Due to the number of patches that have been released for 3.2, I''ve
decided to
release 3.2.6 a little early.
Problems Corrected in 3.2.6.
1) When using a light-weight shell (e.g., ash) with multiple
providers, the /etc/iproute2/rt_tables database may become corrupted.
2) A startup error occurred when the LENGTH or TOS column was
non-empty in /etc/shorewall/tcrules.
3) A startup error resulted when whitespace as included in LOGFORMAT.
4) Previously, when conntrack match support was not available, the
''norfc1918'' option on an interface or host group was
incorrectly
filtering IPSEC traffic whose source IP address was reserved by RFC
1918.
5) If a DNAT or REDIRECT rule was used where the effective policy
between the source and final destination zones is ACCEPT, the ACCEPT
part of the rule was not generated. This was intended as an
optimizaiton but it could lead to confusing results if there was a
DROP or REJECT rule following.
This optimization has been removed. You may always use DNAT- and
REDIRECT- to suppress generation of the ACCEPT rule.
6) Shorewall[-lite] previously would return an error exit status to a
"start" command where Shorewall was already running. It not
returns
a "success" status.
7) The install.sh scripst have been corrected to work properly when
used to create packages on Slackware and Arch Linux.
5) A change in version 3.2.5 broke Mac Filtration in some
cases. Result was:
Setting up MAC Filtration -- Phase 1...
iptables v1.3.6: policy match: invalid policy `--dir''
Try `iptables -h'' or ''iptables --help'' for more
information.
ERROR: Command "/sbin/iptables -A eth1_fwd -s 0.0.0.0/0 -m state
--state NEW -m policy --pol --dir in -j eth1_mac" Failed
6) At VERBOSITY 1 and higher, the ''shorewall add'' and
''shorewall
delete'' commands generated a fractured message. The message
contents depended in the setting of IPSECFILE as follows:
IPSECFILE=ipsec
ipsec...
IPSECFILE=zones
IPSEC...
The messages have been corrected and are only produced at VERBOSITY
2 and higher as follows:
IPSECFILE=ipsec
Processing /etc/shorewall/ipsec...
IPSECFILE=zones
Processing IPSEC...
7) Previously, when <action>:none appeared in a rule, the name of the
action chain created was preceded by "%" and might have a one- or
two-digit number appended. If both <action> and <action>:none
appeared, then two chains were created. This has been corrected
such that <action> and <action>:none are treated identically.
8) If SAVE_IPSETS=Yes in shorewall.conf, the "shorewall[-lite] save"
command produced error messages as follows:
Dynamic Rules Saved
Currently-running Configuration Saved to /var/lib/shorewall/restore
grep: /var/lib/shorewall/restore-base: No such file or directory
grep: /var/lib/shorewall/restore-base: No such file or directory
Current Ipset Contents Saved to
/var/lib/shorewall/restore-ipsets
9) If BRIDGING=No in shorewall.conf, then an attempt to define a zone
using ipsets fails as follows:
ERROR: BRIDGING=Yes is needed for this zone definition: z eth0:+iset
Other Changes in 3.2.6.
1) The "shorewall [re]load" command now supports a "-c"
option.
Example:
shorewall reload -c gateway
When -c is given, Shorewall will capture the capabilities of the
remote system to a file named "capabilities" in the export
directory before compiling the configuration.
If the file "capabilities" does not currently exist in the
export directory then "-c" is automatically assumed.
2) If 0 (zero) is specified for the IN-BANDWIDTH in
/etc/shorewall/tcdevices then no ingress qdisc will be created for
the device.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV