From 799d579a159c30ad59ca26f1f757c444b2fed87a Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 10 Oct 2005 14:57:56 +0000 Subject: [PATCH] Fix some problems in the Release Notes git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2844 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/releasenotes.txt | 48 +++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 1a146df02..6c114365b 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -207,7 +207,7 @@ Migration Considerations: TC_ENABLED=internal then tc4shorewall will be used. If the option is set to Yes then Shorewall will continue to look for a 'tcstart' script. -New Features in Shorewall 2.5.* +New Features in Shorewall 3.0.* 1) Error and warning messages are made easier to spot by using capitalization (e.g., ERROR: and WARNING:). @@ -349,9 +349,9 @@ New Features in Shorewall 2.5.* 7) A new FASTACCEPT option has been added to shorewall.conf. - Normally, Shorewall accepting ESTABLISHED/RELATED packets until - these packets reach the chain in which the original connection was - accepted. So for packets going from the 'loc' zone to the 'net' + Normally, Shorewall defers accepting ESTABLISHED/RELATED packets + until these packets reach the chain in which the original connection + was accepted. So for packets going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net' chain. 
@@ -385,19 +385,15 @@ New Features in Shorewall 2.5.* That rule would allow loc->net HTTP access from the local network 10.0.0.0/24 except for hosts 10.0.0.4 and 10.0.0.22. -10) You may now specify "!" followed by a list of addresses in the - SOURCE and DEST columns of entries in /etc/shorewall/tcrules and - Shorewall will generate the rule that you expect. - -11) Tunnel types "openvpnserver" and "openvpnclient" have been added +10) Tunnel types "openvpnserver" and "openvpnclient" have been added to reflect the introduction of client and server OpenVPN configurations in OpenVPN 2.0. -12) The COMMAND variable is now set to 'restore' in restore +11) The COMMAND variable is now set to 'restore' in restore scripts. The value of this variable is sometimes of interest to programmers providing custom /etc/shorewall/tcstart scripts. -13) Previously, if you defined any intra-zone rule(s) then any traffic +12) Previously, if you defined any intra-zone rule(s) then any traffic not matching the rule(s) was subject to normal policies (which usually turned out to involve the all->all REJECT policy). Now, the intra-zone ACCEPT policy will still be in effect in the presense of @@ -417,7 +413,7 @@ New Features in Shorewall 2.5.* #SOURCE DEST POLICY LOG LEVEL loc loc ACCEPT info -14) Prior to Shorewall 2.5.3, the rules file only controlled packets in +13) Prior to Shorewall 2.5.3, the rules file only controlled packets in the Netfilter states NEW and INVALID. Beginning with this release, the rules file can also deal with packets in the ESTABLISHED and RELATED states. 
@@ -456,12 +452,12 @@ New Features in Shorewall 2.5.* /etc/shorewall.shorewall.conf then the ESTABLISHED and RELATED sections must be empty. -15) The value 'ipp2p' is once again allowed in the PROTO column of +14) The value 'ipp2p' is once again allowed in the PROTO column of the rules file. It is recommended that rules specifying 'ipp2p' only be included in the ESTABLISHED section of the file. -16) Shorewall actions lack a generalized way to pass parameters to an +15) Shorewall actions lack a generalized way to pass parameters to an extension script associated with an action. To work around this lack, some users have used the log tag as a parameter. This works but requires that a log level other than 'none' be specified when @@ -484,17 +480,17 @@ New Features in Shorewall 2.5.* Now, $1 = these, $2 = are and $3 = parameters -17) The "shorewall check" command now checks the /etc/shorewall/masq, +16) The "shorewall check" command now checks the /etc/shorewall/masq, /etc/shorewall/blacklist, /etc/shorewall/proxyarp, /etc/shorewall/nat and /etc/shorewall/providers files. -18) Arne Bernin's "tc4shorewall" package has been integrated into +17) Arne Bernin's "tc4shorewall" package has been integrated into Shorewall. Arne will be providing documentation and support for this part of Shorewall. Thanks, Arne! -19) When /usr/share/shorewall/functions is loaded it now sets +18) When /usr/share/shorewall/functions is loaded it now sets SHOREWALL_LIBRARY=Loaded @@ -502,7 +498,7 @@ New Features in Shorewall 2.5.* variable to determine if the library has been loaded into the current shell process. -20) The install.sh script now does a much cleaner job of backing up the +19) The install.sh script now does a much cleaner job of backing up the current installation. It copies the directories /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall to a directory of the same name with "-$VERSION.bkout" appended. The init script and 
@@ -514,7 +510,7 @@ New Features in Shorewall 2.5.* rm -rf /usr/share/shorewall-*.bkout rm -rf /var/lib/shorewall-*.bkout -21) A new '-n' option has been added to the "start", "restart", +20) A new '-n' option has been added to the "start", "restart", "restore", "stop" and "try" commands. This option instructs Shorewall to not alter the routing in any way. 
@@ -522,27 +518,27 @@ New Features in Shorewall 2.5.* it prevents the route cache from being flushed which preserves the mapping of end-point address pairs to routes. -22) The output of "shorewall dump" now includes a capabilities report +21) The output of "shorewall dump" now includes a capabilities report such as the one produced by "shorewall show capabilities". -23) The "plain" zone type has been replaced by "ipv4". The types +22) The "plain" zone type has been replaced by "ipv4". The types "IPv4" and "IPV4" are synonyms for "ipv4". In addition, "IPSEC", "ipsec4" and "IPSEC4" are recognized synonyms for "ipsec". -24) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been +23) The NEWNOTSYN and LOGNEWNOTSYN options in shorewall.conf have been removed as have the 'newnotsyn' options in /etc/shorewall/interfaces and /etc/shorewall/hosts. See the Migration Considerations for instructions if you wish to block "new-not-syn" TCP packets. -25) The "shorewall show zones" command now displays the zone type. You +24) The "shorewall show zones" command now displays the zone type. You must have restarted Shorewall using this release before this feature will work correctly. -26) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes +25) The multi-ISP code now requires that that you set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This is done to ensure that "shorewall refresh" will work correctly. -27) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p" +26) Shorewall now supports UDP IPP2P matching. In addition to the "ipp2p" keyword in the PROTOCOL column of the relevant files, the following values may be specified: 
@@ -552,7 +548,7 @@ New Features in Shorewall 2.5.* ipp2p:all Matches both UDP and TCP traffic. You may not specify a SOURCE PORT with this PROTOCOL. -28) Normally MAC verification triggered by the 'maclist' interface and host +27) Normally MAC verification triggered by the 'maclist' interface and host options is done out of the INPUT and FORWARD chains of the filter table. Users have reported that under some circumstances, MAC verification is failing for forwarded packets when the packets are being forwarded out
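Review bot: In the hunk at @@ -385, old item 10 (the "!" address-list support for the SOURCE and DEST columns of /etc/shorewall/tcrules) is deleted without any reason given; the subject "Fix some problems in the Release Notes" does not say whether the feature was withdrawn or was listed in error. Please say which in the commit message, because a reader who saw the earlier note may still write tcrules exclusions and expect "the rule that you expect". While the neighbouring items are being renumbered, "presense" in the context of item 12 could also be corrected to "presence".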
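Review bot: In the hunk at @@ -417, renumbered item 13 still reads "Prior to Shorewall 2.5.3 ... Beginning with this release", but the hunk at @@ -207 retitles the section to "New Features in Shorewall 3.0.*", so "this release" no longer points at an obvious version. Since this item changes which connection states the rules file governs (ESTABLISHED and RELATED in addition to NEW and INVALID), I would name the version explicitly, e.g. "Beginning with 2.5.3", so that administrators can tell which installed versions have the new behaviour.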
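Review bot: In the hunk at @@ -456, the context line directly above renumbered item 14 gives the path as /etc/shorewall.shorewall.conf, which looks like a typo for /etc/shorewall/shorewall.conf; every other path visible in this patch sits under /etc/shorewall/. The sentence states a constraint on the ESTABLISHED and RELATED sections, so the file it points to should be right, and this cleanup commit is a natural place to correct it.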
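Review bot: In the hunk at @@ -522, the line for item 25 is rewritten for the renumbering but keeps the doubled word in "requires that that you set MARK_IN_FORWARD_CHAIN=Yes"; drop one "that" while the line is being touched. The same hunk's item 26 refers to the "PROTOCOL column" while item 14 in the hunk at @@ -456 calls it the "PROTO column"; pick one name so readers can match it to the column header in the rules file.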