diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 1c9d65460..548262367 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -2,6 +2,10 @@ Changes in 4.0.0 RC 1 1) shorewall-perl RPM no longer installable under shorewall 3.4. +2) Fix limited broadcast and detectnets/routeback interfaces. + +3) Use optimized 'split' for faster compilation. + Changes in 4.0.0 Beta 6 1) First step to adding compiler debugging facility. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 9353cd093..ae68d2e1b 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -12,8 +12,9 @@ Shorewall 4.0.0 RC 1 - Shorewall-shell ( the shell-based compiler ) - Shorewall-perl (the Perl-based compiler ) -You must install Shorewall-common and at least one of the compiler -packages (you may install them both). + You must install Shorewall-common and at least one of the compiler + packages (you may install them both). See the Migration + Considerations below for further information. 3) The facilities for supporting bridge/firewalls under earlier releases are deprecated and their documentation is omitted from the 
@@ -23,17 +24,30 @@ packages (you may install them both). Problems corrected in 4.0.0 Beta 7. -None. +1) If 'routeback' and 'detectnets' were specified on an interface, + limited broadcasts (to 255.255.255.255) were dropped when forwarded + through the interface. This could cause broadcast-based + applications to fail when running through a bridge with + 'detectnets'. Other changes in Shorewall 4.0.0 RC 1. 1) The shorewall-perl RPM may no longer be installed under Shorewall 3.4. It requires shorewall_common. +2) The compiler's CPU utilization has been reduced further. + Migration Considerations: -1) You cannot simply upgrade your existing Shorewall package. You must - also install one or both of the compilers. +1) Beginning with Shorewall 4.0.0, there is no single 'shorewall' + package. Rather there are two compiler packages (shorewall-shell + and shorewall-perl) and a set of base files (shorewall-common) + required by either compiler package. + + Although the names of the packages are changing, you can upgrade + without having to uninstall/reinstall. + + To repeat: YOU DO NOT NEED TO UNINSTALL ANY EXISTING PACKAGE. If you attempt to upgrade using the shorewall-common RPM, you get this result: @@ -45,12 +59,12 @@ Migration Considerations: You must either: - rpm -U shorewall-shell-4.0.0.noarch.rpm \ + rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \ shorewall-common-4.0.0.noarch.rpm or - rpm -U shorewall-shell-4.0.0.noarch.rpm \ + rpm -Uvh shorewall-shell-4.0.0.noarch.rpm \ shorewall-perl-4.0.0.noarch.rpm \ shorewall-common-4.0.0.noarch.rpm 
@@ -68,6 +82,33 @@ Migration Considerations: the tarball in the expected way; untar the package, and run the install.sh script. + Example 1: You have 'shorewall' installed and you want to continue + to use the shorewall-shell compiler. + + tar -jxf shorewall-common-4.0.0.tar.bz2 + tar -jxf shorewall-shell-4.0.0.tar.bz2 + + cd shorewall-shell-4.0.0 + ./install.sh + cd ../shorewall-common-4.0.0 + ./install.sh + shorewall check + shorewall restart + + Example 2: You have shorewall 3.4.4 and shorewall-perl 4.0.0-Beta7 + installed and you want to upgrade to 4.0. You do not need the + shell-based compiler. + + tar -jxf shorewall-common-4.0.0.tar.bz2 + tar -jxf shorewall-perl-4.0.0.tar.bz2 + + cd shorewall-perl-4.0.0 + ./install.sh + cd ../shorewall-common-4.0.0 + ./install.sh + shorewall check + shorewall restart + 2) The ROUTE_FILTER and LOG_MARTIANS options in shorewall.conf work slightly differently in Shorewall 4.0.0. In prior releases, leaving these options empty was equivalent to setting them to 'No' which diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 45488b7a6..5749a336c 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -1661,7 +1661,7 @@ sub generate_matrix() { while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) { if ( get_interface_option( $interface, 'bridge' ) ) { for my $source ( keys %$sourceref ) { - add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-m addrtype --dst-type BROADCAST -j $chain3"; + add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3"; } } } diff --git a/docs/Install.xml b/docs/Install.xml index da57d8e7c..21e5ffc98 100644 --- a/docs/Install.xml +++ b/docs/Install.xml 
@@ -360,10 +360,16 @@ Pin-Priority: 700Then package, it probably won't work. + + If you are upgrading from a 2.x or 3.x version to a 4.x version + or later, please see the upgrade + issues for specific instructions. + + Upgrade the RPM - rpm -Uvh <shorewall rpm file> <compiler rpm file> ... + rpm -Uvh <shorewall-common rpm file> <compiler rpm file> ... Some SUSE users have encountered a @@ -371,7 +377,7 @@ Pin-Priority: 700Then though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm. - rpm -Uvh --nodeps <shorewall rpm> <compiler rpm> ... + rpm -Uvh --nodeps <shorewall-common rpm> <compiler rpm> ... @@ -407,6 +413,12 @@ Pin-Priority: 700Then
Upgrade using tarball + + If you are upgrading from a 2.x or 3.x version to a 4.x version + or later, please see the upgrade + issues for specific instructions. + + If you already have Shorewall installed and are upgrading to a new version using the tarball: diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 9ddba3a8b..1acfb2ca5 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -70,54 +70,60 @@
- Versions >= 4.0.0-Beta1 + Versions >= 4.0.0-Beta7 - This is the first Shorewall release that fully integrates the - new Shorewall-perl compiler. You are now offered a choice as to which - compiler(s) you install. In Shorewall 4.0.0, there are the following - packages: - - Shorewall-common ( common files ) - + Beginning with Shorewall 4.0.0, there is no single 'shorewall' + package. Rather there are two compiler packages (shorewall-shell and + shorewall-perl) and a set of base files (shorewall-common) required by + either compiler package. - - Shorewall-shell ( the shell-based compiler ) - + Although the names of the packages are changing, you can upgrade + without having to uninstall/reinstall. - - Shorewall-perl (the Perl-based compiler ) - + To repeat: You do not need to uninstall + any existing package. - - Shorewall-lite - - You must install Shorewall-common and at least one of - the compiler packages (you may install them both). - - You cannot simply upgrade your existing Shorewall package. You - must upgrade Shorewall-common and - install one or both of the compilers. - - If you attempt to upgrade using the common RPM, you get this - result:gateway:~ # rpm -Uvh shorewall-common-4.0.0.noarch.rpm + If you attempt to upgrade using the shorewall-common RPM, you + get this result:gateway:~ # rpm -Uvh shorewall-common-4.0.0.noarch.rpm error: Failed dependencies: shorewall_compiler is needed by shorewall-common-4.0.0-1.noarch -gateway:~ # You must either:rpm -U shorewall-shell-4.0.0.noarch.rpm shorewall-common-4.0.0.noarch.rpmorrpm -U shorewall-shell-4.0.0.noarch.rpm shorewall-perl-4.0.0.noarch.rpm shorewall-common-4.0.0.noarch.rpmIf - you are upgrading using the tarball, you must install either - shorewall-shell or shorewall-perl before you upgrade Shorewall using - the Shorewall-common tarball. 
Otherwise, the install.sh script fails - with: +gateway:~ #You must either:rpm -Uvh shorewall-shell-4.0.0.noarch.rpm shorewall-common-4.0.0.noarch.rpmorrpm -Uvh shorewall-shell-4.0.0.noarch.rpm shorewall-perl-4.0.0.noarch.rpm shorewall-common-4.0.0.noarch.rpmIf + you don't want shorewall-shell, use the second command + thenrpm -e shorewall-shellIf + you are upgrading using the tarball, you must install shorewall-shell + and/or shorewall-perl before you upgrade using shorewall-common. + Otherwise, the install.sh script fails with: ERROR: No Shorewall compiler is installed The shorewall-shell and shorewall-perl packages are installed from the tarball in the expected way; untar the package, and run the install.sh script. - The RPMs are set up so that if you upgrade an existing Shorewall - installation as part of a distribution upgrade and you have not - already installed shorewall-perl, then you will end up with - Shorewall-common and Shorewall-shell installed. + Example 1: You have 'shorewall' installed and you want to + continue to use the shorewall-shell compiler.tar -jxf shorewall-common-4.0.0.tar.bz2 +tar -jxf shorewall-shell-4.0.0.tar.bz2 + +cd shorewall-shell-4.0.0 +./install.sh +cd ../shorewall-common-4.0.0 +./install.sh +shorewall check +shorewall restartExample 2: You have shorewall + 3.4.4 and shorewall-perl 4.0.0-Beta7 installed and you want to upgrade + to 4.0. You do not need the shell-based compiler.tar -jxf shorewall-common-4.0.0.tar.bz2 +tar -jxf shorewall-perl-4.0.0.tar.bz2 + +cd shorewall-perl-4.0.0 +./install.sh +cd ../shorewall-common-4.0.0 +./install.sh +shorewall check +shorewall restart The RPMs are set up so that if + you upgrade an existing Shorewall installation as part of a + distribution upgrade and you have not already installed + shorewall-perl, then you will end up with Shorewall-common and + Shorewall-shell installed.
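Review bot: In Shorewall-common/changelog.txt (hunk @@ -2,6 +2,10), entry 3 "Use optimized 'split' for faster compilation" has no matching code in this patch; the only source change visible here is the single add_rule line in Shorewall-perl/Shorewall/Rules.pm. Either include the 'split' change in this commit or move entry 3 (and item 2 under "Other changes" in releasenotes.txt) to the commit that carries it. Entry 2 would also read more clearly as "Fix limited broadcast on detectnets/routeback interfaces".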
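Review bot: In Shorewall-common/releasenotes.txt (hunk @@ -45,12 +59,12), the two "You must either" commands are updated to `rpm -Uvh`, but the follow-up step that docs/upgrade_issues.xml gains in this same patch ("If you don't want shorewall-shell, use the second command then rpm -e shorewall-shell") is missing here. A reader working from the release notes alone has no instruction for ending up with only shorewall-perl; please add the same sentence after the second command so the two documents agree.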
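Review bot: In the Example 1 and Example 2 blocks added to Shorewall-common/releasenotes.txt (hunk @@ -68,6 +82,33), `shorewall check` and `shorewall restart` are listed as consecutive commands with nothing saying that the restart depends on the check succeeding. Since these are upgrade steps run against a live firewall, suggest either writing the last step as `shorewall check && shorewall restart` or adding a sentence telling the reader to stop if the check reports an error. The same two examples are repeated in docs/upgrade_issues.xml and should get the same change.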
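Review bot: In Shorewall-perl/Shorewall/Rules.pm, generate_matrix() (hunk @@ -1661,7 +1661,7), the new rule matches only `-d 255.255.255.255`, where the removed rule matched by address type with `-m addrtype --dst-type BROADCAST`; nothing in the hunk says whether other broadcast destinations forwarded out of a bridge interface are still meant to reach $chain3 or are handled elsewhere. Please add a comment above the add_rule call explaining why the literal address is used and that the narrower match is intentional, because this changes which forwarded packets the firewall accepts into $chain3. The interpolation `${source}-d` also relies on $source being empty or ending in a space; a one-line comment saying so would make that harder to break later.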
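Review bot: In docs/Install.xml (hunk @@ -371,7 +377,7), the updated command `rpm -Uvh --nodeps <shorewall-common rpm> <compiler rpm> ...` needs a caveat now that the package is split. `--nodeps` turns off every dependency check, including the shorewall_compiler requirement that docs/upgrade_issues.xml shows as "shorewall_compiler is needed by shorewall-common-4.0.0-1.noarch", so a reader who leaves the compiler RPM off the command line gets no error and ends up with shorewall-common alone. Suggest adding a sentence that a compiler RPM must be listed on the same command line when `--nodeps` is used.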
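Review bot: In docs/upgrade_issues.xml (hunk @@ -70,54 +70,60), the section title changes from "Versions >= 4.0.0-Beta1" to "Versions >= 4.0.0-Beta7" while the new body opens with "Beginning with Shorewall 4.0.0", so readers on Beta1 through Beta6 no longer have a section that covers them and the title and first sentence disagree on where the change starts. Please either keep the Beta1 bound or say in the text what differs for the earlier betas. The rewrite also removes the package list that named Shorewall-lite, and the new paragraph mentions only shorewall-shell, shorewall-perl and shorewall-common; if Shorewall-lite is still part of 4.0.0, one sentence on it should be kept.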