Update for 2.1.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1526 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

LrpN/etc/shorewall/accounting

@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Accounting File
+# Shorewall version 2.1 - Accounting File
 #
 # /etc/shorewall/accounting
 #

LrpN/etc/shorewall/actions

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/actions
+# Shorewall 2.1 /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules 
 #	(/etc/shorewall/rules). You define the iptables rules to

LrpN/etc/shorewall/ecn

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - /etc/shorewall/ecn
+# Shorewall 2.1 - /etc/shorewall/ecn
 #
 #	Use this file to list the destinations for which you want to
 #	disable ECN.

LrpN/etc/shorewall/hosts

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - /etc/shorewall/hosts
+# Shorewall 2.1 - /etc/shorewall/hosts
 #
 #	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
 #	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@@ -124,5 +124,8 @@
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
+#			ipsec        - The zone is accessed over a
+#				       kernel 2.6 ipsec tunnel
+#
 #ZONE		HOST(S)				OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

LrpN/etc/shorewall/interfaces

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Interfaces File
+# Shorewall 2.1 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #

LrpN/etc/shorewall/maclist

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - MAC list file
+# Shorewall 2.1 - MAC list file
 #
 # /etc/shorewall/maclist
 #

LrpN/etc/shorewall/masq

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - Masquerade file
+# Shorewall 2.1 - Masquerade file
 #
 # /etc/shorewall/masq
 #
@@ -35,6 +35,10 @@
 #			+eth0:192.0.2.32/27
 #			+eth0:2
 #
+#		     This feature should only be required if you need to 
+#		     insert rules in this file that preempt entries in
+#		     /etc/shorewall/nat.
+#
 #	SUBNET -- Subnet that you wish to masquerade. You can specify this as
 #		  a subnet or as an interface. If you give the name of an
 #		  interface, you must have iproute installed and the interface

LrpN/etc/shorewall/nat

@@ -24,6 +24,10 @@
 #			see the alias with ifconfig. THAT IS THE ONLY THING
 #			THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
 #			ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
+#
+#			If you want to override ADD_IP_ALIASES=Yes for a
+#			particular entry, follow the interface name with
+#			":" and no digit (e.g., "eth0:").
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #       ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.
 #                       If No or no (or left empty) then NAT will be effective

LrpN/etc/shorewall/params

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/params
+# Shorewall 2.1 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #

LrpN/etc/shorewall/policy

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- Policy File
+# Shorewall 2.1 -- Policy File
 #
 # /etc/shorewall/policy
 #
@@ -82,8 +82,4 @@ net		all		DROP		ULOG
 # remove the comment from the following line.
 #fw             net             ACCEPT
 
-#
-# THE FOLLOWING POLICY MUST BE LAST
-#	
-all		all		REJECT		ULOG
 #LAST LINE -- DO NOT REMOVE

LrpN/etc/shorewall/proxyarp

@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0 -- Proxy ARP
+# Shorewall 2.1 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #

LrpN/etc/shorewall/routestopped

@@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.0 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 2.1 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #

LrpN/etc/shorewall/rules

@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Rules File
+# Shorewall version 2.1 - Rules File
 #
 # /etc/shorewall/rules
 #
@@ -72,6 +72,20 @@
 #			DNAT:debug). This causes the packet to be
 #			logged at the specified level.
 #
+#			If the ACTION names an action devined in
+#			/etc/shorewall/actions or in
+#			/usr/share/shorewall/actions.std then:
+#
+#			- If the log level is followed by "!' then all rules
+#			  in the action are logged at the log level.
+#
+#			- If the log level is not followed by "!" then only
+#			  those rules in the action that do not specify 
+#			  logging are logged at the specified level.
+#
+#			- The special log level 'none!' suppresses logging
+#			  by the action.
+#
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
@@ -310,7 +324,6 @@
 ####################################################################################################
 #ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE		USER/
 #                       	        	PORT    PORT(S)    DEST		LIMIT		GROUP
-#                                               PORT    PORT(S)    DEST         LIMIT
 #      Accept DNS connections from the firewall to the network
 #
 ACCEPT          fw              net             tcp     53

LrpN/etc/shorewall/shorewall.conf

@@ -1,5 +1,5 @@
 ##############################################################################
-#  /etc/shorewall/shorewall.conf V2.0 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V2.1 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@@ -7,6 +7,14 @@
 #  This file should be placed in /etc/shorewall
 #
 #  (c) 1999,2000,2001,2002,2003,2004 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+#                      S T A R T U P   E N A B L E D
+##############################################################################
+# Once you have configured Shorewall, you may change the setting of
+# this variable to 'Yes'
+
+STARTUP_ENABLED=No
+
 ##############################################################################
 #                              L O G G I N G
 ##############################################################################

LrpN/etc/shorewall/start

@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/start
+# Shorewall 2.1 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.

LrpN/etc/shorewall/stop

@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/stop
+# Shorewall 2.1 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.

LrpN/etc/shorewall/stopped

@@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.0 -- /etc/shorewall/stopped
+# Shorewall 2.1 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.

LrpN/etc/shorewall/tcrules

@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.0 - Traffic Control Rules File
+# Shorewall version 2.1 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #

LrpN/etc/shorewall/tos

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 -- /etc/shorewall/tos
+# Shorewall 2.1 -- /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
@@ -43,10 +43,4 @@
 #
 ##############################################################################
 #SOURCE DEST		PROTOCOL	SOURCE PORTS	DEST PORTS	TOS
-all	all		tcp		-		ssh		16
-all	all		tcp		ssh		-		16
-all	all		tcp		-		ftp		16
-all	all		tcp		ftp		-		16
-all	all		tcp		ftp-data	-		8
-all	all		tcp		-		ftp-data	8
 #LAST LINE -- Add your entries above -- DO NOT REMOVE

LrpN/etc/shorewall/tunnels

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 - /etc/shorewall/tunnels
+# Shorewall 2.1 - /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #

LrpN/etc/shorewall/zones

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/zones
+# Shorewall 2.1 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #

LrpN/usr/share/shorewall/action.AllowAuth

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowAuth
+# Shorewall 2.1 /usr/share/shorewall/action.AllowAuth
 #
 #	This action accepts Auth (identd) traffic.
 #

LrpN/usr/share/shorewall/action.AllowDNS

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowDNS
+# Shorewall 2.1 /usr/share/shorewall/action.AllowDNS
 #
 #	This action accepts DNS traffic.
 #

LrpN/usr/share/shorewall/action.AllowFTP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowFTP
+# Shorewall 2.1 /usr/share/shorewall/action.AllowFTP
 #
 #	This action accepts FTP traffic. See
 #	http://www.shorewall.net/FTP.html for additional considerations.

LrpN/usr/share/shorewall/action.AllowIMAP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowIMAP
+# Shorewall 2.1 /usr/share/shorewall/action.AllowIMAP
 #
 #	This action accepts IMAP traffic (secure and insecure):
 #

LrpN/usr/share/shorewall/action.AllowNNTP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowNNTP
+# Shorewall 2.1 /usr/share/shorewall/action.AllowNNTP
 #
 #	This action accepts NNTP traffic (Usenet).
 #

LrpN/usr/share/shorewall/action.AllowNTP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowNTP
+# Shorewall 2.1 /usr/share/shorewall/action.AllowNTP
 #
 #	This action accepts NTP traffic (ntpd).
 #

LrpN/usr/share/shorewall/action.AllowPCA

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowPCA
+# Shorewall 2.1 /usr/share/shorewall/action.AllowPCA
 #
 #	This action accepts PCAnywere (tm)
 #

LrpN/usr/share/shorewall/action.AllowPOP3

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowPOP3
+# Shorewall 2.1 /usr/share/shorewall/action.AllowPOP3
 #
 #	This action accepts POP3 traffic (secure and insecure):
 #

LrpN/usr/share/shorewall/action.AllowPing

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowPing
+# Shorewall 2.1 /usr/share/shorewall/action.AllowPing
 #
 #	This action accepts 'ping' requests.
 #

LrpN/usr/share/shorewall/action.AllowRdate

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowRdate
+# Shorewall 2.1 /usr/share/shorewall/action.AllowRdate
 #
 #	This action accepts remote time retrieval (rdate).
 #

LrpN/usr/share/shorewall/action.AllowSMB

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSMB
+# Shorewall 2.1 /usr/share/shorewall/action.AllowSMB
 #
 #	Allow Microsoft SMB traffic. You need to invoke this action in
 #	both directions.

LrpN/usr/share/shorewall/action.AllowSMTP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSMTP
+# Shorewall 2.1 /usr/share/shorewall/action.AllowSMTP
 #
 #	This action accepts SMTP (email) traffic.
 #

LrpN/usr/share/shorewall/action.AllowSNMP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSNMP
+# Shorewall 2.1 /usr/share/shorewall/action.AllowSNMP
 #
 #	This action accepts SNMP traffic (including traps):
 #

LrpN/usr/share/shorewall/action.AllowSSH

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowSSH
+# Shorewall 2.1 /usr/share/shorewall/action.AllowSSH
 #
 #	This action accepts secure shell (SSH) traffic.
 #

LrpN/usr/share/shorewall/action.AllowTelnet

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowTelnet
+# Shorewall 2.1 /usr/share/shorewall/action.AllowTelnet
 #
 #	This action accepts Telnet traffic. For traffic over the
 #	internet, telnet is inappropriate; use SSH instead

LrpN/usr/share/shorewall/action.AllowTrcrt

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowTrcrt
+# Shorewall 2.1 /usr/share/shorewall/action.AllowTrcrt
 #
 #	This action accepts Traceroute (for up to 20 hops):
 #

LrpN/usr/share/shorewall/action.AllowVNC

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+# Shorewall 2.1 /usr/share/shorewall/action.AllowVNC
 #
 #	This action accepts VNC traffic for VNC display's 0 - 9.
 #

LrpN/usr/share/shorewall/action.AllowVNCL

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowVNC
+# Shorewall 2.1 /usr/share/shorewall/action.AllowVNCL
 #
 #	This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
 #

LrpN/usr/share/shorewall/action.AllowWeb

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.AllowWeb
+# Shorewall 2.1 /usr/share/shorewall/action.AllowWeb
 #
 #	This action accepts WWW traffic (secure and insecure):
 #

LrpN/usr/share/shorewall/action.Drop

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.Drop
+# Shorewall 2.1 /usr/share/shorewall/action.Drop
 #
 #	The default DROP common rules
 #
@@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 DropSMB
 DropUPnP
 dropNotSyn

LrpN/usr/share/shorewall/action.DropDNSrep

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropDNSrep
+# Shorewall 2.1 /usr/share/shorewall/action.DropDNSrep
 #
 #	This action silently drops DNS UDP replies
 #

LrpN/usr/share/shorewall/action.DropPing

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropPing
+# Shorewall 2.1 /usr/share/shorewall/action.DropPing
 #
 #	This action silently drops 'ping' requests.
 #

LrpN/usr/share/shorewall/action.DropSMB

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropSMB
+# Shorewall 2.1 /usr/share/shorewall/action.DropSMB
 #
 #	This action silently drops Microsoft SMB traffic
 #

LrpN/usr/share/shorewall/action.DropUPnP

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.DropUPnP
+# Shorewall 2.1 /usr/share/shorewall/action.DropUPnP
 #
 #	This action silently drops UPnP probes on UDP port 1900
 #

LrpN/usr/share/shorewall/action.Reject

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.Reject
+# Shorewall 2.1 /usr/share/shorewall/action.Reject
 #
 #	The default REJECT action common rules
 #
@@ -8,6 +8,7 @@
 #                       	        	PORT    PORT(S)		LIMIT	GROUP
 RejectAuth
 dropBcast
+dropInvalid
 RejectSMB
 DropUPnP
 dropNotSyn

LrpN/usr/share/shorewall/action.RejectAuth

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.RejectAuth
+# Shorewall 2.1 /usr/share/shorewall/action.RejectAuth
 #
 #	This action silently rejects Auth (tcp 113) traffic
 #

LrpN/usr/share/shorewall/action.RejectSMB

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.RejectSMB
+# Shorewall 2.1 /usr/share/shorewall/action.RejectSMB
 #
 #	This action silently rejects Microsoft SMB traffic
 #

LrpN/usr/share/shorewall/action.template

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.0 /etc/shorewall/action.template
+# Shorewall 2.1 /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form 
 #	/etc/shorewall/action.<action-name> where <action> is an
@@ -37,6 +37,10 @@
 #			ACCEPT:debugging). This causes the packet to be
 #			logged at the specified level.
 #
+#			The special log level 'none' does not result in logging
+#			but rather exempts the rule from being overridden by a
+#			non-forcing log level when the action is invoked.
+#
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd

LrpN/usr/share/shorewall/functions

@@ -1,6 +1,17 @@
 #!/bin/sh
 #
-# Shorewall 2.0 -- /usr/share/shorewall/functions
+# Shorewall 2.1 -- /usr/share/shorewall/functions
+
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
 
 #
 # Search a list looking for a match -- returns zero if a match found
@@ -377,7 +388,7 @@ mktempfile() {
 		> $1/shorewall-$$ && echo $1/shorewall-$$
 		;;
 	    *)
-		echo "   ERROR:Internal error in mktempfile"
+		echo "   ERROR:Internal error in mktempfile" >&2
 		;;
 	esac
     else
@@ -393,7 +404,7 @@ mktempfile() {
 		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 		;;
 	    *)
-		echo "   ERROR:Internal error in mktempfile"
+		echo "   ERROR:Internal error in mktempfile" >&2
 		;;
 	esac
     fi
@@ -417,7 +428,7 @@ mktempdir() {
 	    mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 	    ;;
 	*)
-	    echo "   ERROR:Internal error in mktempdir"
+	    echo "   ERROR:Internal error in mktempdir" >&2
 	    ;;
 	esac
 }	
@@ -680,6 +691,9 @@ chain_base() #$1 = interface
 	    *-*)
 		c="${c%-*}_${c##*-}"
 		;;
+	    *%*)
+		c="${c%\%*}_${c##*%}"
+		;;
 	    *)
 		echo ${c:=common}
 		return
@@ -767,3 +781,11 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    ip -f inet addr show $1 | grep inet | sed 's/inet //;s/\/.*//;s/ peer.*//'
+}

LrpN/usr/share/shorewall/version

@@ -1 +1 @@
-2.1.1
+2.1.3