diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 33f48e256..ce5049895 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -15,7 +15,7 @@
- 2005-05-20
+ 2005-06-01
2001-2005
@@ -1813,11 +1813,8 @@ ACCEPT:info - - tc
Protocol. Must be a protocol name from /etc/protocols, a
- number, "ipp2p" or all
. Specifies the protocol of the
- connection request. If "ipp2p" then your kernel and iptables must
- have ipp2p match support from Netfilter
- Patch-o-matic-ng.
+ number, or all
. Specifies the protocol of the
+ connection request.
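Review bot: The new text "number, or all" leaves a stray comma in what is now a two-item list; "number or all" reads better. Since this patch keeps ipp2p documented for /etc/shorewall/tcrules (IPP2P.xml retains that entry), a one-line pointer here that ipp2p matching is now only available in tcrules would save readers who still have such rules a search.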
@@ -1828,14 +1825,11 @@ ACCEPT:info - - tc
Port or port range (<low port>:<high port>) being
connected to. May only be specified if the protocol is tcp, udp or
icmp. For icmp, this column's contents are interpreted as an icmp
- type. For ipp2p, this column must contain an ipp2p option without
- the leading "--" (default "ipp2p" -- for a list of valid options, as
- root type iptables -m ipp2p --help). If you don't
- want to specify DEST PORT(S) but need to include information in one
- of the columns to the right, enter -
in this column.
- You may give a list of ports and/or port ranges separated by commas.
- Port numbers may be either integers or service names from
- /etc/services.
+ type. If you don't want to specify DEST PORT(S) but need to include
+ information in one of the columns to the right, enter
+ -
in this column. You may give a list of ports and/or
+ port ranges separated by commas. Port numbers may be either integers
+ or service names from /etc/services.
diff --git a/Shorewall-docs2/IPP2P.xml b/Shorewall-docs2/IPP2P.xml
index 5dadb3d3b..48f2a0abb 100644
--- a/Shorewall-docs2/IPP2P.xml
+++ b/Shorewall-docs2/IPP2P.xml
@@ -15,11 +15,13 @@
- 2004-11-04
+ 2005-06-01
2004
+ 2005
+
Thomas M. Eastep
@@ -53,9 +55,6 @@
"ipp2p":
- /etc/shorewall/rules
-
/etc/shorewall/tcrules
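Review bot: Dropping /etc/shorewall/rules from the list of files that accept "ipp2p" is consistent with the firewall script change in this patch, but a reader of IPP2P.xml who still has such rules gets no explanation; suggest one sentence stating that rules-file support was removed in 2.4.0 and pointing at the upgrade issues document.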
diff --git a/Shorewall-docs2/Shorewall_and_Kazaa.xml b/Shorewall-docs2/Shorewall_and_Kazaa.xml
index bb65c8f85..13fcc9097 100644
--- a/Shorewall-docs2/Shorewall_and_Kazaa.xml
+++ b/Shorewall-docs2/Shorewall_and_Kazaa.xml
@@ -15,10 +15,10 @@
- 2004-11-29
+ 2005-06-01
- 2003-2004
+ 2003-2005
Thomas M. Eastep
@@ -61,7 +61,6 @@
Shorewall verions 2.2.0 and later also include support for the ipp2p
- match facility which can be use to filter and/or control P2P traffic. See
- the Shorewall IPP2P documentation for
- details.
+ match facility which can be use to control P2P traffic. See the Shorewall IPP2P documentation for details.
\ No newline at end of file
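Review bot: The rewritten line keeps "can be use", which should be "can be used", and the unchanged context line above it has "verions" for "versions"; since this sentence is being edited anyway, fix both. The new text is also joined onto one long line while the rest of the file is wrapped, and the file now ends without a trailing newline.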
diff --git a/Shorewall-docs2/configuration_file_basics.xml b/Shorewall-docs2/configuration_file_basics.xml
index 5ed4caa2e..24421dbb3 100644
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@@ -15,7 +15,7 @@
- 2005-06-01
+ 2005-06-02
2001-2005
@@ -567,13 +567,43 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
Because the /etc/shorewall/params file is
simply sourced into the shell, you can place arbitrary shell code in the
- file and it will be executed each time that the file is read. One
- possible use of this feature is to compensate for recent Linux behavior
- in which the identity of network interfaces varies from boot to boot
- (what is eth0 after one boot may
- be eth1 after the next).
- SuSE users, for example, can take the following
- approach:
+ file and it will be executed each time that the file is read. Any code
+ included should follow these guidelines:
+
+
+
+ The code should not have side effects, especially on other
+ shorewall configuration files.
+
+
+
+ The code should be safe to execute multiple times without
+ producing different results.
+
+
+
+ Should not depend on where the code is called from (the params
+ file is source by both /sbin/shorewall and
+ /usr/lib/shorewall/firewall).
+
+
+
+ Should not assume anything about the state of
+ Shorewall.
+
+
+
+ The names of any functions or variables declared should begin
+ with an upper case letter.
+
+
+
+ One possible use of this feature is to compensate for recent Linux
+ behavior in which the identity of network interfaces varies from boot to
+ boot (what is eth0 after one
+ boot may be eth1 after the
+ next). SuSE users, for example, can take the
+ following approach:
wookie:~ # lspci
0000:00:00.0 Host bridge: VIA Technologies, Inc. VT82C598 [Apollo MVP3] (rev 04)
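Review bot: Grammar in the new guideline list: "the params file is source by" should be "sourced by", and the third and fourth items have no subject ("Should not depend...", "Should not assume...") while the others begin with "The code"; make them parallel. The upper-case naming rule gives no reason; if the intent is to avoid clashing with Shorewall's own lower-case shell variables and functions (my assumption), saying so makes the rule easier to remember. Finally, because this file is executed as shell code by both /sbin/shorewall and /usr/lib/shorewall/firewall, the list is the natural place to state that /etc/shorewall/params must be writable only by root, since anything placed in it runs with the privileges of the firewall script.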
diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml
index 9b51338cd..e9959ffae 100644
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@@ -62,9 +62,28 @@
- Version >= 2.2.0
+ Version >= 2.4.0
-
+
+
+ Shorewall now enforces the restriction that mark values used in
+ /etc/shorewall/tcrules are less than 256. If you
+ are using mark values >= 256, you must change your configuration
+ before you upgrade.
+
+
+
+ The value "ipp2p" is no longer accepted in the PROTO column of
+ the /etc/shorewall/rules file. This support has
+ never worked as intended and cannot be made to work in a consistent
+ way. A "Howto" article on filtering P2P with Shorewall and ipp2p will
+ be forthcoming.
+
+
+
+
+
+ Version >= 2.2.0
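Review bot: The mark-value item says what is enforced but not how a violation shows up; stating the actual behaviour (for example that shorewall refuses to start and names the offending tcrules entry) lets users recognise the failure after upgrading. The ipp2p item promises a forthcoming Howto, while releasenotes.txt in this same patch instead says filtering P2P this way is a bad idea and recommends a proxy; pick one message and use it in both places, and mention that "ipp2p" remains usable in /etc/shorewall/tcrules, which IPP2P.xml in this patch still lists.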
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 847997c8d..f13b8f85a 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -2,6 +2,8 @@ Changes in 2.4.0-Final
1) Add the ability to specify a weight in the balance option.
+2) Remove "ipp2p" support in the rules file.
+
Changes in 2.4.0-RC2
1) Relax "detect" restriction.
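Review bot: Entry 2) reads as if ipp2p support were dropped entirely; adding "(still supported in tcrules)" keeps the changelog consistent with IPP2P.xml, which this patch leaves listing /etc/shorewall/tcrules.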
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 6f3763250..539171dbc 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -4510,12 +4510,6 @@ add_a_rule()
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
proto=
;;
- ipp2p)
- dports="-m ipp2p --${port:-ipp2p}"
- port=
- proto=tcp
- do_ports
- ;;
*)
[ -n "$port" ] && \
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
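Review bot: With the ipp2p) case removed, a rules entry that still has "ipp2p" in PROTO falls through to the *) branch: if it carries a DEST PORT(S) value the user sees "Port number not allowed with protocol \"ipp2p\"", which is misleading, and if it carries none the value is not rejected here at all, so the error (if any) surfaces later and not in Shorewall's own terms. Since the release notes list this as an upgrade issue, suggest keeping an explicit case that fails clearly, e.g. `ipp2p) fatal_error "PROTO \"ipp2p\" is no longer supported in the rules file; rule: \"$rule\"" ;;`.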
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index c8146228d..339ad390f 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -18,6 +18,12 @@ Upgrade Issues when moving to 2.4.0
/etc/shorewall/tcrules are less than 256. If you are using mark
values >= 256, you must change your configuration before you
upgrade.
+
+2) The value "ipp2p" is no longer accepted in the PROTO column of the
+ rules file. This support has never worked as intended and filtering
+ P2P applications this way is a bad idea to begin with (you should be
+ using a proxy).
+
-----------------------------------------------------------------------
New Features in version 2.4.0
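Review bot: Item 2) contradicts upgrade_issues.xml in this same patch, which says a Howto on filtering P2P with ipp2p will be forthcoming, while this text calls it "a bad idea to begin with"; align the two. The item also never tells users what to do with existing "ipp2p" rules (remove them, or move the match into tcrules, where this patch keeps ipp2p support).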
diff --git a/Shorewall2/rules b/Shorewall2/rules
index e0a619ab9..1ab6c7b6c 100755
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@@ -217,20 +217,14 @@
# contain the port number on the firewall that the
# request should be redirected to.
#
-# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-# a number, or "all". "ipp2p" requires ipp2p match
-# support in your kernel and iptables.
+# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
+# "all".
#
# DEST PORT(S) Destination Ports. A comma-separated list of Port
# names (from /etc/services), port numbers or port
# ranges; if the protocol is "icmp", this column is
# interpreted as the destination icmp-type(s).
#
-# If the protocol is ipp2p, this column is interpreted
-# as an ipp2p option without the leading "--" (example "bit"
-# for bit-torrent). If no port is given, "ipp2p" is
-# assumed.
-#
# A port range is expressed as :.
#
# This column is ignored if PROTOCOL = all but must be
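Review bot: The unchanged context line "A port range is expressed as :." shows no placeholders; check that the file reads <low port>:<high port> as Documentation.xml does. The last context line also refers to "PROTOCOL = all" while the column is named PROTO; worth aligning while this comment block is being edited.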