From aa523ea52cc547240bba4e4b4166cec087cb3b74 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 10 Aug 2007 17:37:02 +0000 Subject: [PATCH] Bring trunk up to date with branch/4.0 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7113 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/fallback.sh | 2 +- Shorewall-common/install.sh | 2 +- Shorewall-common/lib.base | 2 +- Shorewall-common/shorewall-common.spec | 4 +- Shorewall-common/uninstall.sh | 2 +- Shorewall-lite/fallback.sh | 2 +- Shorewall-lite/install.sh | 2 +- Shorewall-lite/shorewall-lite.spec | 4 +- Shorewall-lite/uninstall.sh | 2 +- Shorewall-perl/Shorewall/Accounting.pm | 12 +++- Shorewall-perl/Shorewall/Chains.pm | 2 +- Shorewall-perl/Shorewall/Compiler.pm | 2 +- Shorewall-perl/Shorewall/Config.pm | 6 +- Shorewall-perl/Shorewall/Policy.pm | 2 +- Shorewall-perl/Shorewall/Providers.pm | 11 ++- Shorewall-perl/Shorewall/Rules.pm | 50 ++++++++++---- Shorewall-perl/Shorewall/Tc.pm | 2 +- Shorewall-perl/Shorewall/Zones.pm | 12 +++- Shorewall-perl/compiler.pl | 3 +- Shorewall-perl/install.sh | 2 +- Shorewall-perl/prog.header | 2 +- Shorewall-perl/shorewall-perl.spec | 4 +- Shorewall-shell/install.sh | 2 +- Shorewall-shell/lib.providers | 11 ++- Shorewall-shell/shorewall-shell.spec | 4 +- web/News.htm | 92 +++++++++++++++++++++++++- web/shorewall_index.htm | 10 +-- 27 files changed, 200 insertions(+), 51 deletions(-) diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh index e9942be50..16eaa7c5f 100755 --- a/Shorewall-common/fallback.sh +++ b/Shorewall-common/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh index 79ffa57f0..221d25f66 100755 --- a/Shorewall-common/install.sh +++ b/Shorewall-common/install.sh 
@@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base index c9c78c3e3..eb13e0474 100644 --- a/Shorewall-common/lib.base +++ b/Shorewall-common/lib.base @@ -1424,7 +1424,7 @@ undo_routing() { # Restore rt_tables database # if [ -f ${VARDIR}/rt_tables ]; then - cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" + [ -w /etc/iproute2/rt_table ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" rm -f ${VARDIR}/rt_tables fi # diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec index f5589eb24..8a813a590 100644 --- a/Shorewall-common/shorewall-common.spec +++ b/Shorewall-common/shorewall-common.spec @@ -1,5 +1,5 @@ %define name shorewall-common -%define version 4.0.1 +%define version 4.0.2 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -240,6 +240,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples %changelog +* Thu Aug 09 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.2-1 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.1-1 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh index b59c7df72..59ef6579d 100755 --- a/Shorewall-common/uninstall.sh +++ b/Shorewall-common/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh index b0be772d5..0c8c5c215 100755 --- a/Shorewall-lite/fallback.sh +++ b/Shorewall-lite/fallback.sh 
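Review bot: The writability test added in undo_routing checks `/etc/iproute2/rt_table` (singular), while the file being restored is `/etc/iproute2/rt_tables`, so unless a file with the misspelled name happens to exist the test fails and the `cp` is skipped. The `rm -f ${VARDIR}/rt_tables` on the following line still runs, which discards the saved copy without restoring it. The guard should start `[ -w /etc/iproute2/rt_tables ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && ...`. The same misspelling is in the Shorewall-perl/prog.header hunk of this patch, whereas the Shorewall-shell/lib.providers hunk uses the correct name.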
@@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index 8b8d7269e..c756c7136 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec index 3aa0c2383..ff613f226 100644 --- a/Shorewall-lite/shorewall-lite.spec +++ b/Shorewall-lite/shorewall-lite.spec @@ -1,5 +1,5 @@ %define name shorewall-lite -%define version 4.0.1 +%define version 4.0.2 %define release 1 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. @@ -98,6 +98,8 @@ fi %doc COPYING changelog.txt releasenotes.txt %changelog +* Thu Aug 09 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.2-1 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.1-1 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh index 91e5cb08f..0a7c7b6b5 100755 --- a/Shorewall-lite/uninstall.sh +++ b/Shorewall-lite/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Shorewall Firewall -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm index c481e978d..5cad573ec 100644 --- a/Shorewall-perl/Shorewall/Accounting.pm +++ b/Shorewall-perl/Shorewall/Accounting.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_accounting ); our @EXPORT_OK = qw( ); -our $VERSION = 4.00; +our $VERSION = 4.01; # # Initialize globals -- we take this novel approach to globals initialization to allow 
@@ -64,6 +64,11 @@ sub process_accounting_rule( $$$$$$$$$ ) { my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = @_; + sub check_for_builtin( $ ) { + my $chainref = shift; + fatal_error "A builtin Chain ($jumpchainref->{name}) may not appear in the accounting file" if $chainref->{builtin}; + } + sub accounting_error() { warning_message "Invalid Accounting rule"; } @@ -71,6 +76,7 @@ sub process_accounting_rule( $$$$$$$$$ ) { sub jump_to_chain( $ ) { my $jumpchain = $_[0]; $jumpchainref = ensure_chain( 'filter', $jumpchain ); + check_for_builtin( $jumpchainref ); mark_referenced $jumpchainref; "-j $jumpchain"; } @@ -129,12 +135,14 @@ sub process_accounting_rule( $$$$$$$$$ ) { } } } else { - $chain = 'accounting'; + $chain = 'accounting' unless $chain and $chain ne '-'; $dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all'; } my $chainref = ensure_filter_chain $chain , 0; + check_for_builtin( $chainref ); + expand_rule $chainref , $restriction , diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index c07334f8e..2f571ad94 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -128,7 +128,7 @@ our @EXPORT = qw( STANDARD %targets ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.01; +our $VERSION = 4.02; # # Chain Table diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index ea34fb836..a16a8e76b 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -41,7 +41,7 @@ use Shorewall::Proxyarp; our @ISA = qw(Exporter); our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG ); our @EXPORT_OK = qw( $export ); -our $VERSION = 4.01; +our $VERSION = 4.02; our $export; diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm index 3d9e7add8..9d7be8370 100644 --- a/Shorewall-perl/Shorewall/Config.pm +++ b/Shorewall-perl/Shorewall/Config.pm 
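Review bot: The message in the added `check_for_builtin` interpolates `$jumpchainref->{name}`, although the chain being tested is the parameter `$chainref`. At the second call site added further down, `check_for_builtin( $chainref )` after `ensure_filter_chain`, `$jumpchainref` may be unset or refer to a different chain, so the fatal error would name the wrong chain or print an empty name. Use the argument instead: `fatal_error "A builtin Chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{builtin};`. process_accounting_rule starts and ends outside these hunks, so where `$jumpchainref` is declared cannot be seen here.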
@@ -93,7 +93,7 @@ our @EXPORT = qw( %capabilities ); our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path ); -our $VERSION = 4.01; +our $VERSION = 4.02; # # describe the current command, it's present progressive, and it's completion. @@ -198,7 +198,7 @@ sub initialize() { ORIGINAL_POLICY_MATCH => '', LOGPARMS => '', TC_SCRIPT => '', - VERSION => '4.0.1', + VERSION => '4.0.2', CAPVERSION => 30405 , ); # @@ -288,6 +288,7 @@ sub initialize() { EXPORTPARAMS => undef, SHOREWALL_COMPILER => undef, EXPAND_POLICIES => undef, + ACCOUNTING_EXPERT => undef, # # Packet Disposition # @@ -1417,6 +1418,7 @@ sub get_configuration( $ ) { default_yes_no 'EXPORTPARAMS' , ''; default_yes_no 'EXPAND_POLICIES' , ''; + default_yes_no 'ACCOUNTING_EXPERT' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 062a72a6a..6de28294c 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm @@ -34,7 +34,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains ); our @EXPORT_OK = qw( ); -our $VERSION = 4.01; +our $VERSION = 4.02; # # Create a new policy chain and return a reference to it. diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index 263b8e5ea..b7611a5c7 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -35,7 +35,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_providers @routemarked_interfaces); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.01; +our $VERSION = 4.02; use constant { LOCAL_NUMBER => 255, MAIN_NUMBER => 254, 
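Review bot: `ACCOUNTING_EXPERT` is added to the option table in initialize() and given a yes/no default in get_configuration(), but nothing visible in this patch reads it and neither line says what it controls. The name suggests it is meant to relax restrictions on the accounting file, yet the `check_for_builtin` calls added in Accounting.pm are unconditional. A comment next to the `default_yes_no` call, such as `# ACCOUNTING_EXPERT=Yes: <what the option permits>`, or a note that the consumer arrives in a later commit, would keep the option from reading as a no-op. Both functions extend beyond the hunks shown.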
@@ -412,7 +412,10 @@ sub setup_providers() { 'restore_default_route' ); } - emit 'cat > /etc/iproute2/rt_tables < /etc/iproute2/rt_tables <> /etc/iproute2/rt_tables"; } + pop_indent; + + emit "fi\n"; + my $fn = open_file 'route_rules'; if ( $fn ) { diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index a42a3e423..a92deda6e 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos dump_rule_chains ); our @EXPORT_OK = qw( process_rule process_rule1 initialize ); -our $VERSION = 4.01; +our $VERSION = 4.02; # # Keep track of chains for the /var/lib/shorewall[-lite]/chains file @@ -808,13 +808,27 @@ sub setup_mac_lists( $ ) { " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", 'done' ); } else { - my $variable1 = get_interface_bcasts $interfaces{$interface}{bridge}; - + my $bridge = $interfaces{$interface}{bridge}; + my $bridgeref = $interfaces{$bridge}; + add_commands( $chainref, - "for address in $variable; do", - " for address1 in $variable1; do", - " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", - " done", + "for address in $variable; do" ); + + if ( $bridgeref->{broadcasts} ) { + for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { + add_commands( $chainref , + " echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" ); + } + } else { + my $variable1 = get_interface_bcasts $bridge; + + add_commands( $chainref, + " for address1 in $variable1; do" , + " echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3", + " done" ); + } + + add_commands( $chainref, " echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3", 'done' ); } 
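Review bot: The conditional that this hunk closes with `emit "fi\n"` has no else branch, so when the guard fails the generated script skips the rt_tables update without telling the operator. Part of the hunk text is lost on this page; the parallel Shorewall-shell/lib.providers hunk shows the guard as `if [ -w /etc/iproute2/rt_tables ]; then` and has the same shape. If later generated commands refer to routing tables by name, they would then fail with a less obvious error. Emitting a message before the `fi` would make the skip visible, for example `emit 'else';` followed by `emit '    progress_message "/etc/iproute2/rt_tables is not writable; provider tables not recorded"';`. setup_providers starts and ends outside the hunk.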
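Review bot: In the new `if ( $bridgeref->{broadcasts} )` branch of setup_mac_lists the Perl loop variable is named `$address`, the same name as the shell loop variable written as `\$address` in the same string (`-s \$address -d $address`). The two differ only by a backslash, which makes the line easy to misread and easy to break in a later edit. Renaming the Perl variable, e.g. `for my $bcast ( @{$bridgeref->{broadcasts}}, '255.255.255.255' )` with `-d $bcast`, keeps the compile-time value apart from the run-time one. The literal `255.255.255.255` is repeated in the generate_matrix hunk and would read better as a named constant; setup_mac_lists itself starts outside the hunk.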
@@ -1583,14 +1597,22 @@ sub generate_matrix() { if ( $capabilities{ADDRTYPE} ) { add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1"; } else { - my $variable = get_interface_bcasts $interface; - my $chain = output_chain $interface; - my $chainref = $filter_table->{$chain}; + my $interfaceref = $interfaces{$interface}; + my $chain = output_chain $interface; + my $chainref = $filter_table->{$chain}; - add_commands( $chainref, - "for address in $variable; do", - " echo \"-A $chain -d \$address -j $chain1\" >&3", - 'done' ); + if ( $interfaceref->{broadcasts} ) { + for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) { + add_rule( $chainref, "-d $address -j $chain1" ); + } + } else { + my $variable = get_interface_bcasts $interface; + + add_commands( $chainref, + "for address in $variable; do", + " echo \"-A $chain -d \$address -j $chain1\" >&3", + 'done' ); + } } add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1"; diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm index 7bb740b31..e931f3811 100644 --- a/Shorewall-perl/Shorewall/Tc.pm +++ b/Shorewall-perl/Shorewall/Tc.pm @@ -39,7 +39,7 @@ use strict; our @ISA = qw(Exporter); our @EXPORT = qw( setup_tc ); our @EXPORT_OK = qw( process_tc_rule initialize ); -our $VERSION = 4.01; +our $VERSION = 4.02; our %tcs = ( T => { chain => 'tcpost', connmark => 0, diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index aafd514ed..666775aeb 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -59,7 +59,7 @@ our @EXPORT = qw( NOTHING @bridges ); our @EXPORT_OK = qw( initialize ); -our $VERSION = 4.00; +our $VERSION = 4.01; # # IPSEC Option types @@ -121,6 +121,7 @@ our %reservedName = ( all => 1, # } # zone => # bridge => +# broadcasts => 'none', 'detect' or [ , , ... ] # } # } # 
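Review bot: The comment added to the interface table in Zones.pm documents `broadcasts` as 'none', 'detect' or a list, but the only assignment visible in this patch (in validate_interfaces_file) stores an array reference and otherwise leaves the key unset. The consumers added in Rules.pm test the value for truth and then dereference it with `@{...}`, which would die under `use strict` if a string such as 'detect' were ever stored (assuming Rules.pm is strict like the modules whose headers are visible). Either narrow the comment to what is stored, e.g. `# broadcasts => [ <addr1>, <addr2>, ... ]  (set only when BROADCAST lists addresses and ADDRTYPE is unavailable)`, or have the consumers check `ref $interfaceref->{broadcasts}` before dereferencing.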
@@ -627,12 +628,17 @@ sub validate_interfaces_file( $ ) } unless ( $networks eq '' || $networks eq 'detect' ) { + my @broadcasts = split /,/, $networks; - for my $address ( split /,/, $networks ) { + for my $address ( @broadcasts ) { fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; } - warning_message 'Shorewall no longer uses broadcast addresses in rule generation'; + if ( $capabilities{ADDRTYPE} ) { + warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available'; + } else { + $interfaces{$interface}{broadcasts} = \@broadcasts; + } } my $optionsref = {}; diff --git a/Shorewall-perl/compiler.pl b/Shorewall-perl/compiler.pl index 1d25519fd..f861aaba7 100755 --- a/Shorewall-perl/compiler.pl +++ b/Shorewall-perl/compiler.pl @@ -34,7 +34,8 @@ # --debug # Print stack trace on warnings and fatal error. # use strict; -use lib '/usr/share/shorewall-perl'; +use FindBin; +use lib "$FindBin::Bin"; use Shorewall::Compiler; use Getopt::Long; diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh index 19d86664a..e73c57c61 100755 --- a/Shorewall-perl/install.sh +++ b/Shorewall-perl/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header index 2455da409..6cf884d7f 100644 --- a/Shorewall-perl/prog.header +++ b/Shorewall-perl/prog.header @@ -819,7 +819,7 @@ undo_routing() { # Restore rt_tables database # if [ -f ${VARDIR}/rt_tables ]; then - cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" + [ -w /etc/iproute2/rt_table ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored" rm -f ${VARDIR}/rt_tables fi # 
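Review bot: The BROADCAST entries are now kept in `$interfaces{$interface}{broadcasts}` and later written into iptables rules and shell `echo` lines by Rules.pm, but the check in front of the assignment still only matches `/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/`. That pattern accepts octets above 255 and, because of `$`, a trailing newline, so a malformed entry passes compilation and surfaces only when the generated script feeds iptables-restore. Before this change the values were discarded after the check, so its looseness did not matter. Tighten it where the list is built, e.g. `fatal_error 'Invalid BROADCAST address' unless $address =~ /\A(\d+)\.(\d+)\.(\d+)\.(\d+)\z/ && ! grep { $_ > 255 } $1, $2, $3, $4;`. validate_interfaces_file starts and ends outside the hunk.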
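Review bot: Replacing the fixed `use lib '/usr/share/shorewall-perl'` with `use lib "$FindBin::Bin"` in compiler.pl makes the module search path depend on the path used to start the script, and a firewall compiler is presumably run as root. `$FindBin::Bin` is the directory of the invoked path, so starting compiler.pl through a symlink in another directory makes Perl look for `Shorewall::*` in that directory rather than in the install tree. `$FindBin::RealBin` resolves symlinks first, so `use lib "$FindBin::RealBin";` is the safer form. A comment stating that the directory holding compiler.pl must be writable by root only would record the assumption this line now relies on.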
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec index 35ceaf784..aef481099 100644 --- a/Shorewall-perl/shorewall-perl.spec +++ b/Shorewall-perl/shorewall-perl.spec @@ -1,5 +1,5 @@ %define name shorewall-perl -%define version 4.0.1 +%define version 4.0.2 %define release 1 Summary: Shoreline Firewall Perl-based compiler. @@ -72,6 +72,8 @@ fi %doc COPYING releasenotes.txt %changelog +* Thu Aug 09 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.2-1 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.1-1 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh index a3eefef28..fb5f29d81 100755 --- a/Shorewall-shell/install.sh +++ b/Shorewall-shell/install.sh @@ -22,7 +22,7 @@ # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA # -VERSION=4.0.1 +VERSION=4.0.2 usage() # $1 = exit status { diff --git a/Shorewall-shell/lib.providers b/Shorewall-shell/lib.providers index ddf0dc741..e9cae466b 100644 --- a/Shorewall-shell/lib.providers +++ b/Shorewall-shell/lib.providers @@ -372,8 +372,10 @@ __EOF__ save_command restore_default_route fi + save_command "if [ -w /etc/iproute2/rt_tables ]; then" + cat >&3 << __EOF__ -${INDENT}cat > /etc/iproute2/rt_tables < /etc/iproute2/rt_tables < /etc/iproute2/rt_tables <&3 << __EOF__ -\$echocommand "$number\t$table" >> /etc/iproute2/rt_tables + \$echocommand "$number\t$table" >> /etc/iproute2/rt_tables __EOF__ done + save_command "fi" + save_command + if [ -s $TMP_DIR/route_rules ]; then progress_message2 "$DOING $(find_file route_rules)..." diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec index 8a1da70d7..445522b4b 100644 --- a/Shorewall-shell/shorewall-shell.spec +++ b/Shorewall-shell/shorewall-shell.spec 
@@ -1,5 +1,5 @@ %define name shorewall-shell -%define version 4.0.1 +%define version 4.0.2 %define release 1 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. @@ -81,6 +81,8 @@ fi %doc COPYING INSTALL %changelog +* Thu Aug 09 2007 Tom Eastep tom@shorewall.net +- Updated to 4.0.2-1 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net - Updated to 4.0.1-1 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net diff --git a/web/News.htm b/web/News.htm index 4aa4bded8..bf0de432d 100644 --- a/web/News.htm +++ b/web/News.htm @@ -24,9 +24,99 @@ href="GnuCopyright.htm" target="_self">GNU Free Documentation License”.

-

July 30, 2007

+

August 10, 2007


+

2007-08-10 Shorewall 4.0.2

+
Problems corrected in 4.0.2
+
+1)  The Shorewall-perl compiler was still generating invalid
+    iptables-restore input from entries in /etc/shorewall/ecn.
+
+2)  When using Shorewall-perl, unless an interface was specified as
+    'optional' in the interfaces file, the 'restore' command would
+    fail if the routes through the interface or the addresses on the
+    interface could not be detected.
+
+    Route detection occurs when the interface is named in the SOURCE
+    column of the masq file. Address detection occurs when
+    DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
+    or REDIRECT rule or when 'maclist' is specified for the interface.
+   
+    Since the 'restore' command doesn't use the detected information,
+    detection is now skipped if the command is 'restore'.
+
+3)  It was not previously possible to define traffic shaping on a
+    bridge port; the generated script complained that the
+    interface was not up and configured.
+
+4)  When Shorewall-shell was not installed, certain options in
+    /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
+    'add' and 'delete' commands to fail with a missing library error.
+
+          OPTION               FILE
+          maclist              interfaces,hosts
+          proxyarp             interfaces
+
+5)  The /var/lib/shorewall/zones file was being overwritten during
+    processing of the 'refresh' command by a script generated with
+    Shorewall-perl. The result was that hosts previously added to
+    dynamic zones could not be deleted after the 'refresh'.
+
+6)  If the file named as the output file in a Shorewall-perl 'compile'
+    command was a symbolic link, the generated error message
+    erroneously stated that the file's parent directory was a symbolic
+    link.
+
+    As part of this change, cosmetic changes were made to a number of
+    other error messages.
+
+7)  Some intra-zone rules were missing when a zone involved multiple
+    interfaces or when a zone included both IPSEC and non-IPSEC
+    networks.
+
+8)  Shorewall was not previously loading the xt_multiport kernel
+    module.
+
+9)  The Russian and French translations no longer have English headings
+    on notes, cautions, etc..
+
+10) Previously, using a port list in the DEST PORT(S) column of the
+    rules file or in an action file could cause an invalid iptables
+    command to be generated by Shorewall-shell.
+
+11) If there were no bridges in a configuration, Shorewall-perl would
+    ignore the CHAIN column in /etc/shorewall/accounting.
+
+Other changes in 4.0.2
+
+1)  Shorewall-perl now detects when a port range is included in a list
+    of ports and iptables/kernel support for Extended Multi-port Match
+    is not available. This avoids an iptables-restore failure at
+    run-time.
+
+2)  Most chains created by Shorewall-shell have names that can be
+    embedded within shell variable names. This is a workaround for
+    limitations in the shell programming language which has no
+    equivalent to Perl hashes. Often chain names must have the name of
+    a network interface encoded in them. Given that interface names can
+    contain characters that are invalid in a shell variable name,
+    Shorewall-shell performs a name mapping which was carried forward to
+    Shorewall-perl:
+
+    - Trailing '+' is dropped.
+    - The characters ".", "-", "%' and "@" are translated to "_".
+
+    This mapping has been elminated in the 4.0.2 release of Shorewall-
+    perl. So where before you would see chain "eth0_0_in", you may now
+    see the same chain named "eth0.0_in". Similarly, a chain previously
+    named "ppp_fwd" may now be called "ppp+_fwd".
+
+3)  Shorewall-perl now uses the contents of the BROADCAST column in
+    /etc/shorewall/interfaces when the Address Type match capability is
+    not available.
+
+

2007-07-30 Shorewall 4.0.1

Problems corrected in 4.0.1.
 
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index 1aa3141f7..c33220a1b 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
 license is included in the section entitled “GNU Free Documentation License”.

-

2007-07-30

+

2007-08-10


Table of Contents

@@ -103,17 +103,17 @@ Features page.

Current Shorewall Releases

The current -Stable Release version is  4.0.1
+Stable Release version is  4.0.2