Some 'on the train' changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6438 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -4,6 +4,10 @@ Changes in 4.0.0 Beta 2
 
 2)  Some minor tweaks.
 
+3)  Fix synflood chain jumps.
+
+4)  Simplify synflood handling and improve error diagnostics.
+
 Changes in 4.0.0 Beta 1
 
 1)  Fix add/delete <interface>.

Shorewall-common/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-common/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-common/releasenotes.txt

@@ -20,6 +20,10 @@ Problems corrected in 4.0.0 Beta 1.
 1)  If an interfaces named in the SOURCE column of /etc/shorewall/masq had a 
     default route, an iptables-restore failure previously resulted.
 
+2)  Specifying a BURST/LIMIT in the policy file no longer causes
+    iptables-restore to fail. Additionally, the BURST/LIMIT column is
+    more carefully checked than previously.
+
 Other changes in Shorewall 4.0.0 Beta 2.
 
 1)  The 'initdone' extension script has been restored as a compile-time

Shorewall-common/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.

Shorewall-common/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-shell/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.0-Beta1
+VERSION=4.0.0-Beta2
 
 usage() # $1 = exit status
 {

Shorewall-shell/shorewall-shell.spec

@@ -1,6 +1,6 @@
 %define name shorewall-shell
 %define version 4.0.0
-%define release 0Beta1
+%define release 0Beta2
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.

manpages/shorewall-hosts.xml

@@ -58,7 +58,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">HOST(S)</emphasis> —
-        <emphasis>interface</emphasis>:{[<emphasis>bridge-port</emphasis>:]{<emphasis>address-or-range</emphasis>[<emphasis
+        <emphasis>interface</emphasis>:{[{<emphasis>address-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
         role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
 
@@ -84,20 +84,6 @@
               Your kernel and iptables must have iprange match support.</para>
             </listitem>
 
-            <listitem>
-              <para>A physical <emphasis>bridge-port</emphasis> name; only
-              allowed when the interface names a bridge created by the
-              <command>brctl(8) addbr</command> command. This port must not be
-              defined in <ulink
-              url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-              and may be optionally followed by a colon (":") and a host or
-              network IP or a range. See <ulink
-              url="http://www.shorewall.net/bridge.html">http://www.shorewall.net/bridge.html</ulink>
-              for details. Specifying a physical port name requires that you
-              have BRIDGING=Yes in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-            </listitem>
-
             <listitem>
               <para>The name of an <emphasis>ipset</emphasis>.</para>
             </listitem>

manpages/shorewall-interfaces.xml

@@ -94,9 +94,10 @@ loc     eth2            -</programlisting>
           role="bold">-</emphasis> in this column.</para>
 
           <para><emphasis role="bold">Note to Shorewall-perl users:</emphasis>
-          Shorewall-perl only supports <option>detect</option> in this column.
+          Shorewall-perl only supports <option>detect</option> or <emphasis
-          If you specify <replaceable>address</replaceable>es, a compilation
+          role="bold">-</emphasis> in this column. If you specify
-          warning will be issued.</para>
+          <replaceable>address</replaceable>es, a compilation warning will be
+          issued.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-maclist.xml

@@ -50,13 +50,10 @@
 
       <varlistentry>
         <term><emphasis role="bold">INTERFACE</emphasis> —
-        <emphasis>interface</emphasis>[<emphasis
+        <emphasis>interface</emphasis></term>
-        role="bold">:</emphasis><emphasis>port</emphasis>]</term>
 
         <listitem>
-          <para>Network <emphasis>interface</emphasis> to a host. If the
+          <para>Network <emphasis>interface</emphasis> to a host.</para>
-          interface names a bridge, it may be optionally followed by a colon
-          (":") and a physical port name (e.g., br0:eth4).</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-masq.xml

@@ -45,7 +45,7 @@
         role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
         role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
         role="bold">:</emphasis>[<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>]...][<emphasis>exclusion</emphasis>]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]]</term>
 
         <listitem>
           <para>Outgoing <emphasis>interface</emphasis>. This is usually your
@@ -89,8 +89,8 @@
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
         —
-        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
+        {<emphasis>interface</emphasis>[[:]<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>]}[<emphasis>exclusion</emphasis>]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 
         <listitem>
           <para>Set of hosts that you wish to masquerade. You can specify this
@@ -104,9 +104,16 @@
           append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
           list of IP addresses (host or net) that you wish to exclude (see
           <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
+          Note that with Shorewall-perl, a colon (":") must appear between an
+          <replaceable>interface</replaceable> name and the
+          <replaceable>exclusion</replaceable>;</para>
 
-          <para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
+          <para>Example (shorewall-shell):
+          eth1!192.168.1.4,192.168.32.0/27</para>
+
+          <para>Example (shorewall-perl):
+          eth1:!192.168.1.4,192.168.32.0/27</para>
 
           <para>In that example traffic from eth1 would be masqueraded unless
           it came from 192.168.1.4 or 196.168.32.0/27</para>

manpages/shorewall.conf.xml

@@ -282,8 +282,10 @@
 
         <listitem>
           <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
-          role="bold">yes</emphasis>, enables Shorewall Bridging
+          role="bold">yes</emphasis>, enables Shorewall Bridging support.<note>
-          support.</para>
+              <para>BRIDGING=Yes may not work properly with Linux kernel
+              2.6.20 or later and is not supported by Shorewall-perl.</para>
+            </note></para>
         </listitem>
       </varlistentry>
 
@@ -443,11 +445,11 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Normally, Shorewall accepting ESTABLISHED/RELATED packets
+          <para>Normally, Shorewall defers accepting ESTABLISHED/RELATED
-          until these packets reach the chain in which the original connection
+          packets until these packets reach the chain in which the original
-          was accepted. So for packets going from the 'loc' zone to the 'net'
+          connection was accepted. So for packets going from the 'loc' zone to
-          zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
+          the 'net' zone, ESTABLISHED/RELATED packets are ACCEPTED in the
-          chain.</para>
+          'loc2net' chain.</para>
 
           <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets
           are accepted early in the INPUT, FORWARD and OUTPUT chains. If you