From ec28bdb5a056246e1fe0107c540ec5cc6cb3f0e3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 20 Jun 2011 14:33:49 -0700 Subject: [PATCH] Document Shorewall6 support for dynamic zones. Signed-off-by: Tom Eastep --- Shorewall/releasenotes.txt | 13 ++++++++- manpages6/shorewall6.xml | 55 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 1a8c498fc..f34c5d4bc 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -113,6 +113,17 @@ None. If you configure Shorewall-init to save/restore ipsets, be sure to set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf. + + As part of this change, Shorewall and Shorewall6 will only restore + saved ipsets if SAVE_IPSETS=Yes in shorewall.conf + (shorewall6.conf). + +6) Shorewall6 now supports dynamic zones: + + 1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces + 2) The HOSTS column of /etc/shorewall6/hosts may now contain + :dynamic. + 3) /sbin/shorewall6 now supports the 'add' and 'delete' commands. ---------------------------------------------------------------------------- I V. R E L E A S E 4 . 4 H I G H L I G H T S @@ -3628,7 +3639,7 @@ None. 8) The generated script now uses iptables[6]-restore to instantiate the Netfilter ruleset during processing of the 'stop' command. As a - consequence, the 'critical' option in /etc/shorewall/route_stopped + consequence, the 'critical' option in /etc/shorewall/routestopped is no longer needed and will result in a warning. 9) A new AUTOMAKE option has been added to shorewall.conf and diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index 7c2beb505..5a7d05033 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -16,6 +16,22 @@ + + shorewall6 + + | + + -options + + + + interface[:host-list] + + zone + + shorewall6 
@@ -583,6 +599,29 @@ The available commands are listed below. + + add + + + Added in Shorewall 4.4.21. Adds a list of hosts or subnets to + a dynamic zone usually used with VPN's. + + The interface argument names an interface + defined in the shorewall6-interfaces(5) + file. A host-list is comma-separated list whose + elements are host or network addresses. + The add command is not very robust. If + there are errors in the host-list, + you may see a large number of error messages yet a subsequent + shorewall show zones command will indicate + that all hosts were added. If this happens, replace + add by delete and run the + same command again. Then enter the correct command. + + + + allow @@ -677,6 +716,22 @@ + + delete + + + Added in Shorewall 4.4.21. The delete command reverses the + effect of an earlier add + command. + + The interface argument names an interface + defined in the shorewall6-interfaces(5) + file. A host-list is comma-separated list whose + elements are a host or network address. + + + drop
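Review bot: in the first releasenotes.txt hunk (@@ -113), item 6) lists the three new dynamic-zone facilities (nets=dynamic in /etc/shorewall6/interfaces, :dynamic in the HOSTS column of /etc/shorewall6/hosts, and the add/delete commands) but gives no release number, while the manpage entries in the same patch both say "Added in Shorewall 4.4.21"; state the version in item 6) as well and point to shorewall6(8) for the add/delete syntax. The new paragraph "Shorewall and Shorewall6 will only restore saved ipsets if SAVE_IPSETS=Yes" records a behaviour change that has nothing to do with dynamic zones, so it deserves its own line in the commit message rather than being folded under "Document Shorewall6 support for dynamic zones."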
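Review bot: the second releasenotes.txt hunk (@@ -3628) changes "/etc/shorewall/route_stopped" to "/etc/shorewall/routestopped" in the 4.4 highlights section, an unrelated correction to an old entry that the commit message does not mention; either add a line for it to the message or split it into its own commit so the history explains why the file name changed.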
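Review bot: in the shorewall6.xml synopsis hunk (@@ -16), the new entry shows the alternatives separator "|" and the arguments "-options", "interface[:host-list]" and "zone", but the command keywords add and delete are not visible in the hunk as shown here; check the rendered manpage to confirm the synopsis names both commands. The synopsis also marks host-list as optional, while neither command description says what add or delete does when only interface is given; document that case in both entries.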
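Review bot: in the add entry (@@ -583), "A host-list is comma-separated list" is missing an article ("is a comma-separated list") and "VPN's" should be "VPNs". The robustness caveat refers to "shorewall show zones" although this is the shorewall6 manpage; it should read "shorewall6 show zones" to match the rest of the page. The entry also says the target must be a dynamic zone without saying how one is declared; since the release notes in this same patch give both ways (nets=dynamic in /etc/shorewall6/interfaces, or :dynamic in the HOSTS column of /etc/shorewall6/hosts), one cross-referencing sentence here would spare readers the lookup.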
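Review bot: in the delete entry (@@ -677), "A host-list is comma-separated list whose elements are a host or network address" is both missing an article and inconsistent with the add entry, which says the elements "are host or network addresses"; use the same wording in both, e.g. "A host-list is a comma-separated list whose elements are host or network addresses."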