Copy latest 2.4 version from Shorewall2/

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2264 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-04-05 06:08:14 +02:00 · 2005-07-09 05:55:29 +00:00 · 2005-07-09 05:55:29 +00:00 · 2a19eb8a5a
commit 2a19eb8a5a
parent 90dd62e89e
75 changed files with 1694 additions and 1569 deletions
--- a/Shorewall/INSTALL
+++ b/Shorewall/INSTALL
@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 2.2
+Shoreline Firewall (Shorewall) Version 2.4
 -----         ----
 -----------------------------------------------------------------------------
--- a/Shorewall/accounting
+++ b/Shorewall/accounting
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.2 - Accounting File
+# Shorewall version 2.4 - Accounting File
 #
 # /etc/shorewall/accounting
 #
@ -69,7 +69,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>]
+#			   [!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@ -83,6 +83,7 @@
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd  #program named upnpd
 #
 #	In all of the above columns except ACTION and CHAIN, the values "-",
 #	"any" and "all" may be used as wildcards
--- a/Shorewall/action.AllowAuth
+++ b/Shorewall/action.AllowAuth
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowAuth
+# Shorewall 2.4 /usr/share/shorewall/action.AllowAuth
 #
 #	This action accepts Auth (identd) traffic.
 #
--- a/Shorewall/action.AllowDNS
+++ b/Shorewall/action.AllowDNS
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowDNS
+# Shorewall 2.4 /usr/share/shorewall/action.AllowDNS
 #
 #	This action accepts DNS traffic.
 #
--- a/Shorewall/action.AllowFTP
+++ b/Shorewall/action.AllowFTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowFTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowFTP
 #
 #	This action accepts FTP traffic. See
 #	http://www.shorewall.net/FTP.html for additional considerations.
--- a/Shorewall/action.AllowICMPs
+++ b/Shorewall/action.AllowICMPs
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowICMPs
+# Shorewall 2.4 /usr/share/shorewall/action.AllowICMPs
 #
 #	ACCEPT needed ICMP types
 #
--- a/Shorewall/action.AllowIMAP
+++ b/Shorewall/action.AllowIMAP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowIMAP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowIMAP
 #
 #	This action accepts IMAP traffic (secure and insecure):
 #
--- a/Shorewall/action.AllowNNTP
+++ b/Shorewall/action.AllowNNTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowNNTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowNNTP
 #
 #	This action accepts NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
 #
--- a/Shorewall/action.AllowNTP
+++ b/Shorewall/action.AllowNTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowNTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowNTP
 #
 #	This action accepts NTP traffic (ntpd).
 #
--- a/Shorewall/action.AllowPCA
+++ b/Shorewall/action.AllowPCA
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowPCA
+# Shorewall 2.4 /usr/share/shorewall/action.AllowPCA
 #
 #	This action accepts PCAnywere (tm)
 #
--- a/Shorewall/action.AllowPOP3
+++ b/Shorewall/action.AllowPOP3
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowPOP3
+# Shorewall 2.4 /usr/share/shorewall/action.AllowPOP3
 #
 #	This action accepts POP3 traffic (secure and insecure):
 #
--- a/Shorewall/action.AllowPing
+++ b/Shorewall/action.AllowPing
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowPing
+# Shorewall 2.4 /usr/share/shorewall/action.AllowPing
 #
 #	This action accepts 'ping' requests.
 #
--- a/Shorewall/action.AllowRdate
+++ b/Shorewall/action.AllowRdate
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowRdate
+# Shorewall 2.4 /usr/share/shorewall/action.AllowRdate
 #
 #	This action accepts remote time retrieval (rdate).
 #
--- a/Shorewall/action.AllowSMB
+++ b/Shorewall/action.AllowSMB
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSMB
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSMB
 #
 #	Allow Microsoft SMB traffic. You need to invoke this action in
 #	both directions.
--- a/Shorewall/action.AllowSMTP
+++ b/Shorewall/action.AllowSMTP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSMTP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSMTP
 #
 #	This action accepts SMTP (email) traffic.
 #
--- a/Shorewall/action.AllowSNMP
+++ b/Shorewall/action.AllowSNMP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSNMP
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSNMP
 #
 #	This action accepts SNMP traffic (including traps):
 #
--- a/Shorewall/action.AllowSSH
+++ b/Shorewall/action.AllowSSH
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowSSH
+# Shorewall 2.4 /usr/share/shorewall/action.AllowSSH
 #
 #	This action accepts secure shell (SSH) traffic.
 #
--- a/Shorewall/action.AllowTelnet
+++ b/Shorewall/action.AllowTelnet
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTelnet
+# Shorewall 2.4 /usr/share/shorewall/action.AllowTelnet
 #
 #	This action accepts Telnet traffic. For traffic over the
 #	internet, telnet is inappropriate; use SSH instead
--- a/Shorewall/action.AllowTrcrt
+++ b/Shorewall/action.AllowTrcrt
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowTrcrt
+# Shorewall 2.4 /usr/share/shorewall/action.AllowTrcrt
 #
 #	This action accepts Traceroute (for up to 30 hops):
 #
--- a/Shorewall/action.AllowVNC
+++ b/Shorewall/action.AllowVNC
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowVNC
+# Shorewall 2.4 /usr/share/shorewall/action.AllowVNC
 #
 #	This action accepts VNC traffic for VNC display's 0 - 9.
 #
--- a/Shorewall/action.AllowVNCL
+++ b/Shorewall/action.AllowVNCL
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowVNCL
+# Shorewall 2.4 /usr/share/shorewall/action.AllowVNCL
 #
 #	This action accepts VNC traffic from Vncservers to Vncviewers in listen mode.
 #
--- a/Shorewall/action.AllowWeb
+++ b/Shorewall/action.AllowWeb
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.AllowWeb
+# Shorewall 2.4 /usr/share/shorewall/action.AllowWeb
 #
 #	This action accepts WWW traffic (secure and insecure):
 #
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.Drop
+# Shorewall 2.4 /usr/share/shorewall/action.Drop
 #
 #	The default DROP common rules
 #
--- a/Shorewall/action.DropDNSrep
+++ b/Shorewall/action.DropDNSrep
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.DropDNSrep
+# Shorewall 2.4 /usr/share/shorewall/action.DropDNSrep
 #
 #	This action silently drops DNS UDP replies
 #
--- a/Shorewall/action.DropPing
+++ b/Shorewall/action.DropPing
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.DropPing
+# Shorewall 2.4 /usr/share/shorewall/action.DropPing
 #
 #	This action silently drops 'ping' requests.
 #
--- a/Shorewall/action.DropSMB
+++ b/Shorewall/action.DropSMB
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.DropSMB
+# Shorewall 2.4 /usr/share/shorewall/action.DropSMB
 #
 #	This action silently drops Microsoft SMB traffic
 #
--- a/Shorewall/action.DropUPnP
+++ b/Shorewall/action.DropUPnP
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.DropUPnP
+# Shorewall 2.4 /usr/share/shorewall/action.DropUPnP
 #
 #	This action silently drops UPnP probes on UDP port 1900
 #
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.Reject
+# Shorewall 2.4 /usr/share/shorewall/action.Reject
 #
 #	The default REJECT action common rules
 #
--- a/Shorewall/action.RejectAuth
+++ b/Shorewall/action.RejectAuth
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.RejectAuth
+# Shorewall 2.4 /usr/share/shorewall/action.RejectAuth
 #
 #	This action silently rejects Auth (tcp 113) traffic
 #
--- a/Shorewall/action.RejectSMB
+++ b/Shorewall/action.RejectSMB
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/action.RejectSMB
+# Shorewall 2.4 /usr/share/shorewall/action.RejectSMB
 #
 #	This action silently rejects Microsoft SMB traffic
 #
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /etc/shorewall/action.template
+# Shorewall 2.4 /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form 
 #	/etc/shorewall/action.<action-name> where <action> is an
@ -72,6 +72,16 @@
 #						kernel and iptables must have
 #						iprange match support.
 #
 #			+remote                 The name of an ipset prefaced
 #					        by "+". Your kernel and
 #						iptables must have set match
 #						support
 #
 #			+remote[4]              The name of the ipset may
 #                                               followed by a number of
 #                                               levels of ipset bindings
 #                                               enclosed in square brackets.
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
@ -85,8 +95,9 @@
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., eth1:192.168.1.5).
 #
-#	DEST		Location of Server. Same as above with the exception that
+#	DEST		Location of destination host. Same as above with the exception that
-#			MAC addresses are not allowed.
+#			MAC addresses are not allowed and that you cannot specify
 #                       an ipset name in both the SOURCE and DEST columns.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
@ -146,7 +157,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>]
+#			   [!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@ -160,6 +171,7 @@
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd  #program named upnpd
 #
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE		USER/
--- a/Shorewall/actions
+++ b/Shorewall/actions
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /etc/shorewall/actions
+# Shorewall 2.4 /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules 
 #	(/etc/shorewall/rules). You define the iptables rules to
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /usr/share/shorewall/actions.std
+# Shorewall 2.4 /usr/share/shorewall/actions.std
 #
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
--- a/Shorewall/blacklist
+++ b/Shorewall/blacklist
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 -- Blacklist File
+# Shorewall 2.4 -- Blacklist File
 #
 # /etc/shorewall/blacklist
 #
@ -7,9 +7,10 @@
 #
 # Columns are:
 #
-#	ADDRESS/SUBNET 	- Host address, subnetwork, MAC address or IP address
+#	ADDRESS/SUBNET 	- Host address, subnetwork, MAC address, IP address
 #			  range (if your kernel and iptables contain iprange
-#			  match support).
+#			  match support) or ipset name prefaced by "+" (if 
 #			  your kernel supports ipset match).
 #
 # 			  MAC addresses must be prefixed with "~" and use "-"
 #			  as a separator.
@ -38,6 +39,13 @@
 # ADDRESS/SUBNET	PROTOCOL	PORT
 # 192.0.2.126		udp		53
 #
 # Example:
 #
 # To block DNS queries from addresses in the ipset 'dnsblack':
 #
 # ADDRESS/SUBNET	PROTOCOL	PORT
 # +dnsblack		udp		53
 #
 # Please see http://shorewall.net/blacklisting_support.htm for additional 
 # information.
 #
--- a/Shorewall/bogons
+++ b/Shorewall/bogons
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2-- Bogons File
+# Shorewall 2.4 -- Bogons File
 #
 # /etc/shorewall/bogons
 #
@ -45,19 +45,24 @@
 36.0.0.0/7		logdrop		# Reserved
 39.0.0.0/8		logdrop		# Reserved
 42.0.0.0/8		logdrop		# Reserved
-77.0.0.0/8		logdrop		# Reserved
+49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
-78.0.0.0/7		logdrop		# Reserved
+50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 74.0.0.0/7		logdrop		# Reserved
 76.0.0.0/6		logdrop		# Reserved
 89.0.0.0/8		logdrop		# Reserved
 90.0.0.0/7		logdrop		# Reserved
 92.0.0.0/6		logdrop		# Reserved
-96.0.0.0/4		logdrop		# Reserved
+96.0.0.0/3		logdrop		# Reserved
-112.0.0.0/5		logdrop		# Reserved
+127.0.0.0/8		logdrop		# Loopback
 120.0.0.0/6		logdrop		# Reserved
 127.0.0.0/8		logdrop		# Reserved
 173.0.0.0/8		logdrop		# Reserved
 174.0.0.0/7		logdrop		# Reserved
 176.0.0.0/5		logdrop		# Reserved
 184.0.0.0/6		logdrop		# Reserved
 189.0.0.0/8		logdrop		# Reserved
 190.0.0.0/8		logdrop		# Reserved
 197.0.0.0/8		logdrop		# Reserved
-223.0.0.0/8		logdrop		# Reserved
+198.18.0.0/15		logdrop		# Reserved
 223.0.0.0/8		logdrop		# Reserved - Returned by APNIC in 2003
 240.0.0.0/4		logdrop		# Reserved
 #
 # End of generated entries
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,296 +1,50 @@
-Changes in 2.2.5
+Changes in 2.4.0-Final
-1) Correct behavior of PKTTYPE=No
+1) Add the ability to specify a weight in the balance option.
-2) Fixed typo in the tunnel script.
+2) Remove "ipp2p" support in the rules file.
-Changes in 2.2.4
+3) Fix duplicate routing table listings from "shorewall status"
-1) Added support for UPnP
+Changes in 2.4.0-RC2
-2) Add 'started' hook.
+1) Relax "detect" restriction.
-3) Make an error message more self-explanatory
+2) Fix detection via 'nexthop' so it will work with BusyBox
-4) Report Owner Match capability
+3) Merge Tuomo Soini's fix for "shorewall add"
-5) Add Paul Traina's patch to install.sh.
+Changes in 2.4.0-RC1
-6) Allow startup options to be overridden in /etc/sysconfig/shorewall
+1) Fix output from firewall itself vis-a-vis multiple providers.
   or /etc/default/shorewall.
-7) Add support for SAME
+2) Merge and tweak Lorenzo Martignoni's 'safe-restart' patch.
-8) Add 'shorewall show capabilities'
+Changes in 2.3.2
-8) Add '-v' option
+1) Add support for -j ROUTE
-9) Allow 'none' in /etc/shorewall/rules.
+2) Add TEST column to /etc/shorewall/routes
-10) Add error message for invalid HOST(S) column contents.
+3) Add support for different providers.
-11) Apply Christian Rodriguez's patch for Slackware install.
+4) Merge patch from Juan Jesús Prieto.
-Changes in 2.2.3
+5) Implement 'loose' routestopped option.
-1) Added the 'continue' extension script.
+6) Change 'loose' to 'source' and 'dest'
-2) Obey 'routestopped' rules during [re]start.
+7) Fix routing of connections from the firewall with multiple ISPs.
-3) MACLIST_TTL added.
+Changes in 2.3.1
-4) Fix ! in hosts file
+1) Change the behavior of SAVE_IPSETS and allow 'ipsets' files in
   Shorewall configuration directories.
-5) Add QUEUE policy.
+Changes in 2.3.0
-6) Fix routing output when advanced routing support not in kernel.
+1) Implement support for --cmd-owner
-Changes in 2.2.2
+2) Implement support for ipsets.
 1) The 'check' command disclaimer is toned down further and only
   appears once in the 'check' output.
 2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
 3) All calls to 'clear' are now conditional on the output device being
   a terminal.
 4) Apply Juergen Kreileder's patch for logging.
 5) Add the output of 'arp -na' to the 'shorewall status' display.
 6) Provide support for the Extended multiport match available in
   2.6.11.
 7) Fix logging rule generation.
 8) Correct port numbers in action.AllowPCA.
 9) Fix installer's handling of action.* files.
 10) Implement RFC1918_STRICT
 11) Verify interface names in the DEST column of tcrules.
 Changes in 2.2.1
 1) Add examples to the zones and policy files.
 2) Simon Matter's patch for umask.
 Changes since 2.0.3
 1) Fix security vulnerability involving temporary files/directories.
 2) Hack security fix so that it works under Slackware.
 3) Correct mktempfile() for case where mktemp isn't installed.
 4) Implement 'dropInvalid' builtin action.
 5) Fix logging nat rules.
 6) Fix COMMAND typos.
 7) Add PKTTYPE option.
 8) Enhancements to /etc/shorewall/masq
 8) Allow overriding ADD_IP_ALIASES=Yes
 9) Fix syntax error in setup_nat()
 10) Port "shorewall status" changes from 2.0.7.
 11) All config files are now empty.
 12) Port blacklisting fix from 2.0.7
 13) Pass rule chain and display chain separately to log_rule_limit.
    Prep work for action logging.
 14) Show the iptables/ip/tc command that failed when failure is fatal.
 15) Implement STARTUP_ENABLED.
 16) Added DNAT ONLY column to /etc/shorewall/nat.
 17) Removed SNAT from ORIGINAL DESTINATION column.
 18) Removed DNAT ONLY column.
 19) Added IPSEC column to /etc/shorewall/masq.
 20) No longer enforce source port 500 for ISAKMP.
 21) Apply policy to interface/host options.
 22) Fix policy and maclist.
 23) Implement additional IPSEC options for zones and masq entries.
 24) Deprecate the -c option in /sbin/shorewall.
 25) Allow distinct input and output IPSEC parameters.
 26) Allow source port remapping in /etc/shorewall/masq.
 27) Include params file on 'restore'
 28) Apply Richard Musil's patch.
 29) Correct parsing of PROTO column in setup_tc1().
 30) Verify Physdev match if BRIDGING=Yes
 31) Don't NAT tunnel traffic.
 32) Fix shorewall.spec to run chkconfig/insserv after initial install.
 33) Add iprange support.
 34) Add CLASSIFY support.
 35) Fix iprange support so that ranges in both source and destination
    work.
 36) Remove logunclean and dropunclean
 37) Fixed proxy arp flag setting for complex configurations.
 38) Added RETAIN_ALIASES option.
 39) Relax OpenVPN source port restrictions.
 40) Implement DELAYBLACKLISTLOAD.
 41) Avoid double-setting proxy arp flags.
 42) Fix DELAYBLACKLISTLOAD=No.
 43) Merge 'brctl show' change from 2.0.9.
 44) Implememt LOGTAGONLY.
 45) Merge 'tcrules' clarification from 2.0.10.
 46) Implement 'sourceroute' interface option.
 47) Add 'AllowICMPs' action.
 48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
    handled before traffic from non-IPSEC zones.
 49) Correct logmartians handling.
 50) Add a clarification and fix a typo in the blacklist file.
 51) Allow setting a specify MSS value.
 52) Detect duplicate zone names.
 53) Add mss=<number> option to the ipsec file.
 54) Added CONNMARK/ipp2p support.
 55) Added LOGALLNEW support.
 56) Fix typo in check_config()
 57) Allow outgoing NTP responses in action.AllowNTP.
 58) Clarification of the 'ipsec' hosts file option.
 59) Allow list in the SUBNET column of the rfc1918 file.
 60) Restore missing '#' in the rfc1918 file.
 61) Add note for Slackware users to INSTALL.
 62) Allow interface in DEST tcrules column.
 63) Remove 'ipt_unclean' from search expression in "log" commands.
 64) Remove nonsense from IPSEC description in masq file.
 65) Correct typo in rules file.
 66) Update bogons file.
 67) Add a rule for NNTPS to action.AllowNNTP
 68) Fix "shorewall add"
 69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
 70) Correct typo in shorewall.conf.
 71) Add the 'icmp_echo_ignore_all' file to the /proc display.
 72) Apply Tuomas Jormola's IPTABLES patch.
 73) Fixed some bugs in Tuomas's patch.
 74) Correct bug in "shorewall add"
 75) Correct bridge handling in "shorewall add" and "shorewall delete"
 76) Add "shorewall show zones"
 77) Remove dependency of "show zones" on dynamic zones.
 78) Implement variable expansion in INCLUDE directives
 79) More fixes for "shorewall delete" with bridging.
 80) Split restore-base into two files.
 81) Correct OUTPUT handling of dynamic zones.
 83) Add adapter statistics to the output of "shorewall status".
 84) Log drops due to policy rate limiting.
 85) Continue determining capabilities when fooX1234 already exists.
 86) Corrected typo in interfaces file.
 87) Add DROPINVALID option.
 88) Allow list of hosts in add and delete commands. Fix ipsec problem
    with "add" and "delete"
 89) Clarify add/delete syntax in /sbin/shorewall usage summary.
 90) Implement OpenVPN TCP support.
 91) Simplify the absurdly over-engineered code that restores the
    dynamic chain.
 92) Add OPENVPNPORT option.
 93) Remove OPENVPNPORT option and change default port to 1194.
 94) Avoid shell error during "shorewall stop/clear"
 95) Change encryption to blowfish in 'ipsecvpn' script.
 96) Correct rate limiting rule example.
 97) Fix <if>:: handling in setup_masq().
 98) Fix mis-leading typo in tunnels.
 99) Fix brain-dead ipsec option handling in setup_masq().
 100) Reconcile ipsec masq file implementation with the documentation.
 101) Add netfilter module display to status output.
 102) Add 'allowInvalid' builtin action.
 103) Expand range of Traceroute ports.
 102) Correct uninitialized variable in setup_ecn()
 103) Allow DHCP to be IPSEC-encrypted.
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.2 - Default Config Path 
+# Shorewall version 2.4 - Default Config Path 
 #
 # /usr/share/shorewall/configpath
 #
--- a/Shorewall/continue
+++ b/Shorewall/continue
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/continue
+# Shorewall 2.4 -- /etc/shorewall/continue
 #
 # Add commands below that you want to be executed after shorewall has
 # cleared any existing Netfilter rules and has enabled existing connections.
--- a/Shorewall/ecn
+++ b/Shorewall/ecn
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 - /etc/shorewall/ecn
+# Shorewall 2.4 - /etc/shorewall/ecn
 #
 #	Use this file to list the destinations for which you want to
 #	disable ECN.
--- a/Shorewall/fallback.sh
+++ b/Shorewall/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=2.2.5
+VERSION=2.4.0
 usage() # $1 = exit status
 {
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
--- a/Shorewall/functions
+++ b/Shorewall/functions
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 2.2 -- /usr/share/shorewall/functions
+# Shorewall 2.4 -- /usr/share/shorewall/functions
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
@ -159,9 +159,12 @@ find_file()
 # Replace commas with spaces and echo the result
 #
 separate_list() {
-    local list
+    local list="$@"
    local part
    local newlist
    local firstpart
    local lastpart
    local enclosure
    #
    # There's been whining about us not catching embedded white space in
    # comma-separated lists. This is an attempt to snag some of the cases.
@ -170,12 +173,31 @@ separate_list() {
    # either 'startup_error' or 'fatal_error' depending on the command and
    # command phase
    #
-    case "$@" in
+    case "$list" in
 	*,|,*|*,,*|*[[:space:]]*)
            [ -n "$terminator" ] && \
 		$terminator "Invalid comma-separated list \"$@\""
            echo "Warning -- invalid comma-separated list \"$@\"" >&2
 	    ;;
 	*\[*\]*)
 	    #
 	    # Where we need to embed comma-separated lists within lists, we enclose them
 	    # within square brackets
 	    #
 	    firstpart=${list%%\[*}
 	    lastpart=${list#*\[}
 	    enclosure=${lastpart%\]*}
 	    lastpart=${lastpart#*\]}
 	    case $lastpart in
 		\,*)
 		    echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
 		    ;;
 		*)
 		     echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
 		     ;;
 	    esac
 	    return
 	    ;;
    esac
    list="$@"
@ -756,6 +778,29 @@ find_device() {
    done
 }
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
 find_gateway() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xvia ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'peer' in the passed arguments then echo the next value up to
 # "/"
 #
 find_peer() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xpeer ] && echo ${2%/*} && return
 	shift
    done
 }
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
@ -778,6 +823,14 @@ find_rt_interface() {
    done
 }
 #
 # Try to find the gateway through an interface looking for 'nexthop' 
 find_nexthop() # $1 = interface
 {
    echo $(find_gateway `ip route ls | grep "[[:space:]]nexthop.* $1"`)
 }    
 #
 # Find the default route's interface
 #
--- a/Shorewall/help
+++ b/Shorewall/help
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall help subsystem - V2.2
+# Shorewall help subsystem - V2.4
 #
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -55,7 +55,10 @@ address|host)
    May be either a host IP address such as 192.168.1.4 or a network address in
    CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
    match support then IP address ranges of the form <low address>-<high address>
-    are also permitted."
+    are also permitted. If your kernel and iptables contain ipset match support 
    then you may specify the name of an ipset prefaced by "+". The name of the
    ipsec may be optionally followed by a number of levels of ipset bindings
    (1 - 6) that are to be followed"
 	;;
 allow)
@ -209,6 +212,19 @@ restart)
    If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
 	;;
 safe-restart)
 	echo "safe-restart: safe-restart
    Restart the same way as a shorewall restart except that previous firewall 
    configuration is backed up and will be restored if you notice any anomalies
    or you are not able to reach the firewall any more."
    ;;
 safe-start)
 	echo "safe-start: safe-start
    Start the same way as a shorewall start except that in case of anomalies 
    shorewall clear is issued. "
    ;;
 restore)
 	echo "restore: restore [ <file name> ]
    Restore Shorewall to a state saved using the 'save' command
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 - /etc/shorewall/hosts
+# Shorewall 2.4 - /etc/shorewall/hosts
 #
 #	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
 #	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
--- a/Shorewall/init
+++ b/Shorewall/init
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/init
+# Shorewall 2.4 -- /etc/shorewall/init
 #
 # Add commands below that you want to be executed at the beginning of
 # a "shorewall start" or "shorewall restart" command.
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V2.4
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
--- a/Shorewall/initdone
+++ b/Shorewall/initdone
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/initdone
+# Shorewall 2.4 -- /etc/shorewall/initdone
 #
 # Add commands below that you want to be executed during 
 # "shorewall start" or "shorewall restart" commands at the point where
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
-VERSION=2.2.5
+VERSION=2.4.0
 usage() # $1 = exit status
 {
@ -407,6 +407,28 @@ else
    echo
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
 # Install the Routes file
 #
 if [ -f ${PREFIX}/etc/shorewall/routes ]; then
    backup_file /etc/shorewall/routes
 else
    run_install $OWNERSHIP -m 0600 routes ${PREFIX}/etc/shorewall/routes
    echo
    echo "Routes file installed as ${PREFIX}/etc/shorewall/routes"
 fi
 #
 # Install the Providers file
 #
 if [ -f ${PREFIX}/etc/shorewall/providers ]; then
    backup_file /etc/shorewall/providers
 else
    run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall/providers
    echo
    echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
 fi
 #
 # Backup and remove the whitelist file
 #
@ -518,7 +540,7 @@ fi
 if [ -f ${PREFIX}/etc/shorewall/started ]; then
    backup_file /etc/shorewall/started
 else
-    run_install -o $OWNER -g $GROUP -m 0600 started ${PREFIX}/etc/shorewall/started
+    run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall/started
    echo
    echo "Started file installed as ${PREFIX}/etc/shorewall/started"
 fi
--- a/Shorewall/interfaces
+++ b/Shorewall/interfaces
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 -- Interfaces File
+# Shorewall 2.4 -- Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@ -167,6 +167,7 @@
 #			detectnets   - Automatically taylors the zone named
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
 #			upnp         - Incoming requests from this interface may
 #				       be remapped via UPNP (upnpd).
 #			
@ -177,6 +178,12 @@
 #			significant but the list should have no embedded white
 #			space.
 #
 #	GATEWAY		This column is only meaningful if the 'default' OPTION
 #			is given -- it is ignored otherwise. You may specify 
 #			the default gateway IP address for this interface here
 #			and Shorewall will use that IP address rather than any
 #			that it finds in the main routing table.
 #
 #	Example 1:	Suppose you have eth0 connected to a DSL modem and
 #			eth1 connected to your local network and that your
 #			local subnet is 192.168.1.0/24. The interface gets
@ -205,6 +212,6 @@
 # For additional information, see http://shorewall.net/Documentation.htm#Interfaces
 #
 ##############################################################################
-#ZONE	 INTERFACE	BROADCAST	OPTIONS
+#ZONE	 INTERFACE	BROADCAST	OPTIONS			GATEWAY
 #
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall/ipsec
+++ b/Shorewall/ipsec
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 - /etc/shorewall/ipsec
+# Shorewall 2.4 - /etc/shorewall/ipsec
 #
 #	This file defines the attributes of zones with respect to
 #	IPSEC. To use this file for any purpose except for setting mss, 
--- a/Shorewall/maclist
+++ b/Shorewall/maclist
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 - MAC list file
+# Shorewall 2.4 - MAC list file
 #
 #	This file is used to define the MAC addresses and optionally their
 #	associated IP addresses to be allowed to use the specified interface.
--- a/Shorewall/masq
+++ b/Shorewall/masq
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 - Masquerade file
+# Shorewall 2.4 - Masquerade file
 #
 # /etc/shorewall/masq
 #
--- a/Shorewall/modules
+++ b/Shorewall/modules
@ -1,5 +1,5 @@
 ##############################################################################
-# Shorewall 2.2 /etc/shorewall/modules
+# Shorewall 2.4 /etc/shorewall/modules
 #
 # This file loads the modules needed by the firewall.
 #
@ -19,4 +19,9 @@
    loadmodule ip_nat_ftp
    loadmodule ip_nat_tftp
    loadmodule ip_nat_irc
    loadmodule ip_set
    loadmodule ip_set_iphash
    loadmodule ip_set_ipmap
    loadmodule ip_set_macipmap
    loadmodule ip_set_portmap
--- a/Shorewall/nat
+++ b/Shorewall/nat
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.2  -- Network Address Translation Table
+# Shorewall 2.4  -- Network Address Translation Table
 #
 # /etc/shorewall/nat
 #
--- a/Shorewall/netmap
+++ b/Shorewall/netmap
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.2  -- Network Mapping Table
+# Shorewall 2.4  -- Network Mapping Table
 #
 # /etc/shorewall/netmap
 #
--- a/Shorewall/params
+++ b/Shorewall/params
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /etc/shorewall/params
+# Shorewall 2.4 /etc/shorewall/params
 #
 # Assign any variables that you need here.
 #
--- a/Shorewall/policy
+++ b/Shorewall/policy
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 -- Policy File
+# Shorewall 2.4 -- Policy File
 #
 # /etc/shorewall/policy
 #
--- a/Shorewall/proxyarp
+++ b/Shorewall/proxyarp
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.2 -- Proxy ARP
+# Shorewall 2.4 -- Proxy ARP
 #
 # /etc/shorewall/proxyarp
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
--- a/Shorewall/rfc1918
+++ b/Shorewall/rfc1918
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 -- RFC1918 File
+# Shorewall 2.4 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
--- a/Shorewall/routestopped
+++ b/Shorewall/routestopped
@ -1,6 +1,6 @@
 ##############################################################################
 #
-# Shorewall 2.2 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall 2.4 -- Hosts Accessible when the Firewall is Stopped
 #
 # /etc/shorewall/routestopped
 #
@ -25,12 +25,25 @@
 #			  routeback - Set up a rule to ACCEPT traffic from
 #			  these hosts back to themselves.
 #
 #			  source - Allow traffic from these hosts to ANY
 #			  destination. Without this option or the 'dest'
 #                         option, only traffic from this host to other
 #			  listed hosts (and the firewall) is allowed. If
 #                         'source' is specified then 'routeback' is redundent.
 #
 #			  dest - Allow traffic to these hosts from ANY
 #			  source. Without this option or the 'source'
 #                         option, only traffic from this host to other
 #			  listed hosts (and the firewall) is allowed. If
 #                         'dest' is specified then 'routeback' is redundent.
 #
 # Example:
 #
 #	INTERFACE	HOST(S)			OPTIONS
 #	eth2		192.168.1.0/24
 #	eth0		192.0.2.44
 #	br0		-			routeback
 #	eth3		-			source
 #
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional 
--- a/Shorewall/rules
+++ b/Shorewall/rules
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.2 - Rules File
+# Shorewall version 2.4 - Rules File
 #
 # /etc/shorewall/rules
 #
@ -134,6 +134,11 @@
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
 #                       If you kernel and iptables have ipset match support then
 #                       you may give the name of an ipset prefaced by "+". The
 #                       ipset name may be optionally followed by a number from
 #                       1 to 6 enclosed in square brackets ([]) to indicate the
 #                       number of levels of source bindings to be matched.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@ -189,6 +194,14 @@
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
 #                       If you kernel and iptables have ipset match support then
 #                       you may give the name of an ipset prefaced by "+". The
 #                       ipset name may be optionally followed by a number from
 #                       1 to 6 enclosed in square brackets ([]) to indicate the
 #                       number of levels of destination bindings to be matched.
 #                       Only one of the SOURCE and DEST columns may specify an
 #                       ipset name.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
@ -204,20 +217,14 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			a number, or "all". "ipp2p" requires ipp2p match
+#			"all".
 #			support in your kernel and iptables.
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
 #			as an ipp2p option without the leading "--" (example "bit"
 #			for bit-torrent). If no port is given, "ipp2p" is
 #			assumed.
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
@ -250,8 +257,8 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional -- only allowed if ACTION is DNAT[-] or
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then 
-#                       REDIRECT[-]) If included and different from the IP
+#			if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
@ -267,6 +274,20 @@
 #			destination address in the connection request does not
 #			match any of the addresses listed.
 #
 #			For other actions, this column may be included and may
 #			contain one or more addresses (host or network)
 #			separated by commas. Address ranges are not allowed.
 #                       When this column is supplied, rules are generated
 #                       that require that the original destination address matches
 #                       one of the listed addresses. This feature is most useful when
 #                       you want to generate a filter rule that corresponds to a 
 #		        DNAT- or REDIRECT- rule. In this usage, the list of
 #			addresses should not begin with "!".
 #
 #			See http://shorewall.net/PortKnocking.html for an 
 #			example of using an entry in this column with a
 #			user-defined action rule.		
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in 
 #			this colume:
 # 
@ -285,7 +306,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>]
+#			   [!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@ -299,6 +320,7 @@
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd  #program named 'upnpd'
 #
 #	Example: Accept SMTP requests from the DMZ to the internet
 #
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V2.2
+#     Shorewall Packet Filtering Firewall Control Program - V2.4
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@ -97,6 +97,14 @@
 #          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
 #                                                  a list of network/host addresses.
 #
 #          shorewall safe-start                    Starts the firewall and promtp for a c
 #                                                  confirmation to accept or reject the new 
 #                                                  configuration
 #
 #          shorewall safe-restart                  Restarts the firewall and prompt for a 
 #                                                  confirmation to accept or reject the new 
 #                                                  configuration
 #
 # Fatal Error
 #
 fatal_error() # $@ = Message
@ -136,7 +144,7 @@ showchain() # $1 = name of chain
 }
 #
-# The 'awk' hack that compensates for a bug in iptables-save (actually in libipt_policy.so) and can be removed when that bug is fixed.
+# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
 #
 iptablesbug()
@ -146,6 +154,7 @@ iptablesbug()
             /^-j/           { print sline $0; next };\
             /-m policy.*-j/ { print $0; next };\
             /-m policy/     { sline=$0; next };\
             /--mask ff/     { sub( /--mask ff/, "--mask 0xff" ) };\
                             {print ; sline="" }'
    else
 	echo "   Warning: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
@ -589,6 +598,88 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    done
 }
 #
 # Save currently running configuration
 #
 save_config() {
    [ "$nolock" ] || mutex_on
    if qt $IPTABLES -L shorewall -n; then
 	[ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 	if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
 	    echo "   ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
 	else
 	    case $RESTOREFILE in
 		save|restore-base)
 		    echo "   ERROR: Reserved file name: $RESTOREFILE"
 		    ;;
 		*)
 		    if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
 			echo "   Dynamic Rules Saved"
 			if [ -f /var/lib/shorewall/restore-base ]; then
 			    cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
 			    if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
 				echo __EOF__ >> /var/lib/shorewall/restore-$$
 				[ -f /var/lib/shorewall/restore-tail ] && \
 				    cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
 				mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH 
 				chmod +x $RESTOREPATH
 				echo "   Currently-running Configuration Saved to $RESTOREPATH"
 				rm -f ${RESTOREPATH}-ipsets
 				case ${SAVE_IPSETS:-No} in
 				    [Yy][Ee][Ss])
                                        RESTOREPATH=${RESTOREPATH}-ipsets
 					f=/var/lib/shorewall/restore-$$
 					echo "#!/bin/sh" > $f
 					echo "#This ipset restore file generated $(date) by Shorewall $version" >> $f
 					echo  >> $f
 					echo ". /usr/share/shorewall/functions" >> $f
 					echo  >> $f
 					grep '^MODULE' /var/lib/shorewall/restore-base >>  $f
 					echo "reload_kernel_modules << __EOF__" >> $f
 					grep 'loadmodule ip_set' /var/lib/shorewall/restore-base >>  $f
                                        echo "__EOF__" >> $f
 					echo  >> $f
 					echo "ipset -U :all: :all:" >> $f
 					echo "ipset -F" >> $f
 					echo "ipset -X" >> $f
 					echo "ipset -R << __EOF__" >> $f
 					ipset -S >> $f
 					echo "__EOF__" >> $f
 					mv -f $f $RESTOREPATH 
 					chmod +x $RESTOREPATH
 					echo "   Current Ipset Contents Saved to $RESTOREPATH"
 					;;
 				    [Nn][Oo])
 				        ;;
 				    *)
 				        echo "   WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS. Ipset contents not saved"
 					;;
 				esac
 			    else
 			        rm -f /var/lib/shorewall/restore-$$
 				echo "   ERROR: Currently-running Configuration Not Saved"
 			    fi
 			else
 			    echo "   ERROR: /var/lib/shorewall/restore-base does not exist"
 			fi
 		    else
 		        echo "Error Saving the Dynamic Rules"
 		    fi
 		    ;;
 	    esac
 	fi
    else
 	echo "Shorewall isn't started"
    fi
    [ "$nolock" ] || mutex_off
 }
 #
 # Help information
 #
@ -630,6 +721,8 @@ usage() # $1 = exit status
    echo "   status"
    echo "   try <directory> [ <timeout> ]"
    echo "   version"
    echo "   safe-start"
    echo "   safe-restart"
    echo 
    exit $1
 }
@ -642,6 +735,7 @@ show_reset() {
 	echo "Counters reset $(cat $STATEDIR/restarted)" && \
 	echo
 }
 #
 # Display's the passed file name followed by "=" and the file's contents.
 #
@ -650,6 +744,27 @@ show_proc() # $1 = name of a file
    [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 read_yesno_with_timeout() { 
    read -t 60 yn 2> /dev/null
    if [ $? -eq 2 ]
    then
 	# read doesn't support timeout
 	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
 	/bin/bash -c 'read -t 60 yn ; if [ "$yn" == "y" ] ; then exit 0 ; else exit 1 ; fi' # invoke bash and use its version of read
 	return $?
    else
 	# read supports timeout
 	case "$yn" in
 	    y|Y)
 		return 0
 		;;
 	    *)
 		return 1
 		;;
 	esac
    fi
 }
 #
 # Execution begins here
 #
@ -846,6 +961,17 @@ case "$1" in
 	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	    if [ -x $RESTOREPATH ]; then
 		if [ -x ${RESTOREPATH}-ipsets ]; then
 		    echo Restoring Ipsets...
 		    #
 		    # We must purge iptables to be sure that there are no
 		    # references to ipsets
 		    #
 		    iptables -F
 		    iptables -X
 		    ${RESTOREPATH}-ipsets
 		fi
 		echo Restoring Shorewall...
 		$RESTOREPATH
 		date > $STATEDIR/restarted
@ -1035,7 +1161,8 @@ case "$1" in
 	    echo
 	    ip rule ls
 	    ip rule ls | while read rule; do
-		table=${rule##* }
+		echo ${rule##* }
 	    done | sort -u | while read table; do 
 		echo
 		echo "Table $table:"
 		echo
@ -1187,47 +1314,8 @@ case "$1" in
 	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
-	mutex_on
+	save_config
 	if qt $IPTABLES -L shorewall -n; then
 	    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 	    if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
 		echo "   ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
 	    else
 		case $RESTOREFILE in
 		    save|restore-base)
 			echo "   ERROR: Reserved file name: $RESTOREFILE"
 			;;
 		    *)
 			if $IPTABLES -L dynamic -n > /var/lib/shorewall/save; then
 			    echo "   Dynamic Rules Saved"
 			    if [ -f /var/lib/shorewall/restore-base ]; then
 				cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
 				if iptables-save | iptablesbug >> /var/lib/shorewall/restore-$$ ; then
 				    echo __EOF__ >> /var/lib/shorewall/restore-$$
 				    [ -f /var/lib/shorewall/restore-tail ] && \
 					cat /var/lib/shorewall/restore-tail >> /var/lib/shorewall/restore-$$
 				    mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH 
 				    chmod +x $RESTOREPATH
 				    echo "   Currently-running Configuration Saved to $RESTOREPATH"
 				else
 				    rm -f /var/lib/shorewall/restore-$$
 				    echo "   ERROR: Currently-running Configuration Not Saved"
 				fi
 			    else
 				echo "   ERROR: /var/lib/shorewall/restore-base does not exist"
 			    fi
 			else
 			    echo "Error Saving the Dynamic Rules"
 			fi
 			;;
 		esac
 	    fi
 	else
 	    echo "Shorewall isn't started"
 	fi
 	mutex_off
 	;;
    forget)
 	case $# in
@ -1246,6 +1334,12 @@ case "$1" in
 	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	if [ -x $RESTOREPATH ]; then
 	    if [ -x ${RESTOREPATH}-ipsets ]; then
 		rm -f ${RESTOREPATH}-ipsets
 		echo "    ${RESTOREPATH}-ipsets removed"
 	    fi
 	    rm -f $RESTOREPATH
 	    echo "    $RESTOREPATH removed"
 	elif [ -f $RESTOREPATH ]; then
@ -1302,11 +1396,22 @@ case "$1" in
 	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	[ -n "$nolock" ] || mutex_on
 	if [ -x $RESTOREPATH ]; then 
 	    if [ -x ${RESTOREPATH}-ipsets ] ; then
 		echo Restoring Ipsets...
 		iptables -F
 		iptables -X
 		${RESTOREPATH}-ipsets
 	    fi
 	    echo Restoring Shorewall...
 	    $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
 	    [ -n "$nolock" ] || mutex_off
            exit 2
        fi
        ;;
@ -1323,6 +1428,76 @@ case "$1" in
 	[ $# -ne 1 ] && usage 1
 	help $@
 	;;
    safe-restart|safe-start)
 	# test is the shell supports timed read 
 	read -t 0 junk 2> /dev/null
 	if [ $? -eq 2 -a ! -x /bin/bash ]
 	then
 	    echo "Your shell does not support a feature required to execute this command".
 	    exit 2
 	fi
 	mutex_on
 	if qt $IPTABLES -L shorewall -n 
 	then
 	    running=0
 	else
 	    running=1
 	fi
 	if [ "$1" = "safe-start" -a  $running -eq 0 ]
 	then
 	    # the command is safe-start but the firewall is already running
 	    $0 nolock $debugging start
 	    ret=$?
 	    exit 0
 	fi
 	if [ "$1" = "safe-start" -o  $running -ne 0 ]
 	then
 	    # the command is safe-start or shorewall is not started yet
 	    command="start"
 	else
 	    # the command is safe-restart and the firewall is already running
 	    command="restart"
 	fi
 	if [ "$command" = "restart" ]
 	then
 	    # save previous configuration
 	    $0 nolock $debugging save "safe-start-restart"
 	fi
 	$0 nolock $debugging $command
 	echo -n "Do you want to accept the new firewall configuration? [y/n] "
 	read_yesno_with_timeout
 	if [ $? -eq 0 ]
 	then
 	    echo "New configuration has been accepted"
 	    if [ "$command" = "restart" ]
 	    then
 		# removed previous configuration
 		rm /var/lib/shorewall/safe-start-restart
 	    fi
 	else	
 	    if [ "$command" = "restart" ]
 	    then
 		$0 nolock $debugging restore "safe-start-restart"
 		rm /var/lib/shorewall/safe-start-restart
 	    else		    
 		$0 nolock $debugging clear
 	    fi
 	    mutex_off
 	    echo "New configuration has been rejected and the old one restored"
 	    exit 2
 	fi
 	mutex_off
 	[ $? -eq 0 ] && [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
 	;;
    *)
 	usage 1
 	;;
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -1,5 +1,5 @@
 ##############################################################################
-#  /etc/shorewall/shorewall.conf V2.2 - Change the following variables to
+#  /etc/shorewall/shorewall.conf V2.4 - Change the following variables to
 #  match your setup
 #
 #  This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
@ -158,6 +158,7 @@ LOGALLNEW=
 #
 # See the comment at the top of this section for a description of log levels
 #
 BLACKLIST_LOGLEVEL=
 #
@ -174,7 +175,6 @@ BLACKLIST_LOGLEVEL=
 #
 # Example: LOGNEWNOTSYN=debug
 LOGNEWNOTSYN=info
 #
@ -251,6 +251,7 @@ BOGON_LOG_LEVEL=info
 #
 LOG_MARTIANS=No
 ################################################################################
 #       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
 ################################################################################
@ -261,12 +262,14 @@ LOG_MARTIANS=No
 # not specified or if specified with an empty value (e.g., IPTABLES="") then
 # the iptables executable located via the PATH setting below is used.
 #
 IPTABLES=
 #
 # PATH - Change this if you want to change the order in which Shorewall
 #        searches directories for executable files.
 #
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
@ -336,6 +339,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 # assumed.
 RESTOREFILE=
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################
@ -345,6 +349,7 @@ RESTOREFILE=
 # Name of the firewall zone -- if not set or if set to an empty string, "fw"
 # is assumed.
 #
 FW=fw
 #
@ -359,6 +364,7 @@ FW=fw
 # If you set this variable to "Keep" or "keep", Shorewall will neither
 # enable nor disable packet forwarding.
 #
 IP_FORWARDING=On
 #
@ -368,6 +374,7 @@ IP_FORWARDING=On
 # for each NAT external address that you give in /etc/shorewall/nat. If you say
 # "No" or "no", you must add these aliases youself.
 #
 ADD_IP_ALIASES=Yes
 #
@ -378,6 +385,7 @@ ADD_IP_ALIASES=Yes
 # "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
 # you are sure that you need it -- most people don't!!!
 #
 ADD_SNAT_ALIASES=No
 #
@ -393,6 +401,7 @@ ADD_SNAT_ALIASES=No
 # You can cause Shorewall to retain existing addresses by setting
 # RETAIN_ALIASES=Yes. 
 #
 RETAIN_ALIASES=No
 #
@ -475,6 +484,7 @@ MARK_IN_FORWARD_CHAIN=No
 #
 #	CLAMPMSS=1400
 #
 CLAMPMSS=No
 #
@ -571,7 +581,6 @@ MUTEX_TIMEOUT=60
 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
 # using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
 # network or host basis using the same option in /etc/shorewall/hosts.
 #
 # I find that NEWNOTSYN=No tends to result in lots of "stuck"
 # connections because any network timeout during TCP session tear down
@ -609,6 +618,7 @@ NEWNOTSYN=Yes
 # If this variable is not set or it is set to the null value then
 # ADMINISABSENTMINDED=No is assumed.
 #
 ADMINISABSENTMINDED=Yes
 #
@ -631,6 +641,7 @@ ADMINISABSENTMINDED=Yes
 # If the BLACKLISTNEWONLY option is not set or is set to the empty value then
 # BLACKLISTNEWONLY=No is assumed.
 #
 BLACKLISTNEWONLY=Yes
 #
@ -791,6 +802,20 @@ RFC1918_STRICT=No
 MACLIST_TTL=
 #
 # Save/Restore IPSETS
 #
 # If SAVE_IPSETS=Yes then Shorewall will:
 #
 #	Restore the last saved ipset contents during "shorewall [re]start"
 #	Save the current ipset contents during "shorewall save"
 #
 #       Regardless of the setting of SAVE_IPSETS, if ipset contents were
 #	saved during a "shorewall save" then they will be restored during
 #	a subsequent "shorewall restore".
 SAVE_IPSETS=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.2.5
+%define version 2.4.0
 %define release 1
 %define prefix /usr
@ -95,6 +95,8 @@ fi
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/actions
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/continue
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/started
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/routes
 %attr(0600,root,root) %config(noreplace) /etc/shorewall/providers
 %attr(0544,root,root) /sbin/shorewall
@ -139,8 +141,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
 %changelog
-* Fri May 20 2005 Tom Eastep tom@shorewall.net
+* Thu Jun 02 2005 Tom Eastep tom@shorewall.net
- Updated to 2.2.5-1
+- Updated to 2.4.0-1
 * Sun May 30 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.4.0-0RC2
 * Thu May 19 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.4.0-0RC1
 * Thu May 19 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.3.2-1
 * Sun May 15 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.3.1-1
 * Mon Apr 11 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.2.4-1
 * Fri Apr 08 2005 Tom Eastep tom@shorewall.net
--- a/Shorewall/start
+++ b/Shorewall/start
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/start
+# Shorewall 2.4 -- /etc/shorewall/start
 #
 # Add commands below that you want to be executed after shorewall has
 # been started or restarted.
--- a/Shorewall/started
+++ b/Shorewall/started
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/started
+# Shorewall 2.4 -- /etc/shorewall/started
 #
 # Add commands below that you want to be executed after shorewall has
 # been completely started or restarted. The difference between this
--- a/Shorewall/stop
+++ b/Shorewall/stop
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/stop
+# Shorewall 2.4 -- /etc/shorewall/stop
 #
 # Add commands below that you want to be executed at the beginning of a
 # "shorewall stop" command.
--- a/Shorewall/stopped
+++ b/Shorewall/stopped
@ -1,5 +1,5 @@
 ############################################################################
-# Shorewall 2.2 -- /etc/shorewall/stopped
+# Shorewall 2.4 -- /etc/shorewall/stopped
 #
 # Add commands below that you want to be executed at the completion of a
 # "shorewall stop" command.
--- a/Shorewall/tcrules
+++ b/Shorewall/tcrules
@ -1,5 +1,5 @@
 #
-# Shorewall version 2.2 - Traffic Control Rules File
+# Shorewall version 2.4 - Traffic Control Rules File
 #
 # /etc/shorewall/tcrules
 #
@ -16,10 +16,14 @@
 #		final mark for each packet will be the one assigned by the
 #		LAST tcrule that matches.
 #
 #		If you use multiple internet providers with the 'track' option,
 #		in /etc/shorewall/providers be sure to read the restrictions at
 #		http://shorewall.net/Shorewall_and_Routing.html.
 #
 # Columns are:
 #
 #
-#	MARK/		a) A mark value which is a integer in the range 1-255
+#	MARK/		a) A mark value which is an integer in the range 1-255
 #       CLASSIFY
 #			   May optionally be followed by ":P" or ":F"
 #			   where ":P" indicates that marking should occur in
@ -130,10 +134,11 @@
 #
 #			It may contain :
 #
-#			   [<user name or number>]:[<group name or number>]
+#			   [<user name or number>]:[<group name or number>][+<program name>]
 #
-#			The colon is optionnal when specifying only a user.
+#			The colon is optionnal when specifying only a user 
-#			Examples : john: / john / :users / john:users
+#			or a program name.
 #			Examples : john: , john , :users , john:users , +mozilla-bin
 #
 #	TEST		Defines a test on the existing packet or connection mark. 
 #			The rule will match only if the test returns true. Tests
--- a/Shorewall/tos
+++ b/Shorewall/tos
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 -- /etc/shorewall/tos
+# Shorewall 2.4 -- /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
--- a/Shorewall/tunnel
+++ b/Shorewall/tunnel
@ -2,7 +2,7 @@
 RCDLINKS="2,S45 3,S45 6,K45"
 ################################################################################
-#   Script to create a gre or ipip tunnel -- Shorewall 2.2
+#   Script to create a gre or ipip tunnel -- Shorewall 2.4
 #
 #   Modified - Steve Cowles 5/9/2000
 #     Incorporated init {start|stop} syntax and iproute2 usage
--- a/Shorewall/tunnels
+++ b/Shorewall/tunnels
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 - /etc/shorewall/tunnels
+# Shorewall 2.4 - /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
-VERSION=2.2.5
+VERSION=2.4.0
 usage() # $1 = exit status
 {
--- a/Shorewall/zones
+++ b/Shorewall/zones
@ -1,5 +1,5 @@
 #
-# Shorewall 2.2 /etc/shorewall/zones
+# Shorewall 2.4 /etc/shorewall/zones
 #
 # This file determines your network zones. Columns are:
 #