shorewall_code/Shorewall/known_problems.txt
2009-12-28 10:45:14 -08:00

1) In kernel 2.6.31, the handling of the rp_filter interface option was
   changed incompatibly. Previously, the effective value was determined
   by the setting of net.ipv4.conf.<dev>.rp_filter logically ANDed with
   the setting of net.ipv4.conf.all.rp_filter.

   Beginning with kernel 2.6.31, the value is the arithmetic MAX of
   those two values.

   Given that Shorewall sets net.ipv4.conf.all.rp_filter to 1 if
   there are any interfaces specifying 'routefilter', specifying
   'routefilter' on any interface has the effect of setting the option
   on all interfaces.

   A workaround for this problem is included in Shorewall 4.4.5.1.
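The following is an added illustration of the semantic change described in item 1; it is not Shorewall code. It computes the per-interface rp_filter value that the kernel will actually enforce from the 'all' setting and the per-device settings, under the pre-2.6.31 (logical AND) and 2.6.31+ (arithmetic MAX) rules, and shows why a single 'routefilter' interface turns the filter on everywhere once the MAX rule applies. The sysctl values and kernel release strings are constructed; on a real host they come from /proc/sys/net/ipv4/conf/<dev>/rp_filter and uname -r. The assumption that interfaces without 'routefilter' are left at 0 is mine.

```python
"""Effective rp_filter per interface under the two kernel rules.

Added example, not part of Shorewall. All input values are constructed.
"""
from typing import Dict, Tuple

MAX_SEMANTICS_SINCE = (2, 6, 31)


def parse_kernel_version(release: str) -> Tuple[int, ...]:
    """Turn a release string such as '2.6.31-14-generic' into (2, 6, 31).

    Only the leading numeric dotted part is used; a trailing non-numeric
    suffix on any component (e.g. '31rc2') is ignored.
    """
    numeric = release.split("-", 1)[0]
    parts = []
    for piece in numeric.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def uses_max_semantics(release: str) -> bool:
    """True when the kernel combines 'all' and per-device values with MAX."""
    return parse_kernel_version(release) >= MAX_SEMANTICS_SINCE


def effective_rp_filter(release: str, all_value: int,
                        per_device: Dict[str, int]) -> Dict[str, int]:
    """Return {device: effective rp_filter} for the given kernel release.

    Pre-2.6.31: the filter is active on a device only if both the 'all'
    value and the device value are non-zero (logical AND).
    2.6.31 and later: the larger of the two values wins (arithmetic MAX).
    """
    use_max = uses_max_semantics(release)
    result = {}
    for dev, value in per_device.items():
        if use_max:
            result[dev] = max(all_value, value)
        else:
            result[dev] = 1 if (all_value and value) else 0
    return result


def shorewall_routefilter_effect(release: str, interfaces: Dict[str, bool]
                                 ) -> Dict[str, int]:
    """Model the pre-4.4.5.1 Shorewall behaviour described in item 1.

    'all' is set to 1 if any interface carries the 'routefilter' option;
    each interface gets 1 if it has the option, otherwise 0 (assumed).
    """
    all_value = 1 if any(interfaces.values()) else 0
    per_device = {dev: (1 if wants else 0) for dev, wants in interfaces.items()}
    return effective_rp_filter(release, all_value, per_device)


if __name__ == "__main__":
    # Constructed host: 'routefilter' on eth0 only, eth1 and tun0 without it.
    layout = {"eth0": True, "eth1": False, "tun0": False}
    for rel in ("2.6.30", "2.6.31"):
        print(rel, shorewall_routefilter_effect(rel, layout))
```

On the 2.6.30 line eth1 and tun0 stay at 0, while on the 2.6.31 line every interface reports 1, which is exactly the unintended side effect the workaround in 4.4.5.1 addresses. A defender auditing a firewall host can feed the real /proc/sys values into effective_rp_filter to see what the kernel enforces rather than what the configuration file says.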
2) When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
   following warning messages were issued.

      WARNING: Unknown capability (KERNELVERSION)
      ignored : /etc/shorewall2/capabilities (line 49)
      WARNING: Your capabilities file does not contain a Kernel Version --
      using 2.6.30

   This defect was corrected in 4.4.5.2.
3) 'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
   error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
   was broken.

   This was fixed in 4.4.5.3.
4) With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
   will result in the following warnings during compilation:

      WARNING: Your capabilities file is out of date -- it does not
      contain all of the capabilities defined by Shorewall6 version
      4.4.5.3
      WARNING: Your capabilities file does not contain a Kernel
      Version -- using 2.6.30

   Corrected in 4.4.5.4.
5) The change in Shorewall 4.4.5.1 broke the 'forward' interface
   option in Shorewall6.

   Corrected in 4.4.5.4.
6) Under rare and not fully-understood circumstances, the Netfilter
   ruleset generated by Shorewall can include jumps to non-existent
   chains. This problem was apparently introduced between 4.4.0 and
   4.4.5.

   Corrected in 4.4.5.5.