Bring trunk up to date with 4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7226 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.2
+VERSION=4.0.3
 
 usage() # $1 = exit status
 {

Shorewall-common/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
 #
 
-VERSION=4.0.2
+VERSION=4.0.3
 
 usage() # $1 = exit status
 {

Shorewall-common/lib.base

@@ -35,7 +35,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=30405
+SHOREWALL_CAPVERSION=40003
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -1004,6 +1004,8 @@ determine_capabilities() {
     COMMENTS=
     ADDRTYPE=
     TCPMSS_MATCH=
+    HASHLIMIT_MATCH=
+    NFQUEUE_TARGET=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -1072,6 +1074,9 @@ determine_capabilities() {
     qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+    
 
     qt $IPTABLES -F fooX1234
     qt $IPTABLES -X fooX1234
@@ -1119,6 +1124,8 @@ report_capabilities() {
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
+	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1161,6 +1168,9 @@ report_capabilities1() {
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
+    report_capability1 TCPMSS_MATCH
+    report_capability1 HASHLIMIT_MATCH
+    report_capability1 NFQUEUE_TARGET
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
 }
@@ -1331,7 +1341,7 @@ do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = dispos
     fi
 
     if [ ${#prefix} -gt 29 ]; then
-	prefix=`echo "$prefix" | truncate 29`
+	prefix="`echo "$prefix" | truncate 28` "
 	error_message "WARNING: Log Prefix shortened to \"$prefix\""
     fi
 

Shorewall-common/lib.cli

@@ -147,12 +147,10 @@ packet_log() # $1 = number of messages
 {
     local options
 
-    [ -n "$realtail" ] && options="-n$1"
-
     if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/ | tail $options
+	$LOGREAD | grep 'IN=.* OUT=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ | tail $options
+	$LOGREAD | grep 'IN=.* OUT=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
 }
 
@@ -173,15 +171,8 @@ show_tc() {
 	fi
     }
 
-    ip link list | \
-    while read inx interface details; do
-	case $inx in
-	[0-9]*)
-	    show_one_tc ${interface%:}
-	    ;;
-	*)
-	    ;;
-	esac
+    ip -o link list | while read inx interface details; do
+	show_one_tc ${interface%:}
     done
 
 }
@@ -202,15 +193,8 @@ show_classifiers() {
 	fi
     }
 
-    ip link list | \
-    while read inx interface details; do
-	case $inx in
-	[0-9]*)
-	    show_one_classifier ${interface%:}
-	    ;;
-	*)
-	    ;;
-	esac
+    ip -o link list | while read inx interface details; do
+	show_one_classifier ${interface%:}
     done
 
 }

Shorewall-common/lib.config

@@ -506,6 +506,9 @@ setup_ipsec() {
 	    if [ -s ${TMP_DIR}/ipsec ]; then
 		progress_message "$DOING ipsec..."
 		[ $PROGRAM = compiler ] && save_progress_message "Setting up IPSEC management..."
+		f=ipsec
+	    else
+		return
 	    fi
 	    ;;
     esac

Shorewall-common/modules

@@ -102,6 +102,7 @@ loadmodule sch_sfq
 loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
+loadmodule act_police
 #
 # Extensions
 #

Shorewall-common/shorewall

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V3.4
+#     Shorewall Packet Filtering Firewall Control Program - V4.0
 #
 #     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
 #
@@ -156,9 +156,9 @@ get_config() {
 	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
-		LOGREAD="logread"
+		LOGREAD="logread | tac"
 	    elif [ -f $LOGFILE ]; then
-		LOGREAD="cat $LOGFILE"
+		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
 		exit 2
@@ -1282,7 +1282,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -C {shell|perl} ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -C {shell|perl} ] [ <directory name> ] <path name>"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1307,7 +1307,7 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]"
     echo "   start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try [ -C {shell|perl} ] <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1542,15 +1542,27 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|reset|clear)
+    stop|clear)
+	if [ "x$2" = x-f ]; then
+	    [ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
+	    shift;
+	fi
+
 	[ $# -ne 1 ] && usage 1
 	get_config
 	export NOROUTES
-	[ -x ${VARDIR}/.restore ] && FIREWALL=${VARDIR}/.restore
 	mutex_on
 	$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
 	mutex_off
 	;;
+    reset)
+	[ $# -ne 1 ] && usage 1
+	get_config
+	export NOROUTES
+	mutex_on
+	$SHOREWALL_SHELL $FIREWALL $debugging $nolock reset
+	mutex_off
+	;;
     compile)
 	get_config Yes
 	shift

Shorewall-common/shorewall-common.spec

@@ -1,5 +1,5 @@
 %define name shorewall-common
-%define version 4.0.2
+%define version 4.0.3
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -240,6 +240,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 
 %changelog
+* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net

Shorewall-common/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.2
+VERSION=4.0.3
 
 usage() # $1 = exit status
 {