From: Tom E. <te...@sh...> - 2005-08-27 15:12:39
Because of the amount of change and the breadth of the change in the current 2.5 development branch, we have decided that when the code is released as a stable release, it will be called Shorewall 3.0.0. One of the changes in 3.0.0 is as follows (from the release notes):

9) In previous versions of Shorewall, the rules generated by entries in /etc/shorewall/tunnels preceded those rules generated by entries in /etc/shorewall/rules. Beginning with this release, the rules generated by entries in the tunnels file will appear *AFTER* the rules generated by the rules file. This may cause you problems if you have REJECT, DENY or CONTINUE rules in your rules file that would cause the tunnel transport packets to not reach the rules that ACCEPT them. See http://www.shorewall.net/VPNBasics.html for information on the rules generated by entries in the tunnels file.

As I'm sure that many of you are aware, I have been dissatisfied for some time with the notion of the tunnels file. I believe that it prevents users from understanding the basics of VPN handling in Netfilter and makes it harder for users to troubleshoot VPN problems. I wrote the article referred to in the above note to try to illustrate that there is nothing magic about the tunnels file and that it is perfectly possible to define VPN connections using the rules file alone.

Given that we're calling the new release "Shorewall 3", it seems like a good time to retire the tunnels file altogether. I can create a "shorewall convert" command (or some such) that will read the tunnels file and create a macro called "macro.tunnels" (for example). Existing users with entries in the tunnels file can then simply add one line to the front of their rules file to obtain the same behavior as in prior releases:

#ACTION SOURCE DEST ...
tunnels

My concern, as always, is that people upgrade blindly between releases then come whining to the mailing list or IRC channel when "it doesn't work".

Example: I just upgraded from Shorewall 1.0.4-RC2 to Shorewall 3.2.4 and now nothing works. Can someone help me?

Of course, usually the poster is clueless about what version they were running before the upgrade which makes it even more difficult. One idea I've had to try to slap them in the face ahead of time is to create a file named 0READ_THIS_BEFORE_UPGRADING_TO_THIS_RELEASE in the download directory (including at Sourceforge). I suspect that maybe one in 10 might bother to read it.

I welcome your input on this issue.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
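The ordering change in release note 9 is a first-match problem: a packet takes the action of the first rule it hits, so moving the tunnel ACCEPTs behind the user's REJECT/DROP/CONTINUE rules changes which rule wins. The following Python model is an added illustration and is not part of Tom's post or of Shorewall itself. It simulates a Shorewall-style zone-pair rule list under the 2.x order (tunnels first), the 3.0 order (rules file first), and the 3.0 order with the proposed "tunnels" macro invoked on the first line of the rules file. The tunnel rules used are an assumption modelled on what an IPsec tunnel needs (ESP and IKE on udp/500); the exact rules Shorewall generates are documented in the VPNBasics article linked above, and the CONTINUE handling is simplified to "stop rule processing and apply the policy".

```python
"""First-match model of the Shorewall 2.x -> 3.0 tunnels/rules ordering change.

Constructed example. Rules and packets are zone-pair matches on protocol and
destination port only; the tunnel rules are an assumption standing in for what
/etc/shorewall/tunnels generates for an ipsec entry, not Shorewall's exact output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Packet:
    src: str                    # source zone, e.g. "net"
    dst: str                    # destination zone, e.g. "fw"
    proto: str                  # "esp", "udp", "tcp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # ACCEPT, DROP, REJECT or CONTINUE
    src: str
    dst: str
    proto: str = "all"          # "all" matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.src == p.src and self.dst == p.dst
                and self.proto in ("all", p.proto)
                and self.dport in (None, p.dport))


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> str:
    """Return the action of the first matching rule, or the policy if none match.

    CONTINUE is simplified here: it ends rule processing for the zone pair
    and the packet falls through to the policy.
    """
    for r in chain:
        if r.matches(p):
            return policy if r.action == "CONTINUE" else r.action
    return policy


# Assumed stand-in for the rules the tunnels file would generate for an
# ipsec tunnel between the firewall ("fw") and the Internet zone ("net").
TUNNEL_RULES: List[Rule] = [
    Rule("ACCEPT", "net", "fw", "esp"),        # encrypted transport in
    Rule("ACCEPT", "net", "fw", "udp", 500),   # IKE negotiation in
    Rule("ACCEPT", "fw", "net", "esp"),        # encrypted transport out
    Rule("ACCEPT", "fw", "net", "udp", 500),   # IKE negotiation out
]

# Constructed rules-file content: the admin drops all UDP from the Internet
# to the firewall, which is exactly the kind of rule note 9 warns about.
USER_RULES: List[Rule] = [
    Rule("DROP", "net", "fw", "udp"),
    Rule("ACCEPT", "net", "fw", "tcp", 22),
]

# Hypothetical macro library: the "tunnels" macro the proposed
# "shorewall convert" command would write out.
MACROS: Dict[str, List[Rule]] = {"tunnels": TUNNEL_RULES}

# Sample inbound tunnel packets (constructed).
IKE = Packet("net", "fw", "udp", 500)
ESP = Packet("net", "fw", "esp")


def expand(rules_file: List[Union[Rule, str]]) -> List[Rule]:
    """Expand macro invocations (given as names) in rules-file order."""
    chain: List[Rule] = []
    for entry in rules_file:
        chain.extend(MACROS[entry] if isinstance(entry, str) else [entry])
    return chain


def chain_2x() -> List[Rule]:
    """Pre-3.0 order: tunnels-file rules precede the rules file."""
    return TUNNEL_RULES + USER_RULES


def chain_3x() -> List[Rule]:
    """3.0 order: rules file first, tunnels-file rules after it."""
    return USER_RULES + TUNNEL_RULES


def chain_3x_with_macro() -> List[Rule]:
    """3.0 with the tunnels file retired and 'tunnels' invoked on line one."""
    return expand(["tunnels"] + USER_RULES)


def verdicts(chain: List[Rule]) -> Dict[str, str]:
    """Verdict for the two inbound tunnel packets under a given rule order."""
    return {"ike": evaluate(chain, IKE), "esp": evaluate(chain, ESP)}


if __name__ == "__main__":
    for name, chain in (("2.x order", chain_2x()),
                        ("3.0 order", chain_3x()),
                        ("3.0 + macro", chain_3x_with_macro())):
        print(f"{name:12s} {verdicts(chain)}")
```

Under the 2.x order both packets are accepted; under the 3.0 order the blanket UDP drop now precedes the IKE accept, so the tunnel never negotiates even though ESP itself would still pass. Prepending the "tunnels" macro restores the old result, which is the one-line fix the post proposes.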