Remove ipp2p support from the rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2215 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-05 04:58:49 +01:00 · 2005-06-02 14:08:57 +00:00 · 2005-06-02 14:08:57 +00:00 · 9749cd292f
commit 9749cd292f
parent 918838a61c
9 changed files with 84 additions and 47 deletions
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-05-20</pubdate>
+    <pubdate>2005-06-01</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -1813,11 +1813,8 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
        <listitem>
          <para>Protocol. Must be a protocol name from /etc/protocols, a
-          number, "ipp2p" or <quote>all</quote>. Specifies the protocol of the
+          number, or <quote>all</quote>. Specifies the protocol of the
-          connection request. If "ipp2p" then your kernel and iptables must
+          connection request.</para>
          have ipp2p match support from <ulink
          url="http://www.netfilter.org">Netfilter
          Patch-o-matic-ng</ulink>.</para>
        </listitem>
      </varlistentry>
@ -1828,14 +1825,11 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc
          <para>Port or port range (&lt;low port&gt;:&lt;high port&gt;) being
          connected to. May only be specified if the protocol is tcp, udp or
          icmp. For icmp, this column's contents are interpreted as an icmp
-          type. For ipp2p, this column must contain an ipp2p option without
+          type. If you don't want to specify DEST PORT(S) but need to include
-          the leading "--" (default "ipp2p" -- for a list of valid options, as
+          information in one of the columns to the right, enter
-          root type <command>iptables -m ipp2p --help</command>). If you don't
+          <quote>-</quote> in this column. You may give a list of ports and/or
-          want to specify DEST PORT(S) but need to include information in one
+          port ranges separated by commas. Port numbers may be either integers
-          of the columns to the right, enter <quote>-</quote> in this column.
+          or service names from /etc/services.</para>
          You may give a list of ports and/or port ranges separated by commas.
          Port numbers may be either integers or service names from
          /etc/services.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-docs2/IPP2P.xml
+++ b/Shorewall-docs2/IPP2P.xml
@ -15,11 +15,13 @@
      </author>
    </authorgroup>
-    <pubdate>2004-11-04</pubdate>
+    <pubdate>2005-06-01</pubdate>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -53,9 +55,6 @@
    "ipp2p":</para>
    <simplelist>
      <member><ulink
      url="Documentation.htm#Rules">/etc/shorewall/rules</ulink></member>
      <member><ulink
      url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink></member>
--- a/Shorewall-docs2/Shorewall_and_Kazaa.xml
+++ b/Shorewall-docs2/Shorewall_and_Kazaa.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2004-11-29</pubdate>
+    <pubdate>2005-06-01</pubdate>
    <copyright>
-      <year>2003-2004</year>
+      <year>2003-2005</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -61,7 +61,6 @@
  </tip>
  <para>Shorewall verions 2.2.0 and later also include support for the ipp2p
-  match facility which can be use to filter and/or control P2P traffic. See
+  match facility which can be use to control P2P traffic. See the <ulink
-  the <ulink url="IPP2P.html">Shorewall IPP2P documentation</ulink> for
+  url="IPP2P.html">Shorewall IPP2P documentation</ulink> for details.</para>
  details.</para>
 </article>
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-06-01</pubdate>
+    <pubdate>2005-06-02</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -567,13 +567,43 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
      <para>Because the <filename>/etc/shorewall/params</filename> file is
      simply sourced into the shell, you can place arbitrary shell code in the
-      file and it will be executed each time that the file is read. One
+      file and it will be executed each time that the file is read. Any code
-      possible use of this feature is to compensate for recent Linux behavior
+      included should follow these guidelines:</para>
-      in which the identity of network interfaces varies from boot to boot
+
-      (what is <filename class="devicefile">eth0</filename> after one boot may
+      <orderedlist>
-      be <filename class="devicefile">eth1</filename> after the next).
+        <listitem>
-      <trademark>SuSE</trademark> users, for example, can take the following
+          <para>The code should not have side effects, especially on other
-      approach:</para>
+          shorewall configuration files.</para>
        </listitem>
        <listitem>
          <para>The code should be safe to execute multiple times without
          producing different results.</para>
        </listitem>
        <listitem>
          <para>Should not depend on where the code is called from (the params
          file is source by both /sbin/shorewall and
          /usr/lib/shorewall/firewall).</para>
        </listitem>
        <listitem>
          <para>Should not assume anything about the state of
          Shorewall.</para>
        </listitem>
        <listitem>
          <para>The names of any functions or variables declared should begin
          with an upper case letter.</para>
        </listitem>
      </orderedlist>
      <para>One possible use of this feature is to compensate for recent Linux
      behavior in which the identity of network interfaces varies from boot to
      boot (what is <filename class="devicefile">eth0</filename> after one
      boot may be <filename class="devicefile">eth1</filename> after the
      next). <trademark>SuSE</trademark> users, for example, can take the
      following approach:</para>
      <programlisting>wookie:~ # lspci
 0000:00:00.0 Host bridge: VIA Technologies, Inc. VT82C598 [Apollo MVP3] (rev 04)
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@ -62,9 +62,28 @@
  </section>
  <section>
-    <title>Version &gt;= 2.2.0</title>
+    <title>Version &gt;= 2.4.0</title>
-    <para></para>
+    <orderedlist>
      <listitem>
        <para>Shorewall now enforces the restriction that mark values used in
        <filename> /etc/shorewall/tcrules</filename> are less than 256. If you
        are using mark values &gt;= 256, you must change your configuration
        before you upgrade.</para>
      </listitem>
      <listitem>
        <para>The value "ipp2p" is no longer accepted in the PROTO column of
        the <filename>/etc/shorewall/rules</filename> file. This support has
        never worked as intended and cannot be made to work in a consistent
        way. A "Howto" article on filtering P2P with Shorewall and ipp2p will
        be forthcoming.</para>
      </listitem>
    </orderedlist>
  </section>
  <section>
    <title>Version &gt;= 2.2.0</title>
    <orderedlist>
      <listitem>
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -2,6 +2,8 @@ Changes in 2.4.0-Final
 1) Add the ability to specify a weight in the balance option.
 2) Remove "ipp2p" support in the rules file.
 Changes in 2.4.0-RC2
 1) Relax "detect" restriction.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -4510,12 +4510,6 @@ add_a_rule()
 		fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
 	    proto=
 	    ;;
 	ipp2p)
 	    dports="-m ipp2p --${port:-ipp2p}"
 	    port=
 	    proto=tcp
 	    do_ports
 	    ;;
 	*)
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -18,6 +18,12 @@ Upgrade Issues when moving to 2.4.0
   /etc/shorewall/tcrules are less than 256. If you are using mark
   values >= 256, you must change your configuration before you 
   upgrade.
 2) The value "ipp2p" is no longer accepted in the PROTO column of the
   rules file. This support has never worked as intended and filtering
   P2P applications this way is a bad idea to begin with (you should be
   using a proxy).
 -----------------------------------------------------------------------
 New Features in version 2.4.0
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@ -217,20 +217,14 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
-#			a number, or "all". "ipp2p" requires ipp2p match
+#			"all".
 #			support in your kernel and iptables.
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
 #			as an ipp2p option without the leading "--" (example "bit"
 #			for bit-torrent). If no port is given, "ipp2p" is
 #			assumed.
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be