From aa523ea52cc547240bba4e4b4166cec087cb3b74 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 10 Aug 2007 17:37:02 +0000
Subject: [PATCH] Bring trunk up to date with branch/4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
Shorewall-common/fallback.sh | 2 +-
Shorewall-common/install.sh | 2 +-
Shorewall-common/lib.base | 2 +-
Shorewall-common/shorewall-common.spec | 4 +-
Shorewall-common/uninstall.sh | 2 +-
Shorewall-lite/fallback.sh | 2 +-
Shorewall-lite/install.sh | 2 +-
Shorewall-lite/shorewall-lite.spec | 4 +-
Shorewall-lite/uninstall.sh | 2 +-
Shorewall-perl/Shorewall/Accounting.pm | 12 +++-
Shorewall-perl/Shorewall/Chains.pm | 2 +-
Shorewall-perl/Shorewall/Compiler.pm | 2 +-
Shorewall-perl/Shorewall/Config.pm | 6 +-
Shorewall-perl/Shorewall/Policy.pm | 2 +-
Shorewall-perl/Shorewall/Providers.pm | 11 ++-
Shorewall-perl/Shorewall/Rules.pm | 50 ++++++++++----
Shorewall-perl/Shorewall/Tc.pm | 2 +-
Shorewall-perl/Shorewall/Zones.pm | 12 +++-
Shorewall-perl/compiler.pl | 3 +-
Shorewall-perl/install.sh | 2 +-
Shorewall-perl/prog.header | 2 +-
Shorewall-perl/shorewall-perl.spec | 4 +-
Shorewall-shell/install.sh | 2 +-
Shorewall-shell/lib.providers | 11 ++-
Shorewall-shell/shorewall-shell.spec | 4 +-
web/News.htm | 92 +++++++++++++++++++++++++-
web/shorewall_index.htm | 10 +--
27 files changed, 200 insertions(+), 51 deletions(-)
diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh
index e9942be50..16eaa7c5f 100755
--- a/Shorewall-common/fallback.sh
+++ b/Shorewall-common/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh
index 79ffa57f0..221d25f66 100755
--- a/Shorewall-common/install.sh
+++ b/Shorewall-common/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index c9c78c3e3..eb13e0474 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -1424,7 +1424,7 @@ undo_routing() {
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
- cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+ [ -w /etc/iproute2/rt_table ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
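Review bot: The writability test added in undo_routing names `/etc/iproute2/rt_table`, without the final `s`, while the copy target and the progress message both refer to `rt_tables`. `[ -w ]` is false for a path that does not exist, so if the singular file is absent the saved database is never copied back, and the next line, `rm -f ${VARDIR}/rt_tables`, still deletes the only backup. The guard should read `[ -w /etc/iproute2/rt_tables ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"`. The undo_routing hunk in Shorewall-perl/prog.header carries the same typo. undo_routing starts and ends outside the hunk.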
diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec
index f5589eb24..8a813a590 100644
--- a/Shorewall-common/shorewall-common.spec
+++ b/Shorewall-common/shorewall-common.spec
@@ -1,5 +1,5 @@
%define name shorewall-common
-%define version 4.0.1
+%define version 4.0.2
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -240,6 +240,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
%changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh
index b59c7df72..59ef6579d 100755
--- a/Shorewall-common/uninstall.sh
+++ b/Shorewall-common/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index b0be772d5..0c8c5c215 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index 8b8d7269e..c756c7136 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 3aa0c2383..ff613f226 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
%define name shorewall-lite
-%define version 4.0.1
+%define version 4.0.2
%define release 1
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,8 @@ fi
%doc COPYING changelog.txt releasenotes.txt
%changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index 91e5cb08f..0a7c7b6b5 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm
index c481e978d..5cad573ec 100644
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( );
-our $VERSION = 4.00;
+our $VERSION = 4.01;
#
# Initialize globals -- we take this novel approach to globals initialization to allow
@@ -64,6 +64,11 @@ sub process_accounting_rule( $$$$$$$$$ ) {
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_;
+ sub check_for_builtin( $ ) {
+ my $chainref = shift;
+ fatal_error "A builtin Chain ($jumpchainref->{name}) may not appear in the accounting file" if $chainref->{builtin};
+ }
+
sub accounting_error() {
warning_message "Invalid Accounting rule";
}
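Review bot: The message in `check_for_builtin` interpolates `$jumpchainref->{name}`, but the chain being tested is the `$chainref` argument. For the call added after `ensure_filter_chain` later in process_accounting_rule, the chain under test is not the jump target, so the fatal error would name a different chain, or none if no jump was processed. Use the argument instead: `fatal_error "A builtin Chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{builtin};`. That also removes the helper's dependence on a variable declared outside it, whose declaration is not visible in this hunk.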
@@ -71,6 +76,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
sub jump_to_chain( $ ) {
my $jumpchain = $_[0];
$jumpchainref = ensure_chain( 'filter', $jumpchain );
+ check_for_builtin( $jumpchainref );
mark_referenced $jumpchainref;
"-j $jumpchain";
}
@@ -129,12 +135,14 @@ sub process_accounting_rule( $$$$$$$$$ ) {
}
}
} else {
- $chain = 'accounting';
+ $chain = 'accounting' unless $chain and $chain ne '-';
$dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all';
}
my $chainref = ensure_filter_chain $chain , 0;
+ check_for_builtin( $chainref );
+
expand_rule
$chainref ,
$restriction ,
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index c07334f8e..2f571ad94 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -128,7 +128,7 @@ our @EXPORT = qw( STANDARD
%targets
);
our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
#
# Chain Table
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index ea34fb836..a16a8e76b 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
our @EXPORT_OK = qw( $export );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
our $export;
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 3d9e7add8..9d7be8370 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -93,7 +93,7 @@ our @EXPORT = qw(
%capabilities );
our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
#
# describe the current command, it's present progressive, and it's completion.
@@ -198,7 +198,7 @@ sub initialize() {
ORIGINAL_POLICY_MATCH => '',
LOGPARMS => '',
TC_SCRIPT => '',
- VERSION => '4.0.1',
+ VERSION => '4.0.2',
CAPVERSION => 30405 ,
);
#
@@ -288,6 +288,7 @@ sub initialize() {
EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef,
EXPAND_POLICIES => undef,
+ ACCOUNTING_EXPERT => undef,
#
# Packet Disposition
#
@@ -1417,6 +1418,7 @@ sub get_configuration( $ ) {
default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'EXPAND_POLICIES' , '';
+ default_yes_no 'ACCOUNTING_EXPERT' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
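Review bot: `ACCOUNTING_EXPERT` is added to the option table and defaulted to off here, but no hunk in this patch reads it; the new `check_for_builtin` calls in Accounting.pm reject builtin chains unconditionally. If the option is meant to relax that check, setting it currently has no effect, which would surprise an administrator who enables it. Either consult it in the same commit or add a comment beside the table entry, for example `# ACCOUNTING_EXPERT: accepted but not yet consulted by the compiler`. get_configuration continues outside the hunk, so a use elsewhere in the file cannot be ruled out from here.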
diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm
index 062a72a6a..6de28294c 100644
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
our @EXPORT_OK = qw( );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
#
# Create a new policy chain and return a reference to it.
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 263b8e5ea..b7611a5c7 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces);
our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
use constant { LOCAL_NUMBER => 255,
MAIN_NUMBER => 254,
@@ -412,7 +412,10 @@ sub setup_providers() {
'restore_default_route' );
}
- emit 'cat > /etc/iproute2/rt_tables < /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables";
}
+ pop_indent;
+
+ emit "fi\n";
+
my $fn = open_file 'route_rules';
if ( $fn ) {
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index a42a3e423..a92deda6e 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
dump_rule_chains
);
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
#
# Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@@ -808,13 +808,27 @@ sub setup_mac_lists( $ ) {
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
'done' );
} else {
- my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge};
-
+ my $bridge = $interfaces{$interface}{bridge};
+ my $bridgeref = $interfaces{$bridge};
+
add_commands( $chainref,
- "for address in $variable; do",
- " for address1 in $variable1; do",
- " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
- " done",
+ "for address in $variable; do" );
+
+ if ( $bridgeref->{broadcasts} ) {
+ for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
+ add_commands( $chainref ,
+ " echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" );
+ }
+ } else {
+ my $variable1 = get_interface_bcasts $bridge;
+
+ add_commands( $chainref,
+ " for address1 in $variable1; do" ,
+ " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
+ " done" );
+ }
+
+ add_commands( $chainref,
" echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
'done' );
}
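Review bot: The explicit-broadcast branch appends the literal `'255.255.255.255'` to the configured list here and again in the generate_matrix hunk below, so the same decision (configured list versus run-time detection) is spelled out twice. If the BROADCAST column already contains 255.255.255.255, both places emit that rule twice. Consider a small helper that returns the de-duplicated list for an interface, with a comment such as `# BROADCAST addresses are known at compile time, so emit static rules instead of a run-time detection loop`. setup_mac_lists starts and ends outside the hunk.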
@@ -1583,14 +1597,22 @@ sub generate_matrix() {
if ( $capabilities{ADDRTYPE} ) {
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
} else {
- my $variable = get_interface_bcasts $interface;
- my $chain = output_chain $interface;
- my $chainref = $filter_table->{$chain};
+ my $interfaceref = $interfaces{$interface};
+ my $chain = output_chain $interface;
+ my $chainref = $filter_table->{$chain};
- add_commands( $chainref,
- "for address in $variable; do",
- " echo \"-A $chain -d \$address -j $chain1\" >&3",
- 'done' );
+ if ( $interfaceref->{broadcasts} ) {
+ for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
+ add_rule( $chainref, "-d $address -j $chain1" );
+ }
+ } else {
+ my $variable = get_interface_bcasts $interface;
+
+ add_commands( $chainref,
+ "for address in $variable; do",
+ " echo \"-A $chain -d \$address -j $chain1\" >&3",
+ 'done' );
+ }
}
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 7bb740b31..e931f3811 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -39,7 +39,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = 4.01;
+our $VERSION = 4.02;
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index aafd514ed..666775aeb 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -59,7 +59,7 @@ our @EXPORT = qw( NOTHING
@bridges );
our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.00;
+our $VERSION = 4.01;
#
# IPSEC Option types
@@ -121,6 +121,7 @@ our %reservedName = ( all => 1,
# }
# zone =>
# bridge =>
+# broadcasts => 'none', 'detect' or [ , , ... ]
# }
# }
#
@@ -627,12 +628,17 @@ sub validate_interfaces_file( $ )
}
unless ( $networks eq '' || $networks eq 'detect' ) {
+ my @broadcasts = split /,/, $networks;
- for my $address ( split /,/, $networks ) {
+ for my $address ( @broadcasts ) {
fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
}
- warning_message 'Shorewall no longer uses broadcast addresses in rule generation';
+ if ( $capabilities{ADDRTYPE} ) {
+ warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
+ } else {
+ $interfaces{$interface}{broadcasts} = \@broadcasts;
+ }
}
my $optionsref = {};
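Review bot: The BROADCAST entries now stored in `$interfaces{$interface}{broadcasts}` are checked only against `/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/`, which accepts octets above 255 and any number of digits. Rules.pm in this patch writes these values straight into `-d $address` rules, so a bad entry passes compilation and surfaces only when the generated ruleset is rejected at load time. Tighten the check here, e.g. `fatal_error 'Invalid BROADCAST address' unless $address =~ /\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/ && ! grep { $_ > 255 } $1, $2, $3, $4;`. The structure comment added earlier in this file lists 'none' and 'detect' as possible values, but this hunk only ever stores an array reference, which is what the Rules.pm consumers dereference. validate_interfaces_file continues outside the hunk.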
diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl
index 1d25519fd..f861aaba7 100755
--- a/Shorewall-perl/compiler.pl
+++ b/Shorewall-perl/compiler.pl
@@ -34,7 +34,8 @@
# --debug # Print stack trace on warnings and fatal error.
#
use strict;
-use lib '/usr/share/shorewall-perl';
+use FindBin;
+use lib "$FindBin::Bin";
use Shorewall::Compiler;
use Getopt::Long;
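Review bot: Replacing the fixed `/usr/share/shorewall-perl` with `$FindBin::Bin` makes the module search path follow the path compiler.pl was invoked through, and `$FindBin::Bin` does not resolve symbolic links. If the script is started via a symlink, or from a copy in another directory, `Shorewall::*` modules are loaded from that location. That matters for a firewall compiler that is presumably run as root. Prefer `use lib "$FindBin::RealBin";` and add a comment stating that the directory must be writable only by root, e.g. `# Modules are loaded from the script's real directory; it must not be writable by unprivileged users`.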
diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh
index 19d86664a..e73c57c61 100755
--- a/Shorewall-perl/install.sh
+++ b/Shorewall-perl/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header
index 2455da409..6cf884d7f 100644
--- a/Shorewall-perl/prog.header
+++ b/Shorewall-perl/prog.header
@@ -819,7 +819,7 @@ undo_routing() {
# Restore rt_tables database
#
if [ -f ${VARDIR}/rt_tables ]; then
- cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+ [ -w /etc/iproute2/rt_table ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
rm -f ${VARDIR}/rt_tables
fi
#
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec
index 35ceaf784..aef481099 100644
--- a/Shorewall-perl/shorewall-perl.spec
+++ b/Shorewall-perl/shorewall-perl.spec
@@ -1,5 +1,5 @@
%define name shorewall-perl
-%define version 4.0.1
+%define version 4.0.2
%define release 1
Summary: Shoreline Firewall Perl-based compiler.
@@ -72,6 +72,8 @@ fi
%doc COPYING releasenotes.txt
%changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh
index a3eefef28..fb5f29d81 100755
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
-VERSION=4.0.1
+VERSION=4.0.2
usage() # $1 = exit status
{
diff --git a/Shorewall-shell/lib.providers b/Shorewall-shell/lib.providers
index ddf0dc741..e9cae466b 100644
--- a/Shorewall-shell/lib.providers
+++ b/Shorewall-shell/lib.providers
@@ -372,8 +372,10 @@ __EOF__
save_command restore_default_route
fi
+ save_command "if [ -w /etc/iproute2/rt_tables ]; then"
+
cat >&3 << __EOF__
-${INDENT}cat > /etc/iproute2/rt_tables < /etc/iproute2/rt_tables < /etc/iproute2/rt_tables <&3 << __EOF__
-\$echocommand "$number\t$table" >> /etc/iproute2/rt_tables
+ \$echocommand "$number\t$table" >> /etc/iproute2/rt_tables
__EOF__
done
+ save_command "fi"
+ save_command
+
if [ -s $TMP_DIR/route_rules ]; then
progress_message2 "$DOING $(find_file route_rules)..."
diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec
index 8a1da70d7..445522b4b 100644
--- a/Shorewall-shell/shorewall-shell.spec
+++ b/Shorewall-shell/shorewall-shell.spec
@@ -1,5 +1,5 @@
%define name shorewall-shell
-%define version 4.0.1
+%define version 4.0.2
%define release 1
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -81,6 +81,8 @@ fi
%doc COPYING INSTALL
%changelog
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
diff --git a/web/News.htm b/web/News.htm
index 4aa4bded8..bf0de432d 100644
--- a/web/News.htm
+++ b/web/News.htm
@@ -24,9 +24,99 @@ href="GnuCopyright.htm" target="_self">GNU Free Documentation
License”.
-July 30, 2007
+August 10, 2007
+2007-08-10 Shorewall 4.0.2
+Problems corrected in 4.0.2
+
+1) The Shorewall-perl compiler was still generating invalid
+ iptables-restore input from entries in /etc/shorewall/ecn.
+
+2) When using Shorewall-perl, unless an interface was specified as
+ 'optional' in the interfaces file, the 'restore' command would
+ fail if the routes through the interface or the addresses on the
+ interface could not be detected.
+
+ Route detection occurs when the interface is named in the SOURCE
+ column of the masq file. Address detection occurs when
+ DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
+ or REDIRECT rule or when 'maclist' is specified for the interface.
+
+ Since the 'restore' command doesn't use the detected information,
+ detection is now skipped if the command is 'restore'.
+
+3) It was not previously possible to define traffic shaping on a
+ bridge port; the generated script complained that the
+ interface was not up and configured.
+
+4) When Shorewall-shell was not installed, certain options in
+ /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
+ 'add' and 'delete' commands to fail with a missing library error.
+
+ OPTION FILE
+ maclist interfaces,hosts
+ proxyarp interfaces
+
+5) The /var/lib/shorewall/zones file was being overwritten during
+ processing of the 'refresh' command by a script generated with
+ Shorewall-perl. The result was that hosts previously added to
+ dynamic zones could not be deleted after the 'refresh'.
+
+6) If the file named as the output file in a Shorewall-perl 'compile'
+ command was a symbolic link, the generated error message
+ erroneously stated that the file's parent directory was a symbolic
+ link.
+
+ As part of this change, cosmetic changes were made to a number of
+ other error messages.
+
+7) Some intra-zone rules were missing when a zone involved multiple
+ interfaces or when a zone included both IPSEC and non-IPSEC
+ networks.
+
+8) Shorewall was not previously loading the xt_multiport kernel
+ module.
+
+9) The Russian and French translations no longer have English headings
+ on notes, cautions, etc..
+
+10) Previously, using a port list in the DEST PORT(S) column of the
+ rules file or in an action file could cause an invalid iptables
+ command to be generated by Shorewall-shell.
+
+11) If there were no bridges in a configuration, Shorewall-perl would
+ ignore the CHAIN column in /etc/shorewall/accounting.
+
+Other changes in 4.0.2
+
+1) Shorewall-perl now detects when a port range is included in a list
+ of ports and iptables/kernel support for Extended Multi-port Match
+ is not available. This avoids an iptables-restore failure at
+ run-time.
+
+2) Most chains created by Shorewall-shell have names that can be
+ embedded within shell variable names. This is a workaround for
+ limitations in the shell programming language which has no
+ equivalent to Perl hashes. Often chain names must have the name of
+ a network interface encoded in them. Given that interface names can
+ contain characters that are invalid in a shell variable name,
+ Shorewall-shell performs a name mapping which was carried forward to
+ Shorewall-perl:
+
+ - Trailing '+' is dropped.
+ - The characters ".", "-", "%' and "@" are translated to "_".
+
+ This mapping has been elminated in the 4.0.2 release of Shorewall-
+ perl. So where before you would see chain "eth0_0_in", you may now
+ see the same chain named "eth0.0_in". Similarly, a chain previously
+ named "ppp_fwd" may now be called "ppp+_fwd".
+
+3) Shorewall-perl now uses the contents of the BROADCAST column in
+ /etc/shorewall/interfaces when the Address Type match capability is
+ not available.
+
+
2007-07-30 Shorewall 4.0.1
Problems corrected in 4.0.1.
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index 1aa3141f7..c33220a1b 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
license is included in the section entitled “GNU Free Documentation License”.
-2007-07-30
+2007-08-10
Table of Contents
@@ -103,17 +103,17 @@ Features page.
Current Shorewall Releases
The current
-Stable Release version is 4.0.1
+Stable Release version is 4.0.2