forked from extern/shorewall_code
Add FAQ 77 issue to upgrade issues
parent b9fb023208
commit f9c920dc87
@ -4,7 +4,7 @@
|
|||||||
<!-- $Id$ -->
|
<!-- $Id$ -->
|
||||||
<article id="upgrade_issues">
|
<article id="upgrade_issues">
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>ss rUpgrade Issues</title>
|
<title>Upgrade Issues</title>
|
||||||
|
|
||||||
<author>
|
<author>
|
||||||
<firstname>Tom</firstname>
|
<firstname>Tom</firstname>
|
||||||
@ -77,11 +77,67 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Versions >= 4.3.5</title>
|
<title>Versions >= 4.3.5</title>
|
||||||
|
|
||||||
<para>If you are using Shorewall-perl, there are no additional upgrade
|
<orderedlist>
|
||||||
issues. If you are using Shorewall-shell or are upgrading from a Shorewall
|
<listitem>
|
||||||
version earlier than 4.0.0 then you will need to <ulink
|
<para>If you are using Shorewall-perl, there are no additional upgrade
|
||||||
url="Shorewall-perl.html">migrate to Shorewall-perl</ulink>.
|
issues. If you are using Shorewall-shell or are upgrading from a
|
||||||
Shorewall-4.3.5 and later only use the perl-based compiler.</para>
|
Shorewall version earlier than 4.0.0 then you will need to <ulink
|
||||||
|
url="Shorewall-perl.html">migrate to Shorewall-perl</ulink>.
|
||||||
|
Shorewall-4.3.5 and later only use the perl-based compiler.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The <command>shorewall stop</command>, <command>shorewall
|
||||||
|
clear</command>, <command>shorewall6 stop</command> and
|
||||||
|
<command>shorewall6 clear</command> commands no longer read the
|
||||||
|
<filename>routestopped</filename> file. The
|
||||||
|
<filename>routestopped</filename> file used is the one that was
|
||||||
|
present at the last <command>start</command>,
|
||||||
|
<command>restart</command> or <command>restore</command> command.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>The old macro parameter syntax (e.g., SSH/ACCEPT) is now
|
||||||
|
deprecated in favor of the new syntax (e.g., SSH(ACCEPT)). The 4.3
|
||||||
|
documentation uses the new syntax exclusively, although the old syntax
|
||||||
|
continues to be supported. </para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Support for the SAME target in /etc/shorewall/masq and
|
||||||
|
/etc/shorewall/rules has been removed, following the removal of the
|
||||||
|
underlying support in the Linux kernel. </para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Supplying an interface name in the SOURCE column of
|
||||||
|
/etc/shorewall/masq is now deprecated. Entering the name of an
|
||||||
|
interface there will result in a compile-time warning:</para>
|
||||||
|
|
||||||
|
<para>WARNING: Using an interface as the masq SOURCE requires the
|
||||||
|
interface to be up and configured when Shorewall
|
||||||
|
starts/restarts</para>
|
||||||
|
|
||||||
|
<para>To avoid this warning, replace interface names by the
|
||||||
|
corresponding network addresses (e.g., 192.168.144.0/24). </para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para> Previously, Shorewall has treated traffic shaping class IDs as
|
||||||
|
decimal numbers (or pairs of decimal numbers). That worked fine until
|
||||||
|
IPMARK was implemented. IPMARK requires Shorewall to generate class
|
||||||
|
Ids in numeric sequence. In 4.3.9, that didn't work correctly because
|
||||||
|
Shorewall was generating the sequence "..8,9,10,11..." when the
|
||||||
|
correct sequence was "...8,9,a,b,...". Shorewall now treats class IDs
|
||||||
|
as hex, like 'tc' and 'iptables' do.</para>
|
||||||
|
|
||||||
|
<para>This should only be an issue if you have more than 9 interfaces
|
||||||
|
defined in <filename>/etc/shorewall/tcdevices</filename> and if you
|
||||||
|
use class IDs in <filename>/etc/shorewall/tcrules</filename>. You will
|
||||||
|
need to renumber the class IDs for devices 10 and greater. </para>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
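Review bot: The five new list items in the "Versions >= 4.3.5" section (routestopped, macro parameter syntax, SAME target, masq SOURCE, hex class IDs) are unrelated to the commit subject "Add FAQ 77 issue to upgrade issues"; split them into their own commit or widen the subject so the change can be found in history. In the routestopped item, state outright that edits to routestopped take effect only at the next start, restart or restore, because an administrator who edits the file and then runs "shorewall stop" still gets the stopped-state rules from the earlier copy. The compiler warning in the masq item is program output and belongs in a programlisting rather than a para. A few items also carry stray whitespace ("<para> Previously", "supported. </para>"), and the spelling alternates between "class Ids" and "class IDs".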
@ -175,7 +231,7 @@
|
|||||||
and you select replacement of shorewall.conf during upgrade to
|
and you select replacement of shorewall.conf during upgrade to
|
||||||
Shorewall 4.2, you will want to change IMPLICIT_CONTINUE back to 'Yes'
|
Shorewall 4.2, you will want to change IMPLICIT_CONTINUE back to 'Yes'
|
||||||
if you have nested zones that rely on IMPLICIT_CONTINUE=Yes for proper
|
if you have nested zones that rely on IMPLICIT_CONTINUE=Yes for proper
|
||||||
operation. </para>
|
operation.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
@ -266,6 +322,13 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
|
|||||||
tunnels. Tunnels that use AH (protocol 51) must specify
|
tunnels. Tunnels that use AH (protocol 51) must specify
|
||||||
<option>ipsec:ah</option> in the TYPE column.</para>
|
<option>ipsec:ah</option> in the TYPE column.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Users upgrading from Debian Etch (Shorewall 3.2.6) to Debian
|
||||||
|
Lenny (Shoreall 4.0.15) report finding an issue with VOIP (Asterisk)
|
||||||
|
traffic. See <ulink url="FAQ.htm#faq77">Shorewall FAQ 77</ulink> for
|
||||||
|
details.</para>
|
||||||
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
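Review bot: "Shoreall 4.0.15" in the added item is a typo for "Shorewall 4.0.15". The link target "FAQ.htm#faq77" uses a .htm extension while the other ulink touched by this commit points at "Shorewall-perl.html"; confirm that the FAQ target resolves in the built documentation. The item would also be more useful on its own if it named the symptom in a few words instead of only "an issue with VOIP (Asterisk) traffic", so readers can tell whether FAQ 77 applies before following the link.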