From 1d59d1ce261f3b00cda04e62fa93d4a4d401a151 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 23 Jun 2007 17:08:26 +0000
Subject: [PATCH] Doc updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6654 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/Actions.xml | 26 +++++++++++
 docs/Shorewall-4.xml | 6 ++-
 docs/Shorewall-perl.xml | 98 ++++++++++++++++++++---------------------
 docs/fallback.xml | 24 +++++++++-
 4 files changed, 103 insertions(+), 51 deletions(-)
diff --git a/docs/Actions.xml b/docs/Actions.xml
index e3d354b20..f65b6157a 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -401,6 +401,32 @@ Reject:REJECT #Default Action for REJECT policy 2.6.14). + + + MARK (Added in Shorewall 3.4.4) + + + [!]<value>[/<mask>][:C] + + + Defines a test on the existing packet or connection mark. The + rule will match only if the test returns true. + + If you don’t want to define a test but need to specify anything + in the following columns, place a "-" in this field. + ! — Inverts the test (not equal) + + <value> — Value of the packet + or connection mark. + + <mask> —A mask to be applied to + the mark before testing. + + :C — Designates a connection mark. If omitted, the packet + mark’s value is tested. This option is only supported by + Shorewall-perl + + Omitted column entries should be entered using a dash ("-").
diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml
index 94f1b5dd1..3d8fd686d 100644
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@@ -141,6 +141,10 @@ Perl File::Temp Module + + + Perl Getopt::Long Module +
@@ -411,7 +415,7 @@ fi eth0 eth1!192.168.4.9 ...Shorewall-perl uses syntax that is consistent with the rest of Shorewall:#INTERFACE SOURCE ADDRESSES -eth0 eth1:!192.168.4.9 ... +eth0 eth1:!192.168.4.9 ...
diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml
index 8fe46e594..5e16ed487 100644
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml 
@@ -38,10 +38,10 @@ Shorewall-perl - What is it? Shorewall-perl is a companion product to Shorewall. It requires - Shorewall 3.4.2 or later. + Shorewall 3.4.2 or later (Shorewall 3.4.4 or later recommended). Shorewall-perl contains a re-implementation of the Shorewall - compiler written in Perl. The advantages of using Shorewall-perl are over + compiler written in Perl. The advantages of using Shorewall-perl over Shorewall-shell (the shell-based compiler included in earlier Shorewall 3.x releases) are:
@@ -119,7 +119,9 @@ BRIDGING=Yes is not supported. The kernel code necessary to - support this option was removed in Linux kernel 2.6.20. + support this option was removed in Linux kernel 2.6.20. Alternative bridge + support is provided by Shorewall-perl.
@@ -129,16 +131,6 @@ addrtype match requirement is relaxed. - - Because the compiler is now written in Perl, your - compile-time extension scripts from earlier versions will no - longer work. For now, if you want to use extension scripts, you - will need to read the Perl code to see how the compiler operates - internally. I will produce documentation before the first official - release. Compile-time extension scripts are executed using the - Perl 'do FILE' mechanism. - - The 'refresh' command is now synonymous with 'restart'.
@@ -207,20 +199,21 @@ There is only a single "pass as-is to iptables" argument - (so you must quote that par + (so you must quote that part). Example: - log_rule_limit - 'info' , - $chainref , - $chainref->{name}, - 'DROP' , - '', #Limit - '' , #Log tag - 'add'; + log_rule_limit( + 'info' , + $chainref , + $chainref->{name}, + 'DROP' , + '', #Limit + '' , #Log tag + 'add', #Command + '-p tcp'); #Added 'as-is' to the generated rule 
@@ -254,13 +247,14 @@ - Currently, support for ipsets is untested. That will change - with future pre-releases but one thing is certain -- Shorewall is - now out of the ipset load/reload business. With scripts generated - by the Perl-based Compiler, the Netfilter ruleset is never - cleared. That means that there is no opportunity for Shorewall to - load/reload your ipsets since that cannot be done while there are - any current rules using ipsets. + Currently, support for ipsets is only lightly tested (any + volunteers?). That will change with future pre-releases but one + thing is certain -- Shorewall is now out of the ipset load/reload + business. With scripts generated by the Perl-based Compiler, the + Netfilter ruleset is never cleared. That means that there is no + opportunity for Shorewall to load/reload your ipsets since that + cannot be done while there are any current rules using + ipsets. So:
@@ -311,9 +305,10 @@ fi the Shorewall-perl compiler rather than by the shell, only the basic forms of Shell expansion ($variable and ${variable}) are supported. The more exotic forms such as ${variable:=default} are - not supported. Both variables defined in /etc/shorewall/params and - environmental variables (exported by the shell) can be used in - configuration files. + not supported. Both variables defined in + /etc/shorewall/params and environmental + variables (exported by the shell) can be used in configuration + files.
@@ -324,8 +319,8 @@ fi DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset - is atomically loaded with one execution of - iptables-restore. + (with the exception of the dynamic blacklist) is atomically loaded + with one execution of iptables-restore.
@@ -347,7 +342,7 @@ fi Shorewall-perl has a single rule generator that is used for - all rule-oriented files. So it is important that the syntax is + all rule-oriented files. So it is important that the syntax be consistent between files. With shorewall-shell, there is a special syntax in the 
@@ -393,6 +388,10 @@ eth0 eth1:!192.168.4.9 ... Perl File::Temp Module + + + Perl Getopts::Long Module +
@@ -407,24 +406,26 @@ eth0 eth1:!192.168.4.9 ... Either - tar -jxf shorewall-perl-3.9.x.tar.bz2 -cd shorewall-perl-3.9.x + tar -jxf shorewall-perl-4.0.0-Betax.tar.bz2 +cd shorewall-perl-4.0.0-Betax ./install.sh or - rpm -ivh shorewall-pl-3.9.x-1.noarch.rpm + rpm -ivh shorewall-pl-4.0.0-0Betax.noarch.rpm - Note that you can also install the Shorewall 3.9.x version of - Shorewall. If you do that and still want access to the legacy shell-based - compiler, you must also install the Shorewall-shell package. + Note that you can also install the current Shorewall 4.0.0 Beta + version of Shorewall. If you do that and still want access to the legacy + shell-based compiler, you must also install the Shorewall-shell + package.
Using Shorewall-perl
- Using Shorewall-perl under Shorewall 3.4.x + Using Shorewall-perl under Shorewall 3.4.2 and Shorewall + 3.4.3 By default, the Shorewall-shell compiler will be used.
@@ -435,10 +436,7 @@ eth0 eth1:!192.168.4.9 ... If you add this setting to /etc/shorewall/shorewall.conf then by default, the - new compiler will be used on the system. If you add it to - shorewall.conf in a separate directory (such as a - Shorewall-lite export directory) then the new compiler will only be used - when you compile from that directory. + new compiler will be used on the system. Regardless of the setting of SHOREWALL_COMPILER, there is one change in Shorewall operation that is triggered simply by installing
@@ -451,7 +449,8 @@ eth0 eth1:!192.168.4.9 ...
- Using Shorewall-perl under Shorewall 3.9.x + Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and + later. If you only install one compiler, then that compiler will be used.
@@ -468,12 +467,13 @@ eth0 eth1:!192.168.4.9 ... new compiler will be used on the system. If you add it to shorewall.conf in a separate directory (such as a Shorewall-lite export directory) then the new compiler will only be used - when you compile from that directory. + when you compile from that directory (4.0.0 Beta6 and later + only). If you only install one compiler, it is suggested that you do not set SHOREWALL_COMPILER. - If you install Shorewall-perl under Shorewall 3.9.2 or later, you + If you install Shorewall-perl under Shorewall 3.4.4 or later, you can select the compiler to use on the command line using the 'C option: '-C shell' means use the shell compiler
diff --git a/docs/fallback.xml b/docs/fallback.xml
index 2bea5caf3..8e8c25536 100644
--- a/docs/fallback.xml
+++ b/docs/fallback.xml
@@ -43,7 +43,7 @@ - cd to the distribution directory for the version of Seattle + cd to the distribution directory for the version of Shoreline Firewall that you are currently running (NOT the version that you want to fall back to).
@@ -91,4 +91,26 @@ If you installed using an rpm, at a root shell prompt type rpm -e shorewall.
+ +
+ Shorewall-shell and Shorewall-perl + + Shorewall-shell and Shoreall-perl have no configuration files and + all of their released files are installed in a single directory. To + fallback to a prior release of one of these products using the tarballs, + simple re-install the older version. + + To uninstal these products when they have been installed using the + tarballs: + + + + rm -rf /usr/share/shorewall-shell + + + + rm -rf /usr/share/shorewall-perl + + +
\ No newline at end of file