Update release documents

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6472 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-06 16:02:53 +00:00
parent 173f63b00b
commit fa86a2dc39
2 changed files with 58 additions and 12 deletions

@ -8,6 +8,8 @@ Changes in 4.0.0 Beta 3
4) Clean up generation of user-exit jacket functions.
5) Add new bridge code.
Changes in 4.0.0 Beta 2
1) Fix screwup in get_routed_networks().
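Review bot: the "5) Add new bridge code." entry sits under the "Changes in 4.0.0 Beta 3" heading named in this hunk's header, while the release notes in the same commit are retitled to 4.0.0 Beta 4. If the bridge code ships in Beta 4, add a "Changes in 4.0.0 Beta 4" heading above the entry and restart the numbering there, so the changelog and the release notes agree on which release introduced the new bridging implementation.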

@ -1,4 +1,4 @@
Shorewall 4.0.0 Beta 3
Shorewall 4.0.0 Beta 4
----------------------------------------------------------------------------
R E L E A S E H I G H L I G H T S
----------------------------------------------------------------------------
@ -15,21 +15,65 @@ Shorewall 4.0.0 Beta 3
You must install Shorewall and at least one of the compiler packages
(you may install them both).
Problems corrected in 4.0.0 Beta 3.
Problems corrected in 4.0.0 Beta 4.
1) The 'Modules' output of the 'shorewall[-lite] dump command now
works correctly with 2.6.20 and later Kernels.
2) Setting FW in shorewall.conf to something other than 'fw' now works
again with IPSECFILE=ipsec.
3) Wildcard entries in /etc/shorewall/rules (those with 'all' in the
SOURCE and/or DEST column) were previously attempting to override
NONE policies, resulting in a compilation error.
1) Wildcard rules (with 'all' in the SOURCE and/or DEST columns)
attempt to override NONE policies with the result that the compile
phase fails (Shorewall-perl only).
Other changes in Shorewall 4.0.0 Beta 3.
None.
1) Shorewall-perl has a new implementation of bridging code that works
with kernels 2.6.20 and later. This new implementation may be used
where it is desired to control traffic through a bridge.
The new implementation includes the following features:
a) A new "Bridge Port" zone type is defined. Specify 'bport' or
'bport4' in the TYPE column of /etc/shorewall/zones.
Bridge Port zones must be a sub-zone of a regular ipv4 zone
that represents all hosts attached to the bridge.
b) A new 'bridge' option is defined for entries in
/etc/shorewall/interfaces. Bridges should have this option
specified if traffic through the bridge is to be controlled
with rules/policies.
c) Bridge ports must now be defined in
/etc/shorewall/interfaces. The INTERFACE column contains both
the bridge name and the port name separated by a colon (e.g.,
"br0:eth1"). No OPTIONS are allowed for bridge ports. The
bridge must be defined before its ports.
Bridge Port (BP) zones have a number of limitations:
a) Each BP zone may only be associated with ports on a single
bridge.
b) BP zones may not be associated with interfaces that are not
bridge ports.
c) You may not have policies or rules where the DEST is a BP zone
but the source is not a BP zone. If you need such rules, you
must use the BP zone's parent zone as the DEST.
Example (Bridge br0 with ports eth1 and tap0):
/etc/shorewall/zones:
fw firewall
net ipv4
loc ipv4
lan:loc bport
vpn:loc bport
/etc/shorewall/interfaces:
net eth0 - ...
loc br0 - ...
lan eth1
vpn tap0
Migration Considerations:
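Review bot: the /etc/shorewall/interfaces example at the end of this hunk does not follow the rules stated just above it. Item c) says a bridge port's INTERFACE column holds the bridge name and the port name separated by a colon (e.g., "br0:eth1"), yet the example lists the ports as "lan eth1" and "vpn tap0"; and the br0 line shows only "..." for its options, so the 'bridge' option required by item b) never appears. Suggest writing the ports as br0:eth1 and br0:tap0 and showing 'bridge' in the OPTIONS column of the br0 entry, since readers will copy this example when deciding which bridged traffic their rules and policies actually cover. Separately, the only "Other changes" heading visible in the hunk still reads "4.0.0 Beta 3" although the title and the "Problems corrected" heading now say Beta 4.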