Oops -- omitted the last bullet.

On Sun, 20 Dec 2009 09:23:50 -0800 Tom Eastep <[email protected]> wrote:
>
> As I mentioned in a post yesterday, I'm releasing Shorewall 4.4.5.1 to
> work around the reverse path filtering change in kernel 2.6.31.
>
> ----------------------------------------------------------------------------
> P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 1
> ----------------------------------------------------------------------------
> 1) In kernel 2.6.31, the handling of the rp_filter interface option
> was changed incompatibly. Previously, the effective value was
> determined by the setting of net.ipv4.config.<dev>.rp_filter
> logically ANDed with the setting of net.ipv4.config.all.rp_filter.
>
> Beginning with kernel 2.6.31, the value is the arithmetic MAX of
> those two values.
>
> Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
> there are any interfaces specifying 'routefilter', specifying
> 'routefilter' on any interface has the effect of setting the
> option on all interfaces.
>
> To allow Shorewall to handle this issue, a number of changes were
> necessary:
>
> a) There is no way to safely determine if a kernel supports the
> new semantics or the old so the Shorewall compiler uses the
> kernel version reported by uname.
>
> b) This means that the kernel version is now recorded in
> the capabilities file. So if you use capabilities files, you
> need to regenerate the files with Shorewall[-lite] 4.4.5.1.
>
> c) If the capabilities file does not contain a kernel version,
> the compiler assumes version 2.6.30 (the old rp_filter
> behavior).
>
> d) The ROUTE_FILTER option in shorewall.conf now accepts the
> following values:
>
> 0 or No - Shorewall sets net.ipv4.config.all.rp_filter to 0.
> 1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
> 2 - Shorewall sets net.ipv4.config.all.rp_filter to 2.
> Keep - Shorewall does not change the setting of
> net.ipv4.config.all.rp_filter if the kernel version
> is 2.6.31 or later.
>
> The default remains Keep.
e) The 'routefilter' interface option can have values 0,1 or 2. If
'routefilter' is specified without a value, the value 1 is
assumed.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
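The announcement above describes two things a firewall admin wants to check before upgrading: how the kernel combines the 'all' and per-device rp_filter sysctls (logical AND before 2.6.31, arithmetic MAX from 2.6.31 on; the real sysctl path is net.ipv4.conf.<dev>.rp_filter), and what each ROUTE_FILTER / 'routefilter' value does to the result. The following Python model is an added example, not Shorewall's code: it touches no sysctl, all interface settings are constructed, the version parsing uses a `uname -r` style string, and the behaviour of Keep on kernels older than 2.6.31 is an assumption flagged in the code, since the post only defines Keep for 2.6.31 and later.

```python
"""Added example: effective rp_filter before and after kernel 2.6.31.

Models the combination rule described in the announcement (AND before
2.6.31, MAX from 2.6.31 on) plus the ROUTE_FILTER and 'routefilter'
settings it lists. No sysctl is read or written; inputs are constructed.
"""
import re

NEW_SEMANTICS_FROM = (2, 6, 31)   # kernel that switched from AND to MAX
ASSUMED_VERSION = (2, 6, 30)      # used when no kernel version is recorded


def parse_kernel_version(release):
    """Parse a `uname -r` string such as '2.6.31-14-generic' into a tuple.

    An empty or missing release (no version in the capabilities file)
    yields ASSUMED_VERSION, i.e. the old rp_filter behaviour."""
    if not release:
        return ASSUMED_VERSION
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def uses_max_semantics(version):
    """True when the kernel takes MAX(all, dev) instead of AND."""
    return tuple(version) >= NEW_SEMANTICS_FROM


def routefilter_value(option):
    """Per-interface 'routefilter' option as it will be written to the
    device sysctl: True = given without a value (-> 1), 0/1/2 = explicit,
    None = option absent (-> 0, a constructed default for this example)."""
    if option is None:
        return 0
    if option is True:
        return 1
    if option in (0, 1, 2):
        return option
    raise ValueError(f"bad routefilter value: {option!r}")


def all_rp_filter_setting(route_filter, version, current_all, interfaces):
    """Value net.ipv4.conf.all.rp_filter ends up with for a ROUTE_FILTER setting."""
    opt = str(route_filter).strip().lower()
    if opt in ("0", "no"):
        return 0
    if opt in ("1", "yes"):
        return 1
    if opt == "2":
        return 2
    if opt == "keep":
        if uses_max_semantics(version):
            return current_all        # left untouched on 2.6.31 and later
        # Assumption (not stated in the post): on older kernels Keep behaves like
        # earlier releases, raising 'all' to 1 when any interface asks for routefilter.
        if any(routefilter_value(v) for v in interfaces.values()):
            return 1
        return current_all
    raise ValueError(f"bad ROUTE_FILTER value: {route_filter!r}")


def effective_rp_filter(version, all_value, dev_value):
    """Combine the 'all' and per-device values the way the given kernel does."""
    if uses_max_semantics(version):
        return max(all_value, dev_value)
    return 1 if (all_value and dev_value) else 0   # old kernels: logical AND


def effective_per_interface(release, route_filter, current_all, interfaces):
    """Effective rp_filter for every interface under one configuration."""
    version = parse_kernel_version(release)
    all_value = all_rp_filter_setting(route_filter, version, current_all, interfaces)
    return {dev: effective_rp_filter(version, all_value, routefilter_value(opt))
            for dev, opt in interfaces.items()}


# Constructed sample: only eth0 specifies 'routefilter' (without a value).
SAMPLE_INTERFACES = {"eth0": True, "eth1": None}

if __name__ == "__main__":
    for release in ("2.6.30", "2.6.31-14-generic"):
        for rf in ("Yes", "Keep"):
            print(release, rf, effective_per_interface(release, rf, 0, SAMPLE_INTERFACES))
```

Running it shows the problem the release fixes: on 2.6.31 with ROUTE_FILTER=Yes the 'all' value of 1 wins the MAX and eth1 is filtered although it never asked for it, whereas Keep leaves 'all' at 0 so only eth0 is filtered, matching what the same configuration produced on 2.6.30.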
