From 5c8c4d1306d56090892b0bc777771914f0a0fbd2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 08:49:26 -0700 Subject: [PATCH 01/18] Update the Download page to mention the Git repository Signed-off-by: Tom Eastep --- web/download.htm | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/web/download.htm b/web/download.htm index 504f4676e..8e70020db 100644 --- a/web/download.htm +++ b/web/download.htm @@ -28,11 +28,14 @@ SVN
+ Git
+

-
2009-03-02 +
2009-04-12

Package Information

Before trying to install, we strongly urge you to read and print a @@ -508,6 +511,17 @@ Shorewall version 4.2.4. +

Git

+Beginning with Shorewall 4.3, the Shorewall project is migrating from +SVN to Git. You may browse the Shorewall +Git repository at Sourceforge.
+
+To create your own copy of the repository, use this command:
+
+
git clone git://shorewall.git.sourceforge.net/gitroot/shorewall
+
+

Copyright ©  2001-2009 Thomas M. Eastep

Permission is granted to copy, distribute and/or modify this From e7c71eecb80446fd2a55c1b322cea415b71d5d1a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 09:19:32 -0700 Subject: [PATCH 02/18] Update download page to include Ben Montgomery's Ubuntu Repository Signed-off-by: Tom Eastep --- web/download.htm | 41 +++++++++++++++++++---------------------- 1 file changed, 19 insertions(+), 22 deletions(-) diff --git a/web/download.htm b/web/download.htm index 8e70020db..a9e74fc98 100644 --- a/web/download.htm +++ b/web/download.htm @@ -16,11 +16,14 @@ cellspacing="0"> - Package Information
- + Package Information
+
+ Distribution-specific Download Sites
+
Download Sites
+ style="font-weight: bold;">Standard Download Sites
Finding Updates that Correct Known Problems
@@ -118,6 +121,7 @@ single execution of the rpm utility.

Here are the installation instructions.

+

Distribution-specific Download Sites

Once you've printed the appropriate QuickStart Guide, download the appropriate modules:

You will probably also want to download the HTML version of the documentation for easy reference.

-

Download Sites

+

Standard Download Sites

Use the sites below to download the tarball, the documentation and the standard RPM for @@ -353,21 +365,6 @@ using our public key -

Redhat and Fedora RPMS -provided -by Simon Matter: http://www.invoca.ch/pub/packages/shorewall/
-
-Slackware SlackBuild scripts are -at http://slackbuilds.org/result/?search=shorewall&sv=.
-
-OpenWRT package provided by Marc Zonzon: http://www.iut-lannion.fr/ZONZON/memos_index.php?part=Network&section=WRTMemo&subsec=shorewall
-
-Leaf/Bering package is available at http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=3&MMN_position=3:3
-

Finding Updates that Correct Known Problems

Beginning with Shorewall 4.0.6, updated packages that include fixes to From ebd7a139fad97b14f73a8eb820714e82c4cc93c9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 09:24:19 -0700 Subject: [PATCH 03/18] Add a link in the download page. Improve readability of the LEAF/Bering bullet Signed-off-by: Tom Eastep --- web/download.htm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/web/download.htm b/web/download.htm index a9e74fc98..e1777f5d5 100644 --- a/web/download.htm +++ b/web/download.htm @@ -150,7 +150,8 @@ it from the Arch Linux site.

  • If you run a SUSE, Linux PPC, Trustix or TurboLinux distribution with a 2.4 -or 2.6 kernel, you can use the standard RPM version (note: the RPM +or 2.6 kernel, you can use the standard RPM version +(note: the RPM should also work with other distributions that store init scripts in /etc/init.d and that include chkconfig or insserv). If you find that it works in other cases, let me @@ -184,7 +185,10 @@ Hardy Heron.
    or one if it's derivatives, you can download a .lrp file from the Leaf site.

    -From the LEAF Bering-uClibc Team: We try to provide the latest stable +From the LEAF Bering-uClibc Team:
    +
    +

    +
    We try to provide the latest stable version shortly after release, but we also want to do some internal tests before making it available. So we may be behind sometimes. But better be sure that the new version is running on LEAF, than being too @@ -200,9 +204,9 @@ shorewall.lrp is part of the packages page:
    which itself links to cvs:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream
    + href="http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream">http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/leaf/bin/bering-uclibc/packages/shorwall.lrp?rev=HEAD&content-type=application/octet-stream


    -

    +
  • Shorewall packages for Slackware From 52546657f19ac63e78aa28d3068728e697751a25 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 14:38:33 -0700 Subject: [PATCH 04/18] Add a connection rate limiting doc Signed-off-by: Tom Eastep --- docs/ConnectionRate.xml | 99 ++++++++++++++++++++++++++++++++++++ docs/Documentation_Index.xml | 11 +++- 2 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 docs/ConnectionRate.xml diff --git a/docs/ConnectionRate.xml b/docs/ConnectionRate.xml new file mode 100644 index 000000000..fe4c2e745 --- /dev/null +++ b/docs/ConnectionRate.xml @@ -0,0 +1,99 @@ + + +
    + + + + Connection Rate Limiting + + + + Tom + + Eastep + + + + + + + 2008 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
    + Introduction + + Shorewall supports several mechanisms for limiting connection rates. + These are described in the following sections. + + Rates are expressed in terms of a connections per unit + time and a burst. An + interval is calculated by dividing the unit of time + by the number of connections allowed in that unit of time + (connections/{||||week|month}[:burst] + + Example: 4/min:5 + + + Connections = 4 + + Unit of time = 1 minute + + Interval = 1 minute/4 = 15 seconds. + + Burst = 5 + + + As each connection arrives,if the burst count is > 0 the + burst count is reduced by one and the connection is + accepted. After each interval (15 seconds) that passes without a + connection arriving, the burst count is incremented + by 1 but is not allowed to exceed its initial setting (5). + + By default, the aggregate connection rate is limited. If the + specification is preceeded by "" or + "", then the rate is limited per SOURCE or per + DESTINATION IP address respectively. + +
    + Policy Rate Limiting + + The LIMIT:BURST column in the + /etc/shorewall/policy file applies to TCP + connections that are subject to the policy. The limiting is applied + BEFORE the connection request is passed through the rules generated by + entries in /etc/shorewall/rules. Those connections + in excess of the limit are logged and dropped. +
    + +
    + Rules Rate Limiting + + The RATE LIMIT column in the + /etc/shorewall/rules file allows limiting of + ACCEPT, DNAT and Action rules. +
    + +
    + Limit Action + + The Limit Action is a + legacy mechanism that limits connections per source IP. It does not + support the notion of a burst size. +
    +
    +
    diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml index ac73a6945..3f304b3fb 100644 --- a/docs/Documentation_Index.xml +++ b/docs/Documentation_Index.xml @@ -55,11 +55,20 @@ - 6to4 Tunnels + KVM (Kernel-mode Virtual Machine) + + + + + 6to4 Tunnels + + Limiting Connection + Rates + Shorewall Setup Guide From 271c339903458e859cda294ef77184292c878822 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Apr 2009 18:50:33 -0700 Subject: [PATCH 05/18] Make the mss interface option clear Signed-off-by: Tom Eastep --- manpages/shorewall-interfaces.xml | 2 +- manpages6/shorewall6-interfaces.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manpages/shorewall-interfaces.xml b/manpages/shorewall-interfaces.xml index c09355a2a..256e2e953 100644 --- a/manpages/shorewall-interfaces.xml +++ b/manpages/shorewall-interfaces.xml @@ -349,7 +349,7 @@ loc eth2 - mss[=number] + role="bold">mss=number Added in Shorewall 4.0.3. Causes forwarded TCP SYN diff --git a/manpages6/shorewall6-interfaces.xml b/manpages6/shorewall6-interfaces.xml index d0f59b07f..7989ff702 100644 --- a/manpages6/shorewall6-interfaces.xml +++ b/manpages6/shorewall6-interfaces.xml @@ -133,7 +133,7 @@ loc eth2 - mss[=number] + role="bold">mss=number Causes forwarded TCP SYN packets entering or leaving on From 516d361d09b739864d2966dbb480c0de83fa7e95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 13 Apr 2009 07:26:01 -0700 Subject: [PATCH 06/18] Clarify the usage of the GATEWAY column when USE_DEFAULT_RT = Yes Signed-off-by: Tom Eastep --- docs/MultiISP.xml | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index ae17297c3..09429aa30 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml 
@@ -1042,16 +1042,6 @@ gateway:~ #Note that because we used a priority of 1000, the for inserting rules that bypass the main table. - - All provider gateways must be specified explicitly in the - GATEWAY column. 'detect' may not be specified. Note that for ppp - interfaces, the GATEWAY may remain unspecified ("-"). - 'detect' may be specified for interfaces whose - configuration is managed by dhcpcd. Shorewall will use dhcpcd's - database to determine the gateway IP address. - - - You should disable all default route management outside of Shorewall. If a default route is inadvertently added to the main @@ -1059,6 +1049,14 @@ gateway:~ #Note that because we used a priority of 1000, the working except for those routing rules in the priority range 1-998. + + + For ppp interfaces, the GATEWAY may remain unspecified ("-"). + For those interfaces managed by dhcpcd or dhclient, you may specify + 'detect' in the GATEWAY column; Shorewall will use the dhcp client's + database to determine the gateway IP address. All other interfaces + must have a GATEWAY specified explicitly. + Although 'balance' is automatically assumed when From eafad3389eaf5b24ee23e7640b7ce6816efeeede Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 14 Apr 2009 15:20:03 -0700 Subject: [PATCH 07/18] Fix Typo in FTP doc Signed-off-by: Tom Eastep --- docs/FTP.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/FTP.xml b/docs/FTP.xml index 6e81ff89d..abba2bd82 100644 --- a/docs/FTP.xml +++ b/docs/FTP.xml @@ -196,7 +196,7 @@ ftp> uname -r - Note: If you are running kernel 3.6.19 or earlier, then the module + Note: If you are running kernel 2.6.19 or earlier, then the module names are ip_nat_ftp and ip_conntrack_ftp and they are normally loaded from From 078a639213b25fee1e29189c40f28d064ae24b5a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 11:57:27 -0700 Subject: [PATCH 08/18] Update web site for 4.2.8; fix broken link 
Signed-off-by: Tom Eastep --- docs/KVM.xml | 9 +++++---- web/shorewall_index.htm | 8 ++++---- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/KVM.xml b/docs/KVM.xml index 79d1f8e25..3d9414ce8 100644 --- a/docs/KVM.xml +++ b/docs/KVM.xml @@ -82,10 +82,11 @@ With this configuration, and with only a single network interface on the laptop, this is just a simple two-interface masquerading setup where the - local network interface is br0. As - with all bridges, br0 must be - configured with the option in two-interface masquerading setup where + the local network interface is br0. As with all bridges, br0 must be configured with the + option in shorewall-interfaces(5). For additional information about this setup, including the Shorewall diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 8bb2fe520..746e1b61a 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,7 +47,7 @@ -
    2009-03-29
    +
    2009-04-16

    Important Notice to Shorewall-perl 4.2 Users

    @@ -67,13 +67,13 @@ Shorewall team members Tom and Roberto will be there!
    Stable Release

    - 4.2.7 + 4.2.8 (includes IPv6 support.) Release + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.8/releasenotes.txt">Release notes Known + href="http://www1.shorewall.net/pub/shorewall/4.2/shorewall-4.2.8/known_problems.txt">Known Problems From f09b15b2bde746b5bdf956510f4792ee50e567f8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 12:42:36 -0700 Subject: [PATCH 09/18] Add 'FORMAT 2' to the macro template file --- Shorewall/Macros/macro.template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template index ae357d1bd..81aab0abf 100644 --- a/Shorewall/Macros/macro.template +++ b/Shorewall/Macros/macro.template @@ -365,4 +365,7 @@ FORMAT 2 ####################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL # PORT(S) PORT(S) DEST LIMIT GROUP DEST +# Don't delete the next line +FORMAT 2 +# Add your rules below #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE From 1ea375c4e3aea9ade7332fc55eb35dca2316b5c8 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 13:19:16 -0700 Subject: [PATCH 10/18] Document FORMAT 2 and the ORIGINAL DEST column --- docs/Macros.xml | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/Macros.xml b/docs/Macros.xml index 9bfed0ae2..37a8e722f 100644 --- a/docs/Macros.xml +++ b/docs/Macros.xml @@ -426,6 +426,45 @@ ACCEPT fw loc tcp 135,139,445 port.
    + + ORIGINAL DEST (Shorewall-perl 4.2.0 and later) + + To use this column, you must include 'FORMAT 2' as the first + non-comment line in your macro file. + + If ACTION is DNAT[-] or REDIRECT[-] then if this column is + included and is different from the IP address given in the SERVER + column, then connections destined for that address will be forwarded + to the IP and port specified in the DEST column. + + A comma-separated list of addresses may also be used. This is + most useful with the REDIRECT target where you want to redirect + traffic destined for particular set of hosts. Finally, if the list of + addresses begins with "!" (exclusion) then the rule will be followed + only if the original destination address in the connection request + does not match any of the addresses listed. + + For other actions, this column may be included and may contain + one or more addresses (host or network) separated by commas. Address + ranges are not allowed. When this column is supplied, rules are + generated that require that the original destination address matches + one of the listed addresses. This feature is most useful when you want + to generate a filter rule that corresponds to a DNAT- or REDIRECT- + rule. In this usage, the list of addresses should not begin with + "!". + + It is also possible to specify a set of addresses then exclude + part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28 + specifies the addresses 192.168.1.0-182.168.1.15 and + 192.168.1.32-192.168.1.255. See shorewall-exclusion(5). + + See http://shorewall.net/PortKnocking.html + for an example of using an entry in this column with a user-defined + action rule. + + RATE LIMIT - You may rate-limit the rule by placing a value in this column: From dea3f3bc29011a3b794f15935cd04057f5baad40 Mon Sep 17 00:00:00 2001 
From: Tom Eastep Date: Thu, 16 Apr 2009 13:21:26 -0700 Subject: [PATCH 11/18] Fix bug in manpage6 generation --- tools/build/buildshorewall | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/build/buildshorewall b/tools/build/buildshorewall index 8d5b25023..a5f050ee3 100755 --- a/tools/build/buildshorewall +++ b/tools/build/buildshorewall @@ -889,7 +889,7 @@ if [ -n "${BUILDXML}${BUILDHTML}" ]; then if [ -n "$MANPAGE6TAG" ]; then progress_message "Exporting $MANPAGE6TAG from SVN..." do_or_die "svn export --non-interactive --force ${SVN}/$MANPAGE6TAG manpages >> $LOGFILE 2>&1" - do_or_die mv manpages/* manpages6.save/ + do_or_die mv manpages manpages6.save/ fi progress_message "Exporting $LITEMANPAGETAG from SVN..." From a1e642c4c155d637a3f7db1d11cffee7f0e17a68 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 16:53:59 -0700 Subject: [PATCH 12/18] Another go-around with the macro.template file --- Shorewall/Macros/macro.template | 3 --- 1 file changed, 3 deletions(-) diff --git a/Shorewall/Macros/macro.template b/Shorewall/Macros/macro.template index 81aab0abf..ae357d1bd 100644 --- a/Shorewall/Macros/macro.template +++ b/Shorewall/Macros/macro.template @@ -365,7 +365,4 @@ FORMAT 2 ####################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ ORIGINAL # PORT(S) PORT(S) DEST LIMIT GROUP DEST -# Don't delete the next line -FORMAT 2 -# Add your rules below #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE From 8b6fe58264b53a44e7d39b2680e6aebf92211d3e Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 16 Apr 2009 18:40:11 -0700 Subject: [PATCH 13/18] Update for 4.3.8 --- web/shorewall_index.htm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 746e1b61a..9965b8631 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm 
@@ -99,14 +99,14 @@ Problems
    Release
    - 4.3.7
    + 4.3.8
    Release + href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.8/releasenotes.txt">Release Notes
    Known + href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.8/known_problems.txt">Known Problems From 061ba856242b7c65c98d3f46cbf075ce8ef35a7a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 08:31:45 -0700 Subject: [PATCH 14/18] Update web site for 4.2.8 -perl fiasco Signed-off-by: Tom Eastep --- web/Notices.html | 14 +++++++++++++- web/shorewall_index.htm | 7 ++++--- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/web/Notices.html b/web/Notices.html index 014d60edf..6ba068889 100644 --- a/web/Notices.html +++ b/web/Notices.html @@ -33,7 +33,7 @@ Users of Shorewall's Multi-ISP Feature
    -
    2009-03-29
    +
    2009-04-17

    End-of-life for Shorewall-shell in Shorewall 4.4
    @@ -52,6 +52,18 @@ with Shorewall-perl installed on an administrative system (may be a Windows[tm] system running Cygwin[tm]).

    Attention Shorewall-perl 4.2 Users

    +

    Shorewall-perl 4.2.8

    +Shorewall-perl 4.2.8 was dead on arrival. The compiler did not rename +the generated script file with the result that it was removed when the +compiler terminated. This lead to:
    +
      +
    1. It was not possible to start Shorewall or Shorewall6 for the +first time after installing 4.2.8
    2. +
    3. Changes to the configuration were apparently ignored.
    4. +
    +This problem was corrected in Shorewall-perl-4.2.8.1.
    +

    Shorewall-perl 4.2.6 and Earlier
    +

    On February 28, Klemens Rutz reported a problem that affects all Shorewall-perl 4.2 versions prior to 4.2.6.1.
    diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm index 9965b8631..0de147214 100644 --- a/web/shorewall_index.htm +++ b/web/shorewall_index.htm @@ -47,10 +47,11 @@ -
    2009-04-16
    +
    2009-04-17
    -

    Important -Notice to Shorewall-perl 4.2 Users

    +

    Attention +re: Shorewall-perl 4.2.8
    +

    LFNW LogoPlan to Attend From b8828d6ee1ed12fc47568b803850f5f890b85ae5 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 09:00:14 -0700 Subject: [PATCH 15/18] Allow Shorewall6 on kernel 4.2.24 Signed-off-by: Tom Eastep --- Shorewall/Perl/prog.footer6 | 4 ++-- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/prog.footer6 b/Shorewall/Perl/prog.footer6 index 6f03e47de..7513b9696 100644 --- a/Shorewall/Perl/prog.footer6 +++ b/Shorewall/Perl/prog.footer6 @@ -68,8 +68,8 @@ COMMAND="$1" [ -n "${PRODUCT:=Shorewall6}" ] kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) -if [ $kernel -lt 20625 ]; then - error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later" +if [ $kernel -lt 20624 ]; then + error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" status=2 else case "$COMMAND" in diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 262df7fe0..a65b5fcdd 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -4,6 +4,8 @@ Changes in Shorewall 4.3.9 2) Fix netmask genereation in tcfilters. +3) Allow Shorewall6 with kernel 2.6.24 + Changes in Shorewall 4.3.8 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index c247b39dd..b8d9b3231 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -110,6 +110,9 @@ None. Notice also that the new LOG rule reflects the original action ("REJECT") rather than what Shorewall maps that to ("reject"). +2) Shorewall6 has now been tested on kernel 2.6.24 (Ubuntu Hardy) and + hence will now start successfully when running on that kernel. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 3 ---------------------------------------------------------------------------- 
From c3616bdc7183b4a7e8a7b5b5999460abc1c4d5a1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 09:08:25 -0700 Subject: [PATCH 16/18] Document Shorewall6 support on kernel 2.6.24 Signed-off-by: Tom Eastep --- docs/FAQ.xml | 19 ++++++++++--------- docs/IPv6Support.xml | 2 +- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/FAQ.xml b/docs/FAQ.xml index e2b936acf..91cf4687b 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -2176,7 +2176,7 @@ We have an error talking to the kernel later.
    - (FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.25 + <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24 or later? Answer: Shorewall implements a @@ -2187,16 +2187,17 @@ We have an error talking to the kernel problems with the facility until at least kernel 2.6.23. When distributions began offering IPv6 connection tracking support, it was with kernel 2.6.25. So that is what we developed IPv6 support on and - that's all that it has been tested on. If you are running 2.6.20 or - later, you can try to run Shorewall6 - by hacking /usr/share/shorewall/prog.footer6 and - changing the kernel version test to check for your kernel version - rather than 2.6.25 (20625). But after that, you are on your - own. + that's all that we initially tested on. Subsequently, we have tested + Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running + 2.6.20 or later, you can try to run + Shorewall6 by hacking + /usr/share/shorewall/prog.footer6 and changing the kernel + version test to check for your kernel version rather than 2.6.24 + (20624). But after that, you are on your own. kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1) -if [ $kernel -lt 20625 ]; then - error_message "ERROR: $PRODUCT requires Linux kernel 2.6.25 or later" +if [ $kernel -lt 20624 ]; then + error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later" status=2 else diff --git a/docs/IPv6Support.xml b/docs/IPv6Support.xml index 7a50c892b..115cb74fe 100644 --- a/docs/IPv6Support.xml +++ b/docs/IPv6Support.xml @@ -57,7 +57,7 @@ - Kernel 2.6.25 or + Kernel 2.6.24 or later. From bd4bbd57ea21c6b26064823bdba08e676711ef96 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 11:20:58 -0700 Subject: [PATCH 17/18] Remove extraneous character from sample rules file Signed-off-by: Tom Eastep --- Samples/one-interface/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules index a3ac5175e..58dca3254 100644 --- a/Samples/one-interface/rules +++ b/Samples/one-interface/rules @@ -1,4 +1,4 @@ -L# +# # Shorewall version 4.0 - Sample Rules File for one-interface configuration. # Copyright (C) 2006 by the Shorewall Team # From fdea4a4020457c03cc99721cbd3179f02602607b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 17 Apr 2009 11:27:00 -0700 Subject: [PATCH 18/18] Remove SUBSYSLOCK value from sample config files Signed-off-by: Tom Eastep --- Samples6/one-interface/shorewall6.conf | 2 +- Samples6/three-interfaces/shorewall6.conf | 2 +- Samples6/two-interfaces/shorewall6.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf index b02d9fe09..789be9c3f 100644 --- a/Samples6/one-interface/shorewall6.conf +++ b/Samples6/one-interface/shorewall6.conf @@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf index fd2e7fabd..f07e36e71 100644 --- a/Samples6/three-interfaces/shorewall6.conf +++ b/Samples6/three-interfaces/shorewall6.conf @@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR= diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf index ea51755c4..ecf9d18dd 100644 --- a/Samples6/two-interfaces/shorewall6.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -62,7 +62,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin SHOREWALL_SHELL=/bin/sh -SUBSYSLOCK=/var/lock/subsys/shorewall +SUBSYSLOCK= MODULESDIR=
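
Review bot: In PATCH 01/18, the new Git section of web/download.htm offers only "git clone git://shorewall.git.sourceforge.net/gitroot/shorewall", and the git:// transport has no authentication or encryption, so a reader cloning firewall source this way has no assurance that the tree was not altered in transit. Suggest adding a sentence on how to verify what was cloned (the page already mentions verification "using our public key" elsewhere, as the hunk context in PATCH 02/18 shows), or listing an authenticated transport alongside the git:// URL.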
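
Review bot: In PATCH 03/18, the last hunk of web/download.htm turns the CVS URL into a link, but both the href and the link text spell the file "shorwall.lrp" while the surrounding text calls it shorewall.lrp. Check that the target resolves before making it clickable, and correct the spelling in both places if it is a typo carried over from the old line.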
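
Review bot: In PATCH 04/18, the Introduction of the new docs/ConnectionRate.xml explains what happens while the burst count is above 0 but never says what happens to a connection that arrives when it is 0, which is the case a reader setting a limit most needs. State it explicitly; the Policy section says excess connections are "logged and dropped", so also say whether the same holds for the RATE LIMIT column and the Limit action. Smaller points in the same hunk: the parenthesis opened before "connections/{" is never closed, "arrives,if" is missing a space, "preceeded" should be "preceded", and the copyright year is 2008 in a file created by this 2009 commit.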
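
Review bot: In PATCH 04/18, the docs/Documentation_Index.xml hunk also adds a "KVM (Kernel-mode Virtual Machine)" entry, which the commit subject "Add a connection rate limiting doc" does not cover. Split it into its own commit or mention it in the message. KVM is also normally expanded as Kernel-based Virtual Machine.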
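
Review bot: In PATCH 09/18, the hunk header for Shorewall/Macros/macro.template already shows "FORMAT 2" as the preceding context at line 365, so the added "FORMAT 2" just above the last line of the file looks like a second copy of the directive. PATCH 10/18 documents it as the first non-comment line of a macro file, so one occurrence should be enough. PATCH 12/18 then removes these three lines again without saying why, so the two commits could be squashed out of the series. PATCHes 09 through 13 also lack the Signed-off-by trailer that the rest of the series carries.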
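
Review bot: In PATCH 10/18, the exclusion example added to docs/Macros.xml reads "192.168.1.0-182.168.1.15"; the second address should be 192.168.1.15. The same added section refers to "the IP address given in the SERVER column" and, in the same sentence, to "the IP and port specified in the DEST column". The column header shown in macro.template (context of PATCH 09/18) has no SERVER column, so use one name throughout.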
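
Review bot: In PATCH 11/18, the replacement line "do_or_die mv manpages manpages6.save/" in tools/build/buildshorewall moves the directory itself rather than its contents, so the result depends on whether manpages6.save/ already exists: if it does, the export ends up in manpages6.save/manpages, and if it does not, the directory is simply renamed. Confirm that the later steps read from the path that actually results, and say in the commit message what was wrong with "mv manpages/* manpages6.save/". If the glob was the problem, note that the svn export line just above passes do_or_die a single quoted string while this line passes bare arguments.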
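
Review bot: In PATCH 14/18, the new notice in web/Notices.html says Shorewall-perl 4.2.8 "was dead on arrival" and was corrected in Shorewall-perl-4.2.8.1, but the web/shorewall_index.htm hunk in the same commit changes only the date and the attention heading, leaving the Stable Release entry that PATCH 08/18 set to 4.2.8 as it was. Consider pointing the stable entry at the corrected version, or putting a pointer to the notice next to it, so that a reader who goes straight to the download does not install the broken compiler. In the notice text, "This lead to:" should read "This led to:".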
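
Review bot: In PATCH 15/18, the subject says "kernel 4.2.24" while the Shorewall/Perl/prog.footer6 hunk, changelog.txt and releasenotes.txt all say 2.6.24; fix the subject before this is applied. In the prog.footer6 hunk the minimum version is written twice (20624 in the test and "2.6.24" in the error message), and PATCH 16/18 copies both into docs/FAQ.xml, so deriving the message from a single variable would keep the two from drifting apart the next time the floor changes.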
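
Review bot: In PATCH 16/18, the rewritten FAQ 80a title in docs/FAQ.xml still reads "lPv6" with a lowercase L where "IPv6" is meant; the line is being changed anyway, so fix it here. The answer keeps the advice to edit the version test in /usr/share/shorewall/prog.footer6 for anyone on "2.6.20 or later" while the same paragraph says the connection-tracking facility had problems "until at least kernel 2.6.23". With the shipped floor now at 2.6.24, say which earlier kernels that advice is still meant for, or drop it.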
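
Review bot: In PATCH 18/18, all three Samples6 shorewall6.conf hunks change "SUBSYSLOCK=/var/lock/subsys/shorewall" to an empty value, and the commit message does not say why. A one-line rationale would help: the old value names "shorewall" rather than "shorewall6", and if sharing a lock path with the IPv4 product is the reason, say so. Also confirm that an empty SUBSYSLOCK is handled as "no lock file" by the scripts that consume it, since anyone starting from these samples will now run with that setting.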