instantiated when the IPv6 firewall is stopped use ff80::/10 rather
than fe80::/10 (IPv6 link local network).
Corrected in Shorewall 4.4.11.1
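As an added check that is not part of Shorewall or this file, the following Python script scans ip6tables-save output for the two incorrect prefixes described in item 2 and reports the prefix each rule should carry; the ruleset it processes is a constructed sample, not a capture from a real firewall.

```python
import ipaddress
import shlex

# Prefixes that Shorewall6 before 4.4.11.1 emitted, mapped to the prefix
# the known-problems entry says they should have been.
KNOWN_BAD_PREFIXES = {
    ipaddress.IPv6Network("ff00::/10"): ipaddress.IPv6Network("ff00::/8"),   # multicast
    ipaddress.IPv6Network("ff80::/10"): ipaddress.IPv6Network("fe80::/10"),  # link local
}

# Constructed sample of ip6tables-save output (not from a real firewall);
# lines 4 and 6 carry the bad prefixes, the others are correct.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s fe80::/10 -j ACCEPT
-A INPUT -d ff00::/10 -j ACCEPT
-A INPUT -d ff02::/16 -j ACCEPT
-A INPUT -s ff80::/10 ! -d ff00::/8 -j ACCEPT
COMMIT
"""


def networks_in_rule(rule):
    """Yield (flag, network) for each -s/-d argument of one ip6tables rule."""
    tokens = shlex.split(rule)
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-s", "--source", "-d", "--destination"):
            try:
                # Canonicalise so e.g. ff00:0:0::/10 compares equal to ff00::/10.
                yield tok, ipaddress.IPv6Network(tokens[i + 1], strict=False)
            except ValueError:
                continue  # argument is not an address (e.g. an ipset); skip it


def audit_ruleset(text):
    """Return (line_no, flag, bad_prefix, expected_prefix) for each bad rule."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.startswith("-A "):
            continue  # table headers, chain policies and COMMIT carry no addresses
        for flag, net in networks_in_rule(line):
            if net in KNOWN_BAD_PREFIXES:
                findings.append((line_no, flag, str(net), str(KNOWN_BAD_PREFIXES[net])))
    return findings


if __name__ == "__main__":
    for line_no, flag, bad, good in audit_ruleset(SAMPLE_RULESET):
        print(f"line {line_no}: {flag} {bad} should be {good}")
```

Run it against the live ruleset with `ip6tables-save | python3 audit.py`-style piping by replacing SAMPLE_RULESET with `sys.stdin.read()`.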
3) Using a destination port-range with :random produces a fatal
compilation error in REDIRECT rules unless the firewall zone is
explicitly specified (e.g., $FW::2000-2010:random).
Corrected in Shorewall 4.4.11.1
4) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
'nolock' option. In other cases, this option is incorrectly passed
on to the compiled script, causing the script to issue a usage
synopsis and to terminate.
Corrected in Shorewall 4.4.11.1
5) On systems that use the Upstart init system (such as Ubuntu and
Fedora), Shorewall-init is not reliable at starting the firewall
during boot when normal firewall startup is disabled and UPDOWN=1
is specified in /etc/default/shorewall-init.
Suggested workaround is to not disable normal startup (e.g., do not
set startup=0 on Debian-based systems and do not 'chkconfig
--del...' on Fedora).
Corrected in Shorewall 4.4.11.2
6) A typo in /sbin/shorewall6-lite version 4.4.11.1 causes the
stop, reset and clear commands to hang for one minute after the
command had been executed and causes the next shorewall6-lite
command to similarly hang for one minute.
Corrected in Shorewall 4.4.11.2.
7) A typo in the Shorewall install.sh script prevents the Makefile from
being installed in /usr/share/shorewall/configfiles/Makefile.
Corrected in Shorewall 4.4.11.2.
8) On systems running Upstart, Shorewall-init cannot reliably close
the firewall before interfaces come up.
9) When 'any' is used in the SOURCE column of /etc/shorewall[6]/rules,
a duplicate rule is generated in all "fw2*" ("fw-*" if
ZONE2ZONE="-") chains. If 'any' is used in the DEST column, then a
duplicate rule appears in all "*2fw" ("*-fw") chains.
Corrected in Shorewall 4.4.11.3.
10) A port range that omits the first port number (e.g., ":80") is
rejected with the following error:
ERROR: Invalid/Unknown tcp port/service (0) : ......
A workaround is to specify the first port as 1 (e.g., "1:80").
Corrected in Shorewall 4.4.11.3.
11) AUTOMAKE=Yes is broken -- don't use it.
Corrected in Shorewall 4.4.11.3.
12) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 can result in invalid
iptables-restore (ip6tables-restore) input.
Workaround: Don't use optimization levels greater than 7.
13) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
can result in invalid iptables-restore (ip6tables-restore) input.
Workaround: Don't use optimization levels greater than 7.
14) When REQUIRE_INTERFACE=Yes, start/restart will fail unless the last
optional interface defined in the interfaces file is available.
Workaround: None available.
15) The compiler erroneously allows exclusion in CONTINUE rules
(tcrules and rules files). The generated iptables (ip6tables) rules
do not work as expected.
Workaround: Do not use exclusion with CONTINUE.