Extend release notes and correct typos

Tom Eastep 2009-08-11 08:02:36 -07:00
parent 49554c5d7d
commit 51e7bcdaf4


@ -43,6 +43,10 @@ Shorewall 4.4.0
10) Support for per-IP traffic shaping classes has been added.
11) Support for netfilter's TRACE facility has been added. TRACE allows
you to trace selected packets through Netfilter, including marking
by tcrules.
----------------------------------------------------------------------------
M I G R A T I O N I S S U E S
----------------------------------------------------------------------------
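Review bot: the new item 11 names netfilter's TRACE facility but does not say how a user enables it (which configuration file or option selects the packets to trace) or where the trace output ends up, so the item cannot be acted on from the release notes alone; add a one-line pointer to the file/option that selects packets for tracing, and keep the "selected packets" wording so readers do not trace everything.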
@ -65,20 +69,26 @@ Shorewall 4.4.0
http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
and make changes to your configuration as necessary.
We strongly recommend that you migrate to Shorewall-perl on your
current Shorewall version before upgrading to Shorewall 4.4.0. That
way, you can have both Shorewall-shell and Shorewall-perl available
until you are certain that Shorewall-perl is working correctly for
you.
2) The 'shorewall stop', 'shorewall clear', 'shorewall6 stop' and
'shorewall6 clear' commands no longer read the 'routestopped'
file. The 'routestopped' file used is the one that was present at
the last 'start', 'restart' or 'restore' command.
IMPORTANT: If you modify the routestopped file, you must restart
Shorewall before the changes to that file take effect.
IMPORTANT: If you modify the routestopped file, you must refresh or
restart Shorewall before the changes to that file take effect.
3) The old macro parameter syntax (e.g., SSH/ACCEPT) is now deprecated
in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.4 documentation
uses the new syntax exclusively, although the old syntax
continues to be supported.
The sample configuration also use the new syntax.
The sample configurations also use the new syntax.
4) Support for the SAME target in /etc/shorewall/masq and
/etc/shorewall/rules has been removed, following the removal of the
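Review bot: the reworded IMPORTANT line ("you must refresh or restart Shorewall") is inconsistent with the sentence just above it in item 2, which says the routestopped file used is the one present at the last 'start', 'restart' or 'restore'; if 'refresh' also re-reads routestopped, add it to that list ("the last 'start', 'restart', 'refresh' or 'restore' command"), otherwise drop 'refresh' from the IMPORTANT line. The plural fix "sample configurations" in item 3 is correct.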
@ -208,7 +218,7 @@ None.
IPv6 firewall scripts generated by Shorewall6.
2) The interfaces file supports a new 'nets=' option. This option
allows users to restrict a zone's definition to particular networks
allows you to restrict a zone's definition to particular networks
through an interface without having to use the hosts file.
Example interfaces file:
@ -262,7 +272,7 @@ None.
the connection over which that last packet was sent.
When used in the OUTPUT chain, it causes all matching connections
to an individual remote system to all use the same provider.
to an individual remote system to use the same provider.
For example:
@ -285,10 +295,17 @@ None.
executed the command copies itself to
/var/lib/shorewall[6]/firewall.
As always, /var/lib/shorewall[6] is the default directory which may
be overridden using the /etc/shorewall[6]/vardir file.
5) Dynamic zone support is once again available for IPv4. This support
is built on top of ipsets so you must have the xtables-addons
installed on the firewall system.
See http://www.shorewall.net/Dynamic.html for information about
this feature and for instructions for installing xtables-addons on
your firewall.
Dynamic zones are available when Shorewall-lite is used as well.
You define a zone as having dynamic content in one of two ways:
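Review bot: item 5 says dynamic zones are "built on top of ipsets so you must have the xtables-addons installed", but does not say which ipset version is required or whether a kernel with its own ipset support suffices, nor what 'start' does when ipset is absent; since item 6 promises that detection failures leave the firewall state unchanged, say whether a missing ipset is caught the same way. The added vardir sentence in item 4 reads fine.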
@ -316,7 +333,7 @@ None.
/etc/shorewall/vardir (/etc/shorewall-lite/vardir).
b) During 'start', 'restart' and 'restore' processing, Shorewall
will then attempt to create an ipset named <zone>_<interface>
will attempt to create an ipset named <zone>_<interface>
for each zone/interface pair that has been specified as
dynamic. The type of ipset created is 'iphash' so that only
individual IPv4 addresses may be added to the set.
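Review bot: "will attempt to create an ipset named <zone>_<interface>" leaves the re-run case undefined: on 'restart' or 'restore' that set will normally already exist, and the notes should say whether its members are kept or the set is flushed, because that decides whether dynamic zone membership survives a restart. Also say what happens when creation fails (is it one of the failures that leaves the firewall unchanged, per item 6?).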
@ -343,11 +360,12 @@ None.
These commands are supported by shorewall-lite as well.
6) The generated program now attempts to detect all dynamic
information when it first starts. If any of those steps fail, an
error message is generated and the state of the firewall is not
changed.
information when it first starts. Dynamic information includes IP
addresses, default gateways, networks routed through an interface,
etc. If any of those steps fail, an error message is generated and
the state of the firewall is not changed.
7) To improve readability of the configuration files, Shorewall now
7) To improve the readability of configuration files, Shorewall now
allows leading white space in continuation lines when the continued
line ends in ":" or ",".
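Review bot: item 7 should state where the ":" or "," sits relative to the continuation backslash, i.e. that it is the last non-blank character before the "\"; as written, "the continued line ends in ':' or ','" is ambiguous for a line whose last character is "\". The expansion of item 6 (listing IP addresses, gateways and routed networks as the dynamic information) is a good addition.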
@ -461,7 +479,7 @@ None.
...
-A log0 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -p 6 --dport 25 -j reject
-A log0 -j reject
Notice that now there is only a single rule generated in the
'loc2net' chain where before there were two. Packets for other than
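Review bot: dropping "-p 6 --dport 25" from the log0 reject rule makes log0 reject everything that reaches it, which is only right if every jump into log0 already carries the protocol/port match; the "..." above elides the loc2net rule that does so, and the sentence "only a single rule generated in the 'loc2net' chain" depends on it, so show that rule in the example.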
@ -566,7 +584,7 @@ None.
For example, suppose that your internal network is 192.168.1.0/29
(host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
might be to use IPMARK(src,0xFF,0x10000) so as to produce class IDs
1:1 through 1:6. But 1:1 is the class ID if the base HTB class on
1:1 through 1:6. But 1:1 is the class ID of the base HTB class on
interface 1. So you might chose instead to use
IPMARK(src,0xFF,0x10100) as shown in the example above so as to
avoid minor class 1.
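Review bot: "So you might chose instead" should read "choose"; the hunk fixes "if the base HTB class" to "of" but leaves this typo two lines below it.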
@ -614,8 +632,8 @@ None.
class number when none is given.
- Prior to this change, the class number was constructed by concatinating
the mark value with the either '1' or '10'. '10' is used when
there are more than 10 devices defined in /etc/shorewall/tcdevices.
the mark value with the either '1' or '10'. '10' was used when
there were more than 10 devices defined in /etc/shorewall/tcdevices.
- Beginning with this change, a new method is added; class numbers
are assigned sequentially beginning with 2.
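Review bot: "concatinating" (two lines above the change) should be "concatenating", and the rewritten line still has the stray "the" in "with the either '1' or '10'" (should be "with either '1' or '10'"); the was/were tense fix is right but both typos survive the hunk.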
@ -632,9 +650,10 @@ None.
column) must be >= 65536 (0x10000) and must be a multiple of 65536
(0x1000, 0x20000, 0x30000, ...).
16) In the 'shorewall compile' command, the filename '-' now causes
the compiled script to be written to Standard Out. As a side
effect, the effective VERBOSITY is set to -1 (silent).
16) In the 'shorewall compile' and 'shorewall6 compile' commands, the
filename '-' now causes the compiled script to be written to
Standard Out. As a side effect, the effective VERBOSITY is set to
-1 (silent).
Examples:
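Review bot: the "side effect" that VERBOSITY becomes -1 when the filename is "-" should be explained: progress messages would otherwise be interleaved with the compiled script on Standard Out and corrupt it. Say as well whether warnings and errors still go to Standard Error, so that a pipeline such as "shorewall compile - | ..." can tell a failed compile from a good one. Extending the item to 'shorewall6 compile' is correct.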
@ -647,7 +666,8 @@ None.
17) Supplying an interface name in the SOURCE column of
/etc/shorewall/masq is now deprecated. Entering the name of an
interface there will result in a compile-time warning.
interface there will result in a compile-time warning (see the
Migration Considerations above).
18) Shorewall now supports nested HTB traffic shaping classes. The
nested classes within a class can borrow from their parent class in
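Review bot: the new cross-reference "see the Migration Considerations above" does not match the section's actual heading, which is "M I G R A T I O N I S S U E S"; use the same name ("Migration Issues") so readers can find it, and check that the section actually has an item on the masq SOURCE interface deprecation, since none of its visible items 1-4 mention it.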
@ -688,13 +708,12 @@ None.
Local traffic (that coming from the firewall and from the DMZ
server) is placed in the effectively unrestricted class 1:10. The
default class is guaranteed half of the download capacity and my
work system (172.20.1.107) is guarandeed the other half.
work system (172.20.1.107) is guarandeed the other half.
19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
discipline has been added. HFSC is superior to the "Hierarchical
Token Bucket" queuing discipline where realtime traffic such as
VOIP is being used.
discipline has been added. HFSC is claimed to be superior to the
"Hierarchical Token Bucket" queuing discipline where realtime
traffic such as VOIP is being used.
An excellent overview of HFSC on Linux may be found at
http://linux-ip.net/articles/hfsc.en/.
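Review bot: "guarandeed" on the line this hunk touches is still misspelled ("guaranteed"); fix it while here. Hedging HFSC to "is claimed to be superior" is sensible, but then attribute the claim (the linux-ip.net overview cited just below is the natural source). "VOIP" is conventionally written "VoIP".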