Problems Corrected in 3.4.8

1) Shorewall now removes any default bindings of ipsets before
   attempting to reload them. Previously, default bindings were not
   removed, with the result that the ipsets could not be destroyed.

2) When HIGH_ROUTE_MARKS=Yes, unpredictable results could occur when
   marking in the PREROUTING or OUTPUT chains. When a rule specified a
   mark value > 255, the compiler was using the '--or-mark' operator
   rather than the '--set-mark' operator, with the result that when a
   packet matched more than one rule, the resulting routing mark was
   the logical product of the mark values in the rules.

   Example:

       0x100 192.168.1.44 0.0.0.0/0
       0x200 0.0.0.0/0    0.0.0.0/0 tcp 25

   A TCP packet from 192.168.1.44 with destination port 25 would end
   up with a mark value of 0x300.

3) Shorewall now properly parses comma-separated SOURCE (formerly
   SUBNET) values in the masq configuration file. Previously, the
   comma-separated list was not split up into its components,
   resulting in an invalid address being passed to the iptables
   command.

   Example:

       # /etc/shorewall/masq
       #INTERFACE SUBNET                  ADDRESS PROTO PORT(S) IPSEC
       eth0       192.168.2.1,192.168.2.3

4) Previously, specifying both an interface and a MAC address in the
   SOURCE column of the tcrules file caused a failure at runtime.
   Thanks to Justin Joseph for the patch.

5) Previously, specifying both an interface and an address in the
   tcrules DEST column would cause an incomplete rule to be generated.

   Example:

       1 192.168.1.4 eth2:206.124.146.177 tcp 22

   The resulting tcrule would be as if this had been specified:

       1 0.0.0.0/0 eth2:206.124.146.177 tcp 22

6) When HIGH_ROUTE_MARKS=Yes, the routing rules generated to match
   fwmarks to routing tables overflowed the designated range for such
   marks (10000 - 11000).

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
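Item 2 above, as an added example (not part of the original message and not Shorewall's own code): a simplified Python model that applies mark rules in order to the item's sample packet and compares '--or-mark' with '--set-mark'. The column layout (MARK SOURCE DEST PROTO PORT), the packet's destination address, and the treatment of '--set-mark' as a plain overwrite are assumptions.

```python
import ipaddress

# The two tcrules lines from item 2 (columns assumed: MARK SOURCE DEST PROTO PORT).
TCRULES = """\
0x100 192.168.1.44 0.0.0.0/0
0x200 0.0.0.0/0    0.0.0.0/0 tcp 25
"""

# Constructed sample packet; the destination address is a documentation address.
PACKET = {"src": "192.168.1.44", "dst": "203.0.113.10", "proto": "tcp", "dport": 25}


def parse_tcrules(text):
    """Parse whitespace-separated rule lines; omitted columns match anything."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))
        mark, src, dst, proto, port = cols[:5]
        rules.append({
            "mark": int(mark, 0),
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": None if proto == "-" else proto,
            "port": None if port == "-" else int(port),
        })
    return rules


def matches(rule, pkt):
    return (ipaddress.ip_address(pkt["src"]) in rule["src"]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and rule["proto"] in (None, pkt["proto"])
            and rule["port"] in (None, pkt["dport"]))


def final_mark(rules, pkt, operator):
    """Marking does not end traversal, so every matching rule is applied in order."""
    mark = 0
    for rule in rules:
        if matches(rule, pkt):
            # or-mark accumulates bits; set-mark (modelled as overwrite) lets the last match win.
            mark = (mark | rule["mark"]) if operator == "or-mark" else rule["mark"]
    return mark


if __name__ == "__main__":
    rules = parse_tcrules(TCRULES)
    for op in ("or-mark", "set-mark"):
        print(op, hex(final_mark(rules, PACKET, op)))
```

A packet that matches only one of the rules gets the same mark under either operator, so the difference only shows up for traffic that matches several rules.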