Merge branch 'master' of ssh://judas_iscariote@shorewall.git.sourceforge.net/gitroot/shorewall

2025-06-27 13:11:57 +02:00 · 2009-06-21 18:58:27 -04:00 · 2009-06-21 18:58:27 -04:00 · 1967f9cbb4
commit 1967f9cbb4
parent 9e246996ad 14d07265ee
25 changed files with 738 additions and 123 deletions
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -97,6 +97,9 @@ sub generate_script_1() {
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
    my $lib = find_file 'lib.private';
    copy1 $lib, emit "\n" if -f $lib;
    for my $exit qw/init isusable start tcclear started stop stopped clear refresh refreshed restored findgw/ {
 	emit "\nrun_${exit}_exit() {";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -79,6 +79,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 				       push_indent
 				       pop_indent
 				       copy
 				       copy1
 				       create_temp_aux_config
 				       finalize_aux_config
 				       set_shorewall_dir
@ -1088,6 +1089,8 @@ sub copy1( $ ) {
 	close IF;
    }
    $lastlineblank = 0;
 }
 #
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -115,7 +115,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@ -183,6 +183,7 @@ sub process_one_masq( )
    # Handle Mark
    #
    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
    $baserule .= do_user( $user )      if $user ne '-';
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -116,7 +116,15 @@ sub setup_route_marking() {
 	my $mark      = $providerref->{mark};
 	my $base      = uc chain_base $interface;
-	add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} ) {
 		add_command( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
 	    } else {
 		add_command( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	    }
 	    incr_cmd_level( $chainref );
 	}
 	unless ( $marked_interfaces{$interface} ) {
 	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
@ -391,22 +399,25 @@ sub add_a_provider( ) {
    my $realm = '';
-    if ( $optional && ! $shared ) {
+    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
-	start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+    
 	$provider_interfaces{$interface} = $table;
    }
    if ( $shared ) {
 	fatal_error "Interface $interface is associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
 	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
    } elsif ( $gatewaycase eq 'detect' ) {
 	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ) unless $optional;
    } else {
-	start_provider( $table, $number, "if interface_is_usable $interface; then" ) unless $optional;
+	if ( $optional ) {
 	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
 	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
 	} else {
 	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
 	}
 	$provider_interfaces{$interface} = $table;
 	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
-    }	
+    }
    if ( $mark ne '-' ) {
 	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
@ -800,7 +811,7 @@ sub handle_optional_interfaces() {
 	    if ( $provider ) {
 		#
-		# This is a provider -- get the provider table entry
+		# This interface is associated with a non-shared provider -- get the provider table entry
 		#
 		my $providerref = $providers{$provider};
@ -811,7 +822,7 @@ sub handle_optional_interfaces() {
 		}
 	    } else {
 		#
-		# Not a provider
+		# Not a provider interface
 		#
 		emit qq(if interface_is_usable $interface; then);
 	    }
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -14,6 +14,14 @@ Changes in Shorewall 4.4.0-Beta2
 5)  Add 'upnpclient' interface option.
 6)  Fix handling of optional interfaces.
 7)  Add 'iptrace' and 'noiptrace' command.
 8)  Add 'USER/GROUP' column to masq file.
 9)  Added lib.private.
 Changes in Shorewall 4.4.0-Beta1
 1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
--- a/Shorewall/configfiles/lib.private
+++ b/Shorewall/configfiles/lib.private
@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - lib.private File
 #
 # /etc/shorewall/lib.private
 #
 #	Use this file to declare shell functions to be called in the other
 #	run-time extension scripts. The file will be copied into the generated
 #       firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
 #
 ###############################################################################
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@ -7,5 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -576,6 +576,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
    echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
 fi
 #
 # Install the private library file
 #
 run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private
 if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
    run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
    echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
 fi
 #
 # Install the Started file
 #
 run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -149,6 +149,41 @@ None.
    that, like all aspects of UPnP, this is a security hole so use this
    option at your own risk.
 2)  'iptrace' and 'noiptrace' commands have been added to both
    /sbin/shorewall and /sbin/shorewall6.
    These are low-level debugging commands that cause
    iptables/ip6tables TRACE log messages to be generated. See 'man
    iptables' and 'man ip6tables' for details.
    The syntax for the commands is:
    	iptrace <iptables/ip6tables match expression>
    	noiptrace <iptables/ip6tables match expression>
    iptrace starts the trace; noiptrace turns it off.
    The  match expression must be an expression that is legal in both
    the raw table OUTPUT and PREROUTING chains.
    Examaple:
 	To trace all packets desinted for IP address 206.124.146.176:
 	   shorewall iptrace -d 206.124.146.176
 	To turn that trace off:
 	   shorewall noiptrace -d 206.124.146.176
 3)  A USER/GROUP column has been added to /etc/shorewall/masq. The
    column works similarly to USER/GROUP columns in other Shorewall
    configuration files. Only locally-generated traffic is matched.
 4)  A new extension script, 'lib.private' has been added. This file is
    intended to include declarations of shell functions that will be
    called by the other run-time extension scripts. 
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -1454,10 +1454,12 @@ usage() # $1 = exit status
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
    echo "   iptrace <iptables match expression>"
    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    echo "   noiptrace <iptables match expression>"
    echo "   refresh [ <chain>... ]"
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@ -2012,6 +2014,26 @@ case "$COMMAND" in
 	shift
 	safe_commands $@
 	;;
    iptrace)
 	get_config
 	shift
 	if shorewall_is_started ; then
 	    $IPTABLES -t raw -A PREROUTING $@ -j TRACE
 	    $IPTABLES -t raw -A OUTPUT $@ -j TRACE
 	else
 	    fatal_error "Shorewall is not started"
 	fi
 	;;	
     noiptrace)
 	get_config
 	shift
 	if shorewall_is_started ; then
 	    $IPTABLES -t raw -D PREROUTING $@ -j TRACE
 	    $IPTABLES -t raw -D OUTPUT $@ -j TRACE
 	else
 	    fatal_error "Shorewall is not started"
 	fi
 	;;	
    *)
 	usage 1
 	;;
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@ -1371,10 +1371,12 @@ usage() # $1 = exit status
    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"
    echo "   iptrace <ip6tables match expression>"
    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    echo "   noiptrace <ip6tables match expression>"
    echo "   refresh [ <chain>... ]"
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@ -1857,7 +1859,26 @@ case "$COMMAND" in
 	shift
 	safe_commands $@
 	;;
-    *)
+    iptrace)
 	get_config
 	shift
 	if shorewall_is_started ; then
 	    $IP6TABLES -t raw -A PREROUTING $@ -j TRACE
 	    $IP6TABLES -t raw -A OUTPUT $@ -j TRACE
 	else
 	    fatal_error "Shorewall6 is not started"
 	fi
 	;;	
     noiptrace)
 	get_config
 	shift
 	if shorewall_is_started ; then
 	    $IP6TABLES -t raw -D PREROUTING $@ -j TRACE
 	    $IP6TABLES -t raw -D OUTPUT $@ -j TRACE
 	else
 	    fatal_error "Shorewall6 is not started"
 	fi
 	;;	    *)
 	usage 1
 	;;
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -1321,9 +1321,10 @@ fi</programlisting></para>
        in the preceding section.</para>
        <para>Like many Open Source products, LSM is poorly documented. It's
-        main configuration file is normally kept in /etc/lsm/lsm.conf, but the
+        main configuration file is normally kept in
-        file's name is passed as an argument to the lsm program so you can
+        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
-        name it anything you want.</para>
+        as an argument to the lsm program so you can name it anything you
        want.</para>
        <para>The sample <filename>lsm.conf</filename> included with the
        product shows some of the possibilities for configuration. One feature
@ -1332,50 +1333,86 @@ fi</programlisting></para>
        configuration file.</para>
        <para>I personally use LSM here at shorewall.net (configuration is
-        described <link linkend="Complete">below</link>). Here are my relevant
+        described <link linkend="Complete">below</link>). I have set things up
-        configuration files:</para>
+        so that Shorewall [re]starts lsm during processing of the
        <command>start</command> and <command>restore</command> commands. I
        don't have Shorewall restart lsm during Shorewall
        <command>restart</command> because I restart Shorewall much more often
        than the average user is likely to do. I have Shorewall start lsm
        because I have a dynamic IP address from one of my providers
        (Comcast); Shorewall detects the default gateway to that provider and
        creates a secondary configuration file
        (<filename>/etc/lsm/shorewall.conf</filename>) that contains the link
        configurations. That file is included by
        <filename>/etc/lsm/lsm.conf</filename>.B</para>
        <para>Below are my relevant configuration files.</para>
        <warning>
          <para>These files only work with Shorewall-perl 4.4 Beta 2 and
          later.</para>
        </warning>
        <para><filename>/etc/shorewall/isusable</filename>:</para>
        <para>Note that <filename>/etc/lsm/script </filename>writes
        a<filename> ${VARDIR}/xxx.status</filename> file when the status of an
        interface changes.</para>
        <programlisting>local status=0
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)
 return $status</programlisting>
-        <para><filename>/etc/shorewall/started</filename>:</para>
+        <para><filename>/etc/shorewall/lib.private</filename>:</para>
        <programlisting>###############################################################################
-# My 'restored' script calls this one if there is no lsm process running
+# Create /etc/lsm/shorewall.conf
 # Remove the current interface status files
 # Start lsm
 ###############################################################################
-if [ "$COMMAND" = start -o "$COMMAND" = restore ]; then
+start_lsm() {
   killall lsm 2&gt; /dev/null
   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
 connection {
    name=Avvanta
    checkip=206.124.146.254
-    device=eth0
+    device=$EXT_IF
    ttl=2
 }
 connection {
    name=Comcast
-    checkip=$ETH3_GATEWAY
+    checkip=${ETH0_GATEWAY:-71.231.152.1}
-    device=eth3
+    device=$COM_IF
    ttl=1
 }
 EOF
-   rm -f ${VARDIR}/*.status
+   rm -f /etc/shorewall/*.status
   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
-fi</programlisting>
+}</programlisting>
        <para>eth3 has a dynamic IP address so I need to use the
-        Shorewall-detected gateway address ($ETH3_GATEWAY).</para>
+        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
        value in the event that detection fails.</para>
        <para><filename>/etc/shorewall/started</filename>:</para>
        <programlisting>##################################################################################
 # [re]start lsm if this is a 'start' command or if lsm isn't running
 ##################################################################################
 if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
    start_lsm
 fi</programlisting>
        <para><filename>/etc/shorewall/restored</filename>:</para>
-        <programlisting>if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
+        <programlisting>##################################################################################
-   run_started_exit
+# Start lsm if it isn't running
 ##################################################################################
 if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
   start_lsm
 fi</programlisting>
        <para><filename>/etc/lsm/lsm.conf</filename>:</para>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@ -51,7 +51,18 @@
    stored in the <emphasis>skb</emphasis> (socket buffer) structure used by
    the Linux kernel to track packets; the mark value is not part of the
    packet itself and cannot be seen with <command>tcpdump</command>,
-    <command>ethereal</command> or any other packet sniffing program.</para>
+    <command>ethereal</command> or any other packet sniffing program. They can
    be seen in an iptables/ip6tables trace -- see the
    <command>iptrace</command> command in <ulink
    url="manpages/shorewall.html">shorewal</ulink>(8) and <ulink
    url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
    <para>Example (output has been folded for display ):</para>
    <programlisting>[11692.096077] TRACE: mangle:tcout:return:3 IN= OUT=eth0 SRC=172.20.1.130
                                            DST=206.124.146.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64
                                            ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7212 SEQ=3 UID=0 
                                            GID=1000 <emphasis role="bold">MARK=0x10082</emphasis></programlisting>
    <para>Each active connection (even those that are not yet in ESTABLISHED
    state) has a mark value that is distinct from the packet marks. Connection
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@ -0,0 +1,189 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Shorewall Version 4</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2007</year>
      <year>2009</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section id="Intro">
    <title>Introduction</title>
    <para>Shorewall version 4.0 represented a substantial shift in direction
    for Shorewall. Up until then</para>
    <itemizedlist>
      <listitem>
        <para>Shorewall had been written entirely in Bourne Shell.</para>
      </listitem>
      <listitem>
        <para>Shorewall had run the <command>iptables</command> utility to add
        each Netfilter rule.</para>
      </listitem>
    </itemizedlist>
    <para>Shorewall version 4.0 offered you a choice. You could continue to
    use the existing shell-based implementation or you could use a new
    implementation of the Shorewall compiler written in the Perl programming
    language. The new compiler:</para>
    <itemizedlist>
      <listitem>
        <para>had a small disk footprint</para>
      </listitem>
      <listitem>
        <para>was very fast.</para>
      </listitem>
      <listitem>
        <para>generateed a firewall script that uses
        <command>iptables-restore</command>; so the script was very
        fast.</para>
      </listitem>
      <listitem>
        <para>generated better and more consistent error messages.</para>
      </listitem>
      <listitem>
        <para>did a much more thorough job of checking the configuration to
        avoid run-time errors.</para>
      </listitem>
      <listitem>
        <para>supported creating either Ipv4 or Ipv6 firewalls (Shorewall
        4.2.4 and later).</para>
      </listitem>
    </itemizedlist>
    <para><ulink url="Shorewall-perl.html#Install">Both compilers could be
    installed on your system</ulink> and you could <ulink
    url="Shorewall-perl.html#CompilerSelection">use whichever one suited you
    in a particular case</ulink>.</para>
  </section>
  <section id="Install">
    <title>Shorewall 4.4</title>
    <para>Shorewall 4.4 (currently in Beta testing) discontinues the
    availability of the legacy shell-based compiler. All users must migrate to
    the perl-based compiler before or during an upgrade to Shorewall version
    4.4. We highly recommend that current users of the shell-based compiler
    migrate before upgrading to 4.4 so that both compilers are available
    during the migration.</para>
    <para>Shorewall 4.4 contains four packages:</para>
    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">Shorewall</emphasis> - Everything needed
        to create an IPv4 firewall.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall-lite</emphasis>- Can run scripts
        generated by Shorewall on another system.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
        creating and operating an Ipv6 firewall. Requires Shorewall.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
        equivalent of Shorewall Lite. Can run scripts generated by Shoreall on
        another system.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section id="Prereqs">
    <title>Prerequisites for using the Shorewall Version 4.2/4.4 Perl-based
    Compiler</title>
    <itemizedlist>
      <listitem>
        <para>Perl (I use Perl 5.8.10 but other 5.8 versions should work
        fine). <note>
            <para>If you want to be able to use DNS names in your Shorewall6
            configuration files, then Perl 5.10 is required together with the
            Perl <emphasis role="bold">Socket6</emphasis> module.</para>
          </note></para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">Cwd</emphasis> Module</para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">File::Basename</emphasis>
        Module</para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">File::Temp</emphasis> Module</para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">Getopt::Long</emphasis> Module</para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">Carp</emphasis> Module</para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">FindBin</emphasis> Module</para>
      </listitem>
      <listitem>
        <para>Perl <emphasis role="bold">Scalar::Util </emphasis>Module</para>
      </listitem>
    </itemizedlist>
    <para>Please note that there are <ulink url="IPv6Support.html">additional
    requirements</ulink> if you plan to install and use Shorewall6.</para>
  </section>
  <section id="Incompatibilities">
    <title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
    Compiler</title>
    <para>The Shorewall Perl-based compiler is not 100% compatible with the
    Shorewall shell-based version. See <ulink url="Shorewall-perl.html">this
    document</ulink> for details.</para>
  </section>
 </article>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@ -108,9 +108,10 @@
        </listitem>
        <listitem>
-          <para>DYNAMIC_ZONES=Yes is not supported. <ulink
+          <para>DYNAMIC_ZONES=Yes is not supported in Shorewall-perl 4.2.
-          url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
+          <ulink url="ipsets.html#Dynamic">Use an ipset </ulink>to define your
-          dytnamic zones.</para>
+          dytnamic zones. In Shorewall 4.4, dynamic zone support based on
          ipsets was added to Shorewall.</para>
        </listitem>
        <listitem>
@ -534,6 +535,20 @@ DNAT-              net                loc:192.168.1.3  tcp          21</programl
          <para>you instead want:<programlisting>#ACTION            SOURCE             DEST             PROTO        DEST PORT(S)
 DNAT-              net                192.168.1.3      tcp          21</programlisting></para>
        </listitem>
        <listitem>
          <para>Supplying an interface name in the SOURCE column of
          /etc/shorewall/masq is deprecated as of Shorewall 4.4. Entering the
          name of an interface there will result in a compile-time
          warning:</para>
          <para>WARNING: Using an interface as the masq SOURCE requires the
          interface to be up and configured when Shorewall
          starts/restarts</para>
          <para>To avoid this warning, replace interface names by the
          corresponding network addresses (e.g., 192.168.144.0/24).</para>
        </listitem>
      </orderedlist>
    </section>
@ -545,10 +560,100 @@ DNAT-              net                192.168.1.3      tcp          21</programl
      environment. The best way to work around this limitation is to install
      Shorewall-perl on an administrative system and employ Shorewall-lite on
      your embedded systems. Shorewall-perl will run on Windows under <ulink
-      url="http://www.cygwin.com/">Cygwin</ulink>.</para>
+      url="http://www.cygwin.com/">Cygwin</ulink>. Install using the
      install.sh script.</para>
    </section>
  </section>
  <section id="Install">
    <title>Installing Shorewall Version 4.0 or 4.2</title>
    <para>Shorewall 4.2 contains six packages, four of which are also included
    in Shorewall 4.0:</para>
    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">Shorewall-shell</emphasis> - the old
        shell-based compiler and related components.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall-perl</emphasis> - the new
        Perl-based compiler.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall-common</emphasis> - the part of
        Shorewall common to both compilers.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall-lite</emphasis>- same as the 3.4
        version of Shorewall Lite. Can run scripts generated by either
        Shorewall-perl or Shorewall-shell.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall6</emphasis> - The utilities for
        creating and operating an Ipv6 firewall. Requires Shorewall-perl and
        Shorewall-common. Introduced in Shorewall 4.2.4.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">Shorewall6-lite</emphasis> - Ipv6
        equivalent of Shorewall Lite. Can run scripts generated by
        Shoreall-perl 4.2.4 and later.</para>
      </listitem>
    </itemizedlist>
    <para>If you upgrade to Shorewall Version 4.0 or 4.2, you must install
    Shorewall-shell and/or Shorewall-perl; in fact, if you are using the
    tarball for your installation, you must install Shorewall-shell and/or
    Shorewall-perl <emphasis role="bold">before</emphasis> you upgrade
    Shorewall. See the <ulink url="upgrade_issues.htm">upgrade issues</ulink>
    for details.</para>
  </section>
  <section id="CompilerSelection">
    <title>Compiler Selection (Shorewall 4.0-4.2)</title>
    <para>If you only install one compiler, then that compiler will be
    used.</para>
    <para>If you install both compilers, then the compiler actually used for
    IPv4 depends on the SHOREWALL_COMPILER setting in
    <filename>shorewall.conf</filename>.</para>
    <para>The value of this new option can be either 'perl' or 'shell'.</para>
    <para>If you add 'SHOREWALL_COMPILER=perl' to
    <filename>/etc/shorewall/shorewall.conf</filename> then by default, the
    new compiler will be used on the system. If you add it to
    <filename>shorewall.conf</filename> in a separate directory (such as a
    Shorewall-lite export directory) then the new compiler will only be used
    when you compile from that directory.</para>
    <para>If you only install one compiler, it is suggested that you do not
    set SHOREWALL_COMPILER.</para>
    <para>If both compilers are installed, you can select the compiler to use
    on the command line using the 'C option:<simplelist>
        <member>'-C shell' means use the shell compiler</member>
        <member>'-C perl' means use the perl compiler</member>
      </simplelist>The -C option overrides the setting in
    shorewall.conf.</para>
    <para>Example:<programlisting><command>shorewall restart -C perl</command></programlisting></para>
    <para>When the Shorewall-perl compiler has been selected, the
    <filename>params</filename> file is processed using the shell
    <option>-a</option> option which causes all variables set within the file
    to be exported automatically by the shell. The Shorewall-perl compiler
    uses the current environmental variables to perform variable expansion
    within the other Shorewall configuration files.</para>
  </section>
  <section id="Modules">
    <title>The Shorewall Perl Modules</title>
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@ -69,6 +69,13 @@
    <para>The following scripts can be supplied:</para>
    <itemizedlist>
      <listitem>
        <para><filename>lib.private</filename> -- Intended to contain
        declarations of shell functions to be called by other run-time
        extension scripts. See<ulink url="MultiISP.html#lsm"> this
        article</ulink> for an example of its use.</para>
      </listitem>
      <listitem>
        <para><filename>compile</filename> -- Invoked by the rules compiler
        early in the compilation process. Must be written in Perl.</para>
@ -184,6 +191,15 @@ esac</programlisting><caution>
        completion of a successful <command>shorewall restore</command> and
        <command>shorewall-lite restore</command>.</para>
      </listitem>
      <listitem>
        <para>findgw -- This script is invoked when Shorewall is attempting to
        discover the gateway through a dynamic interface. The script is most
        often used when the interface is managed by dhclient which has no
        standardized location/name for its lease database. Scripts for use
        with dhclient on several distributions are available at <ulink
        url="http://www.shorewall.net/pub/shorewall/contrib/findgw/">http://www.shorewall.net/pub/shorewall/contrib/findgw/</ulink></para>
      </listitem>
    </itemizedlist>
    <para><emphasis role="bold">If your version of Shorewall doesn't have the
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@ -119,9 +119,11 @@
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
          as an <emphasis>address</emphasis> (net or host) or as an
-          <emphasis>interface</emphasis>. If you give the name of an
+          <emphasis>interface</emphasis> (use of an
-          interface, the interface must be up before you start the firewall
+          <emphasis>interface</emphasis> is deprecated). If you give the name
-          (Shorewall will use your main routing table to determine the
+          of an interface, the interface must be up before you start the
          firewall and the Shorewall rules compiler will warn you of that
          fact. (Shorewall will use your main routing table to determine the
          appropriate addresses to masquerade).</para>
          <para>In order to exclude a address of the specified SOURCE, you may
@ -384,6 +386,67 @@
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
        [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>Only locally-generated connections will match if this column
          is non-empty.</para>
          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
              <term>joe</term>
              <listitem>
                <para>program must be run by joe</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>:kids</term>
              <listitem>
                <para>program must be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>!:kids</term>
              <listitem>
                <para>program must not be run by a member of the 'kids'
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/manpages/shorewall-tcclasses.xml
+++ b/manpages/shorewall-tcclasses.xml
@ -266,10 +266,7 @@
                <para>This lets you define a classifier for the given
                <emphasis>value</emphasis>/<emphasis>mask</emphasis>
                combination of the IP packet's TOS/Precedence/DiffSrv octet
-                (aka the TOS byte). Please note that classifiers override all
+                (aka the TOS byte). </para>
                mark settings, so if you define a classifer for a class, all
                traffic having that mark will go in it regardless of any mark
                set on the packet by a firewall/mangle filter.</para>
              </listitem>
            </varlistentry>
--- a/manpages/shorewall-tos.xml
+++ b/manpages/shorewall-tos.xml
@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-tos</refentrytitle>
@ -26,38 +28,11 @@
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
        {<emphasis>zone</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
        role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
        (Shorewall-shell)</term>
        <listitem>
          <para>Name of a <replaceable>zone</replaceable> declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
          role="bold">all</emphasis> or <emphasis
          role="bold">$FW</emphasis>.</para>
          <para>If not <emphasis role="bold">all</emphasis> or <emphasis
          role="bold">$FW</emphasis>, may optionally be followed by ":" and an
          IP address, a MAC address, a subnet specification or the name of an
          interface.</para>
          <para>Example: loc:192.168.2.3</para>
          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>
          <para>Example: ~00-A0-C9-15-39-78</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
        role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
        role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
-        role="bold">$FW</emphasis>} (Shorewall-perl)</term>
+        role="bold">$FW</emphasis>}</term>
        <listitem>
          <para>If <emphasis role="bold">all</emphasis>, may optionally be
@ -73,29 +48,10 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        {<emphasis>zone</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
        role="bold">all</emphasis>} (Shorewall-shell)</term>
        <listitem>
          <para>Name of a zone declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
          role="bold">all</emphasis>.</para>
          <para>If not <emphasis role="bold">all</emphasis>, may optionally be
          followed by ":" and an IP address or a subnet specification</para>
          <para>Example: loc:192.168.2.3</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
        role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
-        role="bold">all</emphasis>:<emphasis>address</emphasis>}
+        role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
        (Shorewall-perl)</term>
        <listitem>
          <para>Example: 192.168.2.3</para>
@ -213,4 +169,4 @@
    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@ -219,6 +219,19 @@
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>iptrace</option></arg>
      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@ -279,6 +292,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>noiptrace</option></arg>
      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall</command>
@ -835,6 +861,25 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">iptrace</emphasis></term>
        <listitem>
          <para>This is a low-level debugging command that causes iptables
          TRACE log records to be created. See iptables(8) for details.</para>
          <para>The <replaceable>iptables match expression</replaceable> must
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
          <para>The trace records are written to the kernel's log buffer with
          faciility = kernel and priority = warning, and they are routed from
          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
          Shorewall has no control over where the messages go; consult your
          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">load</emphasis></term>
@ -919,6 +964,19 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">noiptrace</emphasis></term>
        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>
          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          cancelled.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">refresh</emphasis></term>
@ -1350,9 +1408,9 @@
        <term><emphasis role="bold">version</emphasis></term>
        <listitem>
-          <para>Displays Shorewall's version. If the <option>-a</option>
+          <para>Displays Shorewall's version. The <option>-a</option> option
-          option is included, the versions of Shorewall-shell and/or
+          is included for compatibility with earlier Shorewall releases and is
-          Shorewall-perl will also be displayed.</para>
+          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/manpages6/shorewall6-tcclasses.xml
+++ b/manpages6/shorewall6-tcclasses.xml
@ -260,10 +260,7 @@
                <para>This lets you define a classifier for the given
                <emphasis>value</emphasis>/<emphasis>mask</emphasis>
                combination of the IP packet's TOS/Precedence/DiffSrv octet
-                (aka the TOS byte). Please note that classifiers override all
+                (aka the TOS byte).</para>
                mark settings, so if you define a classifer for a class, all
                traffic having that mark will go in it regardless of any mark
                set on the packet by a firewall/mangle filter.</para>
              </listitem>
            </varlistentry>
--- a/manpages6/shorewall6.xml
+++ b/manpages6/shorewall6.xml
@ -144,6 +144,19 @@
      <arg choice="plain"><option>help</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>iptrace</option></arg>
      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
@ -204,6 +217,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>noiptrace</option></arg>
      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall6</command>
@ -670,12 +696,22 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">hits</emphasis></term>
+        <term><emphasis role="bold">iptrace</emphasis></term>
        <listitem>
-          <para>Generates several reports from Shorewall6 log messages in the
+          <para>This is a low-level debugging command that causes iptables
-          current log file. If the <option>-t</option> option is included, the
+          TRACE log records to be created. See ip6tables(8) for
-          reports are restricted to log messages generated today.</para>
+          details.</para>
          <para>The <replaceable>ip6tables match expression</replaceable> must
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
          <para>The trace records are written to the kernel's log buffer with
          faciility = kernel and priority = warning, and they are routed from
          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
          Shorewall has no control over where the messages go; consult your
          logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
@ -763,6 +799,19 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">noiptrace</emphasis></term>
        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>
          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          cancelled.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">refresh</emphasis></term>
@ -1163,7 +1212,7 @@
        <listitem>
          <para>Displays Shorewall6's version. If the <option>-a</option>
-          option is included, the version of Shorewall-perl will also be
+          option is included, the version of Shorewall will also be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/web/News.htm
+++ b/web/News.htm
@ -23,9 +23,13 @@ license is included in the section entitled <span
 href="GnuCopyright.htm" target="_self">GNU Free Documentation
 License</a></span>".
 </p>
-<p>June 14, 2009<br>
+<p>June 18, 2009<br>
 </p>
 <hr style="width: 100%; height: 2px;">
 <p><span style="font-weight: bold;">2009-06-18 Shorewall 4.2.10<br>
 </span><span style="font-weight: bold;"></span></p>
 <pre>Problems corrected in Shorewall 4.2.10<br><br>1)  A 'large quantum' warning log message during restart has been<br>    eliminated. The log message occurred when an interface with a large<br>    OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.<br><br>2)  When a REJECT rule included a log entry, the disposition in the log<br>    message was incorrectly shown as 'reject' rather than 'REJECT'.<br><br>3)  When 'forward' was specified on one or more interfaces in<br>    /etc/shorewall6/interfaces, the progress message "Compiling<br>    Interface forwarding..." was issued multiple times. Now, only one<br>    instance of the message is generated.<br><br>4)  A typing error in the IPv6 two-interface sample shorewall6.conf<br>    file has been corrected. This error prevented the compiler from<br>    being able to find macros in /usr/share/shorewall/.<br><br>Known Problems Remaining:<br><br>1)  When exclusion is used in an entry in /etc/shorewall/hosts, then<br>    Shorewall-shell produces an invalid iptables rule if any of the <br>    following OPTIONS are also specified in the entry:    <br><br>        blacklist<br>        maclist<br>        norfc1918<br>        tcpflags<br><br>2)  Shorewall-shell generates inversion rules which produce<br>    warnings with iptables 1.4.3.  <br><br>    Example:<br><br>        iptables -A  lan2fw  -p 6  --dport 999  -s ! 192.168.20.1  -j ACCEPT<br><br>    with iptables 1.4.3.1 the following information message is produced:<br><br>    Using intrapositioned negation (`--option ! this`) is deprecated in<br>    favor of extrapositioned (`! --option this`).<br><br>    We don't intend to fix this. It's time to migrate to Shorewall-perl<br>    anyway.<br><br>New Features in Shorewall 4.2.10<br><br>1)  Shorewall's suppport for dynamic gateways on interfaces managed by<br>    dhclient works on OpenSuSE systems but not on some other<br>    distributions.<br><br>    In order to generalize support for learning the gateway for dynamic<br>    interfaces, a new 'findgw' extension script (user exit) has been<br>    added.<br><br>    The exit will be invoked in a function that has a single argument:<br><br>        $1 = &lt;name of an interface&gt;<br><br>    If the function can determine the gateway for the passed interface,<br>    it should write the gateway to standard out. Here is a sample<br>    /etc/shorewall/findgw that works with dhclient (dhcp3) in Debian<br>    Lenny:<br><br>    if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then<br>       grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\<br>          tail -n 1 |\<br>          while read j1 j2 gateway; do\<br>              echo $gateway | sed 's/;//';\<br>          done<br>    fi<br><br>    The same code works on Ubuntu Jaunty if you replace the first '.'<br>    with '-' and replace '.leases' with '.lease' (don't you just love<br>    the consistency between distributions?).<br><br>    That code also works on CentOS if you replace 'dhcp3' by<br>    'dhclient'.<br><br>    'findgw' files that have been customized for various distributions<br>    may be found at<br>    http://www.shorewall.net/pub/shorewall/contrib/findgw.<br></pre>
 <p><strong></strong></p>
 <p><strong>2009-06-13 Shorewall 4.4.0 Beta 1</strong></p>
 <pre>Read the details at <a
 href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt</a><br><strong></strong></pre>
--- a/web/download.htm
+++ b/web/download.htm
@ -38,7 +38,7 @@
  </tbody>
 </table>
 <p> </p>
-<hr><span style="font-weight: bold;">2009-06-14</span>
+<hr><span style="font-weight: bold;">2009-06-19</span>
 <h2><a name="Which"></a>Package Information</h2>
 <p><b>Before trying to install, we strongly urge you to read and print
 a
@ -66,7 +66,8 @@ shake out the bugs in the next stable release. <span
 </ul>
 For additional information, see this article about the <a
 href="ReleaseModel.html">Shorewall Release Model</a>.
-<p>In Shorewall version 4.0.*, there are four related
+<p>In Shorewall version <span style="font-weight: bold;">4.0.*</span>,
 there are four related
 packages:</p>
 <ul>
  <li><span style="font-weight: bold;">Shorewall-shell</span> -- the
@ -87,7 +88,8 @@ light-weight Shorewall version that will run
 compiled firewall scripts generated on a system with one of the
 compiler packages installed.</li>
 </ul>
-In Shorewall version 4.2.*, there are two additional
+In Shorewall version <span style="font-weight: bold;">4.2.*</span>,
 there are two additional
 packages that provide IPv6 support:<br>
 <ul>
  <li><span style="font-weight: bold;">Shorewall6</span> -- Provides
@ -101,7 +103,8 @@ run compiled firewall scripts generated on a system with Shorewall6
 installed.<br>
  </li>
 </ul>
-In Shorewall version 4.4.*, the Shorewall-common, Shorewall-shell and
+In Shorewall version <span style="font-weight: bold;">4.4.*</span>,
 the Shorewall-common, Shorewall-shell and
 Shorewall-perl packages are discontinued and replaced with a single <span
 style="font-weight: bold;">Shorewall</span> package which combined the
 functions of Shorewall-common and Shorewall-perl. The shell-based
@ -137,6 +140,11 @@ or both of the compilers on a single <em>administrative</em> system
 and install Shorewall-lite and/or Shorewall6-lite on the firewalls.
 Doing so will allow for
 centralized administration and configuration of the firewalls.</li>
    <li>When RPM is used to install Shorewall, the compiler
 (shorewall-shell
 and/or shorewall-perl) and shorewall-common must be installed in a
 single execution of the
 rpm utility.</li>
  </ul>
  <li>If you are installing Shorewall 4.4 or later:</li>
  <ul>
@ -153,11 +161,6 @@ configuration of the firewalls.<br>
    </li>
  </ul>
 </ul>
 <p>When RPM is used to install Shorewall, the compiler (shorewall-shell
 and/or shorewall-perl) and shorewall-common must be installed in a
 single execution of the
 rpm utility.<br>
 </p>
 <p>Here are the <a href="Install.htm">installation instructions</a>.</p>
 <h2><a name="Distros"></a>Distribution-specific Download Sites</h2>
 <p>Once you've printed the appropriate QuickStart Guide, download the
@ -215,7 +218,7 @@ stable release are available from the package maintainer's <a
  <li>If you run <a style="font-weight: bold;" href="Ubuntu">Ubuntu,</a>
 Benjamin Montgomery maintains a <a
 href="https://launchpad.net/%7Ebmonty/+archive/ppa">repository for
-Hardy Heron</a>.<br>
+Hardy Heron and Jaunty Jackalope</a>.<br>
  </li>
  <li>
    <p style="margin-bottom: 0in;">If you run <a
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@ -47,7 +47,9 @@
    </tr>
  </tbody>
 </table>
-<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-14</span><br>
+<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-06-20</span><br>
 <h3><a href="Notices.html#Shell-EOL">Attention Shorewall-shell users</a><br>
 </h3>
 <h3><a name="Releases"></a>Current Shorewall Releases</h3>
 <table style="text-align: left; width: 100%;" border="0" cellpadding="2"
 cellspacing="0">
@ -58,13 +60,13 @@
 Stable Release</span><br>
      </div>
      </td>
-      <td style="vertical-align: top;"><span style="font-weight: bold;">4.2.9</span>
+      <td style="vertical-align: top;"><span style="font-weight: bold;">4.2.10</span>
 (includes <a href="IPv6Support.html">IPv6 support.</a>)</td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/releasenotes.txt">Release
+ href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/releasenotes.txt">Release
 notes</a> </td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.9/known_problems.txt">Known
+ href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.10/known_problems.txt">Known
 Problems</a></td>
    </tr>
    <tr>
@ -91,14 +93,14 @@ Release</span><br>
      </div>
      </td>
      <td style="vertical-align: top;"><span style="font-weight: bold;">4.4.0
-Beta 1</span><br>
+Beta 2</span><br>
      </td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/releasenotes.txt">Release
+ href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/releasenotes.txt">Release
 Notes<br>
      </a> </td>
      <td style="vertical-align: top;"><a
- href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta1/known_problems.txt">Known
+ href="http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.0-Beta2/known_problems.txt">Known
 Problems</a> </td>
    </tr>
  </tbody>