Shorewall 4.4.19.2 is now available for download.
----------------------------------------------------------------------------
P R O B L E M S   C O R R E C T E D   I N   T H I S   R E L E A S E
----------------------------------------------------------------------------
4.4.19.2

1)  In Shorewall-shell, there was the ability to specify IPSET names in
    the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability,
    inadvertently dropped in Shorewall-perl, has been restored.

    CAUTION: When an IPSET is used in this way, the server port is
    opened from the SOURCE zone.

    Example:

        DNAT net dmz:10.1.1.2 tcp 80 - +foo

    will implicitly add this rule

        ACCEPT net dmz:10.1.1.2 tcp 80

2)  Several problems with complex TC have been corrected:

    a)  The following entry in /etc/shorewall/tcclasses

            A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack

        produced this error:

            ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses

        This has been corrected.

    b)  Shorewall reserves class number 1 for the root class of the
        queuing discipline. Defining class 1 in
        /etc/shorewall/tcclasses was previously escaping detection by
        the compiler, resulting in a run-time error.

    c)  The compiler did not complain if a CLASSID specified in the MARK
        column of tcrules referred to an IFB class. Such a rule would be
        nonsensical since packets are passed through the IFB before
        they are passed through any marking rules. Such a configuration
        now results in a compilation error.

    d)  Where there are more than 10 tcdevices, tcfilter entries could
        generate invalid rules.

3)  Double exclusion involving ipset lists was previously not detected,
    resulting in anomalous behavior.

    Example:

        ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]

    Such cases now result in a compilation error.

-Tom
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
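
A rules-file audit for the CAUTION in item 1, added here as an example (it is not Shorewall code): it lists DNAT and REDIRECT rules whose ORIGINAL DEST column names an ipset and, for DNAT, prints the implied ACCEPT in the form the release note shows. The column order is assumed from the note's example, the function names are hypothetical, and every sample rule except the first DNAT line is constructed.

```python
# Added example, not Shorewall code. Column order is taken from the
# release note's DNAT example: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST.
COLS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Constructed sample rules; only the first DNAT line comes from the release note.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST           PROTO  DPORT  SPORT  ORIGDEST
DNAT      net     dmz:10.1.1.2   tcp    80     -      +foo
DNAT      net     dmz:10.1.1.3   tcp    443    -      192.0.2.10
REDIRECT  loc     3128           tcp    80     -      +proxied
ACCEPT    loc     net            tcp    22
"""

def uses_ipset(column):
    """True if any comma-separated item is an ipset reference (+name or !+name)."""
    return any(item.lstrip("!").startswith("+") for item in column.split(","))

def ipset_origdest_rules(rules_text):
    """Return (line number, action, source zone, implied rule or None) per hit."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split columns
        if not fields:
            continue
        fields += ["-"] * (len(COLS) - len(fields))  # omitted trailing columns
        rule = dict(zip(COLS, fields))
        action = rule["action"].split(":", 1)[0]     # strip a log level (DNAT:info)
        if action not in ("DNAT", "REDIRECT") or not uses_ipset(rule["origdest"]):
            continue
        implied = None
        if action == "DNAT":
            # Same shape as the note's example; a port remap in DEST is not handled.
            implied = "ACCEPT {source} {dest} {proto} {dport}".format(**rule)
        findings.append((lineno, action, rule["source"], implied))
    return findings

if __name__ == "__main__":
    for lineno, action, source, implied in ipset_origdest_rules(SAMPLE_RULES):
        print(f"line {lineno}: {action} with ipset ORIGINAL DEST; "
              f"port opened from zone '{source}'")
        if implied:
            print(f"    implied rule: {implied}")
```

Each hit is a rule whose server port is reachable from the whole SOURCE zone, so review whether that zone-wide exposure is intended.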
