forked from extern/shorewall_code
9c43d388bd
Signed-off-by: Tom Eastep <teastep@shorewall.net>
93 lines
3.0 KiB
Plaintext
1)  The IPv6 allowBcast built-in action generates an invalid ip6tables
    rule. This defect is present in all versions of Shorewall that
    support IPv6.

    Fixed in Shorewall 4.4.10.1.

2)  If IPSET=<pathname> is specified in shorewall.conf, then when an
    ipset is used in a configuration file entry, the following fatal
    compilation error occurs:

        ERROR: ipset names in Shorewall configuration files require Ipset
        Match in your kernel and iptables : /etc/shorewall/rules (line nn)

    You can work around this problem by executing the following at a
    root shell prompt:

        shorewall show -f capabilities > /etc/shorewall/capabilities

    Fixed in Shorewall 4.4.10.1. After installing this fix, if you
    executed the above command to work around the problem, we recommend
    that you remove /etc/shorewall/capabilities.

3)  The new REQUIRE_INTERFACE option was not added to shorewall.conf
    and shorewall6.conf.

    You can simply add it if you need it.

    Fixed in Shorewall 4.4.10.2.

4)  Under Perl 5.12.1, a harmless Perl run-time diagnostic is
    produced when options are omitted from shorewall.conf or
    shorewall6.conf.

    Example:

        Use of uninitialized value
        $Shorewall::Config::config{"REQUIRE_INTERFACE"} in lc at
        /usr/share/shorewall/Shorewall/Config.pm line 1902.

    Fixed in Shorewall 4.4.10.2.

5)  On Debian and Debian-based systems, the start/stop priorities of
    Shorewall products may be incorrect when the insserv package is
    installed.

    You may correct this problem by running insserv (as root).

    Fixed in Shorewall 4.4.10.2.

6)  If 'trace' or 'debug' is specified on a command that runs the
    compiled script, an invalid command line is passed to that script
    resulting in a failure:

        Shorewall configuration compiled to /var/lib/shorewall/.start
        Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
                                                       refresh|restart|status|up|version ]

        Options are:

           -v and -q        Standard Shorewall verbosity controls
           -n               Don't unpdate routing configuration
           -p               Purge Conntrack Table
           -t               Timestamp progress Messages
           -V <verbosity>   Set verbosity explicitly
           -R <file>        Override RESTOREFILE setting

    This issue affects Shorewall and Shorewall6 4.4.8 and later.

    To work around the problem (IPv4 'debug restart' command):

        shorewall compile /var/lib/shorewall/.restart
        /var/lib/shorewall/.restart debug restart

7)  If the following options are specified in /etc/shorewall/interfaces
    for an interface with '-' in the ZONE column, then these options
    will be ignored if there is an entry in the hosts file for the
    interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
    implied when the host list begins with '!').

        blacklist
        maclist
        nosmurfs
        tcpflags

    You can work around this issue by specifying these options in the
    hosts file entry rather than in the interfaces file.

    Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
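
    A check for the condition in problem 7, added here as an example
    (it is not part of Shorewall). It assumes the interfaces columns are
    ZONE INTERFACE BROADCAST OPTIONS and the hosts columns are
    ZONE INTERFACE:ADDRESS-LIST OPTIONS; the function names and the
    sample files are constructed for illustration.

```python
# Added example: flags configurations affected by known problem 7.
# Assumed column layouts: interfaces = ZONE INTERFACE BROADCAST OPTIONS,
# hosts = ZONE INTERFACE:ADDRESS-LIST OPTIONS.
AFFECTED = {"blacklist", "maclist", "nosmurfs", "tcpflags"}
ANY_NET = {"0.0.0.0/0", "::/0"}


def rows(text):
    """Yield whitespace-split columns, skipping comments and blank lines."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            yield cols


def ignored_options(interfaces_text, hosts_text):
    """Return {interface: sorted options that are silently ignored}."""
    # Interfaces that a hosts entry covers with an explicit or implicit any-net.
    covered = set()
    for cols in rows(hosts_text):
        if len(cols) < 2:
            continue
        iface, _, addrs = cols[1].partition(":")
        nets = {a.strip("[]") for a in addrs.split(",")}
        if addrs.startswith("!") or nets & ANY_NET:
            covered.add(iface)
    findings = {}
    for cols in rows(interfaces_text):
        if len(cols) < 4 or cols[0] != "-" or cols[1] not in covered:
            continue
        # Options may carry values (name=value); compare on the name only.
        names = {o.split("=", 1)[0] for o in cols[3].split(",")}
        hit = sorted(names & AFFECTED)
        if hit:
            findings[cols[1]] = hit
    return findings


# Constructed sample input, not taken from a real system.
INTERFACES = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
-      eth0       detect     blacklist,tcpflags,routefilter
-      eth1       detect     nosmurfs
net    eth2       detect     blacklist
"""
HOSTS = """\
#ZONE  HOST(S)              OPTIONS
loc    eth0:!192.168.9.0/24
dmz    eth1:10.1.0.0/16
"""

if __name__ == "__main__":
    for iface, opts in ignored_options(INTERFACES, HOSTS).items():
        print(f"{iface}: move {','.join(opts)} to the hosts entry")
```

    Each interface reported is one whose listed options should be moved
    to the matching hosts file entry, as described in the workaround.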