Shorewall 2.2.3

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2027 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

STABLE2/changelog.txt

@@ -1,3 +1,17 @@
+Changes in 2.2.3
+
+1) Added the 'continue' extension script.
+
+2) Obey 'routestopped' rules during [re]start.
+
+3) MACLIST_TTL added.
+
+4) Fix ! in hosts file
+
+5) Add QUEUE policy.
+
+6) Fix routing output when advanced routing support not in kernel.
+
 Changes in 2.2.2
 
 1) The 'check' command disclaimer is toned down further and only

STABLE2/continue

@@ -0,0 +1,6 @@
+############################################################################
+# Shorewall 2.2 -- /etc/shorewall/continue
+#
+# Add commands below that you want to be executed after shorewall has
+# cleared any existing Netfilter rules and has enabled existing connections.
+#

STABLE2/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=2.2.2
+VERSION=2.2.3
 
 usage() # $1 = exit status
 {

STABLE2/firewall

@@ -464,6 +464,11 @@ mac_chain() # $1 = interface
    echo $(chain_base $1)_mac
 }
 
+macrecent_target() # $1 - interface
+{
+    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
+}
+
 #
 # Functions for creating dynamic zone rules
 #
@@ -1095,7 +1100,7 @@ validate_policy()
 	esac
 
 	case $policy in
-	ACCEPT|REJECT|DROP|CONTINUE)
+	ACCEPT|REJECT|DROP|CONTINUE|QUEUE)
 	    ;;
 	NONE)
 	    [ "$client" = "$FW" -o "$server" = "$FW" ] && \
@@ -1390,6 +1395,58 @@ disable_ipv6_1() {
     fi
 }
 
+#
+# Process the routestopped file either adding or deleting rules
+#
+
+process_routestopped() # $1 = command
+{
+    local hosts= interface host host1 options networks
+
+    while read interface host options; do
+	expandv interface host options
+	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
+	for h in $(separate_list $host); do
+	    hosts="$hosts $interface:$h"
+	done
+
+	routeback=
+
+	if [ -n "$options" ]; then
+	    for option in $(separate_list $options); do
+		case $option in
+		    routeback)
+			if [ -n "$routeback" ]; then
+			    error_message "Warning: Duplicate routestopped option ignored: routeback"
+			else
+			    routeback=Yes
+			    for h in $(separate_list $host); do
+				run_iptables $1 FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
+			    done
+			fi
+			;;
+		    *)
+			error_message "Warning: Unknown routestopped option ignored: $option"
+			;;
+		esac
+	    done
+	fi
+		    
+    done < $TMP_DIR/routestopped
+
+    for host in $hosts; do
+	interface=${host%:*}
+	networks=${host#*:}
+	$IPTABLES $1 INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
+	[ -z "$ADMINISABSENTMINDED" ] && \
+	    run_iptables $1 OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
+
+	for host1 in $hosts; do
+	    [ "$host" != "$host1" ] && run_iptables $1 FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
+	done
+    done
+}
+
 #
 # Stop the Firewall
 #
@@ -1465,50 +1522,9 @@ stop_firewall() {
 
     hosts=
 
-    strip_file routestopped
+    [ -f $TMP_DIR/routestopped ] || strip_file routestopped
 
-    while read interface host options; do
-	expandv interface host options
-	[ "x$host" = "x-" -o -z "$host" ] && host=0.0.0.0/0
-	for h in $(separate_list $host); do
-	    hosts="$hosts $interface:$h"
-	done
-
-	routeback=
-
-	if [ -n "$options" ]; then
-	    for option in $(separate_list $options); do
-		case $option in
-		    routeback)
-			if [ -n "$routeback" ]; then
-			    error_message "Warning: Duplicate option ignored: routeback"
-			else
-			    routeback=Yes
-			    for h in $(separate_list $host); do
-				$IPTABLES -A FORWARD -i $interface -o $interface $(both_ip_ranges $h $h) -j ACCEPT
-			    done
-			fi
-			;;
-		    *)
-			error_message "Warning: Unknown option ignored: $option"
-			;;
-		esac
-	    done
-	fi
-		    
-    done < $TMP_DIR/routestopped
-
-    for host in $hosts; do
-	interface=${host%:*}
-	networks=${host#*:}
-	$IPTABLES -A INPUT  -i $interface $(source_ip_range $networks) -j ACCEPT
-	[ -z "$ADMINISABSENTMINDED" ] && \
-	    $IPTABLES -A OUTPUT -o $interface $(dest_ip_range $networks) -j ACCEPT
-
-	for host1 in $hosts; do
-	    [ "$host" != "$host1" ] && $IPTABLES -A FORWARD -i $interface -o ${host1%:*} $(both_ip_ranges $networks ${host1#*:}) -j ACCEPT
-	done
-    done
+    process_routestopped -A
 
     $IPTABLES -A INPUT  -i lo -j ACCEPT
     [ -z "$ADMINISABSENTMINDED" ] && \
@@ -1989,6 +2005,7 @@ setup_mac_lists() {
     local addresses
     local address
     local chain
+    local chain1
     local macpart
     local blob
     local hosts
@@ -2013,10 +2030,19 @@ setup_mac_lists() {
 
     progress_message "Setting up MAC Verification on $maclist_interfaces..."
     #
-    # Be sure that they are all ethernet interfaces
+    # Create chains.
     #
     for interface in $maclist_interfaces; do
-	createchain $(mac_chain $interface) no
+	chain=$(mac_chain $interface)
+	createchain $chain no
+	
+	if [ -n "$MACLIST_TTL" ]; then
+	    chain1=$(macrecent_target $interface)
+	    createchain $chain1 no
+	    run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1
+	    run_iptables -A $chain1 -m recent --update                        --name $chain -j ACCEPT
+	    run_iptables -A $chain1 -m recent --set                           --name $chain -j ACCEPT
+	fi
     done
     #
     # Process the maclist file producing the verification rules
@@ -2036,6 +2062,7 @@ setup_mac_lists() {
 	fi
 
 	chain=$(mac_chain $interface)
+	chain1=$(macrecent_target $interface)
 
 	if ! havechain $chain ; then
 	    fatal_error "No hosts on $interface have the maclist option specified"
@@ -2044,10 +2071,10 @@ setup_mac_lists() {
 	macpart=$(mac_match $mac)
 
 	if [ -z "$addresses" ]; then
-	    run_iptables -A $chain $macpart $physdev_part -j RETURN
+	    run_iptables -A $chain $macpart $physdev_part -j $chain1
 	else
 	    for address in $(separate_list $addresses) ; do
-		run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
+		run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1
 	    done
 	fi
     done < $TMP_DIR/maclist
@@ -2057,6 +2084,7 @@ setup_mac_lists() {
     #
     for interface in $maclist_interfaces; do
 	chain=$(mac_chain $interface)
+	chain1=$(macrecent_target $interface)
 
 	blob=$(ip link show $interface 2> /dev/null)
 
@@ -2065,11 +2093,11 @@ setup_mac_lists() {
 
 	ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
 	    if [ -n "$broadcast" ]; then
-		run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
+		run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1
 	    fi
 
-	    run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
-	    run_iptables -A $chain -s $address -d 224.0.0.0/4     -j RETURN
+	    run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
+	    run_iptables -A $chain -s $address -d 224.0.0.0/4     -j $chain1
 	done
 
 	if [ -n "$MACLIST_LOG_LEVEL" ]; then
@@ -3462,14 +3490,14 @@ process_actions1() {
 		    [ ${#temp} -le 30 ] || fatal_error "Action Name Longer than 30 Characters: $temp"
 		    xaction=${xaction%:*}
 		    case $temp in
-			ACCEPT|REJECT|DROP)
+			ACCEPT|REJECT|DROP|QUEUE)
 			    eval ${temp}_common=$xaction
 			    if [ -n "$xaction" ] && ! list_search $xaction $USEDACTIONS; then
 				USEDACTIONS="$USEDACTIONS $xaction"
 			    fi
 			    ;;
 			*)
-			    startup_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
+			    startup_error "Common Actions are only allowed for ACCEPT, DROP, REJECT and QUEUE"
 			    ;;
 		    esac
 	    esac
@@ -4778,6 +4806,9 @@ policy_rules() # $1 = chain to add rules to
 	    [ -n "$REJECT_common" ] && run_iptables -A $1 -j $REJECT_common    
 	    target=reject
 	    ;;
+	QUEUE)
+	    [ -n "$QUEUE_common" ] && run_iptables -A $1 -j $QUEUE_common    
+	    ;;
 	CONTINUE)
 	    target=
 	    ;;
@@ -4843,7 +4874,7 @@ default_policy() # $1 = client $2 = server
 	    # depends on the policy
 	    #
 	    case $policy in
-	    ACCEPT)
+	    ACCEPT|QUEUE)
 		if [ -n "$synparams" ]; then
 		    #
 		    # To avoid double-counting SYN packets, enforce the policy
@@ -5589,6 +5620,7 @@ determine_capabilities() {
     POLICY_MATCH=
     PHYSDEV_MATCH=
     IPRANGE_MATCH=
+    RECENT_MATCH=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -5597,7 +5629,7 @@ determine_capabilities() {
     qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
     qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
     qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
-
+    qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT                               && RECENT_MATCH=Yes
 
     if [ -n "$PKTTYPE" ]; then
 	qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
@@ -5627,6 +5659,7 @@ report_capabilities() {
     report_capability "Policy Match" $POLICY_MATCH
     report_capability "Physdev Match" $PHYSDEV_MATCH
     report_capability "IP range Match" $IPRANGE_MATCH
+    report_capability "Recent Match" $RECENT_MATCH
 }
 
 #
@@ -5678,7 +5711,7 @@ initialize_netfilter () {
     run_user_exit init
 
     #
-    # The some files might be large so strip them while the firewall is still running
+    # Some files might be large so strip them while the firewall is still running
     # (restart command). This reduces the length of time that the firewall isn't
     # accepting new connections.
     #
@@ -5721,6 +5754,16 @@ initialize_netfilter () {
     setcontinue INPUT
     setcontinue OUTPUT
 
+    run_user_exit continue
+
+    f=$(find_file routestopped)
+
+    echo "Processing $f ..."
+
+    strip_file routestopped $f
+
+    process_routestopped -A
+
     [ -n "$DISABLE_IPV6" ] && disable_ipv6
 
     #
@@ -5729,10 +5772,6 @@ initialize_netfilter () {
     run_iptables -A INPUT  -i lo -j ACCEPT
     run_iptables -A OUTPUT -o lo -j ACCEPT
 
-    accounting_file=$(find_file accounting)
-
-    [ -f $accounting_file ] && setup_accounting $accounting_file
-
     #
     # Allow DNS lookups during startup for FQDNs
     #
@@ -5756,6 +5795,10 @@ initialize_netfilter () {
 	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
     fi
 
+    accounting_file=$(find_file accounting)
+
+    [ -f $accounting_file ] && setup_accounting $accounting_file
+
     if [ -z "$NEWNOTSYN" ]; then
 	createchain newnotsyn no
 
@@ -6332,7 +6375,7 @@ activate_rules()
 	shift
 
 	if havenatchain $destchain ; then
-	    run_iptables -t nat -A $sourcechain $@ -j $destchain
+	    run_iptables2 -t nat -A $sourcechain $@ -j $destchain
 	else
 	    [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ]      && -rm -f $TMP_DIR/physdev
 	    [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
@@ -6350,7 +6393,7 @@ activate_rules()
 	shift
 
 	if havenatchain $destchain; then
-	    eval run_iptables -t nat -I $sourcechain \
+	    eval run_iptables2 -t nat -I $sourcechain \
 		\$${sourcechain}_rule $@ -j $destchain
 	    eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
 	else 
@@ -6358,7 +6401,7 @@ activate_rules()
 	    [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
 
 	fi
-    }
+    }    
 
     #
     # Add jumps to early SNAT chains
@@ -6410,7 +6453,7 @@ activate_rules()
 		    interface=${host%%:*}
 		    networks=${host#*:}
 		    
-		    run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+		    run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
 		done
 	    fi
 	fi
@@ -6439,7 +6482,7 @@ activate_rules()
 	    interface=${host%%:*}
 	    networks=${host#*:}
 
-	    run_iptables -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
+	    run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
 
 	    #
 	    # Add jumps from the builtin chains for DNAT and SNAT rules
@@ -6447,10 +6490,10 @@ activate_rules()
 	    addrulejump PREROUTING  $(dnat_chain $zone) -i $interface $(match_source_hosts $networks) $(match_ipsec_in $zone $host)
 	    addrulejump POSTROUTING $(snat_chain $zone) -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host)
 
-	    run_iptables -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
+	    run_iptables2 -A $(input_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $chain2
 
 	    if [ -n "$complex" ] && ! is_ipsec_host $zone $host ; then
-                run_iptables -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
+                run_iptables2 -A $(forward_chain $interface) $(match_source_hosts $networks) $(match_ipsec_in $zone $host) -j $frwd_chain
 	    fi
 
 	    case $networks in
@@ -6515,7 +6558,7 @@ activate_rules()
 		    # routeback was specified for this host group
 		    #
 		    if [ $zone != $zone1 -o $num_ifaces -gt 1 ] || list_search $host1 $routeback ; then
-			run_iptables -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain			
+			run_iptables2 -A $frwd_chain -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain			
 		    fi
 		done
 	    else
@@ -6530,7 +6573,7 @@ activate_rules()
 			networks1=${host1#*:}
 
 			if [ "$host" != "$host1" ] || list_search $host $routeback; then
-			    run_iptables -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
+			    run_iptables2 -A $chain1 $(match_source_hosts $networks) -o $interface1 $(match_dest_hosts $networks1) $(match_ipsec_out $zone1 $host1) -j $chain
 			fi
 		    done
 		done
@@ -6577,7 +6620,9 @@ activate_rules()
 	run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 	run_iptables -D $chain -p udp --dport 53 -j ACCEPT
     done
-    
+ 
+    process_routestopped -D
+
     if [ -n "$LOGALLNEW" ]; then
 	for table in mangle nat filter; do
 	    case $table in
@@ -7240,6 +7285,7 @@ do_initialize() {
     LOGALLNEW=
     DROPINVALID=
     RFC1918_STRICT=
+    MACLIST_TTL=
 
     RESTOREBASE=
     TMP_DIR=
@@ -7436,6 +7482,12 @@ do_initialize() {
     LOGTAGONLY=$(added_param_value_no LOGTAGONLY $LOGTAGONLY)
     DROPINVALID=$(added_param_value_yes DROPINVALID $DROPINVALID)
     RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
+
+    [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=
+
+    if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
+	startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables"
+    fi
     #
     # Strip the files that we use often
     #

STABLE2/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=2.2.2
+VERSION=2.2.3
 
 usage() # $1 = exit status
 {

STABLE2/policy

@@ -25,6 +25,8 @@
 #			DROP		- Ignore the connection request
 #			REJECT		- For TCP, send RST. For all other, send
 #					  "port unreachable" ICMP.
+#			QUEUE		- Send the request to a user-space
+#					  application using the QUEUE target.
 #			CONTINUE	- Pass the connection request past
 #					  any other rules that it might also
 #					  match (where the source or destination

STABLE2/releasenotes.txt

@@ -1,4 +1,74 @@
-Shorewall 2.2.2
+Shorewall 2.2.3
+
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.3
+
+1) If a zone is defined in /etc/shorewall/hosts using
+   <interface>:!<network> in the HOSTS column then startup errors occur
+   on "shorewall [re]start".
+
+2) Previously, if "shorewall status" was run on a system whose kernel
+   lacked advanced routing support (CONFIG_IP_ADVANCED_ROUTER),  then
+   no routing information was displayed. 
+
+-----------------------------------------------------------------------
+New Features in version 2.2.3
+
+1) A new extension script "continue" has been added. This script is
+   invoked after Shorewall has set the built-in filter chains' 
+   policy to DROP, deleted any existing Netfilter rules and user
+   chains and has enabled existing connections.
+
+   It is useful for enabling certain communication while Shorewall is
+   being [re]started. Be sure to delete any rules that you add here in
+   your /etc/shorewall/start file.
+
+2) There has been ongoing confusion about how the
+   /etc/shorewall/routestopped file works. People understand how it
+   works with the 'shorewall stop' command but when they read that
+   'shorewall restart' is logically equivalent to 'shorewall stop'
+   followed by 'shorewall start' then they erroneously conclude that
+   /etc/shorewall/routestopped can be used to enable new connections
+   during 'shorewall restart'. Up to now, it cannot -- that file is not
+   processed during either 'shorewall start' or 'shorewall restart'.
+
+   Beginning with Shorewall version 2.2.3, /etc/shorewall/routestopped
+   will be processed TWICE during 'shorewall start' and during
+   'shorewall restart'. It will be processed early in the command 
+   execution to add rules allowing new connections while the command
+   is running and it will be processed again when the
+   command is complete to remove the rules added earlier.
+
+   The result of this change will be that during most of [re]start, new
+   connections will be allowed in accordance with the contents of
+   /etc/shorewall/routestopped.
+
+3) The performance of configurations with a large numbers of entries in
+   /etc/shorewall/maclist can be improved by setting the new 
+   MACLIST_TTL variable in /etc/shorewall/shorewall.conf.
+
+   If your iptables and kernel support the "Recent Match" (see the
+   output of "shorewall check" near the top), you can cache the results
+   of a 'maclist' file lookup and thus reduce the overhead associated
+   with MAC Verification.
+
+   When a new connection arrives from a 'maclist' interface, the packet
+   passes through then list of entries for that interface in
+   /etc/shorewall/maclist. If there is a match then the source IP
+   address is added to the 'Recent' set for that interface. Subsequent
+   connection attempts from that IP address occuring within
+   $MACLIST_TTL seconds will be accepted without having to scan all
+   of the entries. After $MACLIST_TTL from the first accepted
+   connection request from an IP address, the next connection request
+   from that IP address will be checked against the entire list.
+
+   If MACLIST_TTL is not specified or is specified as empty (e.g, 
+   MACLIST_TTL="" or is specified as zero then 'maclist' lookups
+   will not be cached.
+
+4) You can now specify QUEUE as a policy and you can designate a 
+   common action for QUEUE policies in /etc/shorewall/actions. This is
+   useful for sending packets to something like Snort Inline.
 
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.2

STABLE2/routestopped

@@ -5,7 +5,8 @@
 # /etc/shorewall/routestopped
 #
 #	This file is used to define the hosts that are accessible when the
-#	firewall is stopped
+#	firewall is stopped or when it is in the process of being
+#	[re]started.
 #
 # Columns must be separated by white space and are:
 #

STABLE2/shorewall

@@ -1014,17 +1014,24 @@ case "$1" in
 	    done
 	done
 
-	echo
-	echo "Routing Rules"
-	echo
-	ip rule ls
-	ip rule ls | while read rule; do
-	    table=${rule##* }
+	if [ -n "$(ip rule ls)" ]; then
 	    echo
-	    echo "Table $table:"
+	    echo "Routing Rules"
 	    echo
-	    ip route ls table $table
-	done
+	    ip rule ls
+	    ip rule ls | while read rule; do
+		table=${rule##* }
+		echo
+		echo "Table $table:"
+		echo
+		ip route ls table $table
+	    done
+	else
+	    echo
+	    echo "Routing Table"
+	    echo
+	    ip route ls
+	fi
 
 	echo
 	echo "ARP"

STABLE2/shorewall.conf

@@ -768,6 +768,29 @@ DROPINVALID=No
 
 RFC1918_STRICT=No
 
+#
+# MACLIST caching
+#
+# If your iptables and kernel support the "Recent Match" (see the output of
+# "shorewall check" near the top), you can cache the results of a 'maclist'
+# file lookup and thus reduce the overhead associated with MAC Verification
+# (/etc/shorewall/maclist).
+#
+# When a new connection arrives from a 'maclist' interface, the packet passes
+# through then list of entries for that interface in /etc/shorewall/maclist. If
+# there is a match then the source IP address is added to the 'Recent' set for
+# that interface. Subsequent connection attempts from that IP address occuring
+# within $MACLIST_TTL seconds will be accepted without having to scan all of
+# the entries. After $MACLIST_TTL from the first accepted connection request,
+# the next connection request from that IP address will be checked against
+# the entire list.
+# 
+# If MACLIST_TTL is not specified or is specified as empty (e.g, 
+# MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
+# be cached.
+
+MACLIST_TTL=
+
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################

STABLE2/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 2.2.2
+%define version 2.2.3
 %define release 1
 %define prefix /usr
 
@@ -137,6 +137,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn
 
 %changelog
+* Tue Apr 05 2005 Tom Eastep tom@shorewall.net
+- Updated to 2.2.3-1
 * Mon Mar 07 2005 Tom Eastep tom@shorewall.net
 - Updated to 2.2.2-1
 * Mon Jan 24 2005 Tom Eastep tom@shorewall.net

STABLE2/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Seattle Firewall
 
-VERSION=2.2.2
+VERSION=2.2.3
 
 usage() # $1 = exit status
 {