shorewall_code/Shorewall/known_problems.txt
2010-04-23 15:48:13 -07:00

85 lines
2.6 KiB
Plaintext

Known problems in Shorewall 4.4.8
1) Logical interface names in the EXTERNAL column of
/etc/shorewall/proxyarp were previously not mapped to their
corresponding physical interface names. This could cause 'start' or
'restart' to fail.
Corrected in Shorewall 4.4.8.1
2) If find_first_interface_address() cannot determine the address of
the passed interface, the following message is issued and the
process continues:
/usr/share/shorewall/lib.common: line 438:
startup_error: command not found
Corrected in Shorewall 4.4.8.1
3) If LOG_VERBOSITY=0 in shorewall.conf, then when the compiled script
is executed, messages such as the following will be issued:
/var/lib/shorewall6/.restart: line 65: [: -gt: unary operator
expected
Corrected in Shorewall 4.4.8.1
4) With optimize 4, if an unnecessary NONAT rule is included in
/etc/shorewall/rules, 'shorewall start' and/or 'shorewall restart'
can fail with invalid iptables-restore input.
Corrected in Shorewall 4.4.8.2
5) The -lite products are inconsistent in how they referred to their
startup log. Some references included '-lite' where some did
not. This was particularly bad in the case of the Shorewall-lite
logrotate file which duplicated the name used by the Shorewall
package. This inconsistency could cause logrotate to fail if both
packages were installed.
Corrected in Shorewall 4.4.8.2
6) Wildcard interface names (those ending in '+') can result in
iptables-restore failure with optimize 4.
Corrected in Shorewall 4.4.8.3
7) Invalid iptables-restore input involving the 'tcpre'
mangle chain is possible with optimize 4.
Corrected in Shorewall 4.4.8.3
8) A couple of fixes to the 4.4.8.2 change for startup log naming are
included. The main symptom occurred on Debian systems where perl
reported that /etc/shorewall.conf did not exist.
Corrected in Shorewall 4.4.8.3
9) If OPTIMIZE 2 and there are no OUTPUT rules and the only effective
output policy is $FW->all ACCEPT, then the OUTPUT chain is empty
and no packets can be sent.
Corrected in Shorewall 4.4.8.4
10) If find_first_interface_address() is called in the params file, a
startup error occurs.
Workaround 1:
Surround the code that calls find_first_interface_address() with:
if [ -n "$IP" ]; then
<code that calls find_first_interface_address()>
fi
Workaround 2:
At the top of /etc/shorewall/params, place this line:
[ -n "${IP:=$(which ip)" ]
Corrected in Shorewall 4.4.8.4