Document DROPINVALID

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1810 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -174,3 +174,5 @@ Changes since 2.0.3
 85) Continue determining capabilities when fooX1234 already exists.
 
 86) Corrected typo in interfaces file.
+
+97) Add DROPINVALID option.

Shorewall2/releasenotes.txt

@@ -785,3 +785,24 @@ New Features:
     exceeded the specified rate was silently dropped. Now, if a log
     level is given in the entry (LEVEL column) then drops are logged at
     that level at a rate of 5/min with a burst of 5.
+
+35) Recent 2.6 kernels include code that evaluates TCP packets based on
+    TCP Window analysis. This can cause packets that were previously
+    classified as NEW or ESTABLISHED to be classified as INVALID.
+
+    The new kernel code can be disabled by including this command in
+    your /etc/shorewall/init file:
+
+    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+
+    Additional kernel logging about INVALID TCP packets may be
+    obtained by adding this command to /etc/shorewall/init:
+
+    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
+
+    Traditionally, Shorewall has dropped INVALID TCP packets early. The
+    new DROPINVALID option allows INVALID packets to be passed through
+    the normal rules chains by setting DROPINVALID=No.
+
+    If not specified or if specified as empty (e.g., DROPINVALID="")
+    then DROPINVALID=Yes is assumed.