diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
index 81e4a93a2..d4aedcae5 100644
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -15,7 +15,7 @@
- 2006-03-24
+ 2006-03-29
2006
@@ -214,7 +214,8 @@ CONNMARK_MATCH=Yes # Connmark Match
RAW_TABLE=Yes # Raw Table
IPP2P_MATCH= # IPP2P Match
CLASSIFY_TARGET=Yes # CLASSIFY Target
-ENHANCED_REJECT=Yes # Extended REJECT
+ENHANCED_REJECT=Yes # Extended REJECT
+KLUDGEFREE= # iptables accepts multiple "-m iprange" or "-m physdev" in a single command
As you can see, the file contains a simple list of shell variable
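Review bot: The added `KLUDGEFREE=` entry carries a full-sentence comment ("iptables accepts multiple "-m iprange" or "-m physdev" in a single command") where every neighbouring entry uses a short label, and it is shown empty without the following text saying what an empty value means for this capability. Suggest shortening the comment to a label in the style of "Extended REJECT" and moving the explanation into the prose that follows the listing, including what changes when the value is empty as opposed to Yes. Separately, the removed and added `ENHANCED_REJECT=Yes` lines read the same as shown, so that pair looks like a whitespace-only change; drop it from the hunk if it was not intended.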
diff --git a/docs/images/Xen5.dia b/docs/images/Xen5.dia
index 075ea6bf7..292b0a408 100644
Binary files a/docs/images/Xen5.dia and b/docs/images/Xen5.dia differ
diff --git a/docs/images/Xen5.png b/docs/images/Xen5.png
index d16cf1979..8bc8ebc65 100644
Binary files a/docs/images/Xen5.png and b/docs/images/Xen5.png differ
diff --git a/docs/upgrade_issues.xml b/docs/upgrade_issues.xml
index bc352c55b..162b236a2 100644
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -21,7 +21,13 @@
2004
- 2005 Thomas M. Eastep
+ 2005
+
+ 2006
+
+ Thomas M. Eastep
+
+
@@ -62,9 +68,134 @@
- Version >= 3.0.0
+ Version >= 3.2.0
-
+
+
+ If you are upgrading from version 2.4 or earlier, please read
+ the 3.0.0 upgrade considerations below.
+
+
+
+ A number of macros have been split into two. The macros affected
+ are:
+
+
+ IMAP
+
+ LDAP
+
+ NNTP
+
+ POP3
+
+ SMTP
+
+
+ Each of these macros now handles only traffic on the native
+ (plaintext) port. There is a corresponding macro with S added to the
+ end of the name for the SSL version of the same protocol. Thus each
+ macro results in the insertion of only one port per invocation. The
+ Web macro has not been split, but two new macros, HTTP and HTTPS have
+ been created. The Web macro is deprecated in favour of these new
+ macros, and may be removed from future Shorewall releases.
+
+ These changes have been made to ensure no unexpected ports are
+ opened due to the use of macros.
+
+
+
+ In previous Shorewall releases, DNAT and REDIRECT rules
+ supported a special syntax for exclusion of a subnet from the effect
+ of the rule.
+
+ Example:
+
+
+ Z2 is a subzone of Z1:
+
+ DNAT Z1!Z2 loc:192.168.1.4 ...
+
+
+ That feature has never worked correctly when Z2 is a dynamic
+ zone. Furthermore, now that Shorewall supports exclusion lists, the
+ capability is redundant since the above rule can now be written in the
+ form:
+
+ DNAT Z1:!<list of exclusions> loc:192.168.1.4 ...
+
+ Beginning with Shorewall 3.2.0, the special exclusion syntax
+ will no longer be supported.
+
+
+
+ Important if you use the QUEUE target.
+
+ In the /etc/shorewall/rules file and in actions, you may now
+ specify 'tcpsyn' in the PROTO column. 'tcpsyn' is equivalent to 'tcp'
+ but also requires that the SYN flag is set and the RST, FIN and ACK
+ flags be off ("--syn" is added to the iptables rule).
+
+ As part of this change, Shorewall no longer adds the "--syn"
+ option to TCP rules that specify QUEUE as their target.
+
+
+
+ Extension Scripts may require change
+
+ In previous releases, extension scripts were executed during
+ [re]start by using the Bourne Shell "." operator.
+ In addition to executing commands during [re]start,
+ these scripts had to "save" the commands to be executed during
+ shorewall restore.
+
+ This clumsiness has been eliminated in Shorewall 3.2. In
+ Shorewall 3.2, extension scripts are copied in-line into the compiled
+ program and are executed in-line during start,
+ restart and restore.
+
+ This new approach has two implications for existing
+ scripts.
+
+
+
+ It is no longer necessary to save the commands; so functions
+ like 'save_command', 'run_and_save_command' and
+ 'ensure_and_save_command' need no longer be called. The generated
+ program will contain functions with these names:
+
+
+ save_command() - does nothing
+
+ run_and_save_command() - runs the passed
+ command
+
+ ensure_and_save_command() - runs the passed command and
+ stops the firewall if the command fails.
+
+
+ These functions should provide for transparent migration of
+ scripts that use them until you can get around to eliminating
+ their use completely.
+
+
+
+ When the extension script is copied into the compiled
+ program, it is indented to line up with the surrounding code. If
+ you have 'awk' installed on your system, the Shorewall compiler
+ will correctly handle line continuation (last character on the
+ line = "\"). If you do not have awk, it will not be possible to
+ use line-continuation in your extension scripts. In no case is it
+ possible to continue a quoted string over multiple lines without
+ having additional whitespace inserted into the string.
+
+
+
+
+
+
+
+ Version >= 3.0.0
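Review bot: The QUEUE paragraph states a behaviour change ("Shorewall no longer adds the "--syn" option to TCP rules that specify QUEUE as their target") but never tells the reader what to do about it. An existing QUEUE rule with 'tcp' in the PROTO column is no longer restricted to SYN packets after the upgrade, so it hands more traffic to the queue than it did before; the text should say explicitly that such rules need PROTO changed to 'tcpsyn' to keep the previous matching. Two smaller points in the same hunk: the exclusion paragraph says the `Z1!Z2` form "will no longer be supported" without saying whether a leftover rule is rejected with an error, and the macro paragraph describes the new names only as "S added to the end" without listing them or noting that a rule which relied on the old macro for the SSL port now needs a second entry. Spelling both out would make the upgrade steps checkable against an existing rules file.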
@@ -156,7 +287,7 @@
- In previous versions of Shorewall, the rules generated by
+ In previous versions of Shorewall, the rules generated by
entries in /etc/shorewall/tunnels preceded those
rules generated by entries in
/etc/shorewall/rules. Beginning with this
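Review bot: The removed and added "In previous versions of Shorewall, the rules generated by" lines are identical as shown, so this hunk changes whitespace only. Suggest dropping it from the patch, or moving indentation cleanup into its own commit, so that the documentation changes are easier to review.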
@@ -905,4 +1036,4 @@ error: failed dependencies:iproute is needed by shorewall-1.4.0-1
-
+
\ No newline at end of file
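Review bot: The "\ No newline at end of file" marker follows the added line, so docs/upgrade_issues.xml now ends without a trailing newline. Suggest restoring the final newline so that later edits to the end of the file do not show up as spurious changes to this line.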