From cb64f41c6e9fcd71aee9193ac7d97a727981a3a5 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Wed, 11 May 2005 17:20:23 +0000
Subject: [PATCH] Clarify requirements for /etc/shorewall/ipsec; fix PKTTYPE
 Handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2104 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 STABLE2/changelog.txt    | 4 ++++
 STABLE2/firewall         | 3 ++-
 STABLE2/ipsec            | 7 ++++---
 STABLE2/releasenotes.txt | 8 +++++++-
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/STABLE2/changelog.txt b/STABLE2/changelog.txt
index 11288bc27..52958a7a5 100644
--- a/STABLE2/changelog.txt
+++ b/STABLE2/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 2.2.5
+
+1) Correct behavior of PKTTYPE=No
+
 Changes in 2.2.4
 
 1) Added support for UPnP
diff --git a/STABLE2/firewall b/STABLE2/firewall
index 66392de8d..744cc4a92 100755
--- a/STABLE2/firewall
+++ b/STABLE2/firewall
@@ -7461,6 +7461,8 @@ do_initialize() {
 	[ -e "$IPTABLES" ] || startup_error "\$IPTABLES=$IPTABLES does not exist or is not executable"
     fi
 
+    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) # Used in determine_capabilities
+
     determine_capabilities
 
     [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
@@ -7580,7 +7582,6 @@ do_initialize() {
     DISABLE_IPV6=$(added_param_value_no DISABLE_IPV6 $DISABLE_IPV6)
     BRIDGING=$(added_param_value_no BRIDGING $BRIDGING)
     DYNAMIC_ZONES=$(added_param_value_no DYNAMIC_ZONES $DYNAMIC_ZONES)
-    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
     STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
     RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
     DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
diff --git a/STABLE2/ipsec b/STABLE2/ipsec
index b6692d8fd..84e884edc 100644
--- a/STABLE2/ipsec
+++ b/STABLE2/ipsec
@@ -2,8 +2,9 @@
 # Shorewall 2.2 - /etc/shorewall/ipsec
 #
 #	This file defines the attributes of zones with respect to
-#	IPSEC. To use this file, you must be running a 2.6 kernel and
-#       both your kernel and iptables must include Policy Match Support.
+#	IPSEC. To use this file for any purpose except for setting mss, 
+#	you must be running a 2.6 kernel and both your kernel and iptables
+#	must include Policy Match Support.
 #
 #	The columns are:
 #
@@ -26,7 +27,7 @@
 #
 #				proto=ah|esp|ipcomp
 #
-#				mss=<number> (sets the MSS field in TCP packets) 
+#				mss=<number> (sets the MSS field in TCP packets)
 #
 #				mode=transport|tunnel
 #
diff --git a/STABLE2/releasenotes.txt b/STABLE2/releasenotes.txt
index 19dc7e7d1..d60b6aab5 100644
--- a/STABLE2/releasenotes.txt
+++ b/STABLE2/releasenotes.txt
@@ -1,4 +1,10 @@
-Shorewall 2.2.4
+Shorewall 2.2.5
+
+-----------------------------------------------------------------------
+Problems corrected in version 2.2.5
+
+1) Previously, if PKTTYPE=No in shorewall.conf then pkttype match would
+   still be used if the kernel supported it.
 
 -----------------------------------------------------------------------
 Problems corrected in version 2.2.4