Merge branch '5.2.7'

2020-08-17 16:33:58 -07:00 · 2020-08-17 16:33:58 -07:00 · 11aa92c5fc
commit 11aa92c5fc
parent 0b80856eb6 68c0897352
4 changed files with 30 additions and 9 deletions
--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@ -57,11 +57,8 @@
 </programlisting>

    <para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
-    capability in your iptables and kernel. As of this writing, that
-    capability requires installing <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
-    or later and <ulink
-    url="http://xtables-addons.sourceforge.net/geoip.php">creating a
+    capability in your iptables and kernel. That capability requires <ulink
+    url="https://dev.maxmind.com/geoip/geoip2/geolite2/">creating a
    country-code database</ulink>.</para>

    <para>The Shorewall compiler uses the geoip country-code database to
@ -84,10 +81,18 @@
    any future ability to install the database at another location, Shorewall
    supports a GEOIPDIR option in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink
-    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
-    default value of that option is
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). The default
+    value of that option is
    <filename>/usr/share/xt_geoip/LE</filename>.</para>

+    <important>
+      <para>Recent versions of the country-code database are installed in
+      <filename>/usr/share/xt_geoip/, regardless of endian convention. This
+      requires modifying the setting of GEOIPDIR in <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
+      url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</filename></para>
+    </important>
+
    <para>The country codes at the time of this writing are shown in the
    following two sections.</para>
  </section>
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@ -145,7 +145,8 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    <para>Beginning with Shorewall 4.4.14, multiple source or destination
    matches may be specified by placing multiple set names in '+[...]' (e.g.,
    +[myset,myotherset]). When so enclosed, the set names need not be prefixed
-    with a plus sign.</para>
+    with a plus sign. When such a list of sets is specified, matching packets
+    must match all of the listed sets.</para>

    <para>Shorewall can save/restore your ipset contents with certain
    restrictions:</para>
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@ -93,6 +93,13 @@
    qdisc but seems to provide a benefit when the actual link output
    temporarily drops below the limit imposed by tbf or when tbf allows a
    burst of traffic to be released.</para>
+
+    <caution>
+      <para>IPSec traffic passes through traffic shaping twice - once en clair
+      and once encrypted and encapsulated. As a result, throughput may be
+      significantly less than configured if IPSEC packets form a significant
+      percentage of the traffic being shaped.</para>
+    </caution>
  </section>

  <section>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@ -385,6 +385,14 @@
            The default burst is 10kb, but on my 50mbit line, I specify 200kb.
            (50mbit:200kb).</para>
          </note>
+
+          <caution>
+            <para>Incoming IPSec traffic traverses traffic shaping twice -
+            firs as encrypted and encapsulated ESP packets and then en clair.
+            As a result, incoming bandwidth can be significantly less than
+            specified if IPSEC packets form a significant part of inoming
+            traffic.</para>
+          </caution>
        </listitem>

        <listitem>