From 436ec8559d6ebe77ddb5e7200c50af3ecca6b1e6 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 19 May 2007 14:41:19 +0000 Subject: [PATCH] Update documentation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6408 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/releasenotes.txt | 6 +-- docs/Shorewall-4.xml | 68 +++++++++++++++++++++++-------- docs/Shorewall-perl.xml | 32 ++++++++++++++- 3 files changed, 84 insertions(+), 22 deletions(-) diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 9748be308..eaec48f97 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -1,4 +1,4 @@ -Shorewall 3.9.8 +Shorewall 4.0.0 Beta 1 ---------------------------------------------------------------------------- R E L E A S E H I G H L I G H T S ---------------------------------------------------------------------------- @@ -15,7 +15,7 @@ Shorewall 3.9.8 You must install Shorewall and at least one of the compiler packages (you may install them both). -Problems corrected in 3.9.8. +Problems corrected in 4.0.0 Beta 1. 1) The commands "shorewall add/delete " no longer case lots of error messages to be issued. @@ -26,7 +26,7 @@ Problems corrected in 3.9.8. 3) A run-time error no longer occurs when an IP address is specified in the GATEWAY column of /etc/shorewall/providers. -Other changes in Shorewall 3.9.8. +Other changes in Shorewall 4.0.0 Beta 1. 1) The "shorewall show zones" command now flags zone members that have been added using "shorewall add" by preceding them with a plus sign diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml index a1e94e24d..94f1b5dd1 100644 --- a/docs/Shorewall-4.xml +++ b/docs/Shorewall-4.xml @@ -38,7 +38,7 @@ Introduction Shorewall version 4 is currently in development and is available for - testing as the 3.9.x series. + beta testing. Shorewall version 4 represents a substantial shift in direction for Shorewall. Up to now 
@@ -85,7 +85,7 @@ You can download the development version of Shorewall Version 4 from any of the download sites with the exception of SourceForge. It is contained in the /pub/shorewall/development/3.9/ + class="directory">/pub/shorewall/development/4.0 directory. Shorewall 4 contains four packages: @@ -98,7 +98,7 @@ Shorewall-perl - the new Perl-based compiler. May be installed - under Shorewall 3.4.2 or later or 3.9.x. + under Shorewall 3.4.2 or later or 4.0.x. @@ -397,6 +397,28 @@ fi combination doesn't work in previous versions of Shorewall so the Perl-based compiler simply rejects it. + + + Shorewall-perl has a single rule generator that is used for all + rule-oriented files. So it is important that the syntax is consistent + between files. + + With shorewall-shell, there is a special syntax in the SOURCE + column of /etc/shorewall/masq to designate "all traffic entering the + firewall on this interface except...". + + Example:#INTERFACE SOURCE ADDRESSES +eth0 eth1!192.168.4.9 ...Shorewall-perl + uses syntax that is consistent with the rest of + Shorewall:#INTERFACE SOURCE ADDRESSES +eth0 eth1:!192.168.4.9 ... + + + + The 'allowoutUPnP' built-in action is no longer supported. In + kernel 2.6.14, the Netfilter team have removed support for '-m owner + --owner-cmd' which that action depended on. + 
@@ -408,24 +430,36 @@ fi If you install both compilers, then the compiler actually used depends on the SHOREWALL_COMPILER setting in - shorewall.conf. The value of this new option can be - either 'perl' or 'shell'. + shorewall.conf. - If you add 'SHOREWALL_COMPILER=shell' to + The value of this new option can be either 'perl' or 'shell'. + + If you add 'SHOREWALL_COMPILER=perl' to /etc/shorewall/shorewall.conf then by default, the new compiler will be used on the system. If you add it to shorewall.conf in a separate directory (such as a Shorewall-lite export directory) then the new compiler will only be used - when you compile from that directory. If you only install one compiler, it - is suggested that you do not set SHOREWALL_COMPILER. Regardless of the - setting of SHOREWALL_COMPILER, there is one change in Shorewall operation - that is triggered simply by installing shorewall-perl. Your - params file will be processed during compilation with - the shell's '-a' option which causes any variables that you set or create - in that file to be automatically exported. Since the params file is - processed before shorewall.conf, using -a insures - that the settings of your params variables are available to the new - compiler should it's use be specified in - shorewall.conf. + when you compile from that directory. + + If you only install one compiler, it is suggested that you do not + set SHOREWALL_COMPILER. + + You can select the compiler to use on the command line using the 'C + option: + '-C shell' means use the shell compiler + + '-C perl' means use the perl compiler + The -C option overrides the setting in + shorewall.conf. + + Example:shorewall restart -C perlRegardless + of the setting of SHOREWALL_COMPILER, there is one change in Shorewall + operation that is triggered simply by installing shorewall-perl. 
Your + params file will be processed during compilation with the shell's '-a' + option which causes any variables that you set or create in that file to + be automatically exported. Since the params file is processed before + shorewall.conf, using -a insures that the settings of your params + variables are available to the new compiler should its use be specified in + shorewall.conf. \ No newline at end of file diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index 3d64a7a15..8fe46e594 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -338,6 +338,34 @@ fi supported; neither is the /etc/shorewall/ipsec file. + + + BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. + This combination doesn't work in previous versions of Shorewall so + the Perl-based compiler simply rejects it. + + + + Shorewall-perl has a single rule generator that is used for + all rule-oriented files. So it is important that the syntax is + consistent between files. + + With shorewall-shell, there is a special syntax in the + SOURCE column of /etc/shorewall/masq to designate "all traffic + entering the firewall on this interface except...". + + Example:#INTERFACE SOURCE ADDRESSES +eth0 eth1!192.168.4.9 ...Shorewall-perl + uses syntax that is consistent with the rest of + Shorewall:#INTERFACE SOURCE ADDRESSES +eth0 eth1:!192.168.4.9 ... + + + + The 'allowoutUPnP' built-in action is no longer supported. + In kernel 2.6.14, the Netfilter team have removed support for '-m + owner --owner-cmd' which that action depended on. + @@ -451,8 +479,8 @@ fi '-C shell' means use the shell compiler '-C perl' means use the perl compiler - The -C option overrides the setting in shorewall.conf. - + The -C option overrides the setting in + shorewall.conf. Example:shorewall restart -C perlRegardless of the setting of SHOREWALL_COMPILER, there is one change in Shorewall
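Review bot: In Shorewall-common/releasenotes.txt, the context line directly under the renamed "Problems corrected in 4.0.0 Beta 1." heading still reads "no longer case lots of error messages". Since this commit already edits that block for the Beta 1 release, change "case" to "cause" in the same pass so the typo does not ship in the release notes.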
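Review bot: In docs/Shorewall-4.xml, the new masq item (hunk at -397,6) shows the shorewall-shell form "eth1!192.168.4.9" and the Shorewall-perl form "eth1:!192.168.4.9" but never says what Shorewall-perl does when it meets the old form. The entry expresses an exclusion from masquerading, so someone migrating an existing masq file needs to know whether the old syntax fails at compile time or is accepted with a different meaning. Add one sentence stating which. The allowoutUPnP item in the same hunk has a similar gap: it explains why the action was removed but not what happens to a configuration that still references it.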
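Review bot: In docs/Shorewall-4.xml, the added sentence "You can select the compiler to use on the command line using the 'C option:" (hunk at -408,24) has a stray quote where the hyphen belongs; it should read "the -C option", matching '-C shell' and '-C perl' just below it. The rewrapped params paragraph corrects "it's use" to "its use" but keeps "using -a insures", which should be "ensures". That paragraph also says every variable set in params is exported merely because shorewall-perl is installed, regardless of SHOREWALL_COMPILER; that deserves to be called out as a behaviour change rather than left as the tail of the compiler-selection text. The file still ends without a trailing newline.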
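Review bot: In docs/Shorewall-perl.xml, the three list items added at -338,6 (BLACKLISTNEWONLY with FASTACCEPT, the masq SOURCE syntax, allowoutUPnP) repeat the text in docs/Shorewall-4.xml almost word for word, and the masq and allowoutUPnP items are added to both files by this same commit. Keep the incompatibility list in one document and reference it from the other so the two copies cannot drift. Separately, "This combination doesn't work in previous versions of Shorewall" does not tell the reader what goes wrong; a short statement of the failure would explain why the Perl-based compiler rejects the combination outright.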