Finish release note cleanup

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6785 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-07-04 19:39:49 +00:00
parent 9b8d097a6a
commit fbb69ec909


@ -282,7 +282,10 @@ Migration Considerations:
- Otherwise, if the DEST in the rule is any or all or 0.0.0.0/0,
then the rule is added to both accounting and accountout.
- Otherwise, the rule is added to accounting only.
- Otherwise, the rule is added to accounting only.
See http://www.shorewall.net/4.0/bridge-Shorewall-perl.html for
additional information about the new bridge support.
d) The BROADCAST column in the interfaces file is essentially unused;
if you enter anything in this column but '-' or 'detect', you will
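Review bot: the new cross-reference ends in ".html" while the other links in this file use ".htm" (e.g. http://www.shorewall.net/4.0/shorewall_extension_scripts.htm), so please verify that http://www.shorewall.net/4.0/bridge-Shorewall-perl.html actually resolves before release. The two identical "Otherwise, the rule is added to accounting only." lines suggest one of the three inserted lines is a whitespace-only change to an existing line; if so, dropping it keeps the hunk minimal.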
@ -358,23 +361,6 @@ Migration Considerations:
'-p tcp' #Pass as-is
);
See http://www.shorewall.net/4.0/shorewall_extension_scripts.htm
for further information about extension scripts under
Shorewall-perl.
f) The 'refresh' command now works like 'restart' with the
following exceptions:
- The refresh command is rejected if Shorewall is not running.
- The refresh command only rebuilds the 'blacklst' chain.
- A directory name may not be specified in the refresh command.
g) Some run-time scripts have been converted to compile time
scripts:
initdone
maclog
Note that in the 'initdone' script, there is no default chain
($chainref). You can objtain a reference to a standard chain by:
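Review bot: the removed link and item f) are reinserted verbatim further down, so this is a pure move; while the section is being touched, the typo in the unchanged context line "You can objtain a reference to a standard chain by:" ("objtain" should be "obtain") could be fixed too.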
@ -388,7 +374,18 @@ Migration Considerations:
allow you to add special rules during [re]start. Shorewall-perl
doesn't need such rules.
h) The /etc/shorewall/tos file now has zone-independent SOURCE and
See http://www.shorewall.net/4.0/shorewall_extension_scripts.htm
for further information about extension scripts under
Shorewall-perl.
f) The 'refresh' command now works like 'restart' with the
following exceptions:
- The refresh command is rejected if Shorewall is not running.
- The refresh command only rebuilds the 'blacklst' chain.
- A directory name may not be specified in the refresh command.
g) The /etc/shorewall/tos file now has zone-independent SOURCE and
DEST columns as do all other files except the rules and policy
files.
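Review bot: with the link and item f) reinserted here, the item that precedes them in the visible context of the previous hunk is still lettered "g) Some run-time scripts have been converted to compile time scripts:", so the new file would read g), f), g) once the tos item is relettered from h) to g). Either reletter the run-time-scripts note or place f) ahead of it so the sequence stays e), f), g), h).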
@ -409,7 +406,7 @@ Migration Considerations:
requiring change to existing files. In particular, it will
handle the tos file released with Shorewall 1.4 and earlier.
i) Shorewall is now out of the ipset load/reload business. With
h) Shorewall is now out of the ipset load/reload business. With
scripts generated by the Perl-based Compiler, the Netfilter
ruleset is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
@ -446,7 +443,7 @@ Migration Considerations:
will ignore /etc/shorewall/ipsets and will issue a warning if
you set SAVE_IPSETS=Yes in shorewall.conf.
j) Because the configuration files (with the exception of
i) Because the configuration files (with the exception of
/etc/shorewall/params) are now processed by the Perl-based
compiler rather than by the shell, only the basic forms of Shell
expansion ($variable and ${variable}) are supported. The more
@ -455,24 +452,24 @@ Migration Considerations:
environmental variables (exported by the shell) can be used in
configuration files.
h) USE_ACTIONS=No is not supported. That option is intended to
j) USE_ACTIONS=No is not supported. That option is intended to
minimize Shorewall's footprint in embedded applications. As a
consequence, Default Macros are not supported.
i) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
k) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
atomically loaded with one execution of iptables-restore.
j) MAPOLDACTIONS=Yes is not supported. People should have converted
to using macros by now.
l) MAPOLDACTIONS=Yes is not supported. People should have converted
to using macros by now.
k) The pre Shorewall-3.0 format of the zones file is not supported;
m) The pre Shorewall-3.0 format of the zones file is not supported;
neither is the /etc/shorewall/ipsec file.
l) BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
n) BLACKLISTNEWONLY=No is not permitted with FASTACCEPT=Yes. This
combination doesn't work in previous versions of Shorewall so
the Perl-based compiler simply rejects it.
m) Shorewall-perl has a single rule generator that is used for all
o) Shorewall-perl has a single rule generator that is used for all
rule-oriented files. So it is important that the syntax is
consistent between files.
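Review bot: the letter sequence is now contiguous, but item l) still reads "People should have converted to using macros by now.", which is a judgement rather than a migration instruction; a neutral sentence naming the replacement, such as "Convert any remaining old-style actions to macros.", tells the reader what to do.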
@ -491,11 +488,11 @@ Migration Considerations:
#INTERFACE SOURCE ADDRESSES
eth0 eth1:!192.168.4.9 ...
n) The 'allowoutUPnP' built-in action is no longer supported. The
p) The 'allowoutUPnP' built-in action is no longer supported. The
Netfilter team have removed support for '-m owner --owner-cmd'
which that action depended on.
o) The treatment of the following interface options has changed under
q) The treatment of the following interface options has changed under
Shorewall-perl.
- arp_filter
@ -517,40 +514,70 @@ Migration Considerations:
A fatal compilation error is also generated if you specify one of
these options with a wildcard interface (one ending with '+').
p) The LOG_MARTIANS and ROUTE_FILTER options are now tri-valued in
r) The LOG_MARTIANS and ROUTE_FILTER options are now tri-valued in
Shorewall-perl.
Yes - Same as before
No - Same as before except that it applies regardless of
whether any interfaces have the logmartians/routefilter
option
Keep - Shorewall ignores the option entirely.
Keep - Shorewall ignores the option entirely (which is the
default).
2) An 'optional' option has been added to
/etc/shorewall/interfaces. This option is recognized by
Shorewall-perl but not by Shorewall-shell. When 'optional' is
specified for an interface, Shorewall will be silent when:
s) Shorewall-perl support nn 'optional' option has been added to
/etc/shorewall/interfaces. This option is recognized by
Shorewall-perl but not by Shorewall-shell. When 'optional' is
specified for an interface, Shorewall will be silent when:
- a /proc/sys/net/ipv4/conf/ entry for the interface cannot be
modified (including for proxy ARP).
- a /proc/sys/net/ipv4/conf/ entry for the interface cannot be
modified (including for proxy ARP).
- The first address of the interface cannot be obtained.
- The first address of the interface cannot be obtained.
I specify 'optional' on interfaces to Xen virtual machines that may
or may not be running when Shorewall is [re]started.
I specify 'optional' on interfaces to Xen virtual machines that
may or may not be running when Shorewall is [re]started.
CAUTION: Use 'optional' at your own risk. If you [re]start
Shorewall when an 'optional' interface is not available and then do
a 'shorewall save', subsequent 'shorewall restore' and 'shorewall -f
start' operations will instantiate a ruleset that does not support
that interface, even if it is available at the time of the
restore/start.
CAUTION: Use 'optional' at your own risk. If you [re]start
Shorewall when an 'optional' interface is not available and then
do a 'shorewall save', subsequent 'shorewall restore' and
'shorewall -f start' operations will instantiate a ruleset that
does not support that interface, even if it is available at the
time of the restore/start.
3) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to
t) Shorewall-perl validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
u) Shorewall-perl checks configuration files for the presense of
characters that can cause problems if they are allowed into the
generated firewall script:
- Double Quotes. These are prohibited except in the
shorewall.conf and params files.
- Single Quotes. These are prohibited except in the
shorewall.conf and params files and in COMMENT lines.
- Single back quotes. These are prohibited except in the
shorewall.conf and params files.
- Backslash. Probibited except as the last character on a line
to denote line continuation.
v) Under Shorewall-perl, macros may invoke other macros with the
restriction that such macros may not be invoked within an action
body.
When marcros are invoked recursively, the parameter passed to an
invocation are automatically propagated to lower level macros.
Macro invocations may be nested to a maximum level of 5.
2) Thanks to Paul Gear, an IPPServer macro has been added. Be sure to
read the comments in the macro file before trying to use this
macro.
4) Eariler generations of Shorewall Lite required that remote root
3) Eariler generations of Shorewall Lite required that remote root
login via ssh be enabled in order to use the 'load' and 'reload'
commands.
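Review bot: the new heading for item s) is garbled: "Shorewall-perl support nn 'optional' option has been added to /etc/shorewall/interfaces." should read "Shorewall-perl supports an 'optional' option in /etc/shorewall/interfaces." (the "has been added to" fragment is left over from the old item 2) wording, and the following sentence then repeats that Shorewall-shell does not recognize it). The moved items t), u) and v) carry over the typos "presense", "Probibited", "marcros" and "the parameter passed to an invocation are" (should be "the parameters passed to an invocation are"), and item 3) still has "Eariler"; fix them while the text is being moved.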
@ -584,45 +611,16 @@ Migration Considerations:
destination - The directory on the remote system that the files
are to be copied into.
5) The accounting, masq, rules and tos files now have a 'MARK' column
4) The accounting, masq, rules and tos files now have a 'MARK' column
similar to the column of the same name in the tcrules file. This
column allows filtering by MARK and CONNMARK value (CONNMARK is
only accepted under Shorewall Perl).
6) SOURCE and DEST are now reserved zone names to avoid problems with
5) SOURCE and DEST are now reserved zone names to avoid problems with
bi-directional macro definitions which use these as names as key
words.
7) Shorewall-perl validates all IP addresses and addresses ranges
in rules. DNS names are resolved and an error is issued for any
name that cannot be resolved.
8) Shorewall-perl checks configuration files for the presense of
characters that can cause problems if they are allowed into the
generated firewall script:
- Double Quotes. These are prohibited except in the
shorewall.conf and params files.
- Single Quotes. These are prohibited except in the
shorewall.conf and params files and in COMMENT lines.
- Single back quotes. These are prohibited except in the
shorewall.conf and params files.
- Backslash. Probibited except as the last character on a line to
denote line continuation.
9) Under Shorewall-perl, macros may invoke other macros with the
restriction that such macros may not be invoked within an action
body.
When marcros are invoked recursively, the parameter passed to an
invocation are automatically propagated to lower level macros.
Macro invocations may be nested to a maximum level of 5.
12) The "shorewall show zones" command now flags zone members that have
6) The "shorewall show zones" command now flags zone members that have
been added using "shorewall add" by preceding them with a plus sign
("+").
@ -649,16 +647,16 @@ Migration Considerations:
versions, any entry could be deleted although the ruleset was only
changed by deleting entries that had been added dynamically.
13) The 'shorewall version' command now lists the version of the
installed compiler(s):
7) The 'shorewall version' command now lists the version of the
installed compiler(s) if the -a option is used:
gateway:/bulk/backup # shorewall version
gateway:/bulk/backup # shorewall version -a
4.0.0-Beta1
Shorewall-shell 4.0.0-Beta1
Shorewall-perl 4.0.0-Beta1
gateway:/bulk/backup #
14) The Perl compiler is externalized. Both the compiler.pl program
8) The Perl compiler is externalized. Both the compiler.pl program
and the Perl Module interface are documented.
The compiler program is /usr/share/shorewall-perl/compiler.pl:
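Review bot: the paragraph now says the compiler versions are listed only with the -a option, but the example shows only "shorewall version -a"; add what plain "shorewall version" prints (presumably just "4.0.0-Beta1") so readers upgrading from the earlier wording know the default output has changed.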
@ -751,11 +749,11 @@ Migration Considerations:
The compiler function can be called repeatedly with different
inputs.
15) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
9) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
classes generated by /etc/shorewall/tcclasses.
16) During installation, Shorewall generates the Perl module
10) During installation, Shorewall generates the Perl module
/usr/share/shorewall-perl/Shorewall/Ports.pm, using your
/etc/protocols and /etc/services as input.
@ -817,11 +815,11 @@ Example:
shorewall restart -C perl
Regardless of the setting of SHOREWALL_COMPILER, there is one change in
Shorewall operation that is triggered simply by installing
shorewall-perl. Your params file will be processed during compilation
with the shell's '-a' option which causes any variables that you set
or create in that file to be automatically exported. Since the params
file is processed before shorewall.conf, using -a insures that the
settings of your params variables are available to the new compiler
should its use be specified in shorewall.conf.
When the Shorewall-perl compiler is used, your params file will be
processed during compilation with the shell's '-a' option which causes
any variables that you set or create in that file to be automatically
exported. Since the params file is processed before shorewall.conf,
using -a insures that the settings of your params variables are
available to the new compiler should its use be specified in
shorewall.conf.
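Review bot: the new opening "When the Shorewall-perl compiler is used, your params file will be processed during compilation with the shell's '-a' option" conflicts with the retained closing clause "should its use be specified in shorewall.conf", which only made sense under the old "Regardless of the setting of SHOREWALL_COMPILER" wording; either drop that clause or restore the old sentence if the -a processing still happens whenever shorewall-perl is installed. Also "insures" should be "ensures" in both versions of the paragraph.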