Merge branch '4.4.24'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Providers.pm

@@ -40,7 +40,7 @@ our @EXPORT = qw( process_providers
 		  handle_stickiness
 		  handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -700,7 +700,7 @@ sub add_a_provider( $$ ) {
 
 	push_indent;
 
-	if ( $balance || $default ) {
+	if ( $balance || $default > 0 ) {
 	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
 	    $weight = $balance ? $balance : $default;
 
@@ -715,7 +715,7 @@ sub add_a_provider( $$ ) {
 	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 
-	    emit( qq(delete_gateway "$via" $tbl $physical) ) unless $default < 0;
+	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
 
 	emit (". $undo",

Shorewall/Perl/Shorewall/Tc.pm

@@ -394,6 +394,7 @@ sub process_tc_rule( ) {
 
 			$target .= ' --tproxy-mark';
 		    } elsif ( $target eq 'TTL' ) {
+			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
 			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
 
@@ -412,6 +413,26 @@ sub process_tc_rule( ) {
 			} else {
 			    $target .= " --ttl-set $param";
 			}
+		    } elsif ( $target eq 'HL' ) {
+			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+			$chain = 'tcfor';
+
+			$cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --hl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --hl-dec $param";
+			} else {
+			    $target .= " --hl-set $param";
+			}
 		    }
 
 		    if ( $rest ) {
@@ -1845,6 +1866,12 @@ sub setup_tc() {
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			  target    => 'HL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
 			} 
 		      );
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -253,6 +253,7 @@ sub setup_tunnels() {
 			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
 			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
 			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
 			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
@@ -284,7 +285,7 @@ sub setup_tunnels() {
 
 	while ( read_a_line ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { kind => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
 
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
 	    fatal_error 'ZONE must be specified' if $zone eq '-';

docs/MultiISP.xml

@@ -535,8 +535,10 @@
                   is given without a <replaceable>weight</replaceable>, a
                   separate default route is added through the provider's
                   gateway; the route has a metric equal to the provider's
-                  NUMBER. The option is ignored with a warning message if
+                  NUMBER.</para>
-                  USE_DEFAULT_RT=Yes in
+
+                  <para>Prior to Shorewall 4.4.24, the option is ignored with
+                  a warning message if USE_DEFAULT_RT=Yes in
                   <filename>shorewall.conf</filename>.</para>
                 </listitem>
               </varlistentry>

manpages/shorewall-providers.xml

@@ -263,8 +263,10 @@
                 specified <replaceable>weight</replaceable>. If the option is
                 given without a <replaceable>weight</replaceable>, an separate
                 default route is added through the provider's gateway; the
-                route has a metric equal to the provider's NUMBER. The option
+                route has a metric equal to the provider's NUMBER.</para>
-                is ignored with a warning message if USE_DEFAULT_RT=Yes in
+
+                <para>Prior to Shorewall 4.4.24, the option is ignored with a
+                warning message if USE_DEFAULT_RT=Yes in
                 <filename>shorewall.conf</filename>.</para>
               </listitem>
             </varlistentry>

manpages/shorewall-tunnels.xml

@@ -55,7 +55,9 @@
         <listitem>
           <para>Types are as follows:</para>
 
-          <programlisting>        <emphasis role="bold">6to4</emphasis>          - 6to4 or 6in4 tunnel         
+          <programlisting>        <emphasis role="bold">6to4</emphasis> or <emphasis
+              role="bold">6in4</emphasis>  - 6to4 or 6in4 tunnel. The <emphasis
+              role="bold">6in4</emphasis> synonym was added in 4.4.24.        
         <emphasis role="bold">ipsec</emphasis>         - IPv4 IPSEC
         <emphasis role="bold">ipsecnat</emphasis>      - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
         <emphasis role="bold">ipip</emphasis>          - IPv4 encapsulated in IPv4 (Protocol 4)
@@ -111,14 +113,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term></term>
-
-        <listitem>
-          <para></para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">ZONE</emphasis> -
         <emphasis>zone</emphasis></term>

manpages6/shorewall6-tcrules.xml

@@ -316,7 +316,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
             </listitem>
 
             <listitem>
-              <para><emphasis role="bold">TTL</emphasis>([<emphasis
+              <para><emphasis role="bold">HL</emphasis>([<emphasis
               role="bold">-</emphasis>|<emphasis
               role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
 
@@ -324,13 +324,13 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <emphasis role="bold">:F</emphasis> but the resulting rule is
               always added to the FORWARD chain. If <emphasis
               role="bold">+</emphasis> is included, packets matching the rule
-              will have their TTL incremented by
+              will have their HL (hop limit) incremented by
               <replaceable>number</replaceable>. Similarly, if <emphasis
               role="bold">-</emphasis> is included, matching packets have
-              their TTL decremented by <replaceable>number</replaceable>. If
+              their HL decremented by <replaceable>number</replaceable>. If
               neither <emphasis role="bold">+</emphasis> nor <emphasis
-              role="bold">-</emphasis> is given, the TTL of matching packets
+              role="bold">-</emphasis> is given, the HL of matching packets is
-              is set to <replaceable>number</replaceable>. The valid range of
+              set to <replaceable>number</replaceable>. The valid range of
               values for <replaceable>number</replaceable> is 1-255.</para>
             </listitem>
           </orderedlist>