From f2645107296e7d9b639f8d223fbad982154f3106 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 27 Jun 2009 10:27:30 -0700 Subject: [PATCH] Minor corrections to release notes --- Shorewall/releasenotes.txt | 54 ++++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 29 deletions(-) diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 185b61306..e25473fda 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -103,7 +103,7 @@ Shorewall 4.4.0 Beta 3 8) The install.sh scripts in the Shorewall and Shorewall6 packages no longer create a backup copy of the existing configuration. If you - want your configuration backed up prior to upgradeing, you will + want your configuration backed up prior to upgrading, you will need to do that yourself. As part of this change, the fallback.sh scripts are no longer @@ -114,7 +114,7 @@ Shorewall 4.4.0 Beta 3 ---------------------------------------------------------------------------- 1) Previously, if Address Type Match was not available and an - interface on the firewall was (mis-)configured as follows, then + interface on the firewall was (mis-)configured as shown below, then REJECT policies in Shorewall-perl would drop packets addressed to the interface rather than reject them. @@ -265,7 +265,7 @@ None. Note that the dynamic zone support built into Shorewall provides no additional functionality over what is provided by simply defining a zone in terms of an ipset (see - http://www1.shorewall.net/ipsets.html#Dynamic). + http://www.shorewall.net/ipsets.html#Dynamic). You define a zone as having dynamic content in one of two ways: @@ -279,7 +279,7 @@ None. Shorewall (Shorewall-lite) will: a) Execute the following commands during 'shorewall start' or - 'shorewall-lite start'. + 'shorewall-lite start'. ipset -U :all: :all: ipset -U :all: :default: 
@@ -291,7 +291,6 @@ None. (/var/lib/shorewall-lite) but may be modified by /etc/shorewall/vardir (/etc/shorewall-lite/vardir). - b) During 'start', 'restart' and 'restore' processing, Shorewall will then attempt to create an ipset named _ for each zone/interface pair that has been specified as @@ -324,11 +323,7 @@ None. error message is generated and the state of the firewall is not changed. -7) Shorewall will now attempt to detect a dynamic gateway by reading - the dhclient lease file for the interface - (/var/run/dhcp/dhclient-.lease). - -8) To improve readability of the configuration files, Shorewall now +7) To improve readability of the configuration files, Shorewall now allows leading white space in continuation lines when the continued line ends in ":" or ",". @@ -346,12 +341,12 @@ None. address is ignored so the SOURCE column effectively contains "net:206.124.146.177,206.124.147.178,206.124.146.180". -9) The generated script now uses iptables[6]-restore to instantiate +8) The generated script now uses iptables[6]-restore to instantiate the Netfilter ruleset during processing of the 'stop' command. As a consequence, the 'critical' option in /etc/shorewall/route_stopped is no longer needed and will result in a warning. -10) A new AUTOMAKE option has been added to shorewall.conf and +9) A new AUTOMAKE option has been added to shorewall.conf and shorewall6.conf. When set to 'Yes', this option causes new behavior during processing of the 'start' and 'restart' commands; if no files in /etc/shorewall/ (/etc/shorewall6) have changed since the last 
@@ -366,7 +361,7 @@ None. Note that the 'make' utility must be installed on the firewall system in order for AUTOMAKE=Yes to work correctly. -11) The 'compile' command now allows you to omit the . When +10) The 'compile' command now allows you to omit the . When you do that, the defaults to /var/lib/shorewall/firewall (/var/lib/shorewall6/firewall) unless you have overridden VARDIR using /etc/shorewall/vardir (/etc/shorewall6/vardir). @@ -386,7 +381,7 @@ None. In other words, you can compile the current configuration then install it at a later time. -12) Thanks to I. Buijs, it is now possible to rate-limit connections by +11) Thanks to I. Buijs, it is now possible to rate-limit connections by source IP or destination IP. The LIMIT:BURST column in /etc/shorewall/policy (/etc/shorewall6/policy) and the RATE LIMIT column /etc/shorewall/rules (/etc/shorewall6/rules) have been @@ -415,7 +410,7 @@ None. ACCEPT net fw tcp 25,587 - - s:mail:3/min -13) Rules that specify a log level with a target other than LOG or NFLOG +12) Rules that specify a log level with a target other than LOG or NFLOG are now implemented through a separate chain. While this may increase the processing cost slightly for packets that match these rules, it is expected to reduce the overall cost of such rules because each 
@@ -446,15 +441,16 @@ None. Notice that now there is only a single rule generated in the 'loc2net' chain where before there were two. Packets for other than + TCP port 25 had to be processed by both rules. Notice also that the new LOG rule reflects the original action ("REJECT") rather than what Shorewall maps that to ("reject"). -14) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and +13) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and hence will now start successfully when running on that kernel. -15) Three new options (IP, TC and IPSET) have been added to +14) Three new options (IP, TC and IPSET) have been added to shorewall.conf and shorwall6.conf. These options specify the name of the executable for the 'ip', 'tc' and 'ipset' utilities respectively. @@ -468,7 +464,7 @@ None. In other words, the utilities will be located via the current PATH setting. -16) There has been a desire in the user community to limit traffic by +15) There has been a desire in the user community to limit traffic by IP address using Shorewall traffic shaping. Heretofore, that has required a very inefficient process: @@ -609,7 +605,7 @@ None. column) must be >= 65536 (0x10000) and must be a multiple of 65536 (0x1000, 0x20000, 0x30000, ...). -17) In the 'shorewall compile' command, the filename '-' now causes +16) In the 'shorewall compile' command, the filename '-' now causes the compiled script to be written to Standard Out. As a side effect, the effective VERBOSITY is set to -1 (silent). 
@@ -626,11 +622,11 @@ None. issued by /sbin/shorewall (/sbin/shorewall6) when a compilation begins. -18) Supplying an interface name in the SOURCE column of +17) Supplying an interface name in the SOURCE column of /etc/shorewall/masq is now deprecated. Entering the name of an interface there will result in a compile-time warning. -19) Shorewall now supports nested HTB traffic shaping classes. The +18) Shorewall now supports nested HTB traffic shaping classes. The nested classes within a class can borrow from their parent class in the same way as the first level classes can borrow from the root class. @@ -672,7 +668,7 @@ None. work system (172.20.1.107) is guarandeed the other half. -20) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing +19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing discipline has been added. HFSC is superior to the "Hierarchical Token Bucket" queuing discipline where realtime traffic such as VOIP is being used. @@ -716,10 +712,10 @@ None. OUT-BANDWIDTH. Maximum delay is 10ms. Maximum packet size is 1500 bytes. -21) Support for ipset bindings has been removed. Jozsef Kadlecsik has +20) Support for ipset bindings has been removed. Jozsef Kadlecsik has already removed such support from ipset itself. -22) Optional TOS and LENGTH fields have been added to the tcfilters +21) Optional TOS and LENGTH fields have been added to the tcfilters file. The TOS field may contain any of the following: 
@@ -738,10 +734,10 @@ None. inclusive. Packets with a total length that is strictly less that the specified value will match the rule. -23) Support for 'norfc1918' has been removed. See the Migration +22) Support for 'norfc1918' has been removed. See the Migration Considerations above. -22) A 'upnpclient' option has been added to +23) A 'upnpclient' option has been added to /etc/shorewall/interfaces. This option is intended for laptop users who always run Shorewall on their system yet need to run UPnP-enabled client apps such as Transmission (BitTorrent client). @@ -751,7 +747,7 @@ None. that, like all aspects of UPnP, this is a security hole so use this option at your own risk. -23) 'iptrace' and 'noiptrace' commands have been added to both +24) 'iptrace' and 'noiptrace' commands have been added to both /sbin/shorewall and /sbin/shorewall6. These are low-level debugging commands that cause @@ -778,10 +774,10 @@ None. shorewall noiptrace -d 206.124.146.176 -24) A USER/GROUP column has been added to /etc/shorewall/masq. The +25) A USER/GROUP column has been added to /etc/shorewall/masq. The column works similarly to USER/GROUP columns in other Shorewall configuration files. Only locally-generated traffic is matched. -25) A new extension script, 'lib.private' has been added. This file is +26) A new extension script, 'lib.private' has been added. This file is intended to include declarations of shell functions that will be called by the other run-time extension scripts.
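Review bot: the deletion of item 7 in hunk @@ -324,11 +323,7 @@ (detection of a dynamic gateway by reading the dhclient lease file) removes a documented feature from the release notes, which goes beyond the "Minor corrections" stated in the subject. The commit message should say whether the lease-file detection was withdrawn from the code or whether the note was simply wrong, so that readers diffing the notes between betas know which it is.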
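Review bot: hunk @@ -446,15 +441,16 @@ adds the missing continuation "TCP port 25 had to be processed by both rules." to the previously truncated sentence, but the context line two lines below the renumbered item 14 still reads "shorewall.conf and shorwall6.conf". Since this commit is specifically a typo pass over the release notes, change "shorwall6.conf" to "shorewall6.conf" in the same hunk.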
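Review bot: in hunk @@ -672,7 +668,7 @@ the context line "work system (172.20.1.107) is guarandeed the other half." carries the misspelling "guarandeed"; it should be "guaranteed", and it is one line away from the change being made, so it belongs in this correction.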
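Review bot: hunk @@ -738,10 +734,10 @@ leaves "Packets with a total length that is strictly less that the specified value" unchanged; "less that" should be "less than". The renumbering in this hunk (22 stays 22 for norfc1918, the second 22 becomes 23 for upnpclient) is the right fix for the duplicated 22/23 that the old notes had, and together with the following hunks the sequence now runs 7 through 26 with no gaps or repeats.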
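Review bot: hunk @@ -265,7 +265,7 @@ changes the host from www1.shorewall.net to www.shorewall.net; confirm that http://www.shorewall.net/ipsets.html#Dynamic resolves and that the "Dynamic" anchor exists on that page before merging, since a release note pointing at a dead link is worse than the old mirror hostname.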