forked from extern/shorewall_code
Update release documents
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6472 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
173f63b00b
commit
fa86a2dc39
@ -8,6 +8,8 @@ Changes in 4.0.0 Beta 3
|
||||
|
||||
4) Clean up generation of user-exit jacket functions.
|
||||
|
||||
5) Add new bridge code.
|
||||
|
||||
Changes in 4.0.0 Beta 2
|
||||
|
||||
1) Fix screwup in get_routed_networks().
|
||||
|
@ -1,4 +1,4 @@
|
||||
Shorewall 4.0.0 Beta 3
|
||||
Shorewall 4.0.0 Beta 4
|
||||
----------------------------------------------------------------------------
|
||||
R E L E A S E H I G H L I G H T S
|
||||
----------------------------------------------------------------------------
|
||||
@ -15,21 +15,65 @@ Shorewall 4.0.0 Beta 3
|
||||
You must install Shorewall and at least one of the compiler packages
|
||||
(you may install them both).
|
||||
|
||||
Problems corrected in 4.0.0 Beta 3.
|
||||
Problems corrected in 4.0.0 Beta 4.
|
||||
|
||||
1) The 'Modules' output of the 'shorewall[-lite] dump command now
|
||||
works correctly with 2.6.20 and later Kernels.
|
||||
|
||||
2) Setting FW in shorewall.conf to something other than 'fw' now works
|
||||
again with IPSECFILE=ipsec.
|
||||
|
||||
3) Wildcard entries in /etc/shorewall/rules (those with 'all' in the
|
||||
SOURCE and/or DEST column) were previously attempting to override
|
||||
NONE policies, resulting in a compilation error.
|
||||
1) Wildcard rules (with 'all' in the SOURCE and/or DEST columns)
|
||||
attempt to override NONE policies with the result that the compile
|
||||
phase fails (Shorewall-perl only).
|
||||
|
||||
Other changes in Shorewall 4.0.0 Beta 3.
|
||||
|
||||
None.
|
||||
1) Shorewall-perl has a new implementation of bridging code that works
|
||||
with kernels 2.6.20 and later. This new implementation may be used
|
||||
where it is desired to control traffic through a bridge.
|
||||
|
||||
The new implementation includes the following features:
|
||||
|
||||
a) A new "Bridge Port" zone type is defined. Specify 'bport' or
|
||||
'bport4' in the TYPE column of /etc/shorewall/zones.
|
||||
|
||||
Bridge Port zones must be a sub-zone of a regular ipv4 zone
|
||||
that represents all hosts attached to the bridge.
|
||||
|
||||
b) A new 'bridge' option is defined for entries in
|
||||
/etc/shorewall/interfaces. Bridges should have this option
|
||||
specified if traffic through the bridge is to be controlled
|
||||
with rules/policies.
|
||||
|
||||
c) Bridge ports must now be defined in
|
||||
/etc/shorewall/interfaces. The INTERFACE column contains both
|
||||
the bridge name and the port name separated by a colon (e.g.,
|
||||
"br0:eth1"). No OPTIONS are allowed for bridge ports. The
|
||||
bridge must be defined before its ports.
|
||||
|
||||
Bridge Port (BP) zones have a number of limitations:
|
||||
|
||||
a) Each BP zone may only be associated with ports on a single
|
||||
bridge.
|
||||
|
||||
b) BP zones may not be associated with interfaces that are not
|
||||
bridge ports.
|
||||
|
||||
c) You may not have policies or rules where the DEST is a BP zone
|
||||
but the source is not a BP zone. If you need such rules, you
|
||||
must use the BP zone's parent zone as the DEST.
|
||||
|
||||
Example (Bridge br0 with ports eth1 and tap0):
|
||||
|
||||
/etc/shorewall/zones:
|
||||
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
lan:loc bport
|
||||
vpn:loc bport
|
||||
|
||||
/etc/shorewall/interfaces:
|
||||
|
||||
net eth0 - ...
|
||||
loc br0 - ...
|
||||
lan eth1
|
||||
vpn tap0
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user