Final 1.2.13 Update

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@15 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -2,7 +2,10 @@ Changes since 1.2.12
 
 1. Added whitelist support
 2. Added SYN Flood Protection
-
+3. Make aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES look more
+   like what people expect.
+4. Merged shorewall.conf file patch that adds the kernel config help
+   text for TCPMSS to the description of the Shorewall parameter.
 
 
 

Shorewall/firewall

@@ -1096,7 +1096,7 @@ setup_nat() {
 		#
 		# Now get the VLSM, "brd" and the broadcast address
 		#
-		val=`echo $val | cut -d' ' -f1,2,3`
+		val=${val%% scope*}
 	    fi
 
 	    run_ip addr add ${external}${val} dev $interface
@@ -2006,7 +2006,7 @@ setup_masq()
 	    val=`ip addr show $interface | grep 'inet.*brd '` 2> /dev/null
 	    if [ -n "$val" ] ; then
 		val="/${val#*/}"
-		val=`echo $val | cut -d' ' -f1,2,3`
+		val=${val%% scope*}
 	    fi
 	    run_ip addr add ${address}${val} dev $interface
 

Shorewall/nat

@@ -14,7 +14,7 @@
 #
 #	EXTERNAL	External IP Address - this should NOT be the primary
 #			IP address of the interface named in the next
-#			column
+#			column.
 #	INTERFACE	Interface that we want to EXTERNAL address to appear
 #                       on
 #	INTERNAL	Internal Address

Shorewall/releasenotes.txt

@@ -3,14 +3,10 @@ This is a minor release of Shorewall.
 In this release:
 
 1. Whitelist support has been added.
-2. Optional SYN Flood protection is now available
+2. Optional SYN Flood protection is now available.
-
+3. Aliases added under ADD_IP_ALIASES and ADD_SNAT_ALIASES
-
+   now use the VLSM and broadcast address of the interface's
-
+   primary address.
-
+4. Port forwarding rules may now optionally override the 
-
+   contents of the /etc/shorewall/nat file.
-
-
-
-
 

Shorewall/shorewall.conf

@@ -165,6 +165,24 @@ BLACKLIST_LOGLEVEL=
 # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
 # option. This option is most commonly required when your internet
 # interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+#    This option adds a `TCPMSS' target, which allows you to alter the
+#    MSS value of TCP SYN packets, to control the maximum size for that
+#    connection (usually limiting it to your outgoing interface's MTU
+#    minus 40).
+#
+#    This is used to overcome criminally braindead ISPs or servers which
+#    block ICMP Fragmentation Needed packets.  The symptoms of this
+#    problem are that everything works fine from your Linux
+#    firewall/router, but machines behind it can never exchange large
+#    packets:
+#        1) Web browsers connect, then hang with no data received.
+#	 2) Small mail works fine, but large emails hang.
+#	 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
 #
 # If left blank, or set to "No" or "no", the option is not enabled.
 #
@@ -176,6 +194,8 @@ CLAMPMSS="No"
 # Set this variable to "Yes" or "yes" if you want kernel route filtering on all
 # interfaces (anti-spoofing measure).
 #
+# If this variable is not set or is set to the empty value, "No" is assumed.
+
 ROUTE_FILTER="No"
 
 #
@@ -183,6 +203,8 @@ ROUTE_FILTER="No"
 #
 # Shorewall has traditionally processed static NAT rules before port forwarding
 # rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
 
 NAT_BEFORE_RULES="Yes"