Update the Shorewall 5 article for 4.6.13.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2015-08-31 11:04:00 -07:00
parent b0bf726c7e
commit 377e2037ca


@ -81,7 +81,7 @@
<para>Over the years, a number of workarounds have been added to <para>Over the years, a number of workarounds have been added to
Shorewall to work around defects in other products. In current Shorewall to work around defects in other products. In current
distributions, those defects have been corrected and in 4.6.11, a distributions, those defects have been corrected, and in 4.6.11, a
WORKAROUNDS configuration option was added to disable those workarounds. WORKAROUNDS configuration option was added to disable those workarounds.
In Shorewall 5, the WORKAROUNDS setting is still available in the In Shorewall 5, the WORKAROUNDS setting is still available in the
shorewall[6].conf files but:</para> shorewall[6].conf files but:</para>
@ -96,6 +96,9 @@
eliminated.</para> eliminated.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>If there is a need to add new workarounds in the future, those
workarounds will be enabled by WORKAROUNDS=Yes.</para>
</section> </section>
<section> <section>
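Review bot: the added paragraph writes WORKAROUNDS=Yes as bare text, while the other literals in this article are marked up with <option> or <command>; wrap the setting in <option> for consistency. The paragraph also says only what Yes will do for future workarounds; a sentence stating explicitly whether WORKAROUNDS=No will disable them would keep it in line with the earlier text that introduces the option as a way "to disable those workarounds".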
@ -148,7 +151,7 @@
<para>A fatal compilation error is emitted if any of these options are <para>A fatal compilation error is emitted if any of these options are
present in the .conf file, and the <command>shorewall[6] present in the .conf file, and the <command>shorewall[6]
update</command> command will replace these options with equivalent update</command> command will replace these options with equivalent
setting for the options that supersede them.</para> setting of the options that supersede them.</para>
</section> </section>
<section> <section>
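Review bot: in the last changed line, "equivalent setting of the options that supersede them" still pairs a singular "setting" with plural "options". Since several options are being replaced, "equivalent settings of the options that supersede them" reads correctly.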
@ -159,17 +162,13 @@
<para>The <option>-t</option> and <option>-b</option> options of the <para>The <option>-t</option> and <option>-b</option> options of the
<command>update</command> command are still available to convert the <command>update</command> command are still available to convert the
'tcrules' file to the equivalent 'mangle' file and to convert the 'tcrules' and 'tos' files to the equivalent 'mangle' file and to convert
'blacklist' file into an equivalent 'blrules' file. </para> the 'blacklist' file into an equivalent 'blrules' file.</para>
<para>As in Shorewall 4.6.12, the <option>-s</option> option is <para>As in Shorewall 4.6.12, the <option>-s</option> option is
available to convert the 'routestopped' file into the equivalent available to convert the 'routestopped' file into the equivalent
'stoppedrules' file and the <option>-n</option> option is available to 'stoppedrules' file and the <option>-n</option> option is available to
convert a 'notrack' file to the equivalent 'conntrack' file.</para> convert a 'notrack' file to the equivalent 'conntrack' file.</para>
<para> No update option is available to update the 'tos' file. Its
entries must be manually converted to TOS rules in the 'mangle'
file.</para>
</section> </section>
<section> <section>
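Review bot: the rewritten first paragraph no longer makes clear which option handles which file: "-t and -b" are now mapped onto 'tcrules', 'tos' and 'blacklist' in one sentence, so say explicitly which option converts the 'tos' file. The following paragraph ties -s and -n to a release with "As in Shorewall 4.6.12", but the 'tos' conversion gets no version note even though the paragraph removed here said no update option existed for it; naming the release in which that conversion became available would keep readers on older 4.6 releases from expecting it.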
@ -350,16 +349,12 @@
<para>It is stongly recommended that you first upgrade your installation <para>It is stongly recommended that you first upgrade your installation
to a 4.6 release that supports the <option>-A</option> option to the to a 4.6 release that supports the <option>-A</option> option to the
<command>update</command> command; 4.6.12 or later is preferred.</para> <command>update</command> command; 4.6.13 is preferred.</para>
<para>Once you are on that release, execute the <command>shorewall update <para>Once you are on that release, execute the <command>shorewall update
-A</command> command (and <command>shorewall6 update -A</command> if you -A</command> command (and <command>shorewall6 update -A</command> if you
also have Shorewall6).</para> also have Shorewall6).</para>
<para>If you have a non-empty 'tos' file, it is also suggested that you
manually convert its entries to equivalent TOS entries in the 'mangle'
file.</para>
<para>Finally, add ?FORMAT 2 to each of your macro and action files and be <para>Finally, add ?FORMAT 2 to each of your macro and action files and be
sure that the check command does not produce errors -- if it does, you can sure that the check command does not produce errors -- if it does, you can
shuffle the columns around to make them work on both Shorewall 4 and shuffle the columns around to make them work on both Shorewall 4 and
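Review bot: "4.6.13 is preferred" drops the "or later" of the previous wording, which reads as though later 4.6 releases are less suitable; if that is not the intent, write "4.6.13 or later is preferred". The unchanged first line of this paragraph still has "stongly" for "strongly", which is worth fixing while the paragraph is being edited.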
@ -368,42 +363,4 @@
<para>These steps can also be taken after you upgrade, but your firewall <para>These steps can also be taken after you upgrade, but your firewall
likely won't start or work correctly until you do.</para> likely won't start or work correctly until you do.</para>
</section> </section>
<section>
<title>Potential Upgrade Issues</title>
<para>There are several potential problems with using the <command>update
-A</command> command. These are described in the following
sections.</para>
<section>
<title>Sparse /etc/shorewall[6] Directory</title>
<para>If you run a Debian-based distribution or another once that does
not fully populate /etc/shorewall[6] and you include a fully-populated
directory in your CONFIG_PATH, then an additional step is required
before running<command> update -A</command>. You must copy skeleton
'blrules', 'mangle' and 'conntrack' files into /etc/shorewall[6] or
<command>update -A</command> will update the files in the fully
populated directory rather than creating new files in
/etc/shorewall[6].</para>
</section>
<section>
<title>Old Multi-ISP Configurations</title>
<para>If you have an old Multi-ISP configuration that does not include
USE_DEFAULT_RT in shorewall.conf, then you need to add USE_DEFAULT_RT=No
in that file prior to running <command>update -A</command>. Otherwise,
the <command>update</command> command will fail with the error:</para>
<simplelist>
<member>ERROR: The COPY column must be empty when
USE_DEFAULT_RT=Yes</member>
</simplelist>
<para>If you receive this error, modify the setting of USE_DEFAULT_RT to
No and rerun the command.</para>
</section>
</section>
</article> </article>
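Review bot: the entire "Potential Upgrade Issues" section is deleted, and neither the remaining text nor the commit message says why its two warnings no longer apply (copying skeleton 'blrules', 'mangle' and 'conntrack' files into a sparse /etc/shorewall[6], and adding USE_DEFAULT_RT=No for old Multi-ISP configurations). The upgrade paragraph above still allows any "4.6 release that supports the -A option", so if these issues are only resolved in 4.6.13, either keep the section with a version qualifier or state the reason for the removal in the commit message.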