Update trunk with branch/4.2 changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9279 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -1,3 +1,44 @@
+Changes in Shorewall 4.2.5
+
+1) Add 'fallback' providers option.
+
+2) Support for xtables-addons IPP2P.
+
+3) Slow down startup some more by adding more modules and modules
+   search directories.
+
+4) Fix 'shorewall6 debug start'
+
+5) Added macro.Git.
+
+Changes in Shorewall 4.2.4.6
+
+1) Fix hosts exclusion in DNAT/REDIRECT.
+
+2) Work around  http://rt.cpan.org/Public/Bug/Display.html?id=13851
+
+Changes in Shorewall 4.2.4.5
+
+1) Fix critical hosts handling in Shorewall6.
+
+Changes in Shorewall 4.2.4.4
+
+1) Fix exclusion yet another time.
+
+Changes in Shorewall 4.2.4.3
+
+1) Fix exclusion again
+
+Changes in Shorewall 4.2.4.2
+
+1) Fix 'refresh'
+
+Changes in Shorewall 4.2.4.1
+
+1) Fix 'shorewall6 restore' etc.
+
+2) Fix init scripts.
+
 Changes in Shorewall 4.2.4-RC3
 
 1) Fix exclusion handling with certain hosts options.

Shorewall-common/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-common/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-common/lib.base

@@ -256,6 +256,7 @@ reload_kernel_modules() {
     moduledirectories=
     local moduleloader
     moduleloader=modprobe
+    local uname
 
     if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -263,7 +264,11 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -291,6 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     moduleloader=modprobe
     local savemoduleinfo
     savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
 
     if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -299,7 +305,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -1250,7 +1257,7 @@ report_capabilities() {
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
+	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 	report_capability "Extended REJECT" $ENHANCED_REJECT
 	report_capability "Repeat match" $KLUDGEFREE

Shorewall-common/modules

@@ -39,6 +39,7 @@ loadmodule xt_dscp
 loadmodule xt_DSCP
 loadmodule xt_hashlimit
 loadmodule xt_helper
+loadmodule xt_ipp2p
 loadmodule xt_iprange
 loadmodule xt_length
 loadmodule xt_limit
@@ -77,6 +78,20 @@ loadmodule ip_set_ipmap
 loadmodule ip_set_macipmap
 loadmodule ip_set_portmap
 #
+# Ipset
+#
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_ipporthash
+loadmodule ip_set_iptree
+loadmodule ip_set_iptreemap
+loadmodule ip_set_macipmap
+loadmodule ip_set_nethash
+loadmodule ip_set_portmap
+loadmodule ipt_SET
+loadmodule ipt_set
+#
 # 2.6.20+ helpers
 #
 loadmodule nf_conntrack_ftp

Shorewall-common/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.2.4 RC3
+Shorewall 4.2.5
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 2  H I G H L I G H T S
@@ -27,32 +27,51 @@ Shorewall 4.2.4 RC3
    - Perl 5.10 if you wish to use DNS names in your IPv6 config files. 
      In that case you will also have to install Perl Socket6 support.
 
-Problems Corrected in 4.2.4 RC3
+Problems corrected in 4.2.5
 
-1)  Previously, when exclusion was used in an entry in
+1)  If exclusion is used to define a zone in /etc/shorewall/hosts and
-    /etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
+    that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
-    generating rules for the following OPTIONS in that entry:
+    then Shorewall-perl can generated invalid iptables-restore input.
 
-        blacklist
+2)  A bug in the Perl Cwd module (see
-	maclist
+    http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
-	norfc1918
+    Shorewall-perl compiler to fail if it doesn't have at least read
-	tcpflags
+    access to its current working directory. 4.2.5 contains a
+    workaround.
 
-2)  Shorewall-perl previously promoted all exclusion in the
+3)  If 'critical' was specified on an entry in
-    /etc/shorewall/hosts file to the zone level. That meant that
+    /etc/shorewall/routestopped, Shorewall6 (Shorewall-perl) would
-    all traffic to/from the zone passed through exclusion rules 
+    generate an error. 
-    rather than only the traffic matching a hosts records that
-    specified exclusion.
 
-    Example /etc/shorewall/hosts:
+4)  In certain cases where exclusion occurred in /etc/shorewall/hosts,
+    Shorewall-perl would generate incorrect iptables-restore input.
 
-    	    z	eth0:192.168.4.0/24
+5)  In certain cases where exclusion occurred in /etc/shorewall/hosts,
-	    z	eth1:10.0.0.0/24!10.0.0.99
+    Shorewall-perl would generate invalid iptables-restore input.
 
-        Traffic entering eth0 from network 192.168.4.0/24 would still
+6)  The 'shorewall6 refresh' command runs iptables_restore rather than
-        be checked for '!10.0.0.99'.
+    ip6tables_restore.
 
-    This has been corrected.
+7)  The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
+    'shorewall6 restore' were previously broken.
+
+8)  The Debian init script was checking $startup in
+    /etc/default/shorewall rather than in /etc/default/shorweall6
+
+9)  The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
+    unconverted Shorewall scripts.
+
+10) When 'detect' is used in the GATEWAY column of
+    /etc/shorewall/providers, Shorewall-perl now ensures that the
+    gateway was successfully detected. If the gateway cannot be
+    detected, action is taken depending on whether the provider is
+    'optional' or not. If the provider is optional, it's configuration
+    is skipped; if the provider is not optional, the current operation
+    is aborted.
+
+11) The command 'shorewall6 debug start' would previously fail with
+
+    	ERROR: Command "/sbin/ip6tables -t nat -F" Failed
 
 Known Problems Remaiining:
 
@@ -65,100 +84,74 @@ Known Problems Remaiining:
 	norfc1918
 	tcpflags
 
-New Features in Shorewall 4.2.4.
+New Feature in Shorewall 4.2.5
 
-1) Two new packages are included:
+1)  A new 'fallback' option is added in
+    /etc/shorewall/providers. The option works similar to 'balance'
+    except that the default route is added in the default routing table
+    (253) rather than in the main table (254).
 
-   a) Shorewall6 - analagous to Shorewall-common but handles IPv6
+    The option can be used by itself or followed by =<number> (e.g,
-      rather than IPv4.
+    fallback=2).
 
-   b) Shorewall6-lite - analagous to Shorewall-lite but handles IPv6
+    When the option is used by itself, a separate (not balanced)
-      rather than IPv4.
+    default route is added with a metric equal to the provider's NUMBER.
 
-   The packages store their configurations in /etc/shorewall6/ and
+    When the option is used with a number, a balanced route is added
-   /etc/shorewall6-lite/ respectively.  
+    with the weight set to the specified number.
 
-   The fact that the packages are separate from their IPv4 counterparts
+    'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
-   means that you control IPv4 and IPv6 traffic separately (the same
+    is only available with Shorewall-perl.
-   way that Netfilter does). Starting/Stopping the firewall for one
-   address family has no effect on the other address family.
 
-   For additional information, see
+    'fallback' is useful in situations where:
-   http://www.shorewall.net/IPV6Support.html.
 
-   Other features of Shorewall6 are:
+    - You want all traffic to be sent via one primary provider unless
+      there is a compelling reason to use a different provider
 
-   a) There is no NAT of any kind (most people see this as a giant step
+    - If the primary provider is down, then you want to balance the
-      forward). When an ISP assigns you a public IPv6 address, you are
+      outgoing traffic among a set of other providers or to a
-      actually assigned an IPv6 'prefix' which is like an IPv4
+      ordered list of providers.
-      subnet. A 64-bit prefix allows 4 billion squared individual hosts
-      (the size of the current IPv4 address space squared).
 
-   b) The default zone type is ipv6.
+    In this case:
 
-   c) The currently-supported interface options in Shorewall6 are:
+    - Do not specify 'balance' on any of the providers.
+    - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
+    - Specify 'fallback' on those providers that you want to use if 
+      the primary is down.
+    - Only the primary provider should have a default route in the main
+      routing table.
 
-	blacklist
+    See http://www.shorewall.net/MultiISP.html#Complete for an example
-        bridge
+    of this option's use.
-	dhcp
-	nosmurfs (traps multicast and Subnet-router anycast addresses
-        used as the packet source address).
-	optional
-	routeback
-	sourceroute
-        tcpflags
-	mss
-	forward (setting it to 0 makes the router behave like a host
-                 on that interface rather than like a router).
 
-   d)  The currently-supported host options in Shorewall6 are:
+2)  Shorewall-perl now transparently handles the xtables-addon version
+    of ipp2p. Shorewall detects whether the installed ipp2p is from
+    patch-o-matic-ng or from xtables-addon and proceeds accordingly.
 
-	blacklist
+    If the patch-o-matic-ng version is installed:
-	routeback
-	tcpflags
 
-   e)  Traffic Shaping is disabled by default. The tcdevices and
+    a) If no DEST PORT is supplied, the default is "--ipp2p".
-       tcclasses files are address-family independent so
+    b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
-       to use the Shorewall builtin Traffic Shaper, TC_ENABLED=Internal
+       iptables-restore as "--ipp2p".
-       should be specified in Shorewall or in Shorewall6 but not in
-       both. In the configuration where the internal traffic shaper is
-       not enabled, CLEAR_TC=No should be specified.
 
-       tcfilters are not available in Shorewall6.
+    If the xtables-addons version is installed:
 
-   f)  When both an interface and an address or address list need to
+    a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
-       be specified in a rule, the address or list must be enclosed in
+       --kazaa".
-       angle brackets. Example:
+    b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
+       iptables-restore as "--edk --gnu --dc --kazaa". 
 
-        #ACTION      SOURCE		                        DEST
+    Shorewall-perl now also accepts a comma-separated list of options
-	ACCEPT	     net:eth0:<2001:19f0:feee::dead:beef:cafe>	dmz
+    (e.g., "edk,gnu,dc,kazaa).
 
-       Note that this includes MAC addresses as well as IPv6 addresses.
+    Additionally, Shorewall now looks for modules in /lib/modules/$(uname
+    -r)/extra and in /lib/modules/$(uname -r)/extra/ipset
 
-       The HOSTS column in /etc/shorewall6/hosts also uses this
+    This change introduced a new capability ("Old IPP2P Match Syntax")
-       convention:
+    so if you use a capabilities file, be sure to re-generate the
+    file(s) after you have installed 4.2.5.
 
-           #ZONE      HOSTS					OPTIONS
+3)  There is now a macro.Git, which opens git-daemon's port (9418/tcp).
-           chat6      eth0:<2001:19f0:feee::dead:beef:cafe>
-
-       Even when an interface is not specified, it is permitted to
-       enclose addresses in <> to improve readability. Example:
-
-           #ACTION      SOURCE		DEST
-	   ACCEPT	net:<2001:1::1>	$FW
-
-   g)  The options available in shorewall6.conf are a subset of those
-       available in shorewall.conf.
-
-   h)  The Socket6.pm Perl module is required if you include DNS names
-       in your Shorewall6 configuration. Note that it is loaded the
-       first time that a DNS name is encountered so if it is missing,
-       you get a message similar to this one:
-
-       ...
-       Checking /etc/shorewall6/rules...
-       Can't locate Socket6.pm in @INC (@INC contains: /root ...
-       teastep@ursa:~/Configs/standalone6$ 
 
 Migration Issues.
 
@@ -1307,3 +1300,34 @@ Other changes in Shorewall 4.2.3
 
     	    shorewall reset chain1 chain2 ...
 	    shorewall-lite reset chain1 chain2 ...
+
+Problems Corrected in 4.2.4
+
+1)  Previously, when exclusion was used in an entry in
+    /etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
+    generating rules for the following OPTIONS in that entry:
+ 
+        blacklist
+	maclist
+	norfc1918
+	tcpflags
+
+2)  Shorewall-perl previously promoted all exclusion in the
+    /etc/shorewall/hosts file to the zone level. That meant that
+    all traffic to/from the zone passed through exclusion rules 
+    rather than only the traffic matching a hosts records that
+    specified exclusion.
+
+    Example /etc/shorewall/hosts:
+
+    	    z	eth0:192.168.4.0/24
+	    z	eth1:10.0.0.0/24!10.0.0.99
+
+        Traffic entering eth0 from network 192.168.4.0/24 would still
+        be checked for '!10.0.0.99'.
+
+    This has been corrected.
+
+Other changes in 4.2.4
+
+1)  Support for IPv6 was added -- see above.

Shorewall-common/shorewall-common.spec

@@ -1,6 +1,6 @@
 %define name shorewall-common
-%define version 4.2.4
+%define version 4.2.5
-%define release 0RC3
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -175,8 +175,10 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0RC2
 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net

Shorewall-common/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.2.4
+%define version 4.2.5
-%define release 0RC3
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -98,26 +98,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+- Updated to 4.2.5-0base
-* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC2
+- Updated to 4.2.4-0base
-* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
+* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC1
+- Updated to 4.2.3-0base
-* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
+* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.4-0base
+- Updated to 4.2.2-0base
-* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.3-0base
-* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.2-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.1-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.1-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.0-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 2.3.0-0base
 * Wed Oct 08 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.1-0base
 * Fri Oct 03 2008 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-perl/Shorewall/Chains.pm

@@ -240,6 +240,9 @@ our %interfacebcasts;
 our %interfaceacasts;
 our %interfacegateways;
 
+#
+# Built-in Chains
+#
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
@@ -278,6 +281,8 @@ our %builtin_target = ( ACCEPT   => 1,
 #
 
 sub initialize( $ ) {
+    $family = shift;
+
     %chain_table = ( raw    => {} ,
 		     mangle => {},
 		     nat    => {},
@@ -325,7 +330,6 @@ sub initialize( $ ) {
     %interfaceacasts    = ();
     %interfacegateways  = ();
 
-    $family = shift;
 }
 
 INIT {
@@ -1039,17 +1043,17 @@ sub finish_chain_section ($$) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
 		if ( $section eq 'DONE' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
-			add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
+			add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
 		    }
 		} else {
-		    add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
+		    add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
 		}
 	    }
 	} else {
 	    my $policychainref = $filter_table->{$chainref->{policychain}};
 	    if ( $policychainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
-		add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
+		add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
 	    }
 	}
     }
@@ -1063,9 +1067,7 @@ sub finish_chain_section ($$) {
 sub finish_section ( $ ) {
     my $sections = $_[0];
 
-    for my $section ( split /,/, $sections ) {
+    $sections{$_} = 1 for split /,/, $sections;
-	$sections{$section} = 1;
-    }
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
@@ -1292,12 +1294,12 @@ sub do_proto( $$$ )
 
 		my $options = '';
 		
-		if ( $ports ) {
+		if ( $ports ne 'ipp2p' ) {
 		    $options .= " --$_" for split /,/, $ports;
-		} else {
-		    $options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
 		}
 		
+		$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
+
 		$output .= "${proto}-m ipp2p${options} ";
 	    } else {
 		fatal_error "Invalid/Unknown protocol ($proto)"

Shorewall-perl/Shorewall/Compiler.pm

@@ -940,7 +940,7 @@ sub compiler {
     initialize_chain_table;
 
     unless ( $command eq 'check' ) {
-	create_temp_object( $objectfile );
+	create_temp_object( $objectfile , $export );
 	generate_script_1;
     }
 

Shorewall-perl/Shorewall/Config.pm

@@ -202,6 +202,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 XCONNMARK_MATCH => 'Extended Connmark Match',
 		 RAW_TABLE       => 'Raw Table',
 		 IPP2P_MATCH     => 'IPP2P Match',
+		 OLD_IPP2P_MATCH => 'Old IPP2P Match Syntax',
 		 CLASSIFY_TARGET => 'CLASSIFY Target',
 		 ENHANCED_REJECT => 'Extended Reject',
 		 KLUDGEFREE      => 'Repeat match',
@@ -299,13 +300,16 @@ sub initialize( $ ) {
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
-		    VERSION => "4.2.4",
+		    VERSION => "4.2.5",
 		    CAPVERSION => 40205 ,
 		  );
+
     #
     # From shorewall.conf file
     #
     if ( $family == F_IPV4 ) {
+	$globals{PRODUCT} = 'shorewall';
+
 	%config =
 	    ( STARTUP_ENABLED => undef,
 	      VERBOSITY => undef,
@@ -426,6 +430,7 @@ sub initialize( $ ) {
     } else {
 	$globals{SHAREDIR} = '/usr/share/shorewall6';
 	$globals{CONFDIR}  = '/etc/shorewall6';	
+	$globals{PRODUCT}  = 'shorewall6';
 
 	%config =
 	    ( STARTUP_ENABLED => undef,
@@ -977,8 +982,8 @@ sub copy1( $ ) {
 # Create the temporary object file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
 #
-sub create_temp_object( $ ) {
+sub create_temp_object( $$ ) {
-    my $objectfile = $_[0];
+    my ( $objectfile, $export ) = @_;
     my $suffix;
 
     eval {
@@ -993,10 +998,10 @@ sub create_temp_object( $ ) {
     fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
     fatal_error "$objectfile is a Directory"     if -d _;
     fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
-    fatal_error "A compiled script may not be named 'shorewall'" if "$file" eq 'shorewall' && $suffix eq '';
+    fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';
 
     eval {
-	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=1385
+	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
@@ -1029,7 +1034,6 @@ sub create_temp_aux_config() {
     };
 
     die if $@;
-
 }
 
 #
@@ -1641,7 +1645,7 @@ sub load_kernel_modules( ) {
 	my $uname = `uname -r`;
 	fatal_error "The command 'uname -r' failed" unless $? == 0;
 	chomp $uname;
-	$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter";
+	$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
     }
 
     my @moduledirectories = split /:/, $modulesdir;

Shorewall-perl/Shorewall/Providers.pm

@@ -219,8 +219,11 @@ sub balance_fallback_route( $$$$ ) {
     }
 }
 
-sub start_provider( $$ ) {
+sub start_provider( $$$ ) {
-    my ($table, $number ) = @_;
+    my ($table, $number, $test ) = @_;
+    
+    emit $test;
+    push_indent;
 
     emit "#\n# Add Provider $table ($number)\n#";
 
@@ -263,13 +266,9 @@ sub add_a_provider( $$$$$$$$ ) {
 	fatal_error "'detect' is not allowed with USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
-	emit qq(if interface_is_usable $interface && [ -n "$gateway" ]; then);
+	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
-	push_indent;
-	start_provider( $table, $number );
     } else {
-	emit "if interface_is_usable $interface; then";
+	start_provider( $table, $number, "if interface_is_usable $interface; then" );
-	push_indent;
-	start_provider( $table, $number );
 
 	if ( $gateway && $gateway ne '-' ) {
 	    validate_address $gateway, 0;
@@ -279,6 +278,7 @@ sub add_a_provider( $$$$$$$$ ) {
 	    emit "run_ip route add default dev $interface table $number";
 	}
     }
+
     my $val = 0;
 
     if ( $mark ne '-' ) {
@@ -337,13 +337,14 @@ sub add_a_provider( $$$$$$$$ ) {
 		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
 		} else {
 		    $default = $1;
+		    fatal_error 'fallback must be non-zero' unless $default;
 		}
 	    } elsif ( $option eq 'fallback' ) {
 		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
 		if ( $config{USE_DEFAULT_RT} ) {
 		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
 		} else {
-		    $default = 1;
+		    $default = -1;
 		}
 	    } else {
 		fatal_error "Invalid option ($option)";
@@ -409,7 +410,19 @@ sub add_a_provider( $$$$$$$$ ) {
     }
 
     balance_default_route $balance , $gateway, $interface, $realm if $balance;
-    balance_fallback_route $default , $gateway, $interface, $realm if $default;
+
+    if ( $default > 0 ) {
+	balance_fallback_route $default , $gateway, $interface, $realm;
+    } elsif ( $default ) {
+	emit '';
+	if ( $gateway ) {
+	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt ip route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	} else {
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt ip route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	}
+    }
 
     if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {

Shorewall-perl/Shorewall/Tunnels.pm

@@ -71,10 +71,9 @@ sub setup_tunnels() {
 	    add_rule $outchainref, "-p 51 $dest   -j ACCEPT";
 	}
 
-	add_rule $outchainref,  "-p udp $dest --dport 500 $options";
-
 	if ( $kind eq 'ipsec' ) {
 	    add_rule $inchainref,  "-p udp $source --dport 500 $options";
+	    add_rule $outchainref, "-p udp $dest   --dport 500 $options";
 	} else {
 	    add_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
 	    add_rule $outchainref, "-p udp $dest   -m multiport --dports 500,4500 $options";

Shorewall-perl/Shorewall/Zones.pm

@@ -93,7 +93,7 @@ use constant { NOTHING    => 'NOTHING',
 #                                      }
 #                        parents =>    [ <parents> ]      Parents, Children and interfaces are listed by name
 #                        children =>   [ <children> ]
-#                        interfaces => [ <interfaces> ]
+#                        interfaces => { <interfaces1> => 1, ... }
 #                        bridge =>     <bridge>
 #                        hosts { <type> } => [ { <interface1> => { ipsec   => 'ipsec'|'none'
 #                                                                  options => { <option1> => <value1>

Shorewall-perl/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-perl/prog.functions6

@@ -178,13 +178,6 @@ debug_restore_input() {
 	qt1 $IP6TABLES -t raw -P $chain ACCEPT
     done
     
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IP6TABLES -t nat -P $chain ACCEPT
-    done
-    
     qt1 $IP6TABLES -t filter -F
     qt1 $IP6TABLES -t filter -X
 

Shorewall-perl/prog.header

@@ -1,6 +1,6 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -245,6 +245,7 @@ reload_kernel_modules() {
     moduledirectories=
     local moduleloader
     moduleloader=modprobe
+    local uname
 
     if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -252,7 +253,10 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -280,6 +284,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     moduleloader=modprobe
     local savemoduleinfo
     savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
 
     if ! qt mywhich modprobe; then
 	moduleloader=insmod
@@ -288,7 +293,8 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"

Shorewall-perl/prog.header6

@@ -1,6 +1,6 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #

Shorewall-perl/shorewall-perl.spec

@@ -1,6 +1,6 @@
 %define name shorewall-perl
-%define version 4.2.4
+%define version 4.2.5
-%define release 0RC3
+%define release 0base
 
 Summary: Shoreline Firewall Perl-based compiler.
 Name: %{name}
@@ -62,8 +62,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING releasenotes.txt
 
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0RC2
 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net

Shorewall-shell/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall-shell/prog.header

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - 2009 - Tom Eastep (teastep@shorewall.net)
 #
 #
 #	Options are:

Shorewall-shell/shorewall-shell.spec

@@ -1,6 +1,6 @@
 %define name shorewall-shell
-%define version 4.2.4
+%define version 4.2.5
-%define release 0RC3
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -81,8 +81,10 @@ fi
 %doc COPYING INSTALL 
 
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0RC2
 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.sh

@@ -41,7 +41,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 # description: Packet filtering firewall
 
 ### BEGIN INIT INFO
-# Provides:	  shorewall6-lite
+# Provides:	  shorewall6
 # Required-Start: $network
 # Required-Stop:
 # Default-Start:  2 3 5

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.2.4
+%define version 4.2.5
-%define release 0RC3
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -89,8 +89,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sun Dec 28 2008 Tom Eastep tom@shorewall.net
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC3
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0RC2
 * Wed Dec 17 2008 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40203
+SHOREWALL_CAPVERSION=40205
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -716,6 +716,7 @@ determine_capabilities() {
     XCONNMARK_MATCH=
     RAW_TABLE=
     IPP2P_MATCH=
+    OLD_IPP2P_MATCH=
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
@@ -804,6 +805,10 @@ determine_capabilities() {
     fi
 
     qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
+    if [ -n "$IPP2P_MATCH" ]; then
+	qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+    fi
+
    qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
     qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
 
@@ -897,6 +902,7 @@ report_capabilities() {
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
+	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 	report_capability "Extended REJECT" $ENHANCED_REJECT
 	report_capability "Repeat match" $KLUDGEFREE
@@ -949,6 +955,7 @@ report_capabilities1() {
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
     report_capability1 IPP2P_MATCH
+    report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
     report_capability1 ENHANCED_REJECT
     report_capability1 KLUDGEFREE

Shorewall6/shorewall6.spec

@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.2.4
+%define version 4.2.5
 %define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -140,6 +140,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
 * Thu Dec 25 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0base
 * Sun Dec 21 2008 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.2.4-RC3
+VERSION=4.2.5
 
 usage() # $1 = exit status
 {