mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-16 04:33:17 +01:00
199aa48ee3
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5651 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
62 lines
1.6 KiB
Plaintext
Shorewall 3.9.0

This release includes a complete rewrite of the compiler in Perl.

The good news:

a) The compiler is small.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
   so the script is very fast.

The bad news:

There are a number of incompatibilities between 3.9.0 and earlier
versions.

a) This version requires the addrtype match capability in your kernel
   and iptables. This capability is in current distributions.

b) The BROADCAST column in the interfaces file is essentially unused;
   if you enter anything in this column but '-' or 'detect', you will
   receive a warning.

c) Because the compiler is now written in Perl, your compile-time
   extension scripts for earlier versions will no longer work.

d) The 'refresh' command is now synonymous with 'restart'.

e) Some run-time extension scripts are no longer supported because they
   make no sense (iptables-restore instantiates the new configuration
   atomically).

	continue
	initdone
	continue
	refresh
	refreshed

f) Currently, 3.9.0 has no support for ipsets. That will change with
   future releases but one thing is certain -- Shorewall is out of the
   ipset load/reload business. If the Netfilter ruleset is never cleared,
   then there is no opportunity for Shorewall to load/reload your
   ipsets.

   So:

   i) Your ipsets must be loaded before Shorewall starts.

   ii) Your ipsets may not be reloaded until Shorewall is stopped or
       cleared.

   iii) If you specify ipsets in your routestopped file then
        Shorewall must be cleared in order to reload your ipsets.
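
A pre-upgrade check for incompatibilities (b) and (e) above, as an added example that is not part of the Shorewall release notes or code. It assumes the configuration lives in one directory (Shorewall's default is /etc/shorewall), that BROADCAST is the third column of the interfaces file, and that extension scripts are files named after the script; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an existing configuration before moving to 3.9.0.
# Assumption: the directory passed in (default /etc/shorewall) holds the
# interfaces file and any extension scripts as plain files.

# Item (b): print one line per interfaces entry whose BROADCAST column
# (third field) is anything other than '-' or 'detect'.
audit_broadcast() {
    [ -f "$1/interfaces" ] || return 0
    awk '
        { sub(/#.*/, "") }    # drop comments, including the header line
        NF >= 3 && $3 != "-" && $3 != "detect" {
            printf "interfaces:%d: %s BROADCAST=%s\n", NR, $2, $3
        }' "$1/interfaces"
}

# Item (e): print the name of each run-time extension script from the
# unsupported list that is present in the directory.
audit_extension_scripts() {
    for name in continue initdone refresh refreshed; do
        [ -f "$1/$name" ] && echo "$name"
    done
    return 0
}

# Run both checks. Prints the findings and returns 1 if anything needs
# attention before upgrading; prints nothing and returns 0 otherwise.
audit_shorewall_config() {
    dir=${1:-/etc/shorewall}
    findings=$( { audit_broadcast "$dir"; audit_extension_scripts "$dir"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: audit_shorewall_config /etc/shorewall
```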