Merge branch '5.1.12'

# Conflicts:
#	Shorewall/Perl/Shorewall/Config.pm

Shorewall/Macros/macro.Apcupsd

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Apcupsd
+#
+# This macro handles apcupsd traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	3551

Shorewall/Macros/macro.FreeIPA

@@ -0,0 +1,16 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.FreeIPA
+#
+# This macro handles FreeIPA server traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+DNS
+HTTP
+HTTPS
+Kerberos
+Kpasswd
+LDAP
+LDAPS
+NTP

Shorewall/Macros/macro.IPMI

@@ -11,14 +11,20 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	3520		# Remote Console (Redfish)
+PARAM	-	-	tcp	8889		# WS-MAN
-PARAM	-	-	udp	623		# RMCP
 HTTP
-HTTPS
-SNMP
-SSH						# Serial over Lan
 Telnet
+SNMP
+
+# TLS/secure ports
+PARAM	-	-	tcp	3520		# Remote Console (Redfish)
+PARAM	-	-	tcp	3669		# Virtual Media (Dell)
+PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
+PARAM	-	-	tcp	7582		# Remote Console (AMI)
+HTTPS
+SSH						# Serial over Lan

Shorewall/Macros/macro.Kpasswd

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Kpasswd
+#
+# This macro handles Kerberos "passwd" traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	464
+PARAM	-	-	udp	464

Shorewall/Macros/macro.RedisSecure

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.RedisSecure
+#
+# This macro handles Redis Secure (SSL/TLS) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	6380

Shorewall/Macros/macro.Rwhois

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.Rwhois
+#
+# This macro handles Remote Who Is (rwhois) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	4321

Shorewall/Macros/macro.SSDP

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.SSDP
+#
+# This macro handles SSDP (used by DLNA/UPnP) client traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	1900

Shorewall/Macros/macro.SSDPserver

@@ -0,0 +1,10 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.SSDPserver
+#
+# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	1900
+PARAM	DEST	SOURCE	udp	-	1900

Shorewall/Perl/Shorewall/Config.pm

@@ -834,7 +834,7 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.1.12-Beta2",
+		    VERSION                 => "5.1.12",
 		    CAPVERSION              => 50112 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -2412,6 +2412,10 @@ sub split_line2( $$;$$$ ) {
 	    fatal_error "Only one set of double semicolons (';;') allowed on a line" if defined $rest;
 
 	    $currline = $columns;
+	    #
+	    # Remove trailing white space
+	    #
+	    $currline =~ s/\s*$//;
 
 	    $inline_matches = $pairs;
 	    #

Shorewall/Samples/Universal/shorewall.conf

@@ -183,7 +183,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall/Samples/one-interface/shorewall.conf

@@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -191,7 +191,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -194,7 +194,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -171,7 +171,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -170,7 +170,7 @@ IGNOREUNKNOWNVARIABLES=No
 
 IMPLICIT_CONTINUE=No
 
-INLINE_MATCHES=Yes
+INLINE_MATCHES=No
 
 IPSET_WARNINGS=Yes
 

docs/IPSEC-2.6.xml

@@ -107,7 +107,7 @@
     requires an appropriate SA to exist. SAs may be created manually using
     <command>setkey</command>(8) but most often, they are created by a
     cooperative process involving the ISAKMP protocol and a daemon included in
-    your IPSEC package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
+    your IPsec package (StrongSwan, LibreSwan, ipsec-tools/Racoon, etc.) .
     Incoming traffic is verified against the SPD to ensure that no unencrypted
     traffic is accepted in violation of the administrator's policies.</para>
 
@@ -227,7 +227,7 @@
 
     <important>
       <para>This article provides guidance regarding configuring Shorewall to
-      use with IPSEC. For configuring IPSEC itself, consult your IPSEC
+      use with IPsec. For configuring IPsec itself, consult your IPsec
       product's documentation.</para>
     </important>
   </section>
@@ -681,4 +681,75 @@ ipip                    <emphasis role="bold">vpn</emphasis>     0.0.0.0/0</prog
       the INPUT chain.</para>
     </important>
   </section>
+
+  <section>
+    <title>Using SNAT to Force Traffic over an IPsec Tunnel</title>
+
+    <para>Cases can arise where you need to use an IPsec tunnel to access a
+    remote network, but you have no control over the associated security
+    polices. In such cases, the resulting tunnel is accessible from your
+    firewall but not from your local networks.</para>
+
+    <para>Let's take an example:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Remote gateway 192.0.2.26</para>
+      </listitem>
+
+      <listitem>
+        <para>Remote subnet 172.22.4.0/24</para>
+      </listitem>
+
+      <listitem>
+        <para>Your public IP address is 192.0.2.199</para>
+      </listitem>
+
+      <listitem>
+        <para>Your Internet-facing interface is eth0</para>
+      </listitem>
+
+      <listitem>
+        <para>Your local network is 192.168.219.0/24</para>
+      </listitem>
+
+      <listitem>
+        <para>You want to access 172.22.4.0/24 from 192.168.219.0/24</para>
+      </listitem>
+
+      <listitem>
+        <para>The IPsec tunnel is configured between 172.22.4.0/24 and
+        192.0.2.199</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>You need to configure as follows.</para>
+
+    <para>/etc/shorewall/zones:</para>
+
+    <programlisting>#ZONE        TYPE       OPTIONS
+...
+vpn          ip         # Note that the zone <emphasis role="bold">cannot</emphasis> be declared as type ipsec
+...</programlisting>
+
+    <para>/etc/shorewall/interfaces:</para>
+
+    <programlisting>#ZONE         INTERFACE                 OPTIONS
+net           eth0                      nets=(!172.22.4.0/24),...   # You must exclude the remote network from the net zone</programlisting>
+
+    <para>/etc/shorewall/hosts:</para>
+
+    <programlisting>#ZONE         HOSTS                     OPTIONS
+vpn           eth0:172.22.4.0/24        mss=1380,destonly
+vpn           eth0:0.0.0.0/0            mss=1380,ipsec</programlisting>
+
+    <para>/etc/shorewall/snat:</para>
+
+    <programlisting>SNAT(192.0.2.199)    192.168.219.0/24      eth0:172.22.4.0/24</programlisting>
+
+    <para>/etc/shorewall/tunnels:</para>
+
+    <programlisting>#TYPE            ZONE      GATEWAY            GATEWAY_ZONE
+ipsec            net       192.0.2.26         vpn</programlisting>
+  </section>
 </article>

docs/MultiISP.xml

@@ -1233,7 +1233,7 @@ gateway:~ #</programlisting>
         those clients. See<link linkend="Openvpn"> Example 2</link>
         below.</para>
 
-        <para>If you have an IPSEC gateway on your firewall, be sure to
+        <para>If you have an IPsec gateway on your firewall, be sure to
         arrange for ESP packets to be routed out of the same interface that
         you have configured your keying daemon to use.</para>
       </section>

docs/SharedConfig.xml

@@ -1021,7 +1021,7 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
     <section>
       <title>tunnels</title>
 
-      <para>Both address families define IPSEC tunnels:</para>
+      <para>Both address families define IPsec tunnels:</para>
 
       <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
 ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }

docs/VPN.xml

@@ -43,7 +43,7 @@
 
     <para>It is often the case that a system behind the firewall needs to be
     able to access a remote network through Virtual Private Networking (VPN).
-    The two most common means for doing this are IPSEC and PPTP. The basic
+    The two most common means for doing this are IPsec and PPTP. The basic
     setup is shown in the following diagram:</para>
 
     <graphic fileref="images/VPN.png"/>
@@ -60,8 +60,8 @@
     modules file, Shorewall (Lite) will attempt to load these modules when
     Shorewall (Lite) is started.</para>
 
-    <para>If IPSEC is being used, you should configure IPSEC to use
+    <para>If IPsec is being used, you should configure IPsec to use
-    <firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPSEC
+    <firstterm>NAT Traversal</firstterm> -- Under NAT traversal the IPsec
     packets (protocol 50 or 51) are encapsulated in UDP packets (normally with
     destination port 4500). Additionally, <firstterm>keep-alive
     messages</firstterm> are sent frequently so that NATing gateways between
@@ -69,10 +69,10 @@
     way that I connect to the HP Intranet and it works flawlessly without
     anything in Shorewall other than my ACCEPT loc-&gt;net policy. NAT
     traversal is available as a patch for Windows 2K and is a standard feature
-    of Windows XP -- simply select "L2TP IPSec VPN" from the "Type of VPN"
+    of Windows XP -- simply select "L2TP IPsec VPN" from the "Type of VPN"
     pulldown.</para>
 
-    <para>Alternatively, if you have an IPSEC gateway behind your firewall
+    <para>Alternatively, if you have an IPsec gateway behind your firewall
     then you can try the following: only one system may connect to the remote
     gateway and there are firewall configuration requirements as
     follows:</para>

docs/bridge-Shorewall-perl.xml

@@ -508,7 +508,7 @@ rc-update add bridge boot
     packet arrived on and/or the bridge port that a packet will be sent over.
     The latter has proved to be problematic because it requires that the
     evaluation of rules be deferred until the destination bridge port is
-    known. This deferral has the unfortunate side effect that it makes IPSEC
+    known. This deferral has the unfortunate side effect that it makes IPsec
     Netfilter filtration incompatible with bridges. To work around this
     problem, in kernel version 2.6.20 the Netfilter developers decided to
     remove the deferred processing in two cases:</para>

docs/configuration_file_basics.xml

@@ -854,6 +854,12 @@ INLINE               net              $FW ; -m recent --rcheck 10 --hitcount 5 -
           semicolons (";;"). If alternate input is present, the adjacent
           semicolons should follow that input.</para>
 
+          <caution>
+            <para>INLINE_MATCHES=Yes is deprecated and will no longer be
+            supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
+            to introduce inline matches.</para>
+          </caution>
+
           <para>Example from the masq file that spits outgoing SNAT between
           two public IP addresses</para>
 

docs/ports.xml

@@ -242,7 +242,7 @@ IMAPS(ACCEPT)   &lt;source&gt;  &lt;destination&gt; # IMAP over SSL.</programlis
   </section>
 
   <section id="IPSEC">
-    <title>IPSEC</title>
+    <title>IPsec</title>
 
     <programlisting>#ACTION    SOURCE         DESTINATION      PROTO      DPORT
 ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis>    50     
@@ -252,8 +252,8 @@ ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</e
 ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         51
 ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         udp        500</programlisting>
 
-    <para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
+    <para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and
-    url="VPN.htm">here</ulink>.</para>
+    <ulink url="VPN.htm">here</ulink>.</para>
   </section>
 
   <section id="LDAP">

docs/shorewall_features.xml

@@ -176,7 +176,7 @@
 
         <itemizedlist>
           <listitem>
-            <para><ulink url="manpages/shorewall-tunnels.html">IPSEC, GRE,
+            <para><ulink url="manpages/shorewall-tunnels.html">IPsec, GRE,
             IPIP and OpenVPN Tunnels</ulink>.</para>
           </listitem>
 

docs/support.xml

@@ -277,7 +277,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
           </listitem>
 
           <listitem>
-            <para>If your problem has anything to do with IPSEC, be sure that
+            <para>If your problem has anything to do with IPsec, be sure that
             the ipsec-tools package is installed.</para>
           </listitem>