With 4.4.5.4, I have hopefully corrected all of the breakage from 4.4.5.1. I apologize to the user community and to the distribution maintainers for the series of incomplete fixes.
For those who have had a hard time following this mess, here is the fix
history...
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 4
----------------------------------------------------------------------------
1) With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
will result in the following warnings during compilation:
WARNING: Your capabilities file is out of date -- it does not
contain all of the capabilities defined by Shorewall6 version
4.4.5.3
WARNING: Your capabilities file does not contain a Kernel
Version -- using 2.6.30
2) The change in Shorewall 4.4.5.1 broke the 'forward' interface
option in Shorewall6.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 3
----------------------------------------------------------------------------
1) 'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
was broken.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 2
----------------------------------------------------------------------------
1) When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
following warning messages were issued.
WARNING: Unknown capability (KERNELVERSION)
ignored : /etc/shorewall2/capabilities (line 49)
WARNING: Your capabilities file does not contain a Kernel Version --
using 2.6.30
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 5 . 1
----------------------------------------------------------------------------
1) In kernel 2.6.31, the handling of the rp_filter interface option was
changed incompatibly. Previously, the effective value was determined
by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
the setting of net.ipv4.config.all.rp_filter.
Beginning with kernel 2.6.31, the value is the arithmetic MAX of
those two values.
Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
there are any interfaces specifying 'routefilter', specifying
'routefilter' on any interface has the effect of setting the option
on all interfaces.
To allow Shorewall to handle this issue, a number of changes were
necessary:
a) There is no way to safely determine if a kernel supports the
new semantics or the old so the Shorewall compiler uses the
kernel version reported by uname.
b) This means that the kernel version is now recorded in
the capabilities file. So if you use capabilities files, you
need to regenerate the files with Shorewall[-lite] 4.4.5.1.
c) If the capabilities file does not contain a kernel version,
the compiler assumes version 2.6.30 (the old rp_filter
behavior).
d) The ROUTE_FILTER option in shorewall.conf now accepts the
following values:
0 or No - Shorewall sets net.ipv4.config.all.rp_filter to 0.
1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
2 - Shorewall sets net.ipv4.config.all.rp_filter to 2.
Keep - Shorewall does not change the setting of
net.ipv4.config.all.rp_filter if the kernel version
is 2.6.31 or later.
The default remains Keep.
e) The 'routefilter' interface option can have values 0,1 or 2. If
'routefilter' is specified without a value, the value 1 is
assumed.
Happy Holidays to all and a Happy and Prosperous New Year,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
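The fix history above turns on one kernel behaviour change: before 2.6.31 the effective rp_filter on an interface was conf.all AND conf.<dev>, from 2.6.31 it is MAX of the two, so writing 1 to conf.all switches filtering on everywhere. The following added example (not Shorewall's own code, and not the Perl compiler it describes) models that arithmetic, the 2.6.30 fallback when a capabilities file carries no kernel version, and the four ROUTE_FILTER values listed under 4.4.5.1, so you can see for a given kernel and interface set what the effective per-interface value ends up being. The kernel's real sysctl keys are net.ipv4.conf.all.rp_filter and net.ipv4.conf.<dev>.rp_filter; the "KERNELVERSION=" line format read here is an assumption for the example, not the documented capabilities-file format, and the interface and version values are constructed.

```python
# Added example (not Shorewall's code): model the pre/post 2.6.31 rp_filter
# semantics, the "no kernel version -> assume 2.6.30" fallback, and the
# ROUTE_FILTER values 0/No, 1/Yes, 2 and Keep described in the release notes.

from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

OLD_SEMANTICS_DEFAULT: Version = (2, 6, 30)  # assumed when no kernel version is recorded
NEW_SEMANTICS_FROM: Version = (2, 6, 31)     # first kernel that uses MAX instead of AND


def parse_kernel_version(text: str) -> Version:
    """Turn a 'uname -r' style string such as '2.6.31-14-generic' into (2, 6, 31)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:          # tolerate '2.6' or '3'
        parts.append(0)
    return parts[0], parts[1], parts[2]


def kernel_version_from_capabilities(capabilities: str) -> Tuple[Version, Optional[str]]:
    """Read a KERNELVERSION=<version> line (assumed format) from capabilities text.

    Returns (version, warning). Without the line, fall back to 2.6.30, i.e. the
    old AND semantics, exactly as the 4.4.5.1 notes say the compiler does.
    """
    for line in capabilities.splitlines():
        line = line.strip()
        if line.startswith("KERNELVERSION="):
            return parse_kernel_version(line.split("=", 1)[1]), None
    return OLD_SEMANTICS_DEFAULT, "capabilities file does not contain a Kernel Version -- using 2.6.30"


def effective_rp_filter(kernel: Version, all_value: int, dev_value: int) -> int:
    """Effective net.ipv4.conf.<dev>.rp_filter as the kernel computes it.

    < 2.6.31 : logical AND of conf.all and conf.<dev> (result 0 or 1)
    >= 2.6.31: arithmetic MAX of the two (0 = off, 1 = strict, 2 = loose)
    """
    if kernel < NEW_SEMANTICS_FROM:
        return 1 if (all_value and dev_value) else 0
    return max(all_value, dev_value)


def plan_rp_filter(kernel: Version, route_filter: str, interfaces: Dict[str, Optional[int]],
                   current_all: int = 0) -> Tuple[int, Dict[str, int]]:
    """Decide what conf.all.rp_filter becomes and report the per-interface result.

    route_filter: the shorewall.conf ROUTE_FILTER value (0/No, 1/Yes, 2, Keep).
    interfaces:   interface name -> 'routefilter' option value; None means the
                  option was given without a value, which the notes say means 1.
    current_all:  the value already in conf.all, only relevant for Keep.
    Returns (all_value, {interface: effective rp_filter}).
    """
    devs = {name: (1 if v is None else v) for name, v in interfaces.items()}
    rf = route_filter.strip().lower()
    if rf in ("0", "no"):
        all_value = 0
    elif rf in ("1", "yes"):
        all_value = 1
    elif rf == "2":
        all_value = 2
    elif rf == "keep":
        if kernel >= NEW_SEMANTICS_FROM:
            all_value = current_all                    # leave conf.all untouched
        else:
            # old behaviour: conf.all = 1 whenever any interface asks for routefilter;
            # harmless under AND semantics because dev=0 interfaces stay at 0
            all_value = 1 if any(devs.values()) else current_all
    else:
        raise ValueError(f"unknown ROUTE_FILTER value: {route_filter!r}")
    effective = {name: effective_rp_filter(kernel, all_value, dev) for name, dev in devs.items()}
    return all_value, effective


if __name__ == "__main__":
    ifaces = {"eth0": 1, "eth1": 0}                   # constructed: only eth0 wants routefilter
    for caps in ("KERNELVERSION=2.6.30\n", "KERNELVERSION=2.6.31-14-generic\n", ""):
        kernel, warning = kernel_version_from_capabilities(caps)
        if warning:
            print("WARNING:", warning)
        for rf in ("Yes", "Keep"):
            print(kernel, "ROUTE_FILTER=%s ->" % rf, plan_rp_filter(kernel, rf, ifaces))
```

Run it and compare the two ROUTE_FILTER=Yes lines: on 2.6.30 eth1 stays at 0, on 2.6.31 it becomes 1 even though only eth0 specified routefilter, which is precisely why Keep now leaves conf.all alone on the newer kernels.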
Shorewall-devel mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-devel
