I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
1)  The changes in 4.4.19.1 that corrected long-standing issues with
    default route save/restore were incompatible with 'gawk'. When
    'gawk' was installed (rather than 'mawk'), awk syntax errors having
    to do with the symbol 'default' were issued.

    This incompatibility has been corrected.
2)  Previously, an entry in the USER/GROUP column in the rules and
    tcrules files could cause run-time start/restart failures if the
    rule(s) being added did not have the firewall as the source or were
    being added to the POSTROUTING chain. This error is now caught by
3)  Shorewall now ensures that a route to a default gateway exists in
    the main table before it attempts to add a default route through
    that gateway to a provider table. This prevents start/restart
    failures in the rare event that such a route does not exist.
4)  CLASSIFY TC rules apply only to traffic exiting the interface
    associated with the class-id specified in the first column. In a
    Multi-ISP configuration, a naive user might create this TC rule:

    This will work fine when 1.2.3.4 can only be routed out of a single
    interface. However, if we assume that eth0 is interface 1, then the
    above rule only works for traffic leaving via eth0.

    Beginning with this release, the Shorewall compiler will interpret
    the above rule as this one:
1)  In Shorewall-shell, there was the ability to specify IPSET names in
    the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability,
    inadvertently dropped in Shorewall-perl, has been restored.
    CAUTION: When an IPSET is used in this way, the server port is
    opened from the SOURCE zone. For example, this rule

        DNAT net dmz:10.1.1.2 tcp 80 - +foo

    will implicitly add this rule

        ACCEPT net dmz:10.1.1.2 tcp 80
2)  Several problems with complex TC have been corrected:

    a) The following entry in /etc/shorewall/tcclasses

           A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack

       produced this error:

           ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses

       This has been corrected.

    b) Shorewall reserves class number 1 for the root class of the
       queuing discipline. Defining class 1 in
       /etc/shorewall/tcclasses was previously escaping detection by
       the compiler, resulting in a run-time error.

    c) The compiler did not complain if a CLASSID specified in the MARK
       column of tcrules referred to an IFB class. Such a rule would be
       nonsensical since packets are passed through the IFB before
       they are passed through any marking rules. Such a configuration
       now results in a compilation error.

    d) Where there are more than 10 tcdevices, tcfilter entries could
       generate invalid rules.
3)  Double exclusion involving ipset lists was previously not detected,
    resulting in anomalous behavior. For example:

        ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]

    Such cases now result in a compilation error.
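    Two of the items above describe rules-file entries that are easy to
    write and easy to misread: a DNAT/REDIRECT rule whose ORIGINAL DEST
    is an ipset silently opens the server port from the SOURCE zone, and
    a SOURCE/DEST address list that is excluded as a whole while also
    carrying an excluded ipset ("double exclusion") is now rejected by
    the compiler. The script below is an added example, not Shorewall
    code, that audits rules-file lines for both conditions before they
    reach the compiler. It assumes the rules column order ACTION SOURCE
    DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST, renders the
    implied ACCEPT for a REDIRECT with $FW as destination (an assumption,
    since REDIRECT targets the firewall itself), and reads "double
    exclusion" as a leading '!' on the address list combined with a
    '+[!' ipset element inside it, as in the example above. The sample
    rules are constructed for the demonstration.

```python
"""Offline audit of /etc/shorewall/rules entries (added example, not Shorewall code).

Flags:
  * DNAT/REDIRECT rules whose ORIGINAL DEST is an ipset ('+name' or '+[...]'),
    which implicitly ACCEPT the server port from the SOURCE zone;
  * SOURCE/DEST columns whose address list is negated as a whole ('zone:!...')
    and also contains a negated ipset ('+[!...'), i.e. a double exclusion.
Assumed column layout: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST.
"""

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


def parse_rule(line):
    """Split one rules-file line into named columns, padding missing ones with '-'."""
    fields = line.split()
    fields += ["-"] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields[: len(COLUMNS)]))


def implicit_accept(rule):
    """Return the ACCEPT rule implied by a DNAT/REDIRECT rule with an ipset ORIGINAL DEST.

    Returns None when the rule is not DNAT/REDIRECT or ORIGINAL DEST is not an ipset.
    """
    action = rule["action"].split(":", 1)[0]  # drop any ':loglevel' suffix
    if action not in ("DNAT", "REDIRECT") or not rule["origdest"].startswith("+"):
        return None
    # Assumption: REDIRECT sends traffic to the firewall, so the implied ACCEPT targets $FW.
    dest = "$FW" if action == "REDIRECT" else rule["dest"]
    return " ".join(["ACCEPT", rule["source"], dest, rule["proto"], rule["dport"]])


def split_list(spec):
    """Split a comma-separated address list without splitting inside ipset brackets."""
    items, depth, cur = [], 0, ""
    for ch in spec:
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
            continue
        depth += (ch == "[") - (ch == "]")
        cur += ch
    items.append(cur)
    return items


def double_exclusion(column):
    """True when a zone's address list is negated as a whole and also holds a negated ipset."""
    zone, sep, addrs = column.partition(":")
    if not sep or not addrs.startswith("!"):
        return False
    return any(item.startswith(("+[!", "+!")) for item in split_list(addrs[1:]))


def audit(lines):
    """Return (line, finding) pairs for every rule that trips one of the two checks."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        implied = implicit_accept(rule)
        if implied:
            findings.append((line, "implicitly adds: " + implied))
        for col in ("source", "dest"):
            if double_exclusion(rule[col]):
                findings.append((line, f"double exclusion in {col.upper()} (compiler error)"))
    return findings


# Constructed sample rules: the two from the release notes plus two clean ones.
SAMPLE_RULES = [
    "#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST",
    "DNAT net dmz:10.1.1.2 tcp 80 - +foo",
    "DNAT net dmz:10.1.1.2 tcp 443 - 192.0.2.1",
    "ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]",
    "ACCEPT $FW net:10.1.0.7,+[my-host[src]] tcp 22",
]

if __name__ == "__main__":
    for line, finding in audit(SAMPLE_RULES):
        print(f"{line}\n    -> {finding}")
```

    Run it against a copy of /etc/shorewall/rules (after expanding any
    shell variables you use there) to see which DNAT rules widen the
    accepted SOURCE zone and which address lists the compiler will now
    refuse. It is a linter, not a replacement for "shorewall check".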
1) A duplicate ACCEPT rule in the INPUT chain has been eliminated when