From 88dabde9c99c45bea16ffc1fcfbfe78e5b6fa182 Mon Sep 17 00:00:00 2001 From: Tom Eastep <teastep@shorewall.net> Date: Tue, 7 Aug 2012 09:10:21 -0700 Subject: [PATCH] Update upgrade-issues doc Signed-off-by: Tom Eastep <teastep@shorewall.net> --- docs/upgrade_issues.xml | 85 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 84 insertions(+), 1 deletion(-) diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index be0b3f66d..4216dc37d 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -35,7 +35,7 @@ <holder>Thomas M. Eastep</holder> - <holder/> + <holder></holder> </copyright> <legalnotice> 
@@ -111,6 +111,89 @@ /var/lib/shorewall[6][-lite]/interface.status files used by SWPING and by LSM.</para> </listitem> + + <listitem> + <para>Beginning with Shorewall 4.5.2, using /etc/shorewall-lite/vardir + and /etc/shorewall6-lite/vardir to specify VARDIR is deprecated in + favor of the VARDIR setting in shorewallrc.</para> + + <para>NOTE: While the name of the variable remains VARDIR, the meaning + is slightly different. When set in shorewallrc, each product + (shorewall-lite, and shorewall6-lite) will create a directory under + the specified path name to hold state information.</para> + + <para>Example: </para> + + <blockquote> + <para>VARDIR=/opt/var/</para> + + <para>The state directory for shorewall-lite will be + /opt/var/shorewall-lite/ and the directory for shorewall6-lite will + be /opt/var/shorewall6-lite.</para> + </blockquote> + + <para>When VARDIR is set in /etc/shorewall[6]/vardir, the product will + save its state directly in the specified directory.</para> + </listitem> + + <listitem> + <para>Begining with Shorewall 4.5.6, the tcrules file is processed if + MANGLE_ENABLED=Yes, independent of the setting of TC_ENABLED. This + allows actions like TTL and TPROXY to be used without enabling traffic + shaping. If you have rules in your tcrules file that you only want + processed when TC_ENABLED is other than 'No', then enclose them + in</para> + + <blockquote> + <para>?IF $TC_ENABLED</para> + + <para>...</para> + + <para>?ENDIF</para> + </blockquote> + + <para> If they are to be processed only if TC_ENABLED=Internal, then + enclose them in</para> + + <blockquote> + <para>?IF TC_ENABLED eq 'Internal'</para> + + <para> ...</para> + + <para>?ENDIF.</para> + </blockquote> + + <para> </para> + </listitem> + + <listitem> + <para>Beginning with Shorewall 4.5.7, the deprecated + /etc/shorewall[6]/blacklist files are no longer installed. 
Existing + files are still processed by the compiler.</para> + + <para>Note that blacklist files may be converted to equivalent blrules + files using <command>shorewall[6] update -b</command>. </para> + </listitem> + + <listitem> + <para> In Shorewall 4.5.7, the + <filename>/etc/shorewall[6]/notrack</filename> file was renamed + <filename>/etc/shorewall[6]/conntrack</filename>. When upgrading to a + release >= 4.5.7, the <filename>conntrack</filename> file will be + installed along side of an existing <filename>notrack</filename> file. + When both files exist, a compiler warning is generated:</para> + + <blockquote> + <para>WARNING: Both /etc/shorewall/notrack and + /etc/shorewall/conntrack exist; /etc/shorewall/conntrack is + ignored</para> + </blockquote> + + <para>This warning may be eliminated by moving any entries in the + <filename>notrack</filename> file to the + <filename>conntrack</filename> file and removing the + <filename>notrack</filename> file. </para> + </listitem> </orderedlist> </section>
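Review bot: In the first hunk (the copyright block), replacing `<holder/>` with `<holder></holder>` only changes how an empty element is serialized and is unrelated to the upgrade-issues update named in the subject. Drop this hunk from the commit, or remove the empty element altogether if it is not meant to name a second copyright holder.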
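Review bot: In the second hunk, the TC_ENABLED=Internal example reads `?IF TC_ENABLED eq 'Internal'` while the example just above it uses `?IF $TC_ENABLED`. The two should reference the variable the same way, and the closing `?ENDIF.` carries a trailing period inside the blockquote that readers will copy into their tcrules file. In the same hunk, the VARDIR item opens by naming /etc/shorewall-lite/vardir and /etc/shorewall6-lite/vardir, but its last paragraph says /etc/shorewall[6]/vardir, so one of the two path forms needs correcting. Smaller points: "Begining" in the 4.5.6 item is misspelled, "along side" in the 4.5.7 notrack item should be "alongside", and the empty `<para> </para>` after the second blockquote can be removed.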