Document LOAD_HELPERS_ONLY=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-01-21 20:17:25 -08:00
parent 8f85c75264
commit 8def4d03c3
2 changed files with 26 additions and 0 deletions

View File

@ -8,6 +8,8 @@ Changes in Shorewall 4.4.7
4) Add TC_PRIOMAP to shorewall*.conf
5) Implement LOAD_HELPERS_ONLY
Changes in Shorewall 4.4.6
1) Fix for rp_filter and kernel 2.6.31.

View File

@ -259,6 +259,30 @@ None.
5) Support for TPROXY has been added. See
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY.
6) Traditionally, Shorewall has loaded all modules that could possibly
be needed twice; once in the compiler, and once when the generated
script is initialized. The latter can be a time-consuming process
on slow hardware.
Beginning with 4.4.7, there is a LOAD_HELPERS_ONLY option in
shorewall.conf. For existing users, LOAD_HELPERS_ONLY=No is the
default.
For new users that employ the sample configurations,
LOAD_HELPERS_ONLY=Yes will be the default. That setting causes only
a small subset of modules to be loaded; it is assumed that the
remaining modules will be autoloaded.
Modules loaded when LOAD_HELPERS_ONLY=Yes are:
- Protocol helpers. These cannot be autoloaded.
- Traffic shaping modules.
In addition, the nf_conntrack_sip module is loaded with
sip_direct_media=0. This setting is slightly less secure than
sip_direct_media=1, but it solves many VOIP problems that users
routinely encounter.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 6
----------------------------------------------------------------------------