diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 2da0d7e33..69d8892f9 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -40,7 +40,7 @@ our @EXPORT = qw( process_providers
handle_stickiness
handle_optional_interfaces );
our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';
use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254,
@@ -700,7 +700,7 @@ sub add_a_provider( $$ ) {
push_indent;
- if ( $balance || $default ) {
+ if ( $balance || $default > 0 ) {
$tbl = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
$weight = $balance ? $balance : $default;
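Review bot: The guard now tests `$default > 0`, but the table selection on the next line still tests plain truthiness (`$default ? DEFAULT_TABLE : ...`), so the two conditions no longer agree on what a negative `$default` means. If nothing earlier in add_a_provider (outside this hunk) rejects `$balance` combined with a negative `$default`, that case enters the block, picks DEFAULT_TABLE, and, with the `unless $default < 0` guard dropped in the following hunk, also emits `delete_gateway`. Either use the same test in the ternary, `$tbl = $default > 0 ? DEFAULT_TABLE : ...`, or add a comment stating the invariant, e.g. `# $default < 0 never reaches here together with $balance`. The function body starts and ends outside the hunk, so the invariant may already be enforced there.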
@@ -715,7 +715,7 @@ sub add_a_provider( $$ ) {
$via .= " weight $weight" unless $weight < 0;
$via .= " $realm" if $realm;
- emit( qq(delete_gateway "$via" $tbl $physical) ) unless $default < 0;
+ emit( qq(delete_gateway "$via" $tbl $physical) );
}
emit (". $undo",
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 39ef5b13c..c5869f270 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -394,6 +394,7 @@ sub process_tc_rule( ) {
$target .= ' --tproxy-mark';
} elsif ( $target eq 'TTL' ) {
+ fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
@@ -412,6 +413,26 @@ sub process_tc_rule( ) {
} else {
$target .= " --ttl-set $param";
}
+ } elsif ( $target eq 'HL' ) {
+ fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+ fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+ fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+ $chain = 'tcfor';
+
+ $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+ my $param = $1;
+
+ fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+ if ( $1 =~ /^\+/ ) {
+ $target .= " --hl-inc $param";
+ } elsif ( $1 =~ /\-/ ) {
+ $target .= " --hl-dec $param";
+ } else {
+ $target .= " --hl-set $param";
+ }
}
if ( $rest ) {
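Review bot: The result of `$cmd =~ /^HL\(([-+]?\d+)\)$/;` in the new HL branch is never tested, so on a failed match `$1` keeps whatever an earlier successful match in scope left behind, and `$param` may be range-checked against a stale capture rather than the user's input. The dispatch entry added to setup_tc in the next hunk accepts any command beginning with `HL` (`/^HL/`), so a malformed specification can reach this branch. The compiler should fail closed with `fatal_error "Invalid HL specification( $cmd )" unless $cmd =~ /^HL\(([-+]?\d+)\)$/;`. Copying the capture once (`my $spec = $1;`) and testing `$spec` for the sign would avoid depending on `$1` across later statements, and `/^-/` would mirror the anchored `/^\+/` test. The body of process_tc_rule starts and ends outside the hunk, and the existing TTL branch appears to follow the same pattern.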
@@ -1845,6 +1866,12 @@ sub setup_tc() {
mark => NOMARK,
mask => '',
connmark => 0
+ },
+ { match => sub( $ ) { $_[0] =~ /^HL/ },
+ target => 'HL',
+ mark => NOMARK,
+ mask => '',
+ connmark => 0
}
);
diff --git a/Shorewall/Perl/Shorewall/Tunnels.pm b/Shorewall/Perl/Shorewall/Tunnels.pm
index 9e2ef9c12..6139d5474 100644
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -253,6 +253,7 @@ sub setup_tunnels() {
'ipip' => { function => \&setup_one_other, params => [ \@source, \@dest , 4 ] } ,
'gre' => { function => \&setup_one_other, params => [ \@source, \@dest , 47 ] } ,
'6to4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
+ '6in4' => { function => \&setup_one_other, params => [ \@source, \@dest , 41 ] } ,
'pptpclient' => { function => \&setup_pptp_client, params => [ $kind, \@source, \@dest ] } ,
'pptpserver' => { function => \&setup_pptp_server, params => [ $kind, \@source, \@dest ] } ,
'openvpn' => { function => \&setup_one_openvpn, params => [ $kind, \@source, \@dest ] } ,
@@ -284,7 +285,7 @@ sub setup_tunnels() {
while ( read_a_line ) {
- my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { kind => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+ my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
fatal_error 'TYPE must be specified' if $kind eq '-';
fatal_error 'ZONE must be specified' if $zone eq '-';
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 86bf3f2e8..5bd842eeb 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -535,8 +535,10 @@
is given without a weight, a
separate default route is added through the provider's
gateway; the route has a metric equal to the provider's
- NUMBER. The option is ignored with a warning message if
- USE_DEFAULT_RT=Yes in
+ NUMBER.
+
+ Prior to Shorewall 4.4.24, the option is ignored with
+ a warning message if USE_DEFAULT_RT=Yes in
shorewall.conf.
diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml
index d9238fc12..d2fb1fdcb 100644
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@@ -263,8 +263,10 @@
specified weight. If the option is
given without a weight, an separate
default route is added through the provider's gateway; the
- route has a metric equal to the provider's NUMBER. The option
- is ignored with a warning message if USE_DEFAULT_RT=Yes in
+ route has a metric equal to the provider's NUMBER.
+
+ Prior to Shorewall 4.4.24, the option is ignored with a
+ warning message if USE_DEFAULT_RT=Yes in
shorewall.conf.
diff --git a/manpages/shorewall-tunnels.xml b/manpages/shorewall-tunnels.xml
index bcd5954c0..f3f4f026a 100644
--- a/manpages/shorewall-tunnels.xml
+++ b/manpages/shorewall-tunnels.xml
@@ -55,7 +55,9 @@
Types are as follows:
- 6to4 - 6to4 or 6in4 tunnel
+ 6to4 or 6in4 - 6to4 or 6in4 tunnel. The 6in4 synonym was added in 4.4.24.
ipsec - IPv4 IPSEC
ipsecnat - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
ipip - IPv4 encapsulated in IPv4 (Protocol 4)
@@ -111,14 +113,6 @@
-
-
-
-
-
-
-
-
ZONE -
zone
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index f81e859a3..1158c8073 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -316,7 +316,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- TTL([HL([-|+]number)
@@ -324,13 +324,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443
:F but the resulting rule is
always added to the FORWARD chain. If + is included, packets matching the rule
- will have their TTL incremented by
+ will have their HL (hop limit) incremented by
number. Similarly, if - is included, matching packets have
- their TTL decremented by number. If
+ their HL decremented by number. If
neither + nor - is given, the TTL of matching packets
- is set to number. The valid range of
+ role="bold">- is given, the HL of matching packets is
+ set to number. The valid range of
values for number is 1-255.