From 7630d3cdb15b4639f08bcb47a20374a9af3faa8d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 10 Apr 2018 10:00:52 -0700 Subject: [PATCH] Update Shorewall 5 Article Signed-off-by: Tom Eastep --- docs/Shorewall-5.xml | 76 ++++++++++++++++++++++++++++++++++++-------- 1 file changed, 63 insertions(+), 13 deletions(-) diff --git a/docs/Shorewall-5.xml b/docs/Shorewall-5.xml index dd6741edf..40cbecbb8 100644 --- a/docs/Shorewall-5.xml +++ b/docs/Shorewall-5.xml @@ -135,6 +135,21 @@ CHAIN_SCRIPTS (Removed in Shorewall 5.1). + + + MODULE_SUFFIX (Removed in Shorewall 5.1.7). Shorewall can now + locate modules independent of their suffix (extension). + + + + INLINE_MATCHES (Removed in Shorewall 5.2). Inline matches are + now separated from column-oriented input by two adjacent semicolons + (";;"). + + + + MAPOLDACTIONS (Removed in Shorewall 5.2). + A compilation warning is issued when any of these options are 
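Review bot: the new MAPOLDACTIONS entry in the @@ -135 hunk gives no hint of what a configuration that still sets it should do, while the neighbouring entries each say what replaces the removed setting ("Shorewall can now locate modules independent of their suffix (extension)", "Inline matches are now separated from column-oriented input by two adjacent semicolons (";;")"). Add one sentence saying what happens to an existing MAPOLDACTIONS setting after 5.2 (ignored, or action names must be changed by hand), or point at the release-notes entry that covers it. The INLINE_MATCHES entry should likewise say whether rule files written for INLINE_MATCHES=Yes have to be edited to use ";;" after the upgrade; the trailing "A compilation warning is issued when any of these options are" sentence is about the shorewall.conf options themselves, not about rules that depended on them.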
@@ -173,17 +188,18 @@ Obsolete Configuration Files Support has been removed for the 'blacklist', 'tcrules', - 'routestopped', 'notrack' and 'tos' files. + 'routestopped', 'notrack', 'tos' and 'masq' files. - The and options of the - update command are still available to convert the - 'tcrules' and 'tos' files to the equivalent 'mangle' file and to convert - the 'blacklist' file into an equivalent 'blrules' file. + The update command is available to convert the + 'tcrules' and 'tos' files to the equivalent 'mangle' file, to convert + the 'blacklist' file into an equivalent 'blrules' file, and to convert + the 'masq' file to the equivalent 'snat' file. - As in Shorewall 4.6.12, the option is - available to convert the 'routestopped' file into the equivalent - 'stoppedrules' file and the option is available to - convert a 'notrack' file to the equivalent 'conntrack' file. + As in Shorewall 4.6.12, the update command + converts the 'routestopped' file into the equivalent 'stoppedrules' file + and converts a 'notrack' file to the equivalent 'conntrack' file. + + Note that in Shorewall 5.2, the update command
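Review bot: the list in the @@ -173 hunk now reads 'routestopped', 'notrack', 'tos' and 'masq' files without saying in which release 'masq' support was dropped, whereas every other removal in this article carries a version ("Removed in Shorewall 5.1.7", "Removed in Shorewall 5.2"); a reader still on an earlier 5.x release will conclude the masq file is already unsupported. Qualify the addition with the release, and do the same for the new "to convert the 'masq' file to the equivalent 'snat' file" clause, since the next paragraph dates the other conversions with "As in Shorewall 4.6.12, the update command converts ...". The final added line, "Note that in Shorewall 5.2, the update command", stops mid-sentence in the hunk as shown, so whatever that note states cannot be checked here; make sure the complete sentence is in the committed file.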
@@ -367,6 +383,33 @@ equivalent RESTART setting.
+ +
+ refresh + + Given the availability of ipset-based blacklisting, the + refresh command was eliminated in Shorewall + 5.2. + + Some users may have been using refresh as a + lightweight form of reload. The most common of these + uses seem to be for reloading traffic shaping after an interface has + gone down and come back up. The best way to handle this situation under + 5.2 is to make the interface 'optional' in your + /etc/shorewall[6]/interfaces file, then either: + + + + Install Shorewall-init and enable IFUPDOWN; or + + + + Use the reenable command when the interface + comes back up in place of the refresh + command. + + +
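Review bot: the opening sentence of the new refresh section, "Given the availability of ipset-based blacklisting, the refresh command was eliminated in Shorewall 5.2", assumes the reader already knows that refresh existed for the sake of blacklisting; spell that link out in half a sentence, because the only other description of the command in the section is that some users treated it "as a lightweight form of reload". In the two-item list, the second alternative says to "Use the reenable command when the interface comes back up", but nothing says how the user learns that the interface is back without Shorewall-init; state that this is a manual step and give the full command line, as the article does elsewhere for "shorewall update -A". Also, marking the interface 'optional' in /etc/shorewall[6]/interfaces is stated once before "then either:", so it is easy to read as belonging only to the first alternative; restate that it is required for both.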
@@ -423,9 +466,14 @@
Upgrading to Shorewall 5 - It is strongly recommended that you first upgrade your installation - to a 4.6 release that supports the option to the - update command; 4.6.13.2 or later is preferred. + + For detailed upgrade information, please consult the 'Migration + Issues' section of the release notes for the version that you are + upgrading to. + It is strongly recommended that you first upgrade your + installation to a 4.6 release that supports the option + to the update command; 4.6.13.2 or later is + preferred. Once you are on that release, execute the shorewall update -A command (and shorewall6 update -A if you @@ -445,7 +493,9 @@ have been removed -- the updates triggered by those options are now performed unconditionally. The and options have been retained - both enable checking for issues that - could result if INLINE_MATCHES were to be set to Yes. + could result if INLINE_MATCHES were to be set to Yes. The -i option was + removed in Shorewall 5.2, given that the INLINE_MATCHES option was also + removed.
CHAIN_SCRIPTS Removal
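Review bot: in the @@ -423 hunk the new paragraph "For detailed upgrade information, please consult the 'Migration Issues' section of the release notes for the version that you are upgrading to" is placed in front of the retained "It is strongly recommended that you first upgrade your installation to a 4.6 release ..." text, so the section now offers two starting points without ordering them; say explicitly that the 4.6 intermediate step comes first and that the release notes cover the 5.x-specific issues after it. The retained instruction to run "shorewall update -A" on the 4.6 release also needs reconciling with the following hunk, which says that several update options "have been removed -- the updates triggered by those options are now performed unconditionally"; make clear that -A is the 4.6.13.2-or-later syntax and whether it is still accepted, or still needed, once the installation is on 5.2.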
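Review bot: the @@ -445 hunk appends "The -i option was removed in Shorewall 5.2, given that the INLINE_MATCHES option was also removed" directly after "The ... options have been retained - both enable checking for issues that could result if INLINE_MATCHES were to be set to Yes", so the paragraph now says an option is retained and removed in consecutive sentences. Rewrite the retained-options sentence to be release-specific (retained through 5.1, -i dropped in 5.2) and state what, if anything, still performs that check in 5.2; otherwise the reader cannot tell whether rules written for INLINE_MATCHES=Yes are flagged or silently misparsed after the upgrade. The new "-i" is also bare text while the other option names in the same sentence are carried in markup; use the same element for consistency.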