Changes for Shorewall 2.2.0 Beta 3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1743 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

LrpN/etc/shorewall/tcrules

@@ -92,6 +92,10 @@
 #			iptables include iprange match support, IP address
 #			ranges are also allowed.
 #
+#                       If the MARK column specificies a classification of
+#                       the form <major>:<minor> then this column may also
+#                       contain an interface name.
+#
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
 #			a number, or "all". "ipp2p" requires ipp2p match
 #			support in your kernel and iptables.

LrpN/sbin/shorewall

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V2.1
+#     Shorewall Packet Filtering Firewall Control Program - V2.2
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -333,10 +333,9 @@ packet_log() # $1 = number of messages
 
     [ -n "$realtail" ] && options="-n$1"
 
-    grep "${LOGFORMAT}\|ipt_unclean" $LOGFILE | \
+    grep "${LOGFORMAT}" $LOGFILE | \
 	 sed s/" kernel:"// | \
 	 sed s/" $host $LOGFORMAT"/" "/ | \
-	 sed s/" $host kernel: ipt_unclean: "/" "/ | \
 	 sed 's/MAC=.* SRC=/SRC=/' | \
 	 tail $options
 }
@@ -870,7 +869,7 @@ case "$1" in
 	    [ $# -gt 2 ] && usage 1
 	    echo "Shorewall-$version Connections at $HOSTNAME - $(date)"
 	    echo
-	    cat /pro/net/ip_conntrack
+	    cat /proc/net/ip_conntrack
 	    ;;
 	nat)
 	    [ $# -gt 2 ] && usage 1

LrpN/usr/share/shorewall/firewall

@@ -2344,7 +2344,16 @@ process_tc_rule()
 
 	[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
 
-	[ "x$dest"   = "x-"  ] || r="${r}$(dest_ip_range $dest) "
+	if [ "x$dest" != "x-"  ]; then
+	    case $dest in
+		*.*.*)
+		    r="${r}$(dest_ip_range $dest) "
+		    ;;
+		*)
+		    r="${r}$(match_dest_dev $dest) "
+		    ;;
+	    esac
+	fi
 
 	if [ "x$proto" = xipp2p ]; then
 	    [ "x$port" = "x-" ] && port="ipp2p"

LrpN/usr/share/shorewall/rfc1918

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.1 -- RFC1918 File
+# Shorewall 2.2 -- RFC1918 File
 #
 # /etc/shorewall/rfc1918
 #
@@ -12,16 +12,17 @@
 #
 # Columns are:
 #
-# 	SUBNET		The subnet (host addresses also allowed as are IP
+# 	SUBNETS		A comma-separated list of subnet addresses
+#			(host addresses also allowed as are IP
 #			address ranges provided that your kernel and iptables
-#			have iprange match support).
+#			have iprange match support). 
 #	TARGET		Where to send packets to/from this subnet
 #			RETURN	- let the packet be processed normally
 #			DROP	- silently drop the packet
 #			logdrop - log then drop
 #
 ###############################################################################
-#SUBNET			TARGET
+#SUBNETS		TARGET
 172.16.0.0/12		logdrop		# RFC 1918
 192.168.0.0/16		logdrop		# RFC 1918
 10.0.0.0/8		logdrop		# RFC 1918

LrpN/usr/share/shorewall/version

@@ -1 +1 @@
-2.2.0-Beta2
+2.2.0-Beta3

Shorewall-docs2/Documentation_Index.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-10-06</pubdate>
+    <pubdate>2004-11-03</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -23,7 +23,7 @@
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
-    <edition>2.0.3</edition>
+    <edition>2.2.0 Beta 2</edition>
 
     <legalnotice>
       <para>Permission is granted to copy, distribute and/or modify this
@@ -337,6 +337,10 @@
       <para><ulink url="Install.htm">Installation/Upgrade</ulink></para>
     </listitem>
 
+    <listitem>
+      <para><ulink url="IPP2P.html">IPP2P</ulink></para>
+    </listitem>
+
     <listitem>
       <para><ulink url="IPSEC.htm">IPSEC</ulink></para>
     </listitem>

Shorewall-docs2/FAQ.xml

@@ -17,7 +17,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-10-30</pubdate>
+    <pubdate>2004-11-05</pubdate>
 
     <copyright>
       <year>2001-2004</year>
@@ -539,7 +539,7 @@ to debug/develop the newnat interface.</programlisting></para>
       </section>
 
       <section id="faq4c">
-        <title>(FAQ 4c) How to I use Shorewall with PortSentry?</title>
+        <title>(FAQ 4c) How do I use Shorewall with PortSentry?</title>
 
         <para><ulink
         url="http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt">Here's
@@ -851,7 +851,8 @@ LOGBURST=""</programlisting>
     </section>
 
     <section id="faq17">
-      <title>(FAQ 17) Why are these packets being Dropped/Rejected?</title>
+      <title>(FAQ 17) Why are these packets being Dropped/Rejected?/How do I
+      decode Shorewall log messages?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> Logging of
       dropped/rejected packets occurs out of a number of chains (as indicated
@@ -1465,6 +1466,12 @@ Creating input Chains...
       Shorewall. See the SHOREWALL_SHELL variable in <filename><ulink
       url="Documentation.htm#Conf">shorewall.conf</ulink></filename>.</para>
 
+      <para>Use a fast terminal emulator -- in particular the KDE konsole
+      scrolls much faster than the Gnome terminal. Also use the '-q' option if
+      you are restarting remotely or from a slow terminal (or redirect the
+      output to a file as in <command>shorewall restart &gt;
+      /dev/null</command>).</para>
+
       <para>Beginning with Shorewall version 2.0.2 Beta 1, Shorewall supports
       a fast start capability. To use this capability:</para>
 
@@ -1965,6 +1972,26 @@ REJECT    fw            net:216.239.39.99    all</programlisting>Given that
     <title>Revision History</title>
 
     <para><revhistory>
+        <revision>
+          <revnumber>1.37</revnumber>
+
+          <date>2004-11-05</date>
+
+          <authorinitials>TE</authorinitials>
+
+          <revremark>Added second title to FAQ 17.</revremark>
+        </revision>
+
+        <revision>
+          <revnumber>1.36</revnumber>
+
+          <date>2004-11-04</date>
+
+          <authorinitials>TE</authorinitials>
+
+          <revremark>Add note about Gnome Terminal.</revremark>
+        </revision>
+
         <revision>
           <revnumber>1.35</revnumber>
 

Shorewall-docs2/IPP2P.xml

@@ -0,0 +1,104 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall and ipp2p</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate>2004-11-04</pubdate>
+
+    <copyright>
+      <year>2004</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Shorewall verions 2.2.0 and later include support for the ipp2p
+    match facility. This is a departure from my usual policy in that the ipp2p
+    match facility is included in Patch-O-Matic-NG and is unlikely to ever be
+    included in the kernel.org source tree. Questions about how to install the
+    patch or how to build your kernel and/or iptables should not be posted on
+    the Shorewall mailing lists but should rather be referred to the Netfilter
+    Mailing List.</para>
+  </section>
+
+  <section>
+    <title>Scope</title>
+
+    <para>In the following files, the "PROTO" or "PROTOCOL" column may contain
+    "ipp2p":</para>
+
+    <simplelist>
+      <member><ulink
+      url="Documentation.htm#Rules">/etc/shorewall/rules</ulink></member>
+
+      <member><ulink
+      url="traffic_shaping.htm">/etc/shorewall/tcrules</ulink></member>
+
+      <member><ulink
+      url="Accounting.html">/etc/shorewall/accounting</ulink></member>
+    </simplelist>
+
+    <para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
+    PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a
+    list of the options and their meaning, at a root prompt type:</para>
+
+    <programlisting><command>iptables -m ipp2p --help</command></programlisting>
+
+    <para>You must not include the leading "--" on the option; Shorewall will
+    supply those characters for you. If you do not include an option then
+    "ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").</para>
+  </section>
+
+  <section>
+    <title>Example (assumes that you are running Shorewall 2.2.0 Beta 3 or
+    later):</title>
+
+    <para>Example 2 in the ipp2p documentation recommends the following
+    iptables rules:</para>
+
+    <programlisting>01# iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
+02# iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
+03# iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p -j MARK --set-mark 1
+04# iptables -t mangle -A PREROUTING -p tcp -m mark --mark 1 -j CONNMARK --save-mark
+
+05# iptables -t mangle -A POSTROUTING -o eth0 -m mark --mark 1 -j CLASSIFY --set-class 1:12
+06# iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 1 -j CLASSIFY --set-class 2:12</programlisting>
+
+    <para>These are implemented in the /etc/shorewall/tcrules file as
+    follows:</para>
+
+    <programlisting>#MARK                SOURCE        DEST        PROTO        PORT(S)        CLIENT     USER    TEST
+#                                                                          PORT(S)
+RESTORE:P            -             -           tcp
+CONTINUE:P           -             -           tcp          -              -          -       !0
+1:P                  -             -           ipp2p        ipp2p
+SAVE:P               -             -           tcp          -              -          -       1
+1:12                 -             eth0        -            -              -          -       1
+2:12                 -             eth1        -            -              -          -       1    </programlisting>
+  </section>
+</article>

Shorewall2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.2.0-Beta2
+VERSION=2.2.0-Beta3
 
 usage() # $1 = exit status
 {

Shorewall2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.2.0-Beta2
+VERSION=2.2.0-Beta3
 
 usage() # $1 = exit status
 {

Shorewall2/releasenotes.txt

@@ -114,7 +114,7 @@ Problems corrected since 2.2.0 Beta 2.
 
 1)  Missing '#' in the rfc1918 file.
 
-2) The INSTALL file now include special instructions for Slackware
+2) The INSTALL file now includes special instructions for Slackware
    users.
 
 -----------------------------------------------------------------------

Shorewall2/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 2.2.0
-%define release 0Beta2
+%define release 0Beta3
 %define prefix /usr
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -137,6 +137,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
 
 %changelog
+* Tue Nov 09 2004 Tom Eastep tom@shorewall.net
+- Updated to 2.2.0-0Beta3
 * Tue Nov 02 2004 Tom Eastep tom@shorewall.net
 - Updated to 2.2.0-0Beta2
 * Fri Oct 22 2004 Tom Eastep tom@shorewall.net

Shorewall2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.2.0-Beta2
+VERSION=2.2.0-Beta3
 
 usage() # $1 = exit status
 {