thr3ads.net - Shorewall users - Shorewall 4.0.11 [May 2008]

If this information is useful, please help other people find it:
Share via:
Tom Eastep
2008-May-19 22:41 UTC
Shorewall 4.0.11

This release just fixes a few bugs.

Problems corrected in Shorewall 4.0.11.

1)  Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall
     would enable ip forwarding before instantiating the rules. This
     could lead to incorrect connection tracking entries being created
     between the time that forwarding was enabled and when the nat table
     rules were instantiated.

     Beginning with Shorewall 4.0.11, enabling of forwarding is deferred
     until after the rules are in place.

2)  If /etc/shorewall/vardir is used to move Shorewall''s state
     directory from /var/lib/shorewall, then the ''stop'' will
not delete
     IP addresses added by ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes
     nor will it delete proxy ARP entries.

3)  The init script on Debian now reads and utilizes the value of the
     OPTIONS variable from /etc/default/shorewall[-lite].  Previously,
     the value of that variable was not passed to the shorewall[-lite]
     command.

Problems corrected in Shorewall-perl 4.0.11.

1)  If both the ESTABLISHED and RELATED sections were present then
     each connection through chains controlled by a RATE/LIMIT in
     /etc/shorewall/policies was counted twice toward the limit.

2)  If DYNAMIC_ZONES=Yes and an entry in /etc/shorewall/hosts for an
     IPv4 zone specified ''ipsec'', dynamic IPSEC zone members
were
     mis-handled by the generated ruleset.

3)  Previously, Shorewall-perl did not handle rates expressed in
     bytes/second properly:

     - The ''bps'' suffix was not recognized
     - The result was not rounded to the nearest kbit

4)  If ADMINISABSENTMINDED=No, entries in /etc/shorewall/routestopped
     are mis-handled.

5)  Shorewall-perl now accepts upper case A through F in the MARK
     column of the tcclasses file when the mark value is expressed in
     hex.  Previously, only lower-case A through F were accepted.

Problems corrected in Shorewall-shell 4.0.11.

None.

Known Problems Remaining.

1)  The ''refresh'' command doesn''t refresh the mangle
table. So changes
     made to /etc/shorewall/providers and/or /etc/shorewall/tcrules may
     not be reflected in the running ruleset.

Other changes in 4.0.11.

None.

-The Shorewall Team



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Shorewall users - May 2008 - Shorewall 4.0.11

Shorewall 4.0.11
