Remove ipp2p support from the rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2215 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/Documentation.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-05-20</pubdate>
+    <pubdate>2005-06-01</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -1813,11 +1813,8 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
 
         <listitem>
           <para>Protocol. Must be a protocol name from /etc/protocols, a
-          number, "ipp2p" or <quote>all</quote>. Specifies the protocol of the
-          connection request. If "ipp2p" then your kernel and iptables must
-          have ipp2p match support from <ulink
-          url="http://www.netfilter.org">Netfilter
-          Patch-o-matic-ng</ulink>.</para>
+          number, or <quote>all</quote>. Specifies the protocol of the
+          connection request.</para>
         </listitem>
       </varlistentry>
 
@@ -1828,14 +1825,11 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
           <para>Port or port range (&lt;low port&gt;:&lt;high port&gt;) being
           connected to. May only be specified if the protocol is tcp, udp or
           icmp. For icmp, this column's contents are interpreted as an icmp
-          type. For ipp2p, this column must contain an ipp2p option without
-          the leading "--" (default "ipp2p" -- for a list of valid options, as
-          root type <command>iptables -m ipp2p --help</command>). If you don't
-          want to specify DEST PORT(S) but need to include information in one
-          of the columns to the right, enter <quote>-</quote> in this column.
-          You may give a list of ports and/or port ranges separated by commas.
-          Port numbers may be either integers or service names from
-          /etc/services.</para>
+          type. If you don't want to specify DEST PORT(S) but need to include
+          information in one of the columns to the right, enter
+          <quote>-</quote> in this column. You may give a list of ports and/or
+          port ranges separated by commas. Port numbers may be either integers
+          or service names from /etc/services.</para>
         </listitem>
       </varlistentry>
 

Shorewall-docs2/IPP2P.xml

@@ -15,11 +15,13 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-11-04</pubdate>
+    <pubdate>2005-06-01</pubdate>
 
     <copyright>
       <year>2004</year>
 
+      <year>2005</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -53,9 +55,6 @@
     "ipp2p":</para>
 
     <simplelist>
-      <member><ulink
-      url="Documentation.htm#Rules">/etc/shorewall/rules</ulink></member>
-
       <member><ulink
       url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink></member>
 

Shorewall-docs2/Shorewall_and_Kazaa.xml

@@ -15,10 +15,10 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-11-29</pubdate>
+    <pubdate>2005-06-01</pubdate>
 
     <copyright>
-      <year>2003-2004</year>
+      <year>2003-2005</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -61,7 +61,6 @@
   </tip>
 
   <para>Shorewall verions 2.2.0 and later also include support for the ipp2p
-  match facility which can be use to filter and/or control P2P traffic. See
-  the <ulink url="IPP2P.html">Shorewall IPP2P documentation</ulink> for
-  details.</para>
+  match facility which can be use to control P2P traffic. See the <ulink
+  url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
 </article>

Shorewall-docs2/configuration_file_basics.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2005-06-01</pubdate>
+    <pubdate>2005-06-02</pubdate>
 
     <copyright>
       <year>2001-2005</year>
@@ -567,13 +567,43 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
 
       <para>Because the <filename>/etc/shorewall/params</filename> file is
       simply sourced into the shell, you can place arbitrary shell code in the
-      file and it will be executed each time that the file is read. One
-      possible use of this feature is to compensate for recent Linux behavior
-      in which the identity of network interfaces varies from boot to boot
-      (what is <filename class="devicefile">eth0</filename> after one boot may
-      be <filename class="devicefile">eth1</filename> after the next).
-      <trademark>SuSE</trademark> users, for example, can take the following
-      approach:</para>
+      file and it will be executed each time that the file is read. Any code
+      included should follow these guidelines:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>The code should not have side effects, especially on other
+          shorewall configuration files.</para>
+        </listitem>
+
+        <listitem>
+          <para>The code should be safe to execute multiple times without
+          producing different results.</para>
+        </listitem>
+
+        <listitem>
+          <para>Should not depend on where the code is called from (the params
+          file is source by both /sbin/shorewall and
+          /usr/lib/shorewall/firewall).</para>
+        </listitem>
+
+        <listitem>
+          <para>Should not assume anything about the state of
+          Shorewall.</para>
+        </listitem>
+
+        <listitem>
+          <para>The names of any functions or variables declared should begin
+          with an upper case letter.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>One possible use of this feature is to compensate for recent Linux
+      behavior in which the identity of network interfaces varies from boot to
+      boot (what is <filename class="devicefile">eth0</filename> after one
+      boot may be <filename class="devicefile">eth1</filename> after the
+      next). <trademark>SuSE</trademark> users, for example, can take the
+      following approach:</para>
 
       <programlisting>wookie:~ # lspci
 0000:00:00.0 Host bridge: VIA Technologies, Inc. VT82C598 [Apollo MVP3] (rev 04)

Shorewall-docs2/upgrade_issues.xml

@@ -62,9 +62,28 @@
   </section>
 
   <section>
-    <title>Version &gt;= 2.2.0</title>
+    <title>Version &gt;= 2.4.0</title>
 
-    <para></para>
+    <orderedlist>
+      <listitem>
+        <para>Shorewall now enforces the restriction that mark values used in
+        <filename> /etc/shorewall/tcrules</filename> are less than 256. If you
+        are using mark values &gt;= 256, you must change your configuration
+        before you upgrade.</para>
+      </listitem>
+
+      <listitem>
+        <para>The value "ipp2p" is no longer accepted in the PROTO column of
+        the <filename>/etc/shorewall/rules</filename> file. This support has
+        never worked as intended and cannot be made to work in a consistent
+        way. A "Howto" article on filtering P2P with Shorewall and ipp2p will
+        be forthcoming.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+
+  <section>
+    <title>Version &gt;= 2.2.0</title>
 
     <orderedlist>
       <listitem>

Shorewall2/changelog.txt

@@ -2,6 +2,8 @@ Changes in 2.4.0-Final
 
 1) Add the ability to specify a weight in the balance option.
 
+2) Remove "ipp2p" support in the rules file.
+
 Changes in 2.4.0-RC2
 
 1) Relax "detect" restriction.

Shorewall2/firewall

@@ -4510,12 +4510,6 @@ add_a_rule()
 		fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
 	    proto=
 	    ;;
-	ipp2p)
-	    dports="-m ipp2p --${port:-ipp2p}"
-	    port=
-	    proto=tcp
-	    do_ports
-	    ;;
 	*)
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""

Shorewall2/releasenotes.txt

@@ -18,6 +18,12 @@ Upgrade Issues when moving to 2.4.0
    /etc/shorewall/tcrules are less than 256. If you are using mark
    values >= 256, you must change your configuration before you 
    upgrade.
+
+2) The value "ipp2p" is no longer accepted in the PROTO column of the
+   rules file. This support has never worked as intended and filtering
+   P2P applications this way is a bad idea to begin with (you should be
+   using a proxy).
+
 -----------------------------------------------------------------------
 New Features in version 2.4.0
 

Shorewall2/rules

@@ -217,20 +217,14 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
-#			a number, or "all". "ipp2p" requires ipp2p match
-#			support in your kernel and iptables.
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
+#			"all".
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
-#			If the protocol is ipp2p, this column is interpreted
-#			as an ipp2p option without the leading "--" (example "bit"
-#			for bit-torrent). If no port is given, "ipp2p" is
-#			assumed.
-#
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be