shorewall_code/New/releasenotes.txt

Shorewall 3.9.0

This release includes a complete rewrite of the compiler in Perl. 

The good news:

a) The compiler is small.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast.
d) Use of the perl compiler is optional! The old slow clunky
   Bourne-shell compiler is still there.

The bad news:

There are a number of incompatibilities between 3.9.0 using the
Perl-based compiler and earlier versions.

a) This version requires the following capabilities in your kernel
   and iptables. 

   - addrtype match
   - conntrack match
   - extended multiport match

   These capabilities are in current distributions.

b) BRIDGING=Yes is not supported. The kernel code necessary to
   support this option was removed in Linux kernel 2.6.20. 

c) The BROADCAST column in the interfaces file is essentailly unused;
   if you enter anything in this column but '-' or 'detect', you will
   receive a warning.

d) Because the compiler is now written in Perl, your compile-time
   extension scripts for earlier version will no longer work.

e) The 'refresh' command is now synonamous with 'restart'.

f) Some run-time extension scripts are no longer supported because they
   make no sense (iptables-restore instantiates the new configuration
   atomically).

	continue
	initdone
	continue
	refresh
	refreshed

g) Currently, support for ipsets is untested. That will change with
   future releases but one thing is certain -- Shorewall is now out of the
   ipset load/reload business. If the Netfilter ruleset is never cleared,
   then there is no opportunity for Shorewall to load/reload your
   ipsets.

   So:
	
	i)   Your ipsets must be loaded before Shorewall starts.
	
	ii)  Your ipsets may not be reloaded until Shorewall is stopped or
	     cleared.

	iii) If you specify ipsets in your routestopped file then
	     Shorewall must be cleared in order to reload your ipsets.