doc/userguide: upgrade notes for Lua

- Sandboxed Lua for rules
- Search path changes for Lua output scripts

doc/userguide/output/lua-output.rst

@@ -75,6 +75,8 @@ Example:
       file:close(file)
   end
 
+.. _lua-output-yaml:
+
 YAML
 ----
 
@@ -87,6 +89,15 @@ scripts like so:
     - lua:
         enabled: yes
         scripts-dir: /etc/suricata/lua-output/
+
+        # By default the Lua module search paths are empty. If you plan
+        # to use external modules these paths will need to be set. The
+        # examples below are likely suitable for finding modules
+        # installed with a package manager on a 64 bit Linux system, but
+        # may need tweaking.
+        #path: "/usr/share/lua/5.4/?.lua;/usr/share/lua/5.4/?/init.lua;/usr/lib64/lua/5.4/?.lua;/usr/lib64/lua/5.4/?/init.lua;./?.lua;./?/init.lua"
+        #cpath: "/usr/lib64/lua/5.4/?.so;/usr/lib64/lua/5.4/loadall.so;./?.so"
+
         scripts:
           - tcp-data.lua
           - flow.lua

doc/userguide/upgrade.rst

@@ -89,6 +89,12 @@ Major changes
   Suricata 8.0, ``stream.checksum-validation`` no longer affects the checksum rule keywords.
   E.g., ``ipv4-csum: valid`` will only match if the check sum is valid, even when engine
   checksum validations are disabled.
+- Lua detection scripts (rules) now run in a sandboxed
+  environment. See :ref:`lua-detection`.
+- Lua output scripts have no default module search path, a search path
+  will need to be set before external modules can be loaded. See the
+  new default configuration file or :ref:`lua-output-yaml` for more
+  details.
 
 Removals
 ~~~~~~~~