shorewall_code/Shorewall/known_problems.txt
2010-07-23 13:24:07 -07:00

42 lines
1.6 KiB
Plaintext

1) In all versions of Shorewall6 lite, the 'shorecap' program is
using the 'iptables' program rather than the 'ip6tables' program.
This causes many capabilities that are not available in IPv6 to
be incorrectly reported as available.
This results in errors such as:
ip6tables-restore v1.4.2: Couldn't load match `addrtype':
/lib/xtables/libip6t_addrtype.so: cannot open shared
object file: No such file or directory
To work around this problem, on the administrative system:
a) Remove the incorrect capabilties file.
b) In shorewall6.conf, set the IP6TABLES option to the
path name of ip6tables on the firewall (example:
IP6TABLES=/sbin/ip6tables).
c) 'shorewall6 load <firewall>'.
2) In a number of cases, Shorewall6 generates incorrect rules
involving the IPv6 multicast network. The rules specify
ff00::/10 where they should specify ff00::/8. Also, rules
instantiated when the IPv6 firewall is stopped use ff80::/10 rather
than fe80::/10 (IPv6 link local network).
3) Using a destination port-range with :random produces a fatal
compilation error in REDIRECT rules.
4) Shorewall-init is not reliable in bringing up interfaces during
boot on Ubuntu systems that use upstart.
Suggested workaround is to set startup=1 in your
/etc/default/shorewall* files.
5) /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
'nolock' option. In other cases, this option is incorrectly passed
on to the compiled script, causing the script to issue a usage
synopsis and to terminate.