From f21b46aae507ef53a3e4fdf8a4e83df6e656f5fd Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 23 Aug 2004 00:15:35 +0000
Subject: [PATCH] Changes for Shorewall-2.0.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1573 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Lrp2/etc/shorewall/shorewall.conf | 17 +++++++++++
 Lrp2/usr/share/shorewall/firewall | 48 +++----------------------------
 Lrp2/usr/share/shorewall/version  |  2 +-
 Shorewall-docs2/IPSEC-2.6.xml     | 10 ++++---
 4 files changed, 28 insertions(+), 49 deletions(-)

diff --git a/Lrp2/etc/shorewall/shorewall.conf b/Lrp2/etc/shorewall/shorewall.conf
index 93d2febcf..f69799a99 100755
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@@ -605,6 +605,23 @@ BRIDGING=No
 # set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
 DYNAMIC_ZONES=No
+
+#
+# USE PKTTYPE MATCH
+#
+# Some users have reported problems with the PKTTYPE match extension not being
+# able to match certain broadcast packets.
+#
+# Other users have complained of the following message when
+# starting Shorewall:
+#
+# modprobe: cant locate module ipt_pkttype
+#
+# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect
+# broadcasts rather than pkttype. If not given or if given as empty
+# (PKTTYPE="") then PKTTYPE=Yes is assumed.
+
+PKTTYPE=Yes
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
diff --git a/Lrp2/usr/share/shorewall/firewall b/Lrp2/usr/share/shorewall/firewall
index 820dbcb7d..28fd28713 100755
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@@ -1537,7 +1537,7 @@ setup_tunnels() # $1 = name of tunnels file
 setup_one_generic() # $1 = gateway, $2 = kind:protocol[:port], $3 = Gateway Zone
 {
-    local procotol
+    local protocol
     local p=
     case $2 in
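Review bot: The new comment block has a typo in the line `+# If you set PKTTYPE=No then Shorewallwill use IP addresses to detect`; it should read `# If you set PKTTYPE=No then Shorewall will use IP addresses to detect`. The modprobe message quoted two lines above is presumably verbatim tool output, so its missing apostrophe can stay as written. It would also help a reader if the comment stated whether Yes and No are the only values the firewall script recognises, assuming that is how the setting is consumed.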
@@ -2863,47 +2863,6 @@ process_actions1() {
 # process the associated action files.
 #
 process_actions2() {
-    #
-    # Process a rule where the source or destination is "all"
-    #
-    process_wildcard_rule() {
-        local yclients yservers ysourcezone ydestzone ypolicy
-
-        for yclients in $xclients; do
-            for yservers in $xservers; do
-                ysourcezone=${yclients%%:*}
-                ydestzone=${yservers%%:*}
-                if [ "${ysourcezone}" != "${ydestzone}" ] ; then
-                    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
-                    if [ "$ypolicy" != NONE ] ; then
-                        process_action $xaction $xtarget $yclients $yservers $xprotocol $xports $xcports $xratelimit $xuserspec
-                    fi
-                fi
-            done
-        done
-    }
-
-    do_it() {
-        expandv xclients xservers xprotocol xports xcports xratelimit xuserspec
-
-        if [ "x$xclients" = xall ]; then
-            xclients="$zones $FW"
-            if [ "x$xservers" = xall ]; then
-                xservers="$zones $FW"
-            fi
-            process_wildcard_rule
-            continue
-        fi
-
-        if [ "x$xservers" = xall ]; then
-            xservers="$zones $FW"
-            process_wildcard_rule
-            continue
-        fi
-
-        process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
-
-    }
     log_action() {
         [ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
@@ -2981,8 +2940,9 @@ process_actions2() {
             fn=$(find_file $f)

             echo "Processing $fn..."
-            while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
-                do_it
+            while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec ; do
+                expandv xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec
+                process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
             done < $TMP_DIR/$f
             ;;
     esac
diff --git a/Lrp2/usr/share/shorewall/version b/Lrp2/usr/share/shorewall/version
index f1547e6d1..815e68dd2 100644
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@@ -1 +1 @@
-2.0.7
+2.0.8
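Review bot: The rewritten loop body hands `$xclients` and `$xservers` to process_action unchanged, so an action-file rule whose SOURCE or DEST column is `all` no longer gets the per-zone expansion that the deleted do_it/process_wildcard_rule pair (hunk @@ -2863) performed, unless process_action itself now handles `all`, which this diff does not show. If dropping that expansion is intended, a one-line comment above the `while read`, such as `# "all" in SOURCE/DEST is passed through unexpanded; process_action decides`, would stop the next reader from hunting for the old wildcard path. The new `read` line also carries a stray space in `xratelimit xuserspec ; do` that the line it replaces did not have. The enclosing case arm and process_actions2 both begin before this hunk.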
diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml
index e686ed47d..b6ba62456 100644
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@@ -15,7 +15,7 @@
-    2004-08-19
+    2004-08-21
     2004
@@ -336,8 +336,8 @@ vpn eth0:0.0.0.0/0 ipsec
 remote anonymous
 {
-        exchange_mode aggressive ;
-        my_identifier user_fqdn "teastep@shorewall.net" ;
+        exchange_mode main ;
+        my_identifier address ;
         lifetime time 24 hour ;
         proposal {
                 encryption_algorithm 3des;
@@ -374,7 +374,9 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.
 /etc/racoon/psk.txt:
-    teastep@shorewall.net <key>
+    192.168.20.20 <key for 192.168.20.10<->192.168.20.20>
+192.168.20.30 <key for 192.168.20.10<->192.168.20.30>
+192.168.20.40 <key for 192.168.20.10<->192.168.20.40>
 Shorewall configuration goes as follows: