diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 09bb8d7ac..5fc2433e3 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -43,6 +43,10 @@ Shorewall 4.4.0 10) Support for per-IP traffic shaping classes has been added. +11) Support for netfilter's TRACE facility has been added. TRACE allows + you to trace selected packets through Netfilter, including marking + by tcrules. + ---------------------------------------------------------------------------- M I G R A T I O N I S S U E S ---------------------------------------------------------------------------- 
@@ -65,20 +69,26 @@ Shorewall 4.4.0 http://www.shorewall.net/Shorewall-perl.html#Incompatibilities and make changes to your configuration as necessary. + We strongly recommend that you migrate to Shorewall-perl on your + current Shorewall version before upgrading to Shorewall 4.4.0. That + way, you can have both Shorewall-shell and Shorewall-perl available + until you are certain that Shorewall-perl is working correctly for + you. + 2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and 'shorewall6 clear' commands no longer read the 'routestopped' file. The 'routestopped' file used is the one that was present at the last 'start', 'restart' or 'restore' command. - IMPORTANT: If you modify the routestopped file, you must restart - Shorewall before the changes to that file take effect. + IMPORTANT: If you modify the routestopped file, you must refresh or + restart Shorewall before the changes to that file take effect. 3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4 documentation uses the new syntax exclusively, although the old syntax continues to be supported. - The sample configuration also use the new syntax. + The sample configurations also use the new syntax. 4) Support for the SAME target in /etc/shorewall/masq and /etc/shorewall/rules has been removed, following the removal of the @@ -208,7 +218,7 @@ None. IPv6 firewall scripts generated by Shorewall6. 2) The interfaces file supports a new 'nets=' option. This option - allows users to restrict a zone's definition to particular networks + allows you to restrict a zone's definition to particular networks through an interface without having to use the hosts file. Example interfaces file: 
@@ -262,7 +272,7 @@ None. the connection over which that last packet was sent. When used in the OUTPUT chain, it causes all matching connections - to an individual remote system to all use the same provider. + to an individual remote system to use the same provider. For example: @@ -285,10 +295,17 @@ None. executed the command copies itself to /var/lib/shorewall[6]/firewall. + As always, /var/lib/shorewall[6] is the default directory which may + be overridden using the /etc/shorewall[6]/vardir file. + 5) Dynamic zone support is once again available for IPv4. This support is built on top of ipsets so you must have the xtables-addons installed on the firewall system. + See http://www.shorewall.net/Dynamic.html for information about + this feature and for instructions for installing xtables-addons on + your firewall. + Dynamic zones are available when Shorewall-lite is used as well. You define a zone as having dynamic content in one of two ways: @@ -316,7 +333,7 @@ None. /etc/shorewall/vardir (/etc/shorewall-lite/vardir). b) During 'start', 'restart' and 'restore' processing, Shorewall - will then attempt to create an ipset named _ + will attempt to create an ipset named _ for each zone/interface pair that has been specified as dynamic. The type of ipset created is 'iphash' so that only individual IPv4 addresses may be added to the set. 
@@ -343,11 +360,12 @@ None. These commands are supported by shorewall-lite as well. 6) The generated program now attempts to detect all dynamic - information when it first starts. If any of those steps fail, an - error message is generated and the state of the firewall is not - changed. + information when it first starts. Dynamic information includes IP + addresses, default gateways, networks routed through an interface, + etc. If any of those steps fail, an error message is generated and + the state of the firewall is not changed. -7) To improve readability of the configuration files, Shorewall now +7) To improve the readability of configuration files, Shorewall now allows leading white space in continuation lines when the continued line ends in ":" or ",". @@ -461,7 +479,7 @@ None. ... -A log0 -j LOG --log-level 6 --log-prefix "Shorewall:loc2net:REJECT:" - -A log0 -p 6 --dport 25 -j reject + -A log0 -j reject Notice that now there is only a single rule generated in the 'loc2net' chain where before there were two. Packets for other than @@ -566,7 +584,7 @@ None. For example, suppose that your internal network is 192.168.1.0/29 (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs - 1:1 through 1:6. But 1:1 is the class ID if the base HTB class on + 1:1 through 1:6. But 1:1 is the class ID of the base HTB class on interface 1. So you might chose instead to use IPMARK(src,0xFF,0x10100) as shown in the example above so as to avoid minor class 1. 
@@ -614,8 +632,8 @@ None. class number when none is given. - Prior to this change, the class number was constructed by concatinating - the mark value with the either '1' or '10'. '10' is used when - there are more than 10 devices defined in /etc/shorewall/tcdevices. + the mark value with the either '1' or '10'. '10' was used when + there were more than 10 devices defined in /etc/shorewall/tcdevices. - Beginning with this change, a new method is added; class numbers are assigned sequentially beginning with 2. @@ -632,9 +650,10 @@ None. column) must be >= 65536 (0x10000) and must be a multiple of 65536 (0x1000, 0x20000, 0x30000, ...). -16) In the 'shorewall compile' command, the filename '-' now causes - the compiled script to be written to Standard Out. As a side - effect, the effective VERBOSITY is set to -1 (silent). +16) In the 'shorewall compile' and 'shorewall6 compile' commands, the + filename '-' now causes the compiled script to be written to + Standard Out. As a side effect, the effective VERBOSITY is set to + -1 (silent). Examples: @@ -647,7 +666,8 @@ None. 17) Supplying an interface name in the SOURCE column of /etc/shorewall/masq is now deprecated. Entering the name of an - interface there will result in a compile-time warning. + interface there will result in a compile-time warning (see the + Migration Considerations above). 18) Shorewall now supports nested HTB traffic shaping classes. The nested classes within a class can borrow from their parent class in 
@@ -688,13 +708,12 @@ None. Local traffic (that coming from the firewall and from the DMZ server) is placed in the effectively unrestricted class 1:10. The default class is guaranteed half of the download capacity and my - work system (172.20.1.107) is guarandeed the other half. - + work system (172.20.1.107) is guarandeed the other half. 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing - discipline has been added. HFSC is superior to the "Hierarchical - Token Bucket" queuing discipline where realtime traffic such as - VOIP is being used. + discipline has been added. HFSC is claimed to be superior to the + "Hierarchical Token Bucket" queuing discipline where realtime + traffic such as VOIP is being used. An excellent overview of HFSC on Linux may be found at http://linux-ip.net/articles/hfsc.en/.
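Review bot: The new item 11 in the first hunk (`@@ -43,6 +43,10 @@`) names the TRACE facility but does not say where it is configured or point to documentation, unlike the later dynamic-zone item that links to http://www.shorewall.net/Dynamic.html. Suggest adding the configuration file or action the user invokes and a documentation link, and using one spelling of Netfilter (the added lines use both "netfilter's" and "Netfilter").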
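Review bot: In the `@@ -65,20 +69,26 @@` hunk, the IMPORTANT note under item 2 now says "refresh or restart" makes a changed routestopped file take effect, but the sentence just above it still says the file used is the one present at the last 'start', 'restart' or 'restore' command. Add 'refresh' to that list so the two statements agree.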
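Review bot: In the `@@ -285,10 +295,17 @@` hunk, the added sentence "As always, /var/lib/shorewall[6] is the default directory which may be overridden using the /etc/shorewall[6]/vardir file" assumes the reader already knows the vardir mechanism; "As always" adds nothing for a release-notes reader and "which" should be "that" since the clause is restrictive. Suggest: "/var/lib/shorewall[6] is the default directory; it may be overridden using the /etc/shorewall[6]/vardir file."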
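Review bot: In the `@@ -316,7 +333,7 @@` hunk, the changed line reads "will attempt to create an ipset named _", so the set-naming pattern survives only as a bare underscore; if the zone and interface names were written as angle-bracketed placeholders, they have been lost. Spell the pattern out in words (for example "named from the zone name and interface name joined by an underscore") so it cannot be stripped as markup.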
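Review bot: In the `@@ -343,11 +360,12 @@` hunk, the rewritten item 6 inserts the list of dynamic information (IP addresses, default gateways, routed networks) between "detect all dynamic information" and "If any of those steps fail", so "those steps" no longer has a clear antecedent. Suggest "If detection of any of these fails, an error message is generated ...".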
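Review bot: In the `@@ -461,7 +479,7 @@` hunk, replacing "-A log0 -p 6 --dport 25 -j reject" with "-A log0 -j reject" removes the protocol and port match from the log0 chain, but the surrounding text only says that 'loc2net' now has a single rule; the excerpt does not show where the "-p 6 --dport 25" match now lives. Include the 'loc2net' jump rule in the example so the reader can see that the match moved rather than disappeared.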
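Review bot: In the `@@ -566,7 +584,7 @@` hunk, the "if" to "of" fix is correct, but the unchanged context line immediately after it still reads "So you might chose instead", which should be "choose". Worth fixing in the same pass.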
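Review bot: In the `@@ -614,8 +632,8 @@` hunk, the added line keeps "the mark value with the either '1' or '10'", where "the either" should be "either", and the unchanged context line above it still has "concatinating" (should be "concatenating"). Since the hunk already touches this sentence, fix both here.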
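Review bot: In the `@@ -632,9 +650,10 @@` hunk, the context line "(0x1000, 0x20000, 0x30000, ...)" lists 0x1000 as an example of a multiple of 65536 (0x10000), which it is not; it reads like a dropped zero. Please correct the first value so the examples match the stated requirement.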
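Review bot: In the `@@ -647,7 +666,8 @@` hunk, the new cross-reference "(see the Migration Considerations above)" does not match the section title used in the first hunk, which is "M I G R A T I O N   I S S U E S". Use the same name in both places so the reference can be found.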
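Review bot: In the `@@ -688,13 +708,12 @@` hunk, the re-added line still contains "guarandeed" (should be "guaranteed"), and the hunk drops the blank line that separated item 18 from item 19, which every other numbered item in this file keeps. Fix the spelling and restore the separator; the hedge "HFSC is claimed to be superior" in item 19 is a sensible change.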