Run .restore for stop/clear; fix double slash in pathnames

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6595 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/diff-3.4-shorewall

@@ -1,5 +1,5 @@
 --- /home/teastep/shorewall/branches/3.4/Shorewall/shorewall	2007-06-18 11:32:15.000000000 -0700
-+++ shorewall	2007-06-18 11:31:44.000000000 -0700
++++ shorewall	2007-06-19 06:36:20.000000000 -0700
 @@ -1305,7 +1305,7 @@
      echo "   stop"
      echo "   status"
@@ -20,3 +20,11 @@
  	if [ -f /usr/share/shorewall-perl/version ]; then
  	    echo "Shorewall-perl $(cat /usr/share/shorewall-perl/version)"
  	fi
+@@ -1534,6 +1538,7 @@
+ 	[ $# -ne 1 ] && usage 1
+ 	get_config
+ 	export NOROUTES
++	[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
+ 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+ 	;;
+     compile)

Shorewall-common/shorewall

@@ -1538,6 +1538,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	export NOROUTES
+	[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
 	;;
     compile)

Shorewall-perl/Shorewall/Config.pm

@@ -905,11 +905,11 @@ sub ensure_config_path() {
     @config_path = split /:/, $config{CONFIG_PATH};
 
     for ( @config_path ) {
-	$_ .= '/' unless m|//$|;
+	$_ .= '/' unless m|/$|;
     }
 
     if ( $shorewall_dir ) {
-	$shorewall_dir .= '/' unless $shorewall_dir =~ m|//$|;
+	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
     }
 }

Shorewall-perl/Shorewall/Rules.pm

@@ -383,6 +383,8 @@ sub process_criticalhosts() {
 
 	my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
 
+	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+
 	$hosts = ALLIPv4 unless $hosts ne '-';
 
 	my @hosts;
@@ -426,6 +428,8 @@ sub process_routestopped() {
 
 	my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
 
+	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+
 	$hosts = ALLIPv4 unless $hosts && $hosts ne '-';
 
 	my @hosts;

docs/FAQ.xml

@@ -1789,6 +1789,15 @@ iptables: Invalid argument
           <filename>/lib/iptables/libipt_policy.so</filename>.</para>
         </listitem>
       </itemizedlist>
+
+      <note>
+        <para>Beginning with Shorewall 3.4.0, Shorewall no longer attempts to
+        use policy match if you have no IPSEC zones and you have not specified
+        the <option>ipsec</option> option on any entry in
+        <filename>/etc/shorewall/hosts</filename>. The subject message will
+        still appear in your kernel log each time that Shorewall determines
+        the capabilities of your kernel/iptables.</para>
+      </note>
     </section>
 
     <section id="faq62">

web/News.htm

@@ -24,10 +24,151 @@ href="GnuCopyright.htm" target="_self">GNU Free Documentation
 License</a></span>”.<br>
 </p>
 
-<p>June 12, 2007<br>
+<p>June 17, 2007<br>
 </p>
 <hr style="width: 100%; height: 2px;">
 
+<p><strong>2006-06-17 Shorewall 3.4.4</strong></p>
+<pre>Problems corrected in 3.4.4:
+
+1)  The commands "shorewall add &lt;interface&gt; &lt;zone&gt;" and "shorewall
+    delete &lt;interface&gt; &lt;zone&gt;" no longer produce spurious error
+    messages.
+
+2)  The command "shorewall delete &lt;interface&gt; &lt;zone&gt;" now actually deletes
+    entries when it successfully completes.  Previously, it would appear
+    to remove an entry, even when removing that entry should fail. 
+
+3)  Setting HIGH_ROUTE_MARKS=No no longer causes TC_EXPERT flagging.
+
+4)  When run as root, the 'shorewall load' and 'shorewall reload'
+    commands would fail if the LOGFILE setting in
+    /etc/shorewall/shorewall.conf specified a non-existant file.
+
+5)  Entries in /etc/shorewall/tcrules that specify both a source and
+    destination port fail with the following diagnostic:
+
+    iptables v1.3.3: multiport can only have one option
+
+6)  Previously, Shorewall-lite did not allow DHCP traffic through an
+    interface when the interface was a bridge with 'dhcp' specified
+    unless there was a bridge on the administrative system with the
+    same name.
+
+7)  SOURCE and DEST are now flagged as invalid zone name to avoid
+    problems with macros that use those names as keywords.
+
+8)  Previously, Shorewall could *increase* the MSS under some
+    circumstances. This possibility is now eliminated, provided that
+    the system has TCPMSS match support (be sure to update your
+    capabilities files!).
+
+9)  Firewall zone names other than 'fw' no longer cause a error when
+    IPSECFILE is not set or is set to 'ipsec'.
+
+10) The 'proxyarp' option on an interface was previously ignored when
+    the /etc/shorewall/proxyarp file was empty.
+
+11) Previously, if action 'a' was defined then the following 
+    rule generated an error:
+
+         a:        z1   z2      ...
+
+    The trailing ":" is now ignored.
+
+12) Previously, if a RATE/LIMIT was specified on a REJECT rule, the
+    generated error messages referred to the rule as a DROP rule.
+
+13) The 'nolock' keyword was previously ignored on several
+    /sbin/shorewall[-lite] commands. 
+
+Other changes in 3.4.4:
+
+1)  The accounting, masq, rules and tos files now have a 'MARK' column
+    similar to the column of the same name in the tcrules file. This
+    column allows filtering by MARK value.
+
+2)  The "shorewall show zones" command now flags zone members that have
+    been added using "shorewall add" by preceding them with a plus sign
+    ("+").
+
+    Example:
+
+    Shorewall 3.9.4 Zones at gateway - Mon May 14 07:48:16 PDT 2007
+
+    fw (firewall)
+    net (ipv4)
+        eth0:0.0.0.0/0
+    loc (ipv4)
+        br0:0.0.0.0/0
+        eth4:0.0.0.0/0
+        eth5:0.0.0.0/0
+        +eth1:0.0.0.0/0
+    dmz (ipv4)
+        eth3:0.0.0.0/0
+    vpn (ipv4)
+        tun+:0.0.0.0/0
+
+    In the above output, "eth1:0.0.0.0/0" was dynamically added to the
+    'loc' zone. As part of this change, "shorewall delete" will only
+    delete entries that have been added dynamically. In earlier
+    versions, any entry could be deleted although the ruleset was only
+    changed by deleting entries that had been added dynamically.
+
+3)  Eariler generations of Shorewall Lite required that remote root
+    login via ssh be enabled in order to use the 'load' and 'reload'
+    commands.
+
+    Beginning with this release, you may define an alternative means
+    for accessing the remote firewall system.
+
+    Two new options have been added to shorewall.conf:
+
+        RSH_COMMAND
+        RCP_COMMAND
+
+    The default values for these are as follows:
+
+        RSH_COMMAND: ssh ${root}@${system} ${command}
+        RCP_COMMAND: scp ${files} ${root}@${system}:${destination}
+
+    Shell variables that will be set when the commands are envoked are
+    as follows:
+
+       root  - root user. Normally 'root' but may be overridden using
+               the '-r' option.
+
+       system - The name/IP address of the remote firewall system.
+
+       command - For RSH_COMMAND, the command to be executed on the 
+                 firewall system.
+
+       files   - For RCP_COMMAND, a space-separated list of files to
+                 be copied to the remote firewall system.
+
+       destination - The directory on the remote system that the files 
+                     are to be copied into. 
+
+4)  You may now select the compiler to use on the command line using
+    the '-C' option. This option is available on the following
+    commands:
+
+        check
+        compile
+        export
+        load
+        reload
+        restart
+        start
+        try
+        safe-start
+        save-restart
+
+     Example:
+
+        shorewall try -C perl .</pre>
+<hr>
+
 <p><strong>2006-06-12 New Host for www.shorewall.net and
 ftp.shorewall.net</strong></p>
 <pre>I'm pleased to announce that Ty Christiansen and the folks at Master Mind

web/shorewall_index.htm

@@ -21,7 +21,7 @@ Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
 license is included in the section entitled “<a href="GnuCopyright.htm"
 target="_self">GNU Free Documentation License</a>”.</p>
 
-<p>2007-06-15</p>
+<p>2007-06-17</p>
 <hr style="width: 100%; height: 2px;">
 
 <h2>Table of Contents</h2>
@@ -103,17 +103,17 @@ Features page</a>.<br>
 <h3><a name="Releases"></a>Current Shorewall Releases</h3>
 
 <p style="margin-left: 40px;">The <span style="font-weight: bold;">current
-Stable Release</span> version is  3.4.3<br>
+Stable Release</span> version is  3.4.4<br>
 </p>
 <ul style="margin-left: 40px;">
   <li>Here are the <a
-    href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.3/releasenotes.txt">release
+    href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.4/releasenotes.txt">release
     notes</a> <br>
   </li>
   <li>Here are the <a
-    href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.3/known_problems.txt">known
+    href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.4/known_problems.txt">known
     problems</a> and <a
-    href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.3/errata/">updates</a>.</li>
+    href="http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.4/errata/">updates</a>.</li>
 </ul>
 
 <div style="margin-left: 40px;">