diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml index 01b3c3b70..3d7b856d3 100644 --- a/docs/upgrade_issues.xml +++ b/docs/upgrade_issues.xml @@ -4,7 +4,7 @@
- ss rUpgrade Issues + Upgrade Issues Tom @@ -77,11 +77,67 @@
Versions >= 4.3.5 - If you are using Shorewall-perl, there are no additional upgrade - issues. If you are using Shorewall-shell or are upgrading from a Shorewall - version earlier than 4.0.0 then you will need to migrate to Shorewall-perl. - Shorewall-4.3.5 and later only use the perl-based compiler. + + + If you are using Shorewall-perl, there are no additional upgrade + issues. If you are using Shorewall-shell or are upgrading from a + Shorewall version earlier than 4.0.0 then you will need to migrate to Shorewall-perl. + Shorewall-4.3.5 and later only use the perl-based compiler. + + + + The shorewall stop, shorewall + clear, shorewall6 stop and + shorewall6 clear commands no longer read the + routestopped file. The + routestopped file used is the one that was + present at the last start, + restart or restore command. + + + + + The old macro parameter syntax (e.g., SSH/ACCEPT) is now + deprecated in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.3 + documentation uses the new syntax exclusively, although the old syntax + continues to be supported. + + + + Support for the SAME target in /etc/shorewall/masq and + /etc/shorewall/rules has been removed, following the removal of the + underlying support in the Linux kernel. + + + + Supplying an interface name in the SOURCE column of + /etc/shorewall/masq is now deprecated. Entering the name of an + interface there will result in a compile-time warning: + + WARNING: Using an interface as the masq SOURCE requires the + interface to be up and configured when Shorewall + starts/restarts + + To avoid this warning, replace interface names by the + corresponding network addresses (e.g., 192.168.144.0/24). + + + + Previously, Shorewall has treated traffic shaping class IDs as + decimal numbers (or pairs of decimal numbers). That worked fine until + IPMARK was implemented. IPMARK requires Shorewall to generate class + Ids in numeric sequence. 
In 4.3.9, that didn't work correctly because + Shorewall was generating the sequence "..8,9,10,11..." when the + correct sequence was "...8,9,a,b,...". Shorewall now treats class IDs + as hex, like 'tc' and 'iptables' do. + + This should only be an issue if you have more than 9 interfaces + defined in /etc/shorewall/tcdevices and if you + use class IDs in /etc/shorewall/tcrules. You will + need to renumber the class IDs for devices 10 and greater. + +
@@ -175,7 +231,7 @@ and you select replacement of shorewall.conf during upgrade to Shorewall 4.2, you will want to change IMPLICIT_CONTINUE back to 'Yes' if you have nested zones that rely on IMPLICIT_CONTINUE=Yes for proper - operation. + operation. @@ -266,6 +322,13 @@ shorewall restart The RPMs are set up so that if tunnels. Tunnels that use AH (protocol 51) must specify in the TYPE column. + + + Users upgrading from Debian Etch (Shorewall 3.2.6) to Debian + Lenny (Shoreall 4.0.15) report finding an issue with VOIP (Asterisk) + traffic. See Shorewall FAQ 77 for + details. +
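Review bot: In the @@ -77,11 +77,67 @@ hunk, the class-ID item names 4.3.9 as the release where the generated sequence was wrong but never says which release starts treating class IDs as hex. Under a "Versions >= 4.3.5" heading, a reader cannot tell whether the renumbering of "devices 10 and greater" applies to their version, so please state the version explicitly. The same item writes "class Ids" once and "class IDs" elsewhere, and the two quoted sequences are punctuated differently ("..8,9,10,11..." against "...8,9,a,b,..."). The routestopped item would also be clearer with one sentence spelling out the consequence: edits to the file do not affect stop or clear until the next start, restart or restore.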
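Review bot: In the @@ -266,6 +322,13 @@ hunk, the added paragraph misspells the product name as "Shoreall 4.0.15"; it should read "Shorewall 4.0.15". The paragraph says only that users "report finding an issue with VOIP (Asterisk) traffic", so consider adding a few words naming the symptom, which would let readers judge whether FAQ 77 applies to them before following the link.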