shorewall_code/New/releasenotes.txt

Shorewall 3.9.0

This release includes a complete rewrite of the compiler in Perl. 

The good news:

a) The compiler is small.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast.

The bad news:

There are a number of incompatibilities between 3.9.0 and earlier
versions.

a) This version requires the addrtype match capability in your kernel
   and iptables. This capability is in current distributions.

b) The BROADCAST column in the interfaces file is essentailly unused;
   if you enter anything in this column but '-' or 'detect', you will
   receive a warning.

c) Because the compiler is now written in Perl, your compile-time
   extension scripts for earlier version will no longer work.

d) The 'refresh' command is now synonamous with 'restart'.

e) Some run-time extension scripts are no longer supported because they
   make no sense (iptables-restore instantiates the new configuration
   atomically).

	continue
	initdone
	continue
	refresh
	refreshed

f) Currently, 3.9.0 has no support for ipsets. That will change with
   future releases but one thing is certain -- Shorewall is out of the
   ipset load/reload business. If the Netfilter ruleset is never cleared,
   then there is no opportunity for Shorewall to load/reload your
   ipsets.

   So:
	
	i)   Your ipsets must be loaded before Shorewall starts.
	
	ii)  Your ipsets may not be reloaded until Shorewall is stopped or
	     cleared.

	iii) If you specify ipsets in your routestopped file then
	     Shorewall must be cleared in order to reload your ipsets.
first version of release notes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5651 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb 2007-03-24 01:52:30 +01:00			`Shorewall 3.9.0`

			`This release includes a complete rewrite of the compiler in Perl.`

			`The good news:`

			`a) The compiler is small.`
			`b) The compiler is very fast.`
			`c) The compiler generates a firewall script that uses iptables-restore;`
			`so the script is very fast.`

			`The bad news:`

			`There are a number of incompatibilities between 3.9.0 and earlier`
			`versions.`

			`a) This version requires the addrtype match capability in your kernel`
			`and iptables. This capability is in current distributions.`

			`b) The BROADCAST column in the interfaces file is essentailly unused;`
			`if you enter anything in this column but '-' or 'detect', you will`
			`receive a warning.`

			`c) Because the compiler is now written in Perl, your compile-time`
			`extension scripts for earlier version will no longer work.`

			`d) The 'refresh' command is now synonamous with 'restart'.`

			`e) Some run-time extension scripts are no longer supported because they`
			`make no sense (iptables-restore instantiates the new configuration`
			`atomically).`

			`continue`
			`initdone`
			`continue`
			`refresh`
			`refreshed`

			`f) Currently, 3.9.0 has no support for ipsets. That will change with`
			`future releases but one thing is certain -- Shorewall is out of the`
			`ipset load/reload business. If the Netfilter ruleset is never cleared,`
			`then there is no opportunity for Shorewall to load/reload your`
			`ipsets.`

			`So:`

			`i) Your ipsets must be loaded before Shorewall starts.`

			`ii) Your ipsets may not be reloaded until Shorewall is stopped or`
			`cleared.`

			`iii) If you specify ipsets in your routestopped file then`
			`Shorewall must be cleared in order to reload your ipsets.`