diff --git a/docs/Actions.xml b/docs/Actions.xml
index e3d354b20..f65b6157a 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -401,6 +401,32 @@ Reject:REJECT #Default Action for REJECT policy
2.6.14).
+
+
+ MARK (Added in Shorewall 3.4.4)
+
+
+ [!]<value>[/<mask>][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don’t want to define a test but need to specify anything
+ in the following columns, place a "-" in this field.
+ ! — Inverts the test (not equal)
+
+ <value> — Value of the packet
+ or connection mark.
+
+ <mask> —A mask to be applied to
+ the mark before testing.
+
+ :C — Designates a connection mark. If omitted, the packet
+ mark’s value is tested. This option is only supported by
+ Shorewall-perl
+
+
Omitted column entries should be entered using a dash ("-").
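Review bot: two punctuation slips in the new MARK column text: the ":C" bullet ends on "Shorewall-perl" with no terminating period, and the <mask> bullet has no space between the dash and "A mask", unlike the <value> bullet above it. Also consider saying in the <mask> bullet that the mask is applied to the mark before it is compared with <value> (the current wording "before testing" leaves it to the reader to work out what is compared with what).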
diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml
index 94f1b5dd1..3d8fd686d 100644
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@@ -141,6 +141,10 @@
Perl File::Temp Module
+
+
+ Perl Getopt::Long Module
+
@@ -411,7 +415,7 @@ fi
eth0 eth1!192.168.4.9 ...Shorewall-perl
uses syntax that is consistent with the rest of
Shorewall:#INTERFACE SOURCE ADDRESSES
-eth0 eth1:!192.168.4.9 ...
+eth0 eth1:!192.168.4.9 ...
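Review bot: the removed and added lines in this hunk read identically in the rendered text ("eth0 eth1:!192.168.4.9 ..."), so the change can only be in the surrounding markup; confirm that this is intended and that the rendered example still sits on its own line under the "#INTERFACE SOURCE ADDRESSES" header, which the preceding context line shows running together with the prose.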
diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml
index 8fe46e594..5e16ed487 100644
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -38,10 +38,10 @@
Shorewall-perl - What is it?
Shorewall-perl is a companion product to Shorewall. It requires
- Shorewall 3.4.2 or later.
+ Shorewall 3.4.2 or later (Shorewall 3.4.4 or later recommended).
Shorewall-perl contains a re-implementation of the Shorewall
- compiler written in Perl. The advantages of using Shorewall-perl are over
+ compiler written in Perl. The advantages of using Shorewall-perl over
Shorewall-shell (the shell-based compiler included in earlier Shorewall
3.x releases) are:
@@ -119,7 +119,9 @@
BRIDGING=Yes is not supported. The kernel code necessary to
- support this option was removed in Linux kernel 2.6.20.
+ support this option was removed in Linux kernel 2.6.20. Alternative bridge
+ support is provided by Shorewall-perl.
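Review bot: "Alternative bridge support is provided by Shorewall-perl" tells the reader that BRIDGING=Yes has a replacement but not what it is or where it is described; name the mechanism or add a reference to the bridge documentation so someone migrating a BRIDGING=Yes configuration knows what to change.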
@@ -129,16 +131,6 @@
addrtype match requirement is relaxed.
-
- Because the compiler is now written in Perl, your
- compile-time extension scripts from earlier versions will no
- longer work. For now, if you want to use extension scripts, you
- will need to read the Perl code to see how the compiler operates
- internally. I will produce documentation before the first official
- release. Compile-time extension scripts are executed using the
- Perl 'do FILE' mechanism.
-
-
The 'refresh' command is now synonymous with
'restart'.
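Review bot: this hunk deletes the only warning that compile-time extension scripts written for the shell compiler do not work under Shorewall-perl, together with the detail that such scripts are run through Perl's 'do FILE' mechanism, and adds no pointer to where that is now documented. If the promised documentation exists, replace the paragraph with a reference to it; otherwise keep at least a one-line caveat, since a user who upgrades with old extension scripts in place gets no hint from this section that they will be ignored or fail.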
@@ -207,20 +199,21 @@
There is only a single "pass as-is to iptables" argument
- (so you must quote that par
+ (so you must quote that part).
Example:
- log_rule_limit
- 'info' ,
- $chainref ,
- $chainref->{name},
- 'DROP' ,
- '', #Limit
- '' , #Log tag
- 'add';
+ log_rule_limit(
+ 'info' ,
+ $chainref ,
+ $chainref->{name},
+ 'DROP' ,
+ '', #Limit
+ '' , #Log tag
+ 'add', #Command
+ '-p tcp'); #Added 'as-is' to the generated rule
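Review bot: the new trailing argument '-p tcp' is a single token, so it does not illustrate the point made just above that the whole pass-as-is string must be quoted because there is only one such argument; an example with more than one option, such as '-p tcp --dport 22', would show why the quoting matters. Otherwise the fix is right: the call now has its parentheses and closing ");", and the comments on each argument make the positional interface readable.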
@@ -254,13 +247,14 @@
- Currently, support for ipsets is untested. That will change
- with future pre-releases but one thing is certain -- Shorewall is
- now out of the ipset load/reload business. With scripts generated
- by the Perl-based Compiler, the Netfilter ruleset is never
- cleared. That means that there is no opportunity for Shorewall to
- load/reload your ipsets since that cannot be done while there are
- any current rules using ipsets.
+ Currently, support for ipsets is only lightly tested (any
+ volunteers?). That will change with future pre-releases but one
+ thing is certain -- Shorewall is now out of the ipset load/reload
+ business. With scripts generated by the Perl-based Compiler, the
+ Netfilter ruleset is never cleared. That means that there is no
+ opportunity for Shorewall to load/reload your ipsets since that
+ cannot be done while there are any current rules using
+ ipsets.
So:
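Review bot: "(any volunteers?)" is an aside that does not belong in reference documentation; drop it or move the request for testers to the release announcement. Since the paragraph now states that Shorewall never clears the ruleset and therefore cannot load or reload ipsets, make sure the list that follows "So:" says plainly that the sets referenced by the configuration must exist before the generated script runs, as that is the operational consequence a reader needs.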
@@ -311,9 +305,10 @@ fi
the Shorewall-perl compiler rather than by the shell, only the
basic forms of Shell expansion ($variable and ${variable}) are
supported. The more exotic forms such as ${variable:=default} are
- not supported. Both variables defined in /etc/shorewall/params and
- environmental variables (exported by the shell) can be used in
- configuration files.
+ not supported. Both variables defined in
+ /etc/shorewall/params and environmental
+ variables (exported by the shell) can be used in configuration
+ files.
@@ -324,8 +319,8 @@ fi
DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset
- is atomically loaded with one execution of
- iptables-restore.
+ (with the exception of the dynamic blacklist) is atomically loaded
+ with one execution of iptables-restore.
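Review bot: "(with the exception of the dynamic blacklist)" introduces a non-atomic step without saying how or when the dynamic blacklist is loaded relative to the single iptables-restore run. State that explicitly, because from this sentence alone a reader cannot tell whether there is a window during start or restart in which the rest of the ruleset is active but the dynamic blacklist is not yet enforced.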
@@ -347,7 +342,7 @@ fi
Shorewall-perl has a single rule generator that is used for
- all rule-oriented files. So it is important that the syntax is
+ all rule-oriented files. So it is important that the syntax be
consistent between files.
With shorewall-shell, there is a special syntax in the
@@ -393,6 +388,10 @@ eth0 eth1:!192.168.4.9 ...
Perl File::Temp Module
+
+
+ Perl Getopts::Long Module
+
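Review bot: "Perl Getopts::Long Module" is misspelled; the core module is Getopt::Long, which is how the matching addition to docs/Shorewall-4.xml in this same patch spells it. Fix it here so the two requirement lists agree and a reader searching for the module finds it.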
@@ -407,24 +406,26 @@ eth0 eth1:!192.168.4.9 ...
Either
- tar -jxf shorewall-perl-3.9.x.tar.bz2
-cd shorewall-perl-3.9.x
+ tar -jxf shorewall-perl-4.0.0-Betax.tar.bz2
+cd shorewall-perl-4.0.0-Betax
./install.sh
or
- rpm -ivh shorewall-pl-3.9.x-1.noarch.rpm
+ rpm -ivh shorewall-pl-4.0.0-0Betax.noarch.rpm
- Note that you can also install the Shorewall 3.9.x version of
- Shorewall. If you do that and still want access to the legacy shell-based
- compiler, you must also install the Shorewall-shell package.
+ Note that you can also install the current Shorewall 4.0.0 Beta
+ version of Shorewall. If you do that and still want access to the legacy
+ shell-based compiler, you must also install the Shorewall-shell
+ package.
Using Shorewall-perl
- Using Shorewall-perl under Shorewall 3.4.x
+ Using Shorewall-perl under Shorewall 3.4.2 and Shorewall
+ 3.4.3
By default, the Shorewall-shell compiler will be used.
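Review bot: the example file names use "x" as the Beta number placeholder but are otherwise inconsistent between the two install methods: the tarball is "shorewall-perl-4.0.0-Betax.tar.bz2" while the rpm is "shorewall-pl-4.0.0-0Betax.noarch.rpm". Confirm that the rpm package really is named shorewall-pl rather than shorewall-perl and that "0Betax" is the intended release string, and say once that x stands for the Beta number. The procedure also runs ./install.sh and rpm -ivh as root with no mention of checking the downloaded archive first; a sentence on verifying the download before installing would fit here.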
@@ -435,10 +436,7 @@ eth0 eth1:!192.168.4.9 ...
If you add this setting to
/etc/shorewall/shorewall.conf then by default, the
- new compiler will be used on the system. If you add it to
- shorewall.conf in a separate directory (such as a
- Shorewall-lite export directory) then the new compiler will only be used
- when you compile from that directory.
+ new compiler will be used on the system.
Regardless of the setting of SHOREWALL_COMPILER, there is one
change in Shorewall operation that is triggered simply by installing
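Review bot: with the sentence about a shorewall.conf in a separate directory removed, the 3.4.2/3.4.3 section no longer says what happens when SHOREWALL_COMPILER is set in a Shorewall-lite export directory under those releases. Since the later hunk in this file limits that behaviour to 4.0.0 Beta6 and later, state explicitly here that the per-directory setting is not honoured under 3.4.2 and 3.4.3 (if that is the case) rather than leaving it unstated.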
@@ -451,7 +449,8 @@ eth0 eth1:!192.168.4.9 ...
- Using Shorewall-perl under Shorewall 3.9.x
+ Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and
+ later.
If you only install one compiler, then that compiler will be
used.
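Review bot: the new heading ends with a period ("... 4.0.0 Beta and later.") while the sibling heading "Using Shorewall-perl under Shorewall 3.4.2 and Shorewall 3.4.3" does not; drop the period for consistency.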
@@ -468,12 +467,13 @@ eth0 eth1:!192.168.4.9 ...
new compiler will be used on the system. If you add it to
shorewall.conf in a separate directory (such as a
Shorewall-lite export directory) then the new compiler will only be used
- when you compile from that directory.
+ when you compile from that directory (4.0.0 Beta6 and later
+ only).
If you only install one compiler, it is suggested that you do not
set SHOREWALL_COMPILER.
- If you install Shorewall-perl under Shorewall 3.9.2 or later, you
+ If you install Shorewall-perl under Shorewall 3.4.4 or later, you
can select the compiler to use on the command line using the 'C
option:
'-C shell' means use the shell compiler
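Review bot: the "(4.0.0 Beta6 and later only)" qualifier is the right place to record the per-directory restriction, but the sentence this hunk also touches ("you can select the compiler to use on the command line using the 'C option:") has an unbalanced quote; it should read "the -C option", matching the "'-C shell'" and following lines. Fix it in the same change since the paragraph is already being edited.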
diff --git a/docs/fallback.xml b/docs/fallback.xml
index 2bea5caf3..8e8c25536 100644
--- a/docs/fallback.xml
+++ b/docs/fallback.xml
@@ -43,7 +43,7 @@
- cd to the distribution directory for the version of Seattle
+ cd to the distribution directory for the version of Shoreline
Firewall that you are currently running (NOT the version that you want
to fall back to).
@@ -91,4 +91,26 @@
If you installed using an rpm, at a root shell prompt type
rpm -e shorewall
.
+
+
+ Shorewall-shell and Shorewall-perl
+
+ Shorewall-shell and Shoreall-perl have no configuration files and
+ all of their released files are installed in a single directory. To
+ fallback to a prior release of one of these products using the tarballs,
+ simple re-install the older version.
+
+ To uninstal these products when they have been installed using the
+ tarballs:
+
+
+
+ rm -rf /usr/share/shorewall-shell
+
+
+
+ rm -rf /usr/share/shorewall-perl
+
+
+
\ No newline at end of file
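Review bot: typos in the new section: "Shoreall-perl" for Shorewall-perl, "simple re-install" for "simply re-install", "uninstal" for "uninstall", and "fallback" used as a verb ("To fallback to") should be "fall back". The hunk also drops the trailing newline at end of file ("\ No newline at end of file"); restore it. Finally, the two rm -rf commands assume the default /usr/share install prefix; say so, or tell the reader to remove whichever directory their install.sh run actually used, since an rm -rf given as a bare recipe is easy to run against the wrong path.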