Due to the number of patches that have been released for 3.2, I've decided to release 3.2.6 a little early.

Problems Corrected in 3.2.6.

1) When using a light-weight shell (e.g., ash) with multiple providers, the /etc/iproute2/rt_tables database may become corrupted.

2) A startup error occurred when the LENGTH or TOS column was non-empty in /etc/shorewall/tcrules.

3) A startup error resulted when whitespace was included in LOGFORMAT.

4) Previously, when conntrack match support was not available, the 'norfc1918' option on an interface or host group was incorrectly filtering IPSEC traffic whose source IP address was reserved by RFC 1918.

5) If a DNAT or REDIRECT rule was used where the effective policy between the source and final destination zones is ACCEPT, the ACCEPT part of the rule was not generated. This was intended as an optimization but it could lead to confusing results if there was a DROP or REJECT rule following. This optimization has been removed. You may always use DNAT- and REDIRECT- to suppress generation of the ACCEPT rule.

6) Shorewall[-lite] previously would return an error exit status to a "start" command where Shorewall was already running. It now returns a "success" status.

7) The install.sh scripts have been corrected to work properly when used to create packages on Slackware and Arch Linux.

5) A change in version 3.2.5 broke Mac Filtration in some cases. Result was:

     Setting up MAC Filtration -- Phase 1...
     iptables v1.3.6: policy match: invalid policy `--dir'
     Try `iptables -h' or 'iptables --help' for more information.
     ERROR: Command "/sbin/iptables -A eth1_fwd -s 0.0.0.0/0 -m state --state NEW -m policy --pol --dir in -j eth1_mac" Failed

6) At VERBOSITY 1 and higher, the 'shorewall add' and 'shorewall delete' commands generated a fractured message. The message contents depended on the setting of IPSECFILE as follows:

     IPSECFILE=ipsec     ipsec...
     IPSECFILE=zones     IPSEC...

   The messages have been corrected and are only produced at VERBOSITY 2 and higher as follows:

     IPSECFILE=ipsec     Processing /etc/shorewall/ipsec...
     IPSECFILE=zones     Processing IPSEC...

7) Previously, when <action>:none appeared in a rule, the name of the action chain created was preceded by "%" and might have a one- or two-digit number appended. If both <action> and <action>:none appeared, then two chains were created. This has been corrected such that <action> and <action>:none are treated identically.

8) If SAVE_IPSETS=Yes in shorewall.conf, the "shorewall[-lite] save" command produced error messages as follows:

     Dynamic Rules Saved
     Currently-running Configuration Saved to /var/lib/shorewall/restore
     grep: /var/lib/shorewall/restore-base: No such file or directory
     grep: /var/lib/shorewall/restore-base: No such file or directory
     Current Ipset Contents Saved to /var/lib/shorewall/restore-ipsets

9) If BRIDGING=No in shorewall.conf, then an attempt to define a zone using ipsets fails as follows:

     ERROR: BRIDGING=Yes is needed for this zone definition: z eth0:+iset

Other Changes in 3.2.6.

1) The "shorewall [re]load" command now supports a "-c" option.

   Example:

     shorewall reload -c gateway

   When -c is given, Shorewall will capture the capabilities of the remote system to a file named "capabilities" in the export directory before compiling the configuration.

   If the file "capabilities" does not currently exist in the export directory then "-c" is automatically assumed.

2) If 0 (zero) is specified for the IN-BANDWIDTH in /etc/shorewall/tcdevices then no ingress qdisc will be created for the device.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key