Problems Corrected in 3.4.8
1) Shorewall now removes any default bindings of ipsets before
attempting to reload them. Previously, default bindings were not
removed with the result that the ipsets could not be destroyed.
2) When HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when
marking in the PREROUTING or OUTPUT chains. When a rule specified a
mark value > 255, the compiler was using the '--or-mark' operator
rather than the '--set-mark' operator, with the result that when a
packet matched more than one rule, the resulting routing mark was
the bitwise OR of the mark values in the rules.
Example:
0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0 0.0.0.0/0 tcp 25
A TCP packet from 192.168.1.44 with destination port 25 would end
up with a mark value of 0x300.
3) Shorewall now properly parses comma separated SOURCE (formerly
SUBNET) values in the masq configuration file. Previously, the comma
separated list was not split up into its components, resulting in an
invalid address being passed to the iptables command.
Example:
# /etc/shorewall/masq
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.2.1,192.168.2.3
4) Previously, specifying both an interface and a MAC address in the
SOURCE column of the tcrules file caused a failure at runtime.
Thanks to Justin Joseph for the patch.
5) Previously, specifying both an interface and an address in the
tcrules DEST column would cause an incomplete rule to be generated.
Example:
1 192.168.1.4 eth2:206.124.146.177 tcp 22
The resulting tcrule would be as if this had been specified:
1 0.0.0.0/0 eth2:206.124.146.177 tcp 22
6) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
fwmarks to routing tables overflowed the designated range for such
marks (10000 - 11000).
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
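
The marking behaviour described in item 2, as an added example that is not part of the original release notes or of Shorewall's code: a small Python model of non-terminating MARK rules evaluated with either operator. The rule tuples mirror the two entries in the item's example; the function names and the sample packet are constructed for illustration.

```python
import ipaddress

# Constructed model of the two tcrules entries from item 2's example:
# (mark, source, destination, protocol, destination port); None = any.
RULES = [
    (0x100, "192.168.1.44", "0.0.0.0/0", None, None),
    (0x200, "0.0.0.0/0", "0.0.0.0/0", "tcp", 25),
]

def matches(rule, pkt):
    """Return True if the packet satisfies every column of the rule."""
    _, src, dst, proto, dport = rule
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(dst):
        return False
    if proto is not None and pkt["proto"] != proto:
        return False
    return dport is None or pkt["dport"] == dport

def final_mark(rules, pkt, operator):
    """Walk all rules in order; MARK does not stop traversal, so every
    matching rule is applied. operator is 'or' or 'set'."""
    if operator not in ("or", "set"):
        raise ValueError("operator must be 'or' or 'set'")
    mark = 0
    for rule in rules:
        if matches(rule, pkt):
            mark = (mark | rule[0]) if operator == "or" else rule[0]
    return mark

def configured(rules, mark):
    """True if the mark is 0 (unmarked) or one of the configured values."""
    return mark == 0 or mark in {r[0] for r in rules}

# Constructed sample packet: matches both rules.
SMTP_FROM_44 = {"src": "192.168.1.44", "dst": "203.0.113.10",
                "proto": "tcp", "dport": 25}

if __name__ == "__main__":
    for op in ("or", "set"):
        m = final_mark(RULES, SMTP_FROM_44, op)
        print(f"--{op}-mark: {m:#x} configured={configured(RULES, m)}")
```

With the OR operator the packet ends up with 0x300, a value no rule configured; with the set operator the last matching rule decides and the mark is 0x200.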