Document portlist-splitting change

Samples/one-interface/shorewall.conf

@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=On
+IP_FORWARDING=Off
 
 ADD_IP_ALIASES=Yes
 

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.0
-%define release 1
+%define version 4.4.1
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -98,8 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,27 +35,16 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Called by the compiler to [re-]initialize this module's state
 #
-
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Accounting
 #
@@ -109,7 +98,7 @@ sub process_accounting_rule( ) {
 		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
-	    } 
+	    }
 
 	    $target = jump_to_chain $action;
 	}

Shorewall/Perl/Shorewall/Actions.pm

@@ -56,7 +56,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -91,15 +91,15 @@ our $family;
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
 
     $family          = shift;
@@ -113,10 +113,6 @@ sub initialize( $ ) {
     %macros          = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # This function determines the logging for a subordinate action or a rule within a superior action
 #
@@ -232,7 +228,7 @@ sub merge_macro_column( $$ ) {
 # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
 #
 sub isolate_basic_target( $ ) {
-    my $target = ( split '[/:]', $_[0])[0]; 
+    my $target = ( split '[/:]', $_[0])[0];
 
     $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
@@ -705,7 +701,7 @@ sub process_action3( $$$$$ ) {
 
 	( $action2 , my $param ) = get_target_param $action2;
 
-	my $action2type = $targets{$action2} || 0; 
+	my $action2type = $targets{$action2} || 0;
 
 	unless ( $action2type == STANDARD ) {
 	    if ( $action2type & ACTION ) {
@@ -875,10 +871,10 @@ sub process_actions3 () {
 		       'allowBcast'     => \&allowBcast,
 		       'dropNotSyn'     => \&dropNotSyn,
 		       'rejNotSyn'      => \&rejNotSyn,
-		       'dropInvalid'    => \&dropInvalid, 
+		       'dropInvalid'    => \&dropInvalid,
 		       'allowInvalid'   => \&allowInvalid,
-		       'allowinUPnP'    => \&allowinUPnP, 
-		       'forwardUPnP'    => \&forwardUPnP, 
+		       'allowinUPnP'    => \&allowinUPnP,
+		       'forwardUPnP'    => \&forwardUPnP,
 		       'Limit'          => \&Limit, );
 
     for my $wholeaction ( keys %usedactions ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -50,7 +50,7 @@ our @EXPORT = qw(
 		  $filter_table
 		  );
 
-our %EXPORT_TAGS = ( 
+our %EXPORT_TAGS = (
 		    internal => [  qw( STANDARD
 				       NATRULE
 				       BUILTIN
@@ -83,7 +83,7 @@ our %EXPORT_TAGS = (
 				       clear_comment
 				       incr_cmd_level
 				       decr_cmd_level
-				       chain_base 
+				       chain_base
 				       forward_chain
 				       zone_forward_chain
 				       use_forward_chain
@@ -111,7 +111,6 @@ our %EXPORT_TAGS = (
 				       new_builtin_chain
 				       new_nat_chain
 				       ensure_filter_chain
-				       initialize_chain_table
 				       finish_section
 				       setup_zone_mss
 				       newexclusionchain
@@ -166,7 +165,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 #
 # Chain Table
@@ -297,16 +296,17 @@ our %builtin_target = ( ACCEPT   => 1,
 			NFQUEUE  => 1,
 			REDIRECT => 1 );
 
+sub initialize_chain_table();
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
 
@@ -357,10 +357,8 @@ sub initialize( $ ) {
     $global_variables   = 0;
     $idiotcount         = 0;
 
-}
+    initialize_chain_table;
 
-INIT {
-    initialize( F_IPV4 );
 }
 
 #
@@ -416,10 +414,11 @@ sub decr_cmd_level( $ ) {
 #
 
 sub add_commands ( $$;@ ) {
-    my $chainref = shift @_;
+    my $chainref    = shift @_;
+    my $indentation = '    ' x $chainref->{cmdlevel};
 
     for ( @_ ) {
-	push @{$chainref->{rules}}, join ('', '    ' x $chainref->{cmdlevel} , $_ );
+	push @{$chainref->{rules}}, join ('', $indentation , $_ );
     }
 
     $chainref->{referenced} = 1;
@@ -435,7 +434,7 @@ sub push_rule( $$ ) {
 	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
     } else {
 	#
-	# We omit the chain name for now -- this makes it easier to move rules from one 
+	# We omit the chain name for now -- this makes it easier to move rules from one
 	# chain to another
 	#
 	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
@@ -444,12 +443,22 @@ sub push_rule( $$ ) {
 }
 
 #
-# Post-process a rule having an sport list. Split the rule into multiple rules if necessary
+# Post-process a rule having a port list. Split the rule into multiple rules if necessary
 # to work within the 15-element limit imposed by iptables/Netfilter.
 #
+# The third argument ($dport) indicates what type of list we are spltting:
+#
+#      $dport == 1     Destination port list
+#      $dport == 0     Source port list
+#
+# When expanding a Destination port list, each resulting rule is checked for the presence
+# of a Source port list; if one is present, the function calls itself recursively with
+# $dport == 0.
+#
+sub handle_port_list( $$$$$$ );
 
-sub handle_sport_list( $$$$$ ) {
-    my ($chainref, $rule, $first, $ports, $rest) = @_;
+sub handle_port_list( $$$$$$ ) {
+    my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
 
     if ( port_count( $ports ) > 15 ) {
 	#
@@ -473,50 +482,7 @@ sub handle_sport_list( $$$$$ ) {
 			last;
 		    } else {
 			$newports .= $port;
-		    }	
-		} else {
-		    $newports .= "${port}${separator}";
-		}
-	    }
-
-	    push_rule ( $chainref, join( '', $first, $newports, $rest ) );
-	}
-    } else {
-	push_rule ( $chainref, $rule );
-    }
-}
-
-#
-# Post-process a rule having an dport list. Split the rule into multiple rules if necessary
-# to work within the 15-element limit imposed by iptables/Netfilter.
-#
-
-sub handle_dport_list( $$$$$ ) {
-    my ($chainref, $rule, $first, $ports, $rest) = @_;
-
-    if ( port_count( $ports ) > 15 ) {
-	#
-	# More than 15 ports specified
-	#
-	my @ports = split '([,:])', $ports;
-
-	while ( @ports ) {
-	    my $count = 0;
-	    my $newports = '';
-
-	    while ( @ports && $count < 15 ) {
-		my ($port, $separator) = ( shift @ports, shift @ports );
-
-		$separator ||= '';
-
-		if ( ++$count == 15 ) {
-		    if ( $separator eq ':' ) {
-			unshift @ports, $port, ':';
-			chop $newports;
-			last;
-		    } else {
-			$newports .= $port;
-		    }	
+		    }
 		} else {
 		    $newports .= "${port}${separator}";
 		}
@@ -524,14 +490,14 @@ sub handle_dport_list( $$$$$ ) {
 
 	    my $newrule = join( '', $first, $newports, $rest );
 
-	    if ( $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-		handle_sport_list( $chainref, $newrule, $1, $2, $3 );
+	    if ( $dport && $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+		handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
 	    } else {
 		push_rule ( $chainref, $newrule );
 	    }
 	}
-    } elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-	handle_sport_list( $chainref, $rule, $1, $2, $3 );
+    } elsif ( $dport && $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+	handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
     } else {
 	push_rule ( $chainref, $rule );
     }
@@ -561,12 +527,12 @@ sub add_rule($$;$)
 	    #
 	    # Rule has a --dports specification
 	    #
-	    handle_dport_list( $chainref, $rule, $1, $2, $3 )
+	    handle_port_list( $chainref, $rule, 1, $1, $2, $3 )
 	} elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
 	    #
 	    # Rule has a --sports specification
 	    #
-	    handle_sport_list( $chainref, $rule, $1, $2, $3 )
+	    handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
 	} else {
 	    push_rule ( $chainref, $rule );
 	}
@@ -613,7 +579,7 @@ sub add_jump( $$$;$$ ) {
 }
 
 #
-# Purge jumps previously added via add_jump. If the target chain is empty, reset its 
+# Purge jumps previously added via add_jump. If the target chain is empty, reset its
 # referenced flag
 #
 sub purge_jump ( $$ ) {
@@ -623,7 +589,7 @@ sub purge_jump ( $$ ) {
     for ( @{$fromref->{rules}} ) {
 	$_ = undef if / -[gj] ${to}\b/;
     }
-	
+
     $toref->{referenced} = 0 unless @{$toref->{rules}};
 }
 
@@ -673,7 +639,7 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
-# The source chain must not have any run-time code included in its rules. 
+# The source chain must not have any run-time code included in its rules.
 #
 sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
@@ -785,10 +751,13 @@ sub use_input_chain($) {
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
-    # We must use the interfaces's chain if the interface is associated with multiple zone nets or
-    # if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain
-    # run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
-    #    
+    # We must use the interfaces's chain if:
+    #
+    # - the interface is associated with multiple zone nets; or
+    # - the interface has the 'upnpclient' option.
+    #
+    # In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
+    #
     return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
     #
     # Don't need it if it isn't associated with any zone
@@ -815,7 +784,7 @@ sub use_input_chain($) {
     $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
 
     ! ( $chainref->{referenced} || $chainref->{is_policy} )
-}   
+}
 
 #
 # Output Chain for an interface
@@ -841,7 +810,7 @@ sub use_output_chain($) {
     my $nets = $interfaceref->{nets};
     #
     # We must use the interfaces's chain if the interface is associated with multiple zone nets
-    #    
+    #
     return 1 if $nets > 1;
     #
     # Don't need it if it isn't associated with any zone
@@ -849,7 +818,7 @@ sub use_output_chain($) {
     return 0 unless $nets;
     #
     # Interface associated with a single zone -- use the zone's output chain if it has one
-    #    
+    #
     my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
 
     return 0 if $chainref;
@@ -900,7 +869,7 @@ sub dnat_chain( $ )
 #
 # Notrack Chain from a zone
 #
-sub notrack_chain( $ ) 
+sub notrack_chain( $ )
 {
     $_[0] . '_notrk';
 }
@@ -987,7 +956,7 @@ sub ensure_filter_chain( $$ )
 }
 
 #
-# Create an accounting chain if necessary. 
+# Create an accounting chain if necessary.
 #
 sub ensure_accounting_chain( $  )
 {
@@ -1010,9 +979,7 @@ sub ensure_mangle_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'mangle', $chain;
-
     $chainref->{referenced} = 1;
-
     $chainref;
 }
 
@@ -1020,9 +987,7 @@ sub ensure_nat_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'nat', $chain;
-
     $chainref->{referenced} = 1;
-
     $chainref;
 }
 
@@ -1076,7 +1041,8 @@ sub ensure_manual_chain($) {
 }
 
 #
-# Add all builtin chains to the chain table
+# Add all builtin chains to the chain table -- it is separate from initialize() for purely historical reasons.
+# The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
 #
 sub initialize_chain_table()
@@ -1214,7 +1180,6 @@ sub finish_chain_section ($$) {
 	}
 
 	$chainref->{new} = @{$chainref->{rules}};
-
     }
 
     $comment = $savecomment;
@@ -1268,7 +1233,7 @@ sub set_mss( $$$ ) {
 }
 
 #
-# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. 
+# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
 #
 sub setup_zone_mss() {
     for my $zone ( all_zones ) {
@@ -1307,7 +1272,7 @@ sub newnonatchain() {
 #
 #       Add a jump to the passed chain
 #
-#       Return the exclusion chain. The type of the returned value 
+#       Return the exclusion chain. The type of the returned value
 #                                   matches what was passed (reference
 #                                   or name).
 #
@@ -1358,6 +1323,8 @@ sub port_count( $ ) {
 #
 # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
 #
+# If the optional argument is true, port lists > 15 result in a fatal error.
+#
 sub do_proto( $$$;$ )
 {
     my ($proto, $ports, $sports, $restricted ) = @_;
@@ -1374,7 +1341,7 @@ sub do_proto( $$$;$ )
 	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
 	my $protonum = resolve_proto $proto;
 
-	if ( defined $protonum ) {	    
+	if ( defined $protonum ) {
 	    #
 	    # Protocol is numeric and <= 65535 or is defined in /etc/protocols or NSS equivalent
 	    #
@@ -1533,7 +1500,7 @@ sub verify_mark( $ ) {
 
 sub verify_small_mark( $ ) {
     verify_mark ( (my $mark) = $_[0] );
-    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF ); 
+    fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x3FFF : 0xFF );
 }
 
 sub validate_mark( $ ) {
@@ -1580,7 +1547,7 @@ sub do_ratelimit( $$ ) {
 
     fatal_error "Rate Limiting not available with $action" if $norate{$action};
     #
-    # "-m hashlimit" match for the passed LIMIT/BURST 
+    # "-m hashlimit" match for the passed LIMIT/BURST
     #
     if ( $rate =~ /^[sd]:{1,2}/ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
@@ -1616,7 +1583,7 @@ sub do_connlimit( $ ) {
 
     return '' unless $limit and $limit ne '-';
 
-    require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';  
+    require_capability 'CONNLIMIT_MATCH', 'A non-empty CONNLIMIT', 's';
 
     my $invert =  $limit =~ s/^!// ? '' : '! '; # Note Carefully -- we actually do 'connlimit-at-or-below'
 
@@ -1741,8 +1708,8 @@ sub do_connbytes( $ ) {
     my $invert = $1 || ''; $invert = '! ' if $invert;
     my $min    = $2;       $min    = 0  unless defined $min;
     my $max    = $3;       $max    = '' unless defined $max; fatal_error "Invalid byte range ($min:$max)" if $max ne '' and $min > $max;
-    my $dir    = $5 || 'B'; 
-    my $mode   = $6 || 'B'; 
+    my $dir    = $5 || 'B';
+    my $mode   = $6 || 'B';
 
     $dir  =~ s/://;
     $mode =~ s/://;
@@ -1851,14 +1818,14 @@ sub match_source_net( $;$ ) {
 
     $restriction |= NO_RESTRICT;
 
-    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
-	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
+    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
+	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
 	iprange_match . "${invert}--src-range $net ";
     } elsif ( $net =~ /^!?~/ ) {
-	fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;	
+	fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
 	mac_match $net;
     } elsif ( $net =~ /^(!?)\+/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
@@ -1873,13 +1840,13 @@ sub match_source_net( $;$ ) {
 }
 
 #
-# Match a Destination. 
+# Match a Destination.
 #
 sub match_dest_net( $ ) {
     my $net = $_[0];
 
-    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
-	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
+    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
+	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -1950,7 +1917,7 @@ sub match_ipsec_out( $$ ) {
 
     unless ( $optionsref->{super} ) {
 	$match = '-m policy --dir out --pol ';
-	
+
 	if ( $zoneref->{type} eq 'ipsec' ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
 	} elsif ( $capabilities{POLICY_MATCH} ) {
@@ -2145,7 +2112,7 @@ sub set_chain_variables() {
     } else {
 	emit 'IP=ip';
     }
-    
+
     if ( $config{TC} ) {
 	emit( qq(TC="$config{TC}") ,
 	      '[ -x "$TC" ] || startup_error "TC=$TC does not exist or is not executable"'
@@ -2373,21 +2340,21 @@ sub have_global_variables() {
 #
 
 sub set_global_variables( $ ) {
-    
+
     my $setall = shift;
 
     emit $_ for values %interfaceaddr;
     emit $_ for values %interfacegateways;
     emit $_ for values %interfacemacs;
-	
-    if ( $setall ) {    
+
+    if ( $setall ) {
 	emit $_ for values %interfaceaddrs;
 	emit $_ for values %interfacenets;
 
 	unless ( $capabilities{ADDRTYPE} ) {
 
 	    if ( $family == F_IPV4 ) {
-		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';		
+		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
 		emit $_ for values %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
@@ -2563,7 +2530,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    }
 
 	    $dest = '';
-	} elsif ( $family == F_IPV4 ) { 
+	} elsif ( $family == F_IPV4 ) {
 	    if ( $dest =~ /^(.+?):(.+)$/ ) {
 		$diface = $1;
 		$dnets  = $2;
@@ -2604,7 +2571,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
 	    $rule .= '-d $dest ';
 	} else {
-	    
+
 	    fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
 	    fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
 
@@ -2800,7 +2767,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 		    $source_match  = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet );
 		    my $predicates = join( '', $rule, $source_match, $dest_match, $onet );
-		    
+
 		    if ( $loglevel ne '' ) {
 			if ( $disposition ne 'LOG' ) {
 			    unless ( $logname ) {
@@ -2815,7 +2782,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				#
 				# Now add the log rule and target rule without predicates to the log chain.
 				#
-				log_rule_limit( 
+				log_rule_limit(
 					       $loglevel ,
 					       $chainref = $logchainref ,
 					       $chain ,
@@ -2827,7 +2794,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 
 				add_rule( $chainref, $exceptionrule . $target );
 			    } else {
-				log_rule_limit( 
+				log_rule_limit(
 					       $loglevel ,
 					       $chainref ,
 					       $logname ,
@@ -2938,14 +2905,10 @@ sub create_netfilter_load( $ ) {
 
     my @table_list;
 
-    if ( $family == F_IPV4 ) {
-	push @table_list, 'raw'    if $capabilities{RAW_TABLE};
-	push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
-	push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
-	push @table_list, 'filter';
-    } else {
-	@table_list = qw( raw mangle filter );
-    }
+    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+    push @table_list, 'filter';
 
     $mode = NULL_MODE;
 
@@ -3168,14 +3131,10 @@ sub create_stop_load( $ ) {
 
     my @table_list;
 
-    if ( $family == F_IPV4 ) {
-	push @table_list, 'raw'    if $capabilities{RAW_TABLE};
-	push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
-	push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
-	push @table_list, 'filter';
-    } else {
-	@table_list = qw( raw mangle filter );
-    }
+    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+    push @table_list, 'filter';
 
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
@@ -3237,7 +3196,7 @@ sub create_stop_load( $ ) {
     #
     # Test result
     #
-    emit ('', 
+    emit ('',
 	  'if [ $? != 0 ]; then',
 	   '    error_message "ERROR: $command Failed."',
 	   "fi\n"

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,20 +43,18 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 our $export;
 
 our $test;
 
-our $reused = 0;
-
-our $family = F_IPV4;
+our $family;
 
 #
-# Reinitilize the package-globals in the other modules
+# Initilize the package-globals in the other modules
 #
-sub reinitialize() {
+sub initialize_package_globals() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -79,11 +77,11 @@ sub reinitialize() {
 #
 sub generate_script_1() {
 
-    my $date = localtime;
-
     if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
     } else {
+	my $date = localtime;
+
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
@@ -248,7 +246,7 @@ sub generate_script_2() {
 	} else {
 	    emit( 'start|restart|refresh|restore)' );
 	}
-	 
+
 	push_indent;
 
 	set_global_variables(1);
@@ -256,10 +254,10 @@ sub generate_script_2() {
 	handle_optional_interfaces;
 
 	emit ';;';
-    
+
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
-	
+
 	    emit 'restore)';
 
 	    push_indent;
@@ -364,7 +362,7 @@ sub generate_script_3($) {
 
 	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 
-	    emit ( '' , 
+	    emit ( '' ,
 		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
@@ -383,7 +381,7 @@ sub generate_script_3($) {
 	       '' );
 
 	mark_firewall_not_started;
-		       	       
+
 	emit ('',
 	       'delete_proxyarp',
 	       ''
@@ -526,14 +524,14 @@ EOF
 #
 sub compiler {
 
-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
+    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
        ( '',          '',         -1,          '',          0,      '',       '',   -1 );
 
     $export = 0;
     $test   = 0;
 
     sub validate_boolean( $ ) {
-	 my $val = numeric_value( shift ); 
+	 my $val = numeric_value( shift );
 	 defined($val) && ($val >= 0) && ($val < 2);
      }
 
@@ -572,14 +570,17 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    reinitialize if $reused++ || $family == F_IPV6;
+    #
+    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
+    #
+    initialize_package_globals;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbose( $verbosity );
+    set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -595,12 +596,11 @@ sub compiler {
     require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
-
-    initialize_chain_table;
-
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
+	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_object( $objectfile , $export );
+    } else {
+	set_command( 'check', 'Checking', 'Checked' );
     }
 
     #
@@ -640,8 +640,8 @@ sub compiler {
     setup_notrack;
 
     enable_object;
-    
-    unless ( $command eq 'check' ) {
+
+    if ( $objectfile ) {
 	#
 	# Place Header in the object
 	#
@@ -657,7 +657,7 @@ sub compiler {
 	    );
 
 	push_indent;
-    } 
+    }
     #
     # Do all of the zone-independent stuff
     #
@@ -681,7 +681,7 @@ sub compiler {
     #
     setup_zone_mss;
 
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
@@ -693,9 +693,8 @@ sub compiler {
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
     enable_object;
-    
-    unless ( $command eq 'check' ) {
 
+    if ( $objectfile ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -713,7 +712,7 @@ sub compiler {
     #
     setup_tc;
 
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
 	pop_indent;
 	emit "}\n";
     }
@@ -733,7 +732,7 @@ sub compiler {
 	#
 	# Setup Masquerading/SNAT
 	#
-	setup_masq; 
+	setup_masq;
 	#
 	# Setup Nat
 	#
@@ -774,15 +773,9 @@ sub compiler {
     #
     setup_accounting;
 
-    if ( $command eq 'check' ) {
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
-    } else {
+    if ( $objectfile ) {
 	#
-	# Generate the zone x zone matrix
+	# Generate the zone by zone matrix
 	#
 	generate_matrix;
 
@@ -804,8 +797,7 @@ sub compiler {
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
-	initialize_chain_table;
-	compile_stop_firewall( $test ); 
+	compile_stop_firewall( $test );
 	#
 	# Copy the footer to the object
 	#
@@ -816,7 +808,7 @@ sub compiler {
 		copy $globals{SHAREDIRPL} . 'prog.footer6';
 	    }
 	}
-	
+
 	disable_object;
 	#
 	# Close, rename and secure the object
@@ -826,6 +818,12 @@ sub compiler {
 	# And generate the auxilary config file
 	#
 	enable_object, generate_aux_config if $export;
+    } else {
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -54,7 +54,7 @@ our @EXPORT = qw(
 
 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
 
-our %EXPORT_TAGS = ( internal => [ qw( create_temp_object 
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 				       finalize_object
 				       enable_object
 				       disable_object
@@ -72,7 +72,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 				       save_progress_message
 				       save_progress_message_short
 				       set_timestamp
-				       set_verbose
+				       set_verbosity
 				       set_log
 				       close_log
 				       set_command
@@ -123,11 +123,11 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 
 				       MIN_VERBOSITY
 				       MAX_VERBOSITY
-				     ) ] );	       
+				     ) ] );
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_1';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -136,11 +136,11 @@ our ($command, $doing, $done );
 #
 # VERBOSITY
 #
-our $verbose;
+our $verbosity;
 #
 # Logging
 #
-our ( $log, $log_verbose );
+our ( $log, $log_verbosity );
 #
 # Timestamp each progress message, if true.
 #
@@ -202,9 +202,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MULTIPORT       => 'Multi-port Match' ,
 		 XMULTIPORT      => 'Extended Multi-port Match',
 		 CONNTRACK_MATCH => 'Connection Tracking Match',
-		 OLD_CONNTRACK_MATCH => 
+		 OLD_CONNTRACK_MATCH =>
 		                    'Old conntrack match syntax',
-		 NEW_CONNTRACK_MATCH => 
+		 NEW_CONNTRACK_MATCH =>
 		                    'Extended Connection Tracking Match',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
@@ -241,6 +241,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOG_TARGET      => 'LOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
+		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@@ -284,13 +285,14 @@ use constant { MIN_VERBOSITY => -1,
 our %validlevels;             # Valid log levels.
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function and when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
     $family = shift;
@@ -299,13 +301,11 @@ sub initialize( $ ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
     } else {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES );
-    }	
+    }
 
-    ( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
-
-    $verbose = 0;              # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
+    $verbosity = 0;            # Verbosity setting. -1 = silent, 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
     $log = undef;              # File reference for log file
-    $log_verbose = -1;         # Verbosity of log.
+    $log_verbosity = -1;       # Verbosity of log.
     $timestamp = '';           # If true, we are to timestamp each progress message
     $object = 0;               # Object (script) file Handle Reference
     $object_enabled = 0;       # Object (script) file Handle Reference
@@ -327,8 +327,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.0.1",
-		    CAPVERSION => 40310 ,
+		    VERSION => "4.4.1",
+		    CAPVERSION => 40401 ,
 		  );
 
     #
@@ -464,7 +464,7 @@ sub initialize( $ ) {
 		         LOGMARK => 'LOGMARK' );
     } else {
 	$globals{SHAREDIR} = '/usr/share/shorewall6';
-	$globals{CONFDIR}  = '/etc/shorewall6';	
+	$globals{CONFDIR}  = '/etc/shorewall6';
 	$globals{PRODUCT}  = 'shorewall6';
 
 	%config =
@@ -613,6 +613,7 @@ sub initialize( $ ) {
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
+	       PERSISTENT_SNAT => undef,
 	       CAPVERSION => undef,
 	       );
     #
@@ -640,7 +641,6 @@ sub initialize( $ ) {
 }
 
 INIT {
-    initialize( F_IPV4 );
     #
     # These variables appear within single quotes in shorewall.conf -- add them to ENV
     # so that read_a_line doesn't have to be smart enough to parse that usage.
@@ -661,7 +661,7 @@ sub warning_message
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
     our @localtime;
 
-    $| = 1;
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
 
     if ( $log ) {
 	@localtime = localtime;
@@ -676,7 +676,22 @@ sub warning_message
 	print $log   "   WARNING: @_$currentlineinfo\n" if $log;
     }
 
-    $| = 0;
+    $| = 0; #Re-allow output buffering
+}
+
+sub cleanup() {
+    #
+    # Close files first in case we're running under Cygwin
+    #
+    close  $object, $object = undef         if $object;
+    close  $scriptfile, $scriptfile = undef if $scriptfile;
+    close  $log, $log = undef               if $log;
+    #
+    # Unlink temporary files
+    #
+    unlink ( $tempfile ), $tempfile = undef             if $tempfile;
+    unlink ( $scriptfilename ), $scriptfilename = undef if $scriptfilename;
+    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
 }
 
 #
@@ -686,7 +701,7 @@ sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
 
-    $| = 1;
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
 
     if ( $log ) {
 	our @localtime = localtime;
@@ -702,6 +717,7 @@ sub fatal_error	{
 	$log = undef;
     }
 
+    cleanup;
     confess "   ERROR: @_$currentlineinfo" if $debug;
     die "   ERROR: @_$currentlineinfo\n";
 }
@@ -723,6 +739,7 @@ sub fatal_error1	{
 	$log = undef;
     }
 
+    cleanup;
     confess "   ERROR: @_" if $debug;
     die "   ERROR: @_\n";
 }
@@ -854,14 +871,14 @@ sub set_timestamp( $ ) {
 }
 
 #
-# Set $verbose
+# Set $verbosity
 #
-sub set_verbose( $ ) {
-    $verbose = shift;
+sub set_verbosity( $ ) {
+    $verbosity = shift;
 }
 
 #
-# Set $log and $log_verbose
+# Set $log and $log_verbosity
 #
 sub set_log ( $$ ) {
     my ( $l, $v ) = @_;
@@ -869,16 +886,16 @@ sub set_log ( $$ ) {
     if ( defined $v ) {
 	my $value = numeric_value( $v );
 	fatal_error "Invalid Log Verbosity ( $v )" unless defined($value) && ( $value >= -1 ) && ( $value <= 2);
-	$log_verbose = $value;
+	$log_verbosity = $value;
     }
 
-    if ( $l && $log_verbose >= 0 ) {	
+    if ( $l && $log_verbosity >= 0 ) {
 	unless ( open $log , '>>' , $l ) {
-	    $log = undef; 
+	    $log = undef;
 	    fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!";
 	}
     } else {
-	$log_verbose = -1;
+	$log_verbosity = -1;
     }
 }
 
@@ -902,17 +919,17 @@ sub timestamp() {
 }
 
 #
-# Write a message if $verbose >= 2
+# Write a message if $verbosity >= 2
 #
 sub progress_message {
     my $havelocaltime = 0;
 
-    if ( $verbose > 1 || $log_verbose > 1 ) {
+    if ( $verbosity > 1 || $log_verbosity > 1 ) {
 	my $line = "@_";
 	my $leading = $line =~ /^(\s+)/ ? $1 : '';
 	$line =~ s/\s+/ /g;
 
-	if ( $verbose > 1 ) {
+	if ( $verbosity > 1 ) {
 	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
@@ -921,10 +938,10 @@ sub progress_message {
 	    print "${leading}${line}\n";
 	}
 
-	if ( $log_verbose > 1 ) {
+	if ( $log_verbosity > 1 ) {
 	    our @localtime;
 
-	    @localtime = localtime unless $havelocaltime; 
+	    @localtime = localtime unless $havelocaltime;
 
 	    printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	    print $log "${leading}${line}\n";
@@ -935,15 +952,15 @@ sub progress_message {
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
-    if ( $verbose > 1 ) {
+    if ( $verbosity > 1 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbose > 1 ) {
+    if ( $log_verbosity > 1 ) {
 	our @localtime;
 
-	@localtime = localtime unless $havelocaltime; 
+	@localtime = localtime unless $havelocaltime;
 
 	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
@@ -951,20 +968,20 @@ sub progress_message_nocompress {
 }
 
 #
-# Write a message if $verbose >= 1
+# Write a message if $verbosity >= 1
 #
 sub progress_message2 {
     my $havelocaltime = 0;
 
-    if ( $verbose > 0 ) {
+    if ( $verbosity > 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbose > 0 ) {
+    if ( $log_verbosity > 0 ) {
 	our @localtime;
 
-	@localtime = localtime unless $havelocaltime; 
+	@localtime = localtime unless $havelocaltime;
 
 	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
@@ -972,17 +989,17 @@ sub progress_message2 {
 }
 
 #
-# Write a message if $verbose >= 0
+# Write a message if $verbosity >= 0
 #
 sub progress_message3 {
     my $havelocaltime = 0;
 
-    if ( $verbose >= 0 ) {
+    if ( $verbosity >= 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbose >= 0 ) {
+    if ( $log_verbosity >= 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime;
@@ -1034,7 +1051,7 @@ sub copy( $ ) {
 		$lastlineblank = 1;
 	    } else {
 		if  ( $indent ) {
-		    s/^(\s*)/$indent1$1$indent2/; 
+		    s/^(\s*)/$indent1$1$indent2/;
 		    s/        /\t/ if $indent2;
 		}
 
@@ -1114,7 +1131,7 @@ sub create_temp_object( $$ ) {
     my $suffix;
 
     if ( $objectfile eq '-' ) {
-	$verbose = -1;
+	$verbosity = -1;
 	$object = undef;
 	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
@@ -1125,7 +1142,7 @@ sub create_temp_object( $$ ) {
 	( $file, $dir, $suffix ) = fileparse( $objectfile );
     };
 
-    die if $@;
+    cleanup, die if $@;
 
     fatal_error "$dir is a Symbolic Link"        if -l $dir;
     fatal_error "Directory $dir does not exist"  unless -d _;
@@ -1171,7 +1188,7 @@ sub create_temp_aux_config() {
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
-    die if $@;
+    cleanup, die if $@;
 }
 
 #
@@ -1366,7 +1383,7 @@ sub pop_include() {
     } else {
 	$currentfile = undef;
     }
-}    
+}
 
 #
 # This function is normally called below in read_a_line() when EOF is reached. Clients of the
@@ -1406,6 +1423,11 @@ sub pop_open() {
     pop_include;
 }
 
+#
+# This function is called by in-line PERL to generate a line of input for the current file.
+# If the in-line PERL returns an indication of success, then the generated lines will be
+# processed as regular file input.
+#
 sub shorewall {
     unless ( $scriptfile ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;
@@ -1423,18 +1445,18 @@ sub shorewall {
 }
 
 #
-# We don't announce that we are checking/compiling a file until we determine that the file contains 
+# We don't announce that we are checking/compiling a file until we determine that the file contains
 # at least one non-blank, non-commentary line.
 #
 # The argument to this function may be either a scalar or a function reference. When the first
-# non-blank/non-commentary line is reached: 
+# non-blank/non-commentary line is reached:
 #
 # - if a function reference was passed to first_entry(), that function is called
 # - otherwise, the argument to first_entry() is passed to progress_message2().
 #
 # We do this processing in read_a_line() rather than in the higher-level routines because
 # Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
-# until we get back to the caller of read_a_line(), we could issue error messages about parsing and 
+# until we get back to the caller of read_a_line(), we could issue error messages about parsing and
 # running scripts in the file before we'd even indicated that we are processing it.
 #
 sub first_entry( $ ) {
@@ -1443,7 +1465,7 @@ sub first_entry( $ ) {
     if ( $reftype ) {
 	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
     }
-}   
+}
 
 sub embedded_shell( $ ) {
     my $multiline = shift;
@@ -1483,7 +1505,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
     my $multiline = shift;
 
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );		
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
 
     if ( $multiline ) {
 	#
@@ -1514,9 +1536,9 @@ sub embedded_perl( $ ) {
 	}
 
 	unless ( defined $return ) {
-	    fatal_error "Perl Script failed: $!" if $!; 
+	    fatal_error "Perl Script failed: $!" if $!;
 	    fatal_error "Perl Script failed";
-	} 
+	}
 
 	fatal_error "Perl Script Returned False";
     }
@@ -1585,6 +1607,10 @@ sub read_a_line() {
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
 	    if ( $first_entry ) {
+		#
+		# $first_entry can contain either a function reference or a message. If it
+		# contains a reference, call the function -- otherwise issue the message
+		#
 		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
 		$first_entry = 0;
 	    }
@@ -1817,7 +1843,7 @@ sub report_capability( $ ) {
 }
 
 sub report_capabilities() {
-    if ( $verbose > 1 ) {
+    if ( $verbosity > 1 ) {
 	print "Shorewall has detected the following capabilities:\n";
 
 	for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
@@ -1923,6 +1949,14 @@ sub determine_capabilities( $ ) {
 
     $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
 
+    if ( $capabilities{NAT_ENABLED} ) {
+	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
+	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to source 1.2.3.4 --persistent" );
+	    qt1( "$iptables -t NAT -F $sillyname" );
+	    qt1( "$iptables -t NAT -X $sillyname" );
+	}
+    }
+
     $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
 
     qt1( "$iptables -N $sillyname" );
@@ -2003,7 +2037,7 @@ sub determine_capabilities( $ ) {
 
 	$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
 	$capabilities{IPMARK_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
-	
+
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );
 
@@ -2262,7 +2296,7 @@ sub get_configuration( $ ) {
     }
 
     check_trivalue ( 'IP_FORWARDING', 'on' );
-    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6; 
+    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
 
     if ( $family == F_IPV4 ) {
 	check_trivalue ( 'LOG_MARTIANS',  'on' );
@@ -2423,7 +2457,8 @@ sub get_configuration( $ ) {
     default 'ACCEPT_DEFAULT'        , 'none';
     default 'OPTIMIZE'              , 0;
 
-    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones';
+    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec';
+    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}"                    unless $config{IPSECFILE} eq 'zones';
 
     for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
@@ -2433,7 +2468,6 @@ sub get_configuration( $ ) {
 
     fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
 
-    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones';
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -2466,7 +2500,7 @@ sub get_configuration( $ ) {
 	    ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} );
 	};
 
-	die $@ if $@;
+	cleanup, die $@ if $@;
 
 	fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless $export or -d $dir;
     } else {
@@ -2507,7 +2541,7 @@ sub append_file( $;$ ) {
 	    } else {
 		#
 		# Include progress message -- Pretend progress_message call was in the file
-		#                             
+		#
 		$result = 1;
 		save_progress_message "Processing $user_exit ...";
 		copy1 $user_exit;
@@ -2534,9 +2568,9 @@ sub run_user_exit( $ ) {
 	    fatal_error "Couldn't parse $file: $@" if $@;
 
 	    unless ( defined $return ) {
-		fatal_error "Couldn't do $file: $!" if $!;    
+		fatal_error "Couldn't do $file: $!" if $!;
 		fatal_error "Couldn't do $file";
-	    }    
+	    }
 
 	    fatal_error "$file returned a false value";
 	}
@@ -2641,18 +2675,7 @@ sub generate_aux_config() {
 }
 
 END {
-    #
-    # Close files first in case we're running under Cygwin
-    #
-    close  $object         if $object;
-    close  $scriptfile     if $scriptfile;
-    close  $log            if $log;
-    #
-    # Unlink temporary files
-    #
-    unlink $tempfile       if $tempfile;
-    unlink $scriptfilename if $scriptfilename;
-    unlink $_ for @tempfiles; 
+    cleanup;
 }
 
 1;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -21,7 +21,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module provides interfaces for dealing with IPv4 addresses, protocol names, and
-#   port names. It also exports functions for validating protocol- and port- (service) 
+#   port names. It also exports functions for validating protocol- and port- (service)
 #   related constructs.
 #
 package Shorewall::IPAddrs;
@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
+	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
-	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -72,28 +72,34 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $family;
+our $allip;
+our @allip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
+	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
 	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
-	       ICMP                => 1, 
-	       TCP                 => 6, 
+	       ICMP                => 1,
+	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
@@ -101,23 +107,10 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
+
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Note: initialize() is declared at the bottom of the file
 #
-
-sub initialize( $ ) {
-    $family = shift;
-}
-
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -207,7 +200,7 @@ sub validate_4net( $$ ) {
 	    ( decodeaddr( $net ) , $vlsm );
 	} else {
 	    "$net/$vlsm";
-	}	    
+	}
     }
 }
 
@@ -398,7 +391,6 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
-    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -445,7 +437,7 @@ sub expand_port_range( $$ ) {
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that 
+	#      - Otherwise, find the largest power of two P that divides the first address such that
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
@@ -471,8 +463,8 @@ sub expand_port_range( $$ ) {
 
     } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    } 
-}   
+    }
+}
 
 sub valid_6address( $ ) {
     my $address = $_[0];
@@ -614,7 +606,6 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
-    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -629,31 +620,63 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    $allip;
 }
 
 sub allip() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
-}    
+    @allip;
+}
 
 sub valid_address ( $ ) {
-    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
+    $valid_address->(@_);
 }
 
 sub validate_address ( $$ ) {
-    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
+    $validate_address->(@_);
 }
 
 sub validate_net ( $$ ) {
-    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
+    $validate_net->(@_);
 }
 
-sub validate_range ($$ ) { 
-    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
+sub validate_range ($$ ) {
+    $validate_range->(@_);
 }
 
-sub validate_host ($$ ) { 
-    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
+sub validate_host ($$ ) {
+    $validate_host->(@_);
+}
+
+#
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
+#
+sub initialize( $ ) {
+    my $family = shift;
+
+    if ( $family == F_IPV4 ) {
+	$allip            = ALLIPv4;
+	@allip            = @allipv4;
+	$valid_address    = \&valid_4address;
+	$validate_address = \&validate_4address;
+	$validate_net     = \&validate_4net;
+	$validate_range   = \&validate_4range;
+	$validate_host    = \&validate_4host;
+    } else {
+	$allip            = ALLIPv6;
+	@allip            = @allipv6;
+	$valid_address    = \&valid_6address;
+	$validate_address = \&validate_6address;
+	$validate_net     = \&validate_6net;
+	$validate_range   = \&validate_6range;
+	$validate_host    = \&validate_6host;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -29,7 +29,6 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -37,29 +36,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Called by the compiler
 #
-
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Handle IPSEC Options in a masq record
 #
@@ -178,7 +167,6 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
-
     #
     # Handle Mark
     #
@@ -216,6 +204,7 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
+	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -223,7 +212,10 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:random$// and $randomize = '--random ';
+		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
+		$addresses =~ s/:random$//     and $randomize  = '--random ';
+
+		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
 
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
@@ -262,6 +254,7 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
+	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,29 +34,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Called by the compiler
 #
-
 sub initialize() {
     @policy_chains = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Convert a chain into a policy chain.
 #
@@ -140,7 +130,7 @@ sub add_or_modify_policy_chain( $$ ) {
     } else {
 	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
     }
-}    
+}
 
 sub print_policy($$$$) {
     my ( $source, $dest, $policy , $chain ) = @_;
@@ -169,7 +159,7 @@ sub process_a_policy() {
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
     my $serverwild = ( "\L$server" eq 'all' );
-    
+
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
     my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
@@ -203,7 +193,7 @@ sub process_a_policy() {
 
     if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
-	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); 
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
 	my $queuenum = numeric_value( $queue );
 	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
 	$policy = "NFQUEUE --queue-num $queuenum";
@@ -244,7 +234,7 @@ sub process_a_policy() {
 	$chainref = new_policy_chain $client, $server, $policy, 0;
 	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
     }
-    
+
     $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
 
     if ( $synparams ne '' || $connlimit ne '' ) {
@@ -277,7 +267,7 @@ sub process_a_policy() {
 	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
-	
+
     } else {
 	print_policy $client, $server, $policy, $chain;
     }
@@ -356,7 +346,7 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
+	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -62,14 +62,15 @@ our $family;
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
 
@@ -89,10 +90,6 @@ sub initialize( $ ) {
     @providers = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Set up marking for 'tracked' interfaces.
 #
@@ -120,7 +117,7 @@ sub setup_route_marking() {
 	    } else {
 		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	    }
-		
+
 	    incr_cmd_level( $chainref );
 	}
 
@@ -273,7 +270,7 @@ sub add_a_provider( ) {
     }
 
     fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
-    
+
     my $provider    = chain_base $table;
     my $base        = uc chain_base $interface;
     my $gatewaycase = '';
@@ -398,7 +395,7 @@ sub add_a_provider( ) {
     my $realm = '';
 
     fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
-    
+
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
@@ -411,7 +408,7 @@ sub add_a_provider( ) {
 	} else {
 	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
 	}
-	
+
 	$provider_interfaces{$interface} = $table;
 
 	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
@@ -540,7 +537,7 @@ sub add_an_rtrule( ) {
     fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
 
     if ( $dest eq '-' ) {
-	$dest = 'to ' . ALLIP; 
+	$dest = 'to ' . ALLIP;
     } else {
 	validate_net( $dest, 0 );
 	$dest = "to $dest";
@@ -602,12 +599,12 @@ sub setup_null_routing() {
     for ( rfc1918_networks ) {
 	emit( qq(run_ip route replace unreachable $_) );
 	emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
-    } 
+    }
 }
 
 sub start_providers() {
     require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
-    
+
     emit  ( '#',
 	    '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
 	    '#',
@@ -619,7 +616,7 @@ sub start_providers() {
 	       '# Save current routing table database so that it can be restored later',
 	       '#',
 	       'cp /etc/iproute2/rt_tables ${VARDIR}/' );
-	
+
     }
 
     emit  ( '#',
@@ -630,9 +627,9 @@ sub start_providers() {
 	    '# Initialize the file that holds \'undo\' commands',
 	    '#',
 	    '> ${VARDIR}/undo_routing' );
-    
+
     save_progress_message 'Adding Providers...';
-    
+
     emit 'DEFAULT_ROUTE=';
     emit 'FALLBACK_ROUTE=';
     emit '';
@@ -663,7 +660,7 @@ sub finish_providers() {
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
-	
+
 	emit(   'fi',
 		'' );
     } else {
@@ -727,7 +724,7 @@ sub setup_providers() {
 	    first_entry "$doing $fn...";
 
 	    emit '';
-	    
+
 	    add_an_rtrule while read_a_line;
 	}
 
@@ -744,10 +741,10 @@ sub setup_providers() {
 	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 
 	push_indent;
-	
+
 	emit "\nundo_routing";
 	emit 'restore_default_route';
-	
+
 	if ( $config{NULL_ROUTE_RFC1918} ) {
 	    emit  ( '#',
 		    '# Initialize the file that holds \'undo\' commands',
@@ -841,18 +838,18 @@ sub handle_stickiness( $ ) {
 
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
-	
+
 
 	for my $providerref ( @routemarked_providers ) {
 	    my $interface = $providerref->{interface};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
-	
+
 	    for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
 		my $stickyref = ensure_mangle_chain 'sticky';
 		my ( $rule1, $rule2 );
 		my $list = sprintf "sticky%03d" , $sticky++;
-		
+
 		for my $chainref ( $stickyref, $setstickyref ) {
 
 		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
@@ -866,7 +863,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
-		
+
 		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
@@ -877,7 +874,7 @@ sub handle_stickiness( $ ) {
 		    }
 
 		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
-		    
+
 		}
 	    }
 
@@ -898,7 +895,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
-		
+
 		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
@@ -916,7 +913,7 @@ sub handle_stickiness( $ ) {
 
     if ( @routemarked_providers ) {
 	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};	
+	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
 }
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,30 +35,27 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 

Shorewall/Perl/Shorewall/Raw.pm

@@ -47,7 +47,7 @@ sub process_notrack_rule( $$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;  
+    ( my $zone, $source) = split /:/, $source, 2;
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
     my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;

Shorewall/Perl/Shorewall/Rules.pm

@@ -41,11 +41,10 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_rules
 		  generate_matrix
-		  setup_mss
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 #
 # Set to one if we find a SECTION
@@ -64,14 +63,15 @@ my %rules_commands = ( COMMENT => 0,
 		       SECTION => 2 );
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     $sectioned = 0;
@@ -80,10 +80,6 @@ sub initialize( $ ) {
     @param_stack = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {
@@ -529,7 +525,7 @@ sub add_common_rules() {
 	    add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited';
 	} else {
 	    add_rule $rejectref, '-p 58 -j REJECT --reject-with icmp6-addr-unreachable';
-	    add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited'; 
+	    add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited';
 	}
     } else {
 	add_rule $rejectref , '-j REJECT';
@@ -632,7 +628,7 @@ sub add_common_rules() {
 		my $variable = get_interface_gateway $interface;
 
 		if ( interface_is_optional $interface ) {
-		    add_commands( $chainref, 
+		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
 				  qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
@@ -680,7 +676,7 @@ sub setup_mac_lists( $ ) {
 	    my $chainref = new_chain $table , mac_chain $interface;
 
 	    if ( $family == F_IPV4 ) {
-		add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' 
+		add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
 		    if $table eq 'mangle'  && get_interface_option( $interface, 'dhcp');
 	    } else {
 		#
@@ -809,7 +805,7 @@ sub setup_mac_lists( $ ) {
 			} else {
 			    my $variable1 = get_interface_bcasts $bridge;
 
-			    add_commands( $chainref, 
+			    add_commands( $chainref,
 					  "    for address1 in $variable1; do" ,
 					  "        echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
 					  "    done" );
@@ -892,7 +888,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    if ( $msource eq '-' ) {
 		$msource = $source || '';
 	    } elsif ( $msource =~ s/^DEST:?// ) {
-		$msource = merge_macro_source_dest $msource, $dest; 
+		$msource = merge_macro_source_dest $msource, $dest;
 	    } else {
 		$msource =~ s/^SOURCE:?//;
 		$msource = merge_macro_source_dest $msource, $source;
@@ -914,17 +910,17 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    $mdest = '';
 	}
 
-	process_rule1( 
-		      $mtarget, 
-		      $msource, 
-		      $mdest, 
-		      merge_macro_column( $mproto,    $proto ) , 
+	process_rule1(
+		      $mtarget,
+		      $msource,
+		      $mdest,
+		      merge_macro_column( $mproto,    $proto ) ,
 		      merge_macro_column( $mports,    $ports ) ,
 		      merge_macro_column( $msports,   $sports ) ,
-		      merge_macro_column( $morigdest, $origdest ) , 
+		      merge_macro_column( $morigdest, $origdest ) ,
 		      merge_macro_column( $mrate,     $rate ) ,
 		      merge_macro_column( $muser,     $user ) ,
-		      $mark, 
+		      $mark,
 		      $connlimit,
 		      $time,
 		      $wildcard
@@ -999,7 +995,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	return;
 
     } elsif ( $actiontype & NFQ ) {
-	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); 
+	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
 	my $paramval = $param eq '' ? 0 : numeric_value( $param );
 	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
 	$action = "NFQUEUE --queue-num $paramval";
@@ -1078,7 +1074,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     if ( $actiontype & NATONLY ) {
 	unless ( $destzone eq '-' || $destzone eq '' ) {
 	    $destref = defined_zone( $destzone );
-	    
+
 	    if ( $destref ) {
 		warning_message "Destination zone ($destzone) ignored";
 	    } else {
@@ -1165,14 +1161,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
-	# Isolate server port 
+	# Isolate server port
 	#
 	if ( $dest =~ /^(.*)(:(.+))$/ ) {
 	    #
 	    # Server IP and Port
 	    #
 	    $server = $1;      # May be empty
-	    $serverport = $3;  # Not Empty due to RE 
+	    $serverport = $3;  # Not Empty due to RE
 	    $origdstports = $ports;
 
 	    if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
@@ -1301,7 +1297,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	my $nonat_chain;
 
 	my $chn;
-	
+
 	if ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
@@ -1362,7 +1358,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#
 	if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
 	    #
-	    # It was -- delete that rule 
+	    # It was -- delete that rule
 	    #
 	    pop @{$nonat_chain->{rules}};
 	    #
@@ -1417,7 +1413,7 @@ sub process_rule ( ) {
 	process_comment;
 	return 1;
     }
-    
+
     if ( $target eq 'SECTION' ) {
 	#
 	# read_a_line has already verified that there are exactly two tokens on the line
@@ -1426,7 +1422,7 @@ sub process_rule ( ) {
 	fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
 	$sectioned = 1;
 	$sections{$source} = 1;
-	
+
 	if ( $source eq 'RELATED' ) {
 	    $sections{ESTABLISHED} = 1;
 	    finish_section 'ESTABLISHED';
@@ -1434,7 +1430,7 @@ sub process_rule ( ) {
 	    @sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
 	    finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
 	}
-	
+
 	$section = $source;
 	return 1;
     }
@@ -1463,7 +1459,7 @@ sub process_rule ( ) {
     #
     # Handle Wildcards
     #
-    
+
     if ( $source =~ /^all[-+]/ ) {
 	if ( $source eq 'all+' ) {
 	    $source = 'all';
@@ -1510,7 +1506,7 @@ sub process_rule ( ) {
 	}
 
 	unshift @source, firewall_zone if $includesrcfw;
-    }	
+    }
 
     if ( $dest eq 'all' ) {
 	if ( $anydest ) {
@@ -1520,7 +1516,7 @@ sub process_rule ( ) {
 	}
 
 	unshift @dest, firewall_zone if $includedstfw;
-    }	
+    }
 
     fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
 
@@ -1810,7 +1806,7 @@ sub generate_matrix() {
 
 			clearrule;
 
-			next if $hostref->{options}{destonly}; 
+			next if $hostref->{options}{destonly};
 
 			my $source = match_source_net $net;
 
@@ -2000,11 +1996,11 @@ sub generate_matrix() {
 							     $excl3ref ,
 							     dest_exclusion( $host1ref->{exclusions}, $chain ),
 							     0,
-							     join( '', 
-								   $match_source_dev, 
-								   match_dest_dev($interface1), 
-								   match_source_net($net), 
-								   match_dest_net($net1), 
+							     join( '',
+								   $match_source_dev,
+								   match_dest_dev($interface1),
+								   match_source_net($net),
+								   match_dest_net($net1),
 								   $ipsec_out_match )
 							    );
 						}
@@ -2088,11 +2084,11 @@ sub setup_mss( ) {
 	if ( $capabilities{POLICY_MATCH} ) {
 	    $in_match  = '-m policy --pol none --dir in ';
 	    $out_match = '-m policy --pol none --dir out ';
-	} 
+	}
 
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
-	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; 
+	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
 	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
 	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
 	    add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
@@ -2226,7 +2222,7 @@ EOF
 	  );
 
     my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
-    
+
     add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains;
 
     if ( $family == F_IPV6 ) {
@@ -2278,7 +2274,7 @@ EOF
     } else {
 	for my $interface ( all_bridges ) {
 	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
-	}	    
+	}
 
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit( 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding',
@@ -2295,7 +2291,7 @@ EOF
     emit '
     run_stopped_exit';
 
-    my @ipsets = all_ipsets; 
+    my @ipsets = all_ipsets;
 
     if ( @ipsets ) {
 	emit <<'EOF';
@@ -2310,8 +2306,8 @@ EOF
     fi
 EOF
     }
-    
-    emit ' 
+
+    emit '
     set_state "Stopped"
 
     logger -p kern.info "$PRODUCT Stopped"

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_1';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -163,6 +163,8 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
+#                              guarantee     => <total RATE of classes seen so far>
+#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -186,6 +188,7 @@ our $sticky;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
+#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -202,14 +205,15 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -223,10 +227,6 @@ sub initialize( $ ) {
     $sticky = 0;
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
@@ -343,7 +343,7 @@ sub process_tc_rule( ) {
 				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
 				$mask2 = $m2;
 			    }
-				
+
 			    if ( defined $s ) {
 				$val = numeric_value ($s);
 				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
@@ -352,7 +352,7 @@ sub process_tc_rule( ) {
 			} else {
 			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 			}
-			    
+
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 		    }
 
@@ -388,12 +388,12 @@ sub process_tc_rule( ) {
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} ,
-				     do_proto( $proto, $ports, $sports) . 
-				     do_user( $user ) . 
-				     do_test( $testval, $mask ) . 
-				     do_length( $length ) . 
-				     do_tos( $tos ) . 
-				     do_connbytes( $connbytes ) . 
+				     do_proto( $proto, $ports, $sports) .
+				     do_user( $user ) .
+				     do_test( $testval, $mask ) .
+				     do_length( $length ) .
+				     do_tos( $tos ) .
+				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ),
 				     $source ,
 				     $dest ,
@@ -509,7 +509,7 @@ sub validate_tc_device( ) {
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
 	$classify = 1;
-    }	
+    }
 
     for my $rdevice ( @redirected ) {
 	fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -529,6 +529,8 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
+			    guarantee     => 0,
+			    name          => $device,
 			  } ,
 
     push @tcdevices, $device;
@@ -538,8 +540,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$ ) {
-    my ($full, $rate, $column) = @_;
+sub convert_rate( $$$$ ) {
+    my ($full, $rate, $column, $max) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -553,14 +555,14 @@ sub convert_rate( $$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
 
     $rate;
 }
 
 sub convert_delay( $ ) {
     my $delay = shift;
-    
+
     return 0 unless $delay;
     return $1 if $delay =~ /^(\d+)(ms)?$/;
     fatal_error "Invalid Delay ($delay)";
@@ -599,6 +601,7 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
+    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -618,7 +621,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
 		$parentclass = $classnumber;
 		$classnumber = hex_value $subnumber;
-	    } 
+	    }
 
 	    fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
 	    fatal_error "Duplicate interface/class number ($devclass)" if defined $devnums[ $classnumber ];
@@ -630,7 +633,11 @@ sub validate_tc_class( ) {
 	fatal_error "Missing class NUMBER" if $devref->{classify};
     }
 
-    my $full  = rate_to_kbit $devref->{out_bandwidth};
+    my $full    = rate_to_kbit $devref->{out_bandwidth};
+    my $ratemax = $full;
+    my $ceilmax = $full;
+    my $ratename = 'OUT-BANDWIDTH';
+    my $ceilname = 'OUT-BANDWIDTH';
 
     my $tcref = $tcclasses{$device};
 
@@ -660,39 +667,52 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	my $parentref = $tcref->{$parentclass};
+	$parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
+	$ratemax  = $parentref->{rate};
+	$ratename = q(the parent class's RATE);
+	$ceilmax = $parentref->{ceiling};
+	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
 
     if ( $devref->{qdisc} eq 'hfsc' ) {
 	( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
-	
+
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $full, $trate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
-	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; 
+	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
     } else {
-	$rate = convert_rate ( $full, $rate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
     }
 
-    $tcref->{$classnumber} = { tos      => [] ,
-			       rate     => $rate ,
-			       umax     => $umax ,
-			       dmax     => $dmax ,
-			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
-			       priority => $prio eq '-' ? 1 : $prio ,
-			       mark     => $markval ,
-			       flow     => '' ,
-			       pfifo    => 0,
-			       occurs   => 1,
-			       parent   => $parentclass,
-			       leaf     => 1,
+    if ( $parentref ) {
+	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
+    } else {
+	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
+    }
+
+    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+
+    $tcref->{$classnumber} = { tos       => [] ,
+			       rate      => $rate ,
+			       umax      => $umax ,
+			       dmax      => $dmax ,
+			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
+			       priority  => $prio eq '-' ? 1 : $prio ,
+			       mark      => $markval ,
+			       flow      => '' ,
+			       pfifo     => 0,
+			       occurs    => 1,
+			       parent    => $parentclass,
+			       leaf      => 1,
+			       guarantee => 0,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -737,7 +757,7 @@ sub validate_tc_class( ) {
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
-		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-'; 
+		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
@@ -749,7 +769,7 @@ sub validate_tc_class( ) {
 
     unless ( $devref->{classify} || $occurs > 1 ) {
 	fatal_error "Missing MARK" if $mark eq '-';
-	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/; 
+	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
     }
 
     $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -783,7 +803,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter( ) {
     my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
-    
+
     my ($device, $class, $rest ) = split /:/, $devclass, 3;
 
     fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );
@@ -834,13 +854,13 @@ sub process_tc_filter( ) {
 
 	$rule .= "\\\n  match ip tos $tosval $mask";
     }
-	
+
     if ( $length ne '-' ) {
 	my $len = numeric_value( $length ) || 0;
 	my $mask = $validlengths{$len};
 	fatal_error "Invalid LENGTH ($length)" unless $mask;
 	$rule .="\\\n   match u16 0x0000 $mask at 2";
-    }      
+    }
 
     my $protonumber = 0;
 
@@ -889,7 +909,7 @@ sub process_tc_filter( ) {
 	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
-	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT" 
+	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
 		unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
 
 	    for my $sportrange ( split_list $sportlist , 'port list' ) {
@@ -913,7 +933,7 @@ sub process_tc_filter( ) {
 		}
 	    }
 	} else {
-	    fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT" 
+	    fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
 		unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
 
 	    for my $portrange ( split_list $portlist, 'port list' ) {
@@ -934,7 +954,7 @@ sub process_tc_filter( ) {
 			my ( $port, $mask ) = ( shift @portlist, shift @portlist );
 
 			my $rule1;
-			
+
 			if ( $protonumber == TCP ) {
 			    $rule1 = join( ' ', 'match tcp dst', hex_value( $port ), "0x$mask" );
 			} elsif ( $protonumber == UDP ) {
@@ -970,9 +990,9 @@ sub process_tc_filter( ) {
 					  "   flowid $devref->{number}:$class" );
 				}
 			    }
-			}   
+			}
 		    }
-		}    
+		}
 	    }
 	}
     }
@@ -987,7 +1007,7 @@ sub process_tc_filter( ) {
 
     emit '';
 
-}   
+}
 
 sub setup_traffic_shaping() {
     our $lastrule = '';
@@ -1119,7 +1139,7 @@ sub setup_traffic_shaping() {
 	}
 
 	emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
-	
+
 	if ( $devref->{qdisc} eq 'htb' ) {
 	    emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 	} else {
@@ -1132,7 +1152,7 @@ sub setup_traffic_shaping() {
 		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
 	    }
 	}
-	    
+
 	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters

Shorewall/Perl/Shorewall/Zones.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 #
 # IPSEC Option types
@@ -164,7 +164,7 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
 	       MASK_IF_OPTION     => 7,
-	       
+
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
 	   };
@@ -174,15 +174,15 @@ our %validinterfaceoptions;
 our %validhostoptions;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @zones = ();
@@ -250,10 +250,6 @@ sub initialize( $ ) {
     }
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Parse the passed option list and return a reference to a hash as follows:
 #
@@ -330,7 +326,7 @@ sub set_super( $ );
 
 sub set_super( $ ) {
     my $zoneref = shift;
-    
+
     unless ( $zoneref->{options}{super} ) {
 	$zoneref->{options}{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
@@ -362,9 +358,9 @@ sub process_zone( \$ ) {
     fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
-    
-    if ( $type =~ /ipv([46])?/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+
+    if ( $type =~ /^ip(v([46]))?$/i ) {
+	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
 	$type = IP;
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
@@ -395,11 +391,11 @@ sub process_zone( \$ ) {
 	    }
 	}
     }
-    
+
     for ( $options, $in_options, $out_options ) {
 	$_ = '' if $_ eq '-';
     }
-    
+
     $zones{$zone} = { type       => $type,
 		      parents    => \@parents,
 		      bridge     => '',
@@ -414,9 +410,9 @@ sub process_zone( \$ ) {
 		      children   => [] ,
 		      hosts      => {}
 		    };
-    
+
     return $zone;
-    
+
 }
 #
 # Parse the zones file.
@@ -480,7 +476,7 @@ sub zone_report()
 
     if ( $family == F_IPV4 ) {
 	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
-    } else { 
+    } else {
 	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
     }
 
@@ -534,7 +530,7 @@ sub dump_zone_contents()
 
     if ( $family == F_IPV4 ) {
 	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
-    } else { 
+    } else {
 	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
     }
 
@@ -601,7 +597,6 @@ sub add_group_to_zone($$$$$)
     my $interfaceref;
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
-    my $ifacezone = $interfaces{$interface}{zone};
 
     $zoneref->{interfaces}{$interface} = 1;
 
@@ -609,8 +604,7 @@ sub add_group_to_zone($$$$$)
     my @exclusions = ();
     my $new = \@newnetworks;
     my $switched = 0;
-
-    $ifacezone = '' unless defined $ifacezone;
+    my $allip    = 0;
 
     for my $host ( @$networks ) {
 	$interfaces{$interface}{nets}++;
@@ -626,14 +620,18 @@ sub add_group_to_zone($$$$$)
 
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
-		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
-		$ifacezone = $zone if $host eq ALLIP;
+		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
+		if ( $host eq ALLIP ) {
+		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
+		    $interfaces{$interface}{zone} = $zone;
+		    $allip = 1;
+		}
 	    }
 	}
 
 	if ( substr( $host, 0, 1 ) eq '+' ) {
 	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', ''); 
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
 	}
@@ -649,6 +647,8 @@ sub add_group_to_zone($$$$$)
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
     $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
 
+    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
+
     $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
 
     push @{$interfaceref}, { options => $options,
@@ -771,7 +771,7 @@ sub process_interface( $ ) {
 
     unless ( $networks eq '' || $networks eq 'detect' ) {
 	my @broadcasts = split_list $networks, 'address';
-	
+
 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
 	}
@@ -792,7 +792,7 @@ sub process_interface( $ ) {
     if ( $options ) {
 
 	my %hostoptions = ( dynamic => 0 );
-	    
+
 	for my $option (split_list1 $options, 'option' ) {
 	    next if $option eq '-';
 
@@ -841,6 +841,7 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The $option option requires a value" unless defined $value;
+		fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		fatal_error "Duplicate $option option" if $nets;
 		#
 		# Remove parentheses from address list if present
@@ -850,13 +851,15 @@ sub process_interface( $ ) {
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
-		
+
 		if ( $value eq 'dynamic' ) {
 		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 		    $value = "+${zone}_${interface}";
 		    $hostoptions{dynamic} = 1;
 		    $ipsets{"${zone}_${interface}"} = 1;
-		}   
+		} else {
+		    $hostoptions{multicast} = 1;
+		}
 		#
 		# Convert into a Perl array reference
 		#
@@ -887,13 +890,19 @@ sub process_interface( $ ) {
 				number     => $nextinum ,
 				root       => $root ,
 				broadcasts => $broadcasts ,
-				options    => \%options };
+				options    => \%options ,
+			        zone       => ''
+			      };
 
-    $nets = [ allip ] unless $nets; 
-
-    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
-
-    $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
+    if ( $zone ) {
+	$nets ||= [ allip ];
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
+	add_group_to_zone( $zone, 
+			   $zoneref->{type}, 
+			   $interface, 
+			   [ IPv4_MULTICAST ], 
+			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
+    } 
 
     progress_message "  Interface \"$currentline\" Validated";
 
@@ -1154,9 +1163,9 @@ sub process_host( ) {
 	$hosts = "+${zone}_${interface}";
 	$optionsref->{dynamic} = 1;
 	$ipsets{"${zone}_${interface}"} = 1;
-	
+
     }
-   
+
     add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
 
     progress_message "   Host \"$currentline\" validated";

Shorewall/Perl/compiler.pl

@@ -105,11 +105,11 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '', 
-	  directory       => $shorewall_dir, 
-	  verbosity       => $verbose, 
+compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
+	  directory       => $shorewall_dir,
+	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
-	  debug           => $debug, 
+	  debug           => $debug,
 	  export          => $export,
 	  chains          => $chains,
 	  log             => $log,

Shorewall/Perl/prog.footer

@@ -200,7 +200,7 @@ get_all_bcasts()
 debug_restore_input() {
     local first second rest table chain
     #
-    # Clear the ruleset 
+    # Clear the ruleset
     #
     qt1 $IPTABLES -t mangle -F
     qt1 $IPTABLES -t mangle -X
@@ -291,7 +291,7 @@ usage() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ]; then 
+if [ $# -gt 1 ]; then
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift

Shorewall/Perl/prog.footer6

@@ -168,7 +168,7 @@ restore_dynamic_rules() {
 debug_restore_input() {
     local first second rest table chain
     #
-    # Clear the ruleset 
+    # Clear the ruleset
     #
     qt1 $IP6TABLES -t mangle -F
     qt1 $IP6TABLES -t mangle -X
@@ -252,7 +252,7 @@ usage() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ]; then 
+if [ $# -gt 1 ]; then
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
@@ -319,7 +319,7 @@ kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//'
 if [ $kernel -lt 20624 ]; then
     error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
     status=2
-else 
+else
     case "$COMMAND" in
 	start)
 	    [ $# -ne 1 ] && usage 2

Shorewall/Perl/prog.header6

@@ -578,7 +578,7 @@ convert_to_anycast() {
     local l
 
     while read address; do
-	case $address in 
+	case $address in
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
@@ -626,7 +626,7 @@ convert_to_anycast() {
 			badress=$address
 		    fi
 		    #
-		    # Note: at this point $address and $badress are the same except possibly for 
+		    # Note: at this point $address and $badress are the same except possibly for
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
@@ -663,7 +663,7 @@ convert_to_anycast() {
 
 #
 # Generate a list of anycast addresses for a given interface
-# 
+#
 
 get_interface_acasts() # $1 = interface
 {

Shorewall/changelog.txt

@@ -1,11 +1,39 @@
+Changes in Shorewall 4.4.1
 
-Changes in Shorewall 4.4.0.1
+1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
 
-1)  Updated release versions.
+2)  Deleted superfluous export from Chains.pm.
 
-2)  Fix log level in rules at the end of INPUT and OUTPUT
+3)  Added support for --persistent.
 
-3)  Correct handling of nested IPSEC chains.
+4)  Don't do module initialization in an INIT block.
+
+5)  Minor performance improvements.
+
+6)  Add 'clean' target to Makefile.
+
+7)  Redefine 'full' for sub-classes.
+
+8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
+
+9)  Fix nested ipsec zones.
+
+10) Change one-interface sample to IP_FORWARDING=Off.
+
+11) Allow multicast to non-dynamic zones defined with nets=.
+
+12) Allow zones with nets= to be extended by /etc/shorewall/hosts
+    entries.
+
+13) Don't allow nets= in a multi-zone interface definition.
+
+14) Fix rule generated by MULTICAST=Yes
+
+15) Fix silly hole in zones file parsing.
+
+16) Tighen up zone membership checking.
+
+17) Combine portlist-spitting routines into a single function.
 
 Changes in Shorewall 4.4.0
 
@@ -19,7 +47,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-5)  Fix provider number in 
+5)  Fix provider number in masq file.
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -225,10 +253,8 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to product shorewall.
+2)  Combine shorewall-common and shorewall-perl to produce shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
-4)  Add SAME MARK/CLASSIFY target
-
 

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1,16 +1 @@
-1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains still use the
-    LOG target rather than ULOG.
-
-    You can work around this problem by adding two additional policies
-    before the all->all one:
-
-    	   all 		$FW	DROP	ULOG
-	   $FW		all	REJECT	ULOG
-
-    This problem was corrected in Shorewall 4.4.0.1.
-
-2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
-    some cases.
-
-    This problem was corrected in Shorewall 4.4.0.1.
+There are no known problems in Shorewall version 4.4.1

Shorewall/lib.base

@@ -30,7 +30,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_CAPVERSION=40401
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -777,6 +777,13 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -820,14 +827,16 @@ determine_capabilities() {
     LOGMARK_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
+    PERSISTENT_SNAT=
 
     chain=fooX$$
 
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
+    if [ -n "$NAT_ENABLED" ]; then
+	if qt $IPTABLES -t nat -N $chain; then
+	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+	    qt $IPTABLES -t nat -F $chain
+	    qt $IPTABLES -t nat -X $chain
+	fi
     fi
 
     qt $IPTABLES -F $chain
@@ -1011,6 +1020,7 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1068,6 +1078,7 @@ report_capabilities1() {
     report_capability1 LOGMARK_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 PERSISTENT_SNAT
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
 }

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.0 patch release 1.
+Shorewall 4.4.1
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -153,62 +153,56 @@ Shorewall 4.4.0 patch release 1.
 
 10) The name 'any' is now reserved and may not be used as a zone name.
 
+11) Perl module initialization has changed in Shorewall
+    4.4.1. Previously, each Shorewall Perl package would initialize its
+    global variables for IPv4 in an INIT block. Then, if the
+    compilation turned out to be for IPv6,
+    Shorewall::Compiler::compiler() would reinitialize them for IPv6.
+
+    Beginning in Shorewall 4.4.1, the modules do not initialize
+    themselves in an INIT block. So if you use Shorewall modules
+    outside of the Shorewall compilation environment, then you must
+    explicitly call the module's 'initialize' function after the module
+    has been loaded.
+
+12) Checking for zone membership has been tighened up. Previously, 
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
+    then it may have no additional members in /etc/shorewall/hosts.
+
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0 . 1
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
 ----------------------------------------------------------------------------
 
 1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains still used the
+    rules at the end of the INPUT and OUTPUT chains would still use the
     LOG target rather than ULOG.
 
-2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
-    some cases.
+2)  Using CONTINUE policies with a nested IPSEC zone was still broken
+    in some cases.
 
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0
-----------------------------------------------------------------------------
+3)  The setting of IP_FORWARDING has been change to Off in the
+    one-interface sample configuration since forwarding is typically
+    not required with only a single interface.
 
-1)  When compiling to standard out, it is no longer necessary to
-    specify '-v-1' to suppress the 'Compiling...' progress message 
+4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
+    incorrectly exempted from ACCEPT policies.
 
-2)  Previously, Shorewall would generate invalid iptables-restore input
-    if all of these conditions were met:
+5)  Previously, the definition of a zone that specified "nets=" in
+    /etc/shorewall/interfaces could not be extended by entries in
+    /etc/shorewall/hosts.
 
-    - a nat rule (DNAT, REDIRECT, DNAT-, etc.) changed the destination
-      port number
-    - logging was specified on the rule
-    - no non-trivial exclusions in the rule (a non-trivial exclusion is
-      one whose exclusion list has more than one element)
+6)  Previously, "nets=" could be specified in a multi-zone interface
+    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
+    now raises a fatal compilation error.
 
-    Example of rule:
+7)  MULTICAST=Yes generates an incorrect rule that limits its
+    effectiveness to a small part of the multicast address space.
 
-    	    REDIRECT:ULOG   wall    82      tcp     80
-
-    Example of error message:
-
-       iptables v1.3.5: Need TCP or UDP with port specification
-        Try `iptables -h' or 'iptables --help' for more information.
-	ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port
-        82" Failed
-
-3)  Previously, log displays from the 'dump', 'show log' and 'logwatch'
-    commands did not properly suppress redundant fields in the records
-    (host name, and leading constant part of the LOGPREFIX).
-
-4)  Given that Jozsef Kadlecsik has not yet released ipset 3.1, ipset
-    bindings are once again supported.
-
-5)  The 'upnpclient' option only worked correctly if 'optional' was
-    also specified for the interface.
-
-6)  Where more than one internet provider shares the same external
-    interface, specifying the provider by number in /etc/shorewall/masq
-    (e.g., eth1(2)) resulted in the fatal compilation error:
-
-    	   ERROR: 2 is not a shared-interface provider
-
-    Also, the shorewall-masq (5) man page did not describe the syntax
-    for specifying the provider.
+8)  Checking for zone membership has been tighened up. Previously, 
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
+    then it may have no additional members in /etc/shorewall/hosts.
 
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
@@ -217,7 +211,66 @@ Shorewall 4.4.0 patch release 1.
 None.
 
 ----------------------------------------------------------------------------
-                 N E W   F E A T U R E S   IN   4 . 4
+                N E W   F E A T U R E S   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  To replace the SAME keyword in /etc/shorewall/masq, support has
+    been added for 'persistent' SNAT. Persistent SNAT is required when
+    an address range is specified in the ADDRESS column and when you
+    want a client to always receive the same source/destination IP
+    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+
+    To specify persistence, follow the address range with
+    ":persistent".
+
+    Example:
+
+    #INTERFACE	SOURCE	   ADDRESS
+    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+
+    This feature requires Persistent SNAT support in your kernel and
+    iptables. 
+
+    If you use a capabilities file, you will need to create a new one
+    as a result of this feature.
+
+    WARNING: Linux kernels beginning with 2.6.29 include persistent
+    SNAT support. If your iptables supports persistent SNAT but your
+    kernel does not, there is no way for Shorewall to determine that
+    persistent SNAT isn't going to work. The kernel SNAT code blindly
+    accepts all SNAT flags without verifying them and returns them to
+    iptables when asked.
+
+2)  A 'clean' target has been added to the Makefiles. It removes backup
+    files (*~ and .*~). 
+
+3)  The meaning of 'full' has been redefined when used in the context
+    of a traffic shaping sub-class. Previously, 'full' always meant the
+    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
+    that definition is awkward to use because the sub-class is limited
+    by the parent class.
+
+    Beginning with this release, 'full' in a sub-class definition
+    refers to the specified rate defined for the parent class. So
+    'full' used in the RATE column refers to the parent class's RATE;
+    when used in the CEIL column, 'full' refers to the parent class's
+    CEIL.
+
+    As part of this change, the compiler now issues a warning if the
+    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
+    the device. Similarly, a warning is issued if the sum of the RATEs
+    of a class's sub-classes exceeds the rate of the CLASS.
+
+4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
+    /etc/shorewall/interfaces, multicast traffic will now be sent to
+    the zone along with limited broadcasts.
+
+5)  A flaw in the parsing logic for the zones file allowed most zone
+    types containing the character string 'ip' to be accepted as a
+    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+
+----------------------------------------------------------------------------
+                 N E W   F E A T U R E S   I N   4 . 4
 ----------------------------------------------------------------------------
 
 1)  The Shorewall packaging has been completely revamped in Shorewall

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.0
-%define release 1
+%define version 4.4.1
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -104,8 +104,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
 - Made Perl a dependency
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.0
-%define release 1
+%define version 4.4.1
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -89,8 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall6/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_CAPVERSION=40401
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.0
-%define release 1
+%define version 4.4.1
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,8 +93,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.4.1
 
 usage() # $1 = exit status
 {

contrib/shoregen/AUTHORS

@@ -1 +0,0 @@
-Paul Gear <paul@gear.dyndns.org>

contrib/shoregen/BUGS

@@ -1 +0,0 @@
-None known at present.

contrib/shoregen/COPYING

@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

contrib/shoregen/ChangeLog

@@ -1,14 +0,0 @@
-0.1.1	Paul Gear <paul@gear.dyndns.org>  No idea when
-	- Initial release.
-
-0.1.2	Paul Gear <paul@gear.dyndns.org>  No idea when
-	- Removed filtering of zones that are on the same interface.
-	  This caused problems when a zone was accessible via more than
-	  one interface.
-
-0.1.3	Paul Gear <paul@gear.dyndns.org>  No idea when
-	- Optimisation to detect whether system is a router and remove
-	  redundant zones from rules and policies if so.
-
-3.2.0-beta1	Paul Gear <paul@gear.dyndns.org>
-	- First attempt at compatibility with Shorewall 3.2.x.

contrib/shoregen/README

@@ -1,124 +0,0 @@
-Shoreline Firewall configuration generator
-(c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-SHOREWALL
-
-The quick plug:
-
-  - Shorewall is the only firewall i trust.
-
-The IT Manager plug:
-
-  - Shorewall is a policy-driven firewall which lets you think about your
-    firewall at a higher level than iptables commands.
-
-The hard sell to you crazy people still maintaining manual firewall scripts:
-
-  - Shorewall is a wrapper around the kernel iptables, so your existing
-    Linux firewall skills transfer.  I converted from a 900-plus-line
-    ipchains shell script to around 50 lines of shorewall configuration in
-    less than 4 hours, with no prior experience.
-
-
-ISSUES
-
-  - I'm paranoid - i want more than one firewall between me and the world.
-
-  - Configuring multiple firewalls separately is a recipe for getting your
-    rules out of sync, and allowing security problems to creep in.
-
-  - IT Manager types (like me) like to know their policy is consistently
-    implemented.
-
-
-SOLUTION
-
-Shoregen is a script that generates shorewall configurations for multiple
-firewalls from a common set of rules and policies.  Only the minimal
-information necessary for operation is stored on each firewall, so, for
-example, your DMZ server doesn't need to know about the rules on your
-internal network, but at the same time, it gets consistent rules to your
-outer guard.
-
-
-PHILOSOPHY
-
-Shoregen assumes the X-Files approach to firewall design: trust no one.
-That is, paranoia is a virtue.  All access should be as limited as possible
-for things to work.  If you don't already agree with this philosophy, you
-may find some of the things shoregen does frustrating, but then again,
-you're probably not reading this document.  :-)
-
-
-DESIGN
-
-Shoregen distinguishes between two different types of shorewall
-configuration files.  Most shorewall configuration files are simply
-concatenated together from parts constructed from common and host-specific
-parts.  These are called simple configs; shoregen doesn't substantially
-alter them, and uses little information from them.
-
-Configs with which shoregen is more concerned are treated separately, and
-additional features beyond the scope of shorewall itself are implemented.
-Most importantly, two new policy/rule keywords are introduced: WARN and
-BAN.  These keywords are not included in shoregen's output, but when a
-subsequent rule or policy is encountered which matches a rule or policy
-marked WARN or BAN, an error message is issued.  In the case of BAN, the
-offending line is also dropped from the output, and a non-zero return code
-issued.
-
-
-PREREQUISITES
-
-The tools you will need to use shoregen are:
-	perl	The main shoregen script is written in Perl
-	rsync	Used to keep /etc/shorewall directories on your firewalls
-		in sync with the central repository
-	ssh	Encrypted transport for rsync
-	make	Optional, but saves a few keystrokes.
-
-
-USAGE
-
-Put shoregen and install_shoregen in a directory on your PATH.
-
-Make a central directory for your configs.  I recommend somewhere in a
-trusted user's home directory or central system admin repository.  This
-directory should be on a trusted machine in the most secure part of your
-network.  Put all of your policies, rules, and zones together in the
-correct order in files in the top level of this directory.
-
-For each of the simple configs you want to generate centrally, create a
-directory, with a file called COMMON (if necessary) containing the content
-you want to see in that file on all hosts, and a file named for each host
-for host-specific content.  I recommend that the default shorewall
-configuration file be placed in the COMMON file of the corresponding
-directory, with directives that are not appropriate commented out.
-
-When shoregen is run, it places the generated files in the directory 
-SPOOL/<host>, where <host> is the hostname of the target firewall.  The
-files in this directory are synchronised and the firewall checked and/or
-restarted by a simple wrapper script called install_shoregen.
-
-See the samples directory for a starting point configuration.  It provides
-some suggested policies & rules for the network shown in example1.png.  The
-sample configuration has not been tested in any way.
-
-I hope you find shoregen useful.  I welcome your comments, contributions,
-criticisms, and questions.
-

contrib/shoregen/TODO

@@ -1,21 +0,0 @@
-
-- Make it possible for a host to have the same $FW name as the zone in
-  which it belongs, and have shoregen automatically create appropriate
-  rules.
-
-- At the moment, if a fully-expanded policy file (such as is shown 
-
-- Better rule & policy sanitisation.
-
-- Hosts and interfaces could be reduced based on what's used in the policy
-  and rules files.
-
-- The Makefile could be improved to detect changes in the lower level
-  config files and call shoregen automatically when they are out-of-date.
-  At the moment, shoregen is so simple (and thus fast) that the amount of
-  time that would be saved by a clever Makefile (in comparison to the
-  rsync, ssh, and shorewall steps) is probably not worth the trouble to
-  code.
-
-- Automatic generation of firewall hosts & interfaces files.
-

contrib/shoregen/install_shoregen

@@ -1,116 +0,0 @@
-#!/bin/sh
-#
-# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
-# 
-# Wrapper script to install shoregen-generated shorewall configuration files.
-#
-
-# 
-# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
-# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
-
-VERBOSE=0
-RESTART=0
-CHECK=1
-TIME=0
-
-usage()
-{
-    echo "Usage:	$0 [--verbose] [--restart] host ...
-	Generates and installs shorewall configuration on the given hosts" >&2
-    exit 1
-}
-
-error()
-{
-    echo "$0: ERROR -" "$@" >&2
-}
-
-while :; do
-    case "$1" in
-
-    -v|--verbose)
-    	VERBOSE=1
-	shift
-	;;
-
-    -r|--restart)
-	RESTART=1
-	shift
-	;;
-
-    -c|--nocheck)
-	CHECK=0
-	shift
-	;;
-
-    -t|--notime)
-	TIME=0
-	shift
-	;;
-
-    --)
-	shift
-	break 2
-    	;;
-
-    --*)
-	error "Unrecognised option $1"
-	usage
-	;;
-
-    *)
-	break 2
-    	;;
-
-    esac
-done
-
-set -e
-set -u
-
-if [ "$#" -lt 1 ]; then
-    usage
-fi
-
-USER=root
-RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
-#--progress 
-if [ "$VERBOSE" -gt 0 ]; then
-    RSYNC_ARGS="$RSYNC_ARGS --verbose"
-fi
-DIR=/etc/shorewall
-SW_PATH=/sbin/shorewall
-
-PATH=$PATH:
-
-if [ "$TIME" -gt 0 ]; then
-    TIME="time"
-else
-    TIME=""
-fi
-
-for HOST; do
-    shoregen $HOST
-    rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
-    if [ "$CHECK" -gt 0 ]; then
-	$TIME ssh -l $USER -t $HOST $SW_PATH check
-    fi
-    if [ "$RESTART" -gt 0 ]; then
-	$TIME ssh -l $USER -t $HOST $SW_PATH restart
-    fi
-done

contrib/shoregen/samples/Makefile

@@ -1,10 +0,0 @@
-FLAGS=-c -r
-HOSTS=ig proxy mail og
-
-default:	$(HOSTS)
-
-$(HOSTS):
-	shoregen $@
-
-install:	$(HOSTS)
-	install_shoregen -c -r $(HOSTS)

contrib/shoregen/samples/hosts/ig

@@ -1,13 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-
-# I used the vi command
-#	!Gsort -k2 -k1 
-# to sort this file, starting at the next line.
-mail		eth0:$MAIL
-og		eth0:$OG
-proxy		eth0:$PROXY
-net		eth0:0.0.0.0/0
-lan		eth1:$LAN
-other		eth1:0.0.0.0/0
-guest		eth2:$GUEST
-other		eth2:0.0.0.0/0

contrib/shoregen/samples/hosts/mail

@@ -1,7 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-guest		eth0:$GUEST
-ig		eth0:$IG
-lan		eth0:$LAN
-og		eth0:$OG
-proxy		eth0:$PROXY
-net		eth0:0.0.0.0/0

contrib/shoregen/samples/hosts/og

@@ -1,7 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-guest		eth0:$GUEST
-ig		eth0:$IG
-lan		eth0:$LAN
-mail		eth0:$MAIL
-proxy		eth0:$PROXY
-other		eth0:0.0.0.0/0

contrib/shoregen/samples/hosts/proxy

@@ -1,7 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-guest		eth0:$GUEST
-ig		eth0:$IG
-lan		eth0:$LAN
-mail		eth0:$MAIL
-og		eth0:$OG
-net		eth0:0.0.0.0/0

contrib/shoregen/samples/interfaces/ig

@@ -1,5 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
--	eth1		detect		dhcp
--	eth2		detect		dhcp
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/mail

@@ -1,3 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/og

@@ -1,5 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
-net	eth1		detect		norfc1918,blacklist,dhcp
-net	ppp+		detect		norfc1918,blacklist
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/proxy

@@ -1,3 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/params/COMMON

@@ -1,9 +0,0 @@
-# These are parameterised firstly so they only live in one place, and
-# secondly because they can appear on different interfaces, but with a
-# constant address.
-OG=10.1.1.1
-MAIL=10.1.1.2
-PROXY=10.1.1.3
-IG=10.1.1.4
-LAN=10.1.2.0/24
-GUEST=10.1.3.0/24

contrib/shoregen/samples/policy

@@ -1,112 +0,0 @@
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST EXT
-
-#
-# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in
-# the policy or rules file.  These are not part of shorewall and do not
-# actually block any traffic.  They are about stopping the firewall
-# administrator from activating silly rules.  Note that these rules should
-# always be accompanied by a corresponding REJECT/BAN policy as they don't
-# actually set the shorewall policy (see below for these).
-#
-# These policies are samples only and are not suggested for your
-# environment.  You must decide on the policies that are right for you.
-#
-
-guest		lan		BAN
-proxy		lan		BAN
-mail		lan		BAN
-og		lan		BAN
-net		lan		BAN
-
-proxy		guest		BAN
-mail		guest		BAN
-og		guest		BAN
-net		guest		BAN
-
-proxy		ig		BAN
-mail		ig		BAN
-og		ig		BAN
-net		ig		BAN
-
-net		proxy		BAN
-
-proxy		og		BAN
-mail		og		BAN
-net		og		BAN
-
-ig		net		BAN
-
-
-#
-# Now the normal policies.  We define each set of zone pairs individually
-# so that Shorewall produces more meaningful error messages.
-#
-
-lan		guest		ACCEPT		info
-lan		ig		REJECT		info
-lan		proxy		REJECT		info
-lan		mail		REJECT		info
-lan		og		REJECT		info
-lan		net		REJECT		info
-lan		other		REJECT		info
-lan		all		REJECT		info
-
-guest		lan		REJECT		info
-guest		ig		REJECT		info
-guest		proxy		REJECT		info
-guest		mail		REJECT		info
-guest		og		REJECT		info
-guest		net		ACCEPT		info
-guest		other		REJECT		info
-guest		all		REJECT		info
-
-ig		lan		REJECT		info
-ig		guest		REJECT		info
-ig		proxy		REJECT		info
-ig		mail		REJECT		info
-ig		og		REJECT		info
-ig		net		REJECT		info
-ig		other		REJECT		info
-ig		all		REJECT		info
-
-proxy		lan		REJECT		info
-proxy		guest		REJECT		info
-proxy		ig		REJECT		info
-proxy		mail		REJECT		info
-proxy		og		REJECT		info
-proxy		net		ACCEPT
-proxy		other		REJECT		info
-proxy		all		REJECT		info
-
-mail		lan		REJECT		info
-mail		guest		REJECT		info
-mail		ig		REJECT		info
-mail		proxy		REJECT		info
-mail		og		REJECT		info
-mail		net		REJECT		info
-mail		other		REJECT		info
-mail		all		REJECT		info
-
-og		lan		REJECT		info
-og		guest		REJECT		info
-og		ig		REJECT		info
-og		proxy		REJECT		info
-og		mail		REJECT		info
-og		net		REJECT		info
-og		other		REJECT		info
-og		all		REJECT		info
-
-net		lan		DROP		info
-net		guest		DROP		info
-net		ig		DROP		info
-net		proxy		DROP		info
-net		mail		DROP		info
-net		og		DROP		info
-net		other		DROP		info
-net		all		DROP		info
-
-# Catch-all policies
-other		all		DROP		info
-all		all		DROP		info
-
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

contrib/shoregen/samples/rules

@@ -1,187 +0,0 @@
-#
-# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
-#
-# Master Rules File
-#
-# This file is organised into 4 main sections:
-#   1.	Rules that need to transcend the more general WARN/BAN rules.  The
-#	reason for this is typically system administration and
-#	troubleshooting.  This section should be kept as small as possible.
-#   2.	WARN/BAN rules to put restrictions on which rules contravening
-#	policies may be created.  This section should be as large as
-#	possible, if you take a traditional (i.e. paranoid) approach to
-#	firewall design.
-#   3.	Noise-reducing rules for illegitimate traffic.  This is typically
-#	small, but may grow as time goes on.
-#   4.	Normal rules which define the holes in your firewall.  Again, this
-#	should include only the rules you need and no more.  However, even
-#	on a simple home network like mine, this section tends to get
-#	large!
-#
-
-#
-# Order by port, protocol, dest zone (in->out order), src zone (in->out
-# order).
-#
-
-#ACTION		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
-
-#
-# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
-#
-# Nearly all of these rules should be limited to system administration
-# terminals.  These would be better put in a separate zone.
-#
-
-# ping (more below)
-ACCEPT		lan	og		icmp	8
-
-# ssh (more below)
-ACCEPT		lan	og		tcp	22
-ACCEPT		ig	og		tcp	22
-
-# SNMP (more below) - for MRTG stats run from LAN
-ACCEPT		lan	og		udp	161	
-
-# syslog (more below)
-ACCEPT		ig	lan		udp	514
-
-# Squid - this wouldn't be necessary except that a lot of OS updates are
-# rather large...
-ACCEPT		mail	proxy		tcp	3128
-
-#
-# Section 2: WARN/BAN rule directives
-#
-
-BAN		ig	lan
-BAN		mail	proxy
-BAN		lan	og
-BAN		ig	og
-
-#
-# Section 3: Drop noisy junk
-#
-
-# auth - reverse of the SMTP rules below
-REJECT		mail	lan		tcp	113
-REJECT		mail	guest		tcp	113
-REJECT		mail	ig		tcp	113
-REJECT		mail	proxy		tcp	113
-REJECT		mail	og		tcp	113
-REJECT		net	og		tcp	113
-REJECT		mail	net		tcp	113
-
-# KaZaA file sharing
-DROP		net	og		tcp	1214
-
-# Gnutella server
-REJECT		net	og		tcp	6346,6347
-
-# Half-Life
-REJECT		net	og		udp	27015,27016
-
-
-#
-# Section 4: Normal traffic
-#
-
-# ping (more above)
-ACCEPT		lan	ig		icmp	8
-ACCEPT		lan	proxy		icmp	8
-ACCEPT		lan	mail		icmp	8
-ACCEPT		ig	proxy		icmp	8
-ACCEPT		ig	mail		icmp	8
-ACCEPT		og	proxy		icmp	8
-ACCEPT		og	mail		icmp	8
-ACCEPT		og	net		icmp	8
-
-# FTP
-ACCEPT		proxy	net		tcp	21
-
-# ssh (more above)
-ACCEPT		lan	ig		tcp	22
-ACCEPT		lan	proxy		tcp	22
-ACCEPT		lan	mail		tcp	22
-ACCEPT		lan	net		tcp	22
-ACCEPT		ig	proxy		tcp	22
-ACCEPT		ig	mail		tcp	22
-ACCEPT		proxy	mail		tcp	22
-ACCEPT		proxy	net		tcp	22
-
-# SMTP
-ACCEPT		lan	mail		tcp	25
-ACCEPT		guest	mail		tcp	25
-ACCEPT		ig	mail		tcp	25
-ACCEPT		proxy	mail		tcp	25
-ACCEPT		og	mail		tcp	25
-DNAT		net	mail:$MAIL	tcp	25
-ACCEPT		mail	net		tcp	25
-
-# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
-# proxy, and mail independent of the rest (proxy & mail should run their
-# own caches).
-ACCEPT		lan	proxy		tcp	53
-ACCEPT		lan	proxy		udp	53
-ACCEPT		guest	proxy		tcp	53
-ACCEPT		guest	proxy		udp	53
-ACCEPT		ig	proxy		tcp	53
-ACCEPT		ig	proxy		udp	53
-ACCEPT		og	proxy		tcp	53
-ACCEPT		og	proxy		udp	53
-ACCEPT		proxy	net		tcp	53
-ACCEPT		proxy	net		udp	53
-ACCEPT		mail	net		tcp	53
-ACCEPT		mail	net		udp	53
-
-# HTTP
-ACCEPT		proxy	net		tcp	80
-
-# POP3 - must be proxied through mail
-ACCEPT		mail	net		tcp	110
-ACCEPT		lan	mail		tcp	110
-
-# NNTP - application layer proxy (e.g. leafnode) on proxy
-ACCEPT		lan	proxy		tcp	119
-ACCEPT		proxy	net		tcp	119
-
-# NTP - we really need more than 2 servers, but this is only an example.  :-)
-ACCEPT		lan	proxy		udp	123
-ACCEPT		lan	mail		udp	123
-ACCEPT		ig	proxy		udp	123
-ACCEPT		ig	mail		udp	123
-ACCEPT		proxy	net		udp	123
-ACCEPT		mail	net		udp	123
-ACCEPT		og	proxy		udp	123
-ACCEPT		og	mail		udp	123
-
-# IMAP
-ACCEPT		lan	mail		tcp	143
-ACCEPT		guest	mail		tcp	143
-
-# SNMP (more above) - for MRTG stats
-ACCEPT		lan	ig		udp	161
-ACCEPT		lan	proxy		udp	161
-ACCEPT		lan	mail		udp	161
-
-# HTTPS
-ACCEPT		proxy	net		tcp	443
-
-# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
-ACCEPT		og	mail		udp	514
-ACCEPT		proxy	mail		udp	514
-
-# Squid
-ACCEPT		lan	proxy		tcp	3128
-ACCEPT		guest	proxy		tcp	3128
-ACCEPT		ig	proxy		tcp	3128
-ACCEPT		og	proxy		tcp	3128
-
-# Webmin
-ACCEPT		lan	proxy		tcp	10000
-ACCEPT		guest	proxy		tcp	10000
-ACCEPT		ig	proxy		tcp	10000
-ACCEPT		og	proxy		tcp	10000
-
-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/shorewall.conf/COMMON

@@ -1,569 +0,0 @@
-##############################################################################
-#  /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
-#  match your setup
-#
-#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall
-#
-#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
-##############################################################################
-#                              L O G G I N G
-##############################################################################
-#
-# General note about log levels. Log levels are a method of describing
-# to syslog (8) the importance of a message and a number of parameters
-# in this file have log levels as their value.
-#
-# Valid levels are:
-#
-#	7	debug
-#	6	info
-#	5	notice
-#	4	warning
-#	3	err
-#	2	crit
-#	1	alert
-#	0	emerg
-#
-# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
-# log messages are generated by NetFilter and are logged using facility
-# 'kern' and the level that you specifify. If you are unsure of the level
-# to choose, 6 (info) is a safe bet. You may specify levels by name or by
-# number.
-#
-# If you have build your kernel with ULOG target support, you may also
-# specify a log level of ULOG (must be all caps). Rather than log its
-# messages to syslogd, Shorewall will direct netfilter to log the messages
-# via the ULOG target which will send them to a process called 'ulogd'.
-# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
-# configured to log all Shorewall message to their own log file
-################################################################################
-#
-# LOG FILE LOCATION
-#
-# This variable tells the /sbin/shorewall program where to look for Shorewall
-# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
-# /var/log/messages is assumed.
-#
-# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
-#          look for Shorewall messages.It does NOT control the destination for
-#          these messages. For information about how to do that, see
-#
-#              http://www.shorewall.net/shorewall_logging.html
-
-LOGFILE=/var/log/messages
-
-#
-# LOG FORMAT
-#
-# Shell 'printf' Formatting template for the --log-prefix value in log messages
-# generated by Shorewall to identify Shorewall log messages. The supplied
-# template is expected to accept either two or three arguments; the first is
-# the chain name, the second (optional) is the logging rule number within that
-# chain and the third is the ACTION specifying the disposition of the packet
-# being logged. You must use the %d formatting type for the rule number; if your
-# template does not contain %d then the rule number will not be included.
-#
-# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
-#
-#	LOGFORMAT="fp=%s:%d a=%s "
-#
-# If not specified or specified as empty (LOGFORMAT="") then the value
-# "Shorewall:%s:%s:" is assumed.
-# 
-# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up 
-# to but not including the first '%') to find log messages in the 'show log',
-# 'status' and 'hits' commands. This part should not be omitted (the 
-# LOGFORMAT should not begin with "%") and the leading part should be
-# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-#
-# LOG RATE LIMITING
-#
-# The next two variables can be used to control the amount of log output
-# generated. LOGRATE is expressed as a number followed by an optional
-# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum
-# rate at which a particular message will occur. LOGBURST determines the
-# maximum initial burst size that will be logged. If set empty, the default
-# value of 5 will be used.
-#
-# Example:
-#
-#	LOGRATE=10/minute
-#	LOGBURST=5
-#
-# If BOTH variables are set empty then logging will not be rate-limited.
-#
-
-LOGRATE=10/minute
-LOGBURST=5
-
-#
-# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
-#
-# This variable determines the level at which Mangled/Invalid packets are logged
-# under the 'dropunclean' interface option. If you set this variable to an
-# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
-# silently.
-#
-# The value of this variable also determines the level at which Mangled/Invalid
-# packets are logged under the 'logunclean' interface option. If the variable
-# is empty, these packets will still be logged at the 'info' level.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-LOGUNCLEAN=info
-
-#
-# BLACKLIST LOG LEVEL
-#
-# Set this variable to the syslogd level that you want blacklist packets logged
-# (beware of DOS attacks resulting from such logging). If not set, no logging
-# of blacklist packets occurs.
-#
-# See the comment at the top of this section for a description of log levels
-#
-BLACKLIST_LOGLEVEL=
-
-#
-# LOGGING 'New not SYN' rejects
-#
-# This variable only has an effect when NEWNOTSYN=No (see below).
-#
-# When a TCP packet that does not have the SYN flag set and the ACK and RST
-# flags clear then unless the packet is part of an established connection,
-# it will be rejected by the firewall. If you want these rejects logged,
-# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-# Example: LOGNEWNOTSYN=debug
-
-
-LOGNEWNOTSYN=info
-
-#
-# MAC List Log Level
-#
-# Specifies the logging level for connection requests that fail MAC
-# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
-# such connection requests will not be logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-MACLIST_LOG_LEVEL=info
-
-#
-# TCP FLAGS Log Level
-#
-# Specifies the logging level for packets that fail TCP Flags
-# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
-# such packets will not be logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-TCP_FLAGS_LOG_LEVEL=info
-
-#
-# RFC1918 Log Level
-#
-# Specifies the logging level for packets that fail RFC 1918
-# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
-# RFC1918_LOG_LEVEL=info is assumed.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-RFC1918_LOG_LEVEL=info
-
-################################################################################
-#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
-################################################################################
-#
-# PATH - Change this if you want to change the order in which Shorewall
-#        searches directories for executable files.
-#
-#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-
-#
-# SHELL
-#
-# The firewall script is normally interpreted by /bin/sh. If you wish to change
-# the shell used to interpret that script, specify the shell here.
-
-SHOREWALL_SHELL=/bin/sh
-
-# SUBSYSTEM LOCK FILE
-#
-# Set this to the name of the lock file expected by your init scripts. For
-# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
-# use lock files, set this to "".
-#
-
-SUBSYSLOCK=/var/lock/subsys/shorewall
-
-#
-# SHOREWALL TEMPORARY STATE DIRECTORY
-#
-# This is the directory where the firewall maintains state information while
-# it is running
-#
-
-STATEDIR=/var/lib/shorewall
-
-#
-# KERNEL MODULE DIRECTORY
-#
-# If your netfilter kernel modules are in a directory other than
-# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
-# directory in this variable. Example: MODULESDIR=/etc/modules.
-
-MODULESDIR=
-
-################################################################################
-#                       F I R E W A L L   O P T I O N S
-################################################################################
-
-# NAME OF THE FIREWALL ZONE
-#
-# Name of the firewall zone -- if not set or if set to an empty string, "fw"
-# is assumed.
-#
-#FW=fw
-
-#
-# ENABLE IP FORWARDING
-#
-# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
-# say "Off" or "off", packet forwarding will be disabled. You would only want
-# to disable packet forwarding if you are installing Shorewall on a
-# standalone system or if you want all traffic through the Shorewall system
-# to be handled by proxies.
-#
-# If you set this variable to "Keep" or "keep", Shorewall will neither
-# enable nor disable packet forwarding.
-#
-#IP_FORWARDING=On
-
-#
-# AUTOMATICALLY ADD NAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each NAT external address that you give in /etc/shorewall/nat. If you say
-# "No" or "no", you must add these aliases youself.
-#
-ADD_IP_ALIASES=Yes
-
-#
-# AUTOMATICALLY ADD SNAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
-# you are sure that you need it -- most people don't!!!
-#
-ADD_SNAT_ALIASES=No
-
-#
-# ENABLE TRAFFIC SHAPING
-#
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
-# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
-# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
-# you must enable packet mangling above.
-#
-TC_ENABLED=No
-
-#
-# Clear Traffic Shapping/Control
-#
-# If this option is set to 'No' then Shorewall won't clear the current
-# traffic control rules during [re]start. This setting is intended
-# for use by people that prefer to configure traffic shaping when
-# the network interfaces come up rather than when the firewall
-# is started. If that is what you want to do, set TC_ENABLED=Yes and
-# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
-# way, your traffic shaping rules can still use the 'fwmark'
-# classifier based on packet marking defined in /etc/shorewall/tcrules.
-#
-# If omitted, CLEAR_TC=Yes is assumed.
-
-CLEAR_TC=Yes
-
-#
-# Mark Packets in the forward chain
-#
-# When processing the tcrules file, Shorewall normally marks packets in the
-# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# this to "Yes". If not specified or if set to the empty value (e.g.,
-# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
-#
-# Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
-# address rewritten so they can be marked based on their destination. When
-# packets are marked in the PREROUTING chain, packets destined for
-# Masqueraded/SNATed local hosts still have a destination address corresponding
-# to the firewall's external interface.
-#
-# Note: Older kernels do not support marking packets in the FORWARD chain and
-#       setting this variable to Yes may cause startup problems.
-
-MARK_IN_FORWARD_CHAIN=No
-
-#
-# MSS CLAMPING
-#
-# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
-# option. This option is most commonly required when your internet
-# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
-# have CONFIG_IP_NF_TARGET_TCPMSS set.
-#
-# [From the kernel help:
-#
-#    This option adds a `TCPMSS' target, which allows you to alter the
-#    MSS value of TCP SYN packets, to control the maximum size for that
-#    connection (usually limiting it to your outgoing interface's MTU
-#    minus 40).
-#
-#    This is used to overcome criminally braindead ISPs or servers which
-#    block ICMP Fragmentation Needed packets.  The symptoms of this
-#    problem are that everything works fine from your Linux
-#    firewall/router, but machines behind it can never exchange large
-#    packets:
-#        1) Web browsers connect, then hang with no data received.
-#	 2) Small mail works fine, but large emails hang.
-#	 3) ssh works fine, but scp hangs after initial handshaking.
-# ]
-#
-# If left blank, or set to "No" or "no", the option is not enabled.
-#
-CLAMPMSS=No
-
-#
-# ROUTE FILTERING
-#
-# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
-# interfaces started while Shorewall is started (anti-spoofing measure).
-#
-# If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
-# on individual interfaces using the 'routefilter' option in the
-# /etc/shorewall/interfaces file.
-
-ROUTE_FILTER=yes
-
-#
-# NAT BEFORE RULES
-#
-# Shorewall has traditionally processed static NAT rules before port forwarding
-# rules. If you would like to reverse the order, set this variable to "No".
-#
-# If this variable is not set or is set to the empty value, "Yes" is assumed.
-
-NAT_BEFORE_RULES=Yes
-
-# DNAT IP ADDRESS DETECTION
-#
-# Normally when Shorewall encounters the following rule:
-#
-#	DNAT	net	loc:192.168.1.3	tcp	80
-#
-# it will forward TCP port 80 connections from the net to 192.168.1.3
-# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
-# convenient for two reasons:
-#
-#	a) If the the network interface has a dynamic IP address, the
-#	   firewall configuration will work even when the address
-#	   changes.
-#
-#	b) It saves having to configure the IP address in the rule
-#	   while still allowing the firewall to be started before the
-#	   internet interface is brought up.
-#
-# This default behavior can also have a negative effect. If the
-# internet interface has more than one IP address then the above
-# rule will forward connection requests on all of these addresses;
-# that may not be what is desired.
-#
-# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
-# only if the original destination address is the primary IP address of
-# one of the interfaces associated with the source zone. Note that this
-# requires all interfaces to the source zone to be up when the firewall
-# is [re]started.
-
-DETECT_DNAT_IPADDRS=No
-
-#
-# MUTEX TIMEOUT
-#
-# The value of this variable determines the number of seconds that programs
-# will wait for exclusive access to the Shorewall lock file. After the number
-# of seconds corresponding to the value of this variable, programs will assume
-# that the last program to hold the lock died without releasing the lock.
-#
-# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
-#
-# An appropriate value for this parameter would be twice the length of time
-# that it takes your firewall system to process a "shorewall restart" command.
-
-MUTEX_TIMEOUT=60
-
-#
-# NEWNOTSYN
-#
-# TCP connections are established using the familiar three-way "handshake":
-#
-#	CLIENT			SERVER
-#
-#	SYN-------------------->
-#            <------------------SYN,ACK
-#       ACK-------------------->
-#
-# The first packet in that exchange (packet with the SYN flag on and the ACK
-# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
-# A packet is said to be NEW if it is not part of or related to an already
-# established connection.
-#
-# The NETNOTSYN option determines the handling of non-SYN packets (those with
-# SYN off or with ACK or RST on) that are not associated with an already
-# established connection.
-# 
-# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
-# part of an already established connection, it will be dropped by the
-# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
-# logged before they are dropped.
-#
-# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
-# dropped but will pass through the normal rule/policy processing.
-#
-# Users with a High-availability setup with two firewall's and one acting
-# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
-# also need to select NEWNOTSYN=Yes.
-#
-# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
-# using the 'newnotsyn' option in /etc/shorewall/interfaces.
-#
-# I find that NEWNOTSYN=No tends to result in lots of "stuck"
-# connections because any network timeout during TCP session tear down
-# results in retries being dropped (Netfilter has removed the
-# connection from the conntrack table but the end-points haven't
-# completed shutting down the connection).  I therefore have chosen
-# NEWNOTSYN=Yes as the default value.
-
-NEWNOTSYN=Yes
-
-#
-# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
-#
-# Normally, when a "shorewall stop" command is issued or an error occurs during
-# the execution of another shorewall command, Shorewall puts the firewall into
-# a state where only traffic to/from the hosts listed in
-# /etc/shorewall/routestopped is accepted. 
-#
-# When performing remote administration on a Shorewall firewall, it is
-# therefore recommended that the IP address of the computer being used for
-# administration be added to the firewall's /etc/shorewall/routestopped file.
-#
-# Some administrators have a hard time remembering to do this with the result
-# that they get to drive across town in the middle of the night to restart
-# a remote firewall (or worse, they have to get someone out of bed to drive 
-# across town to restart a very remote firewall).
-#
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
-# when the firewall enters the 'stopped' state:
-#
-# All traffic that is part of or related to established connections is still
-# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
-# to and from hosts listed in /etc/shorewall/routestopped.
-#
-# If this variable is not set or it is set to the null value then
-# ADMINISABSENTMINDED=No is assumed.
-#
-ADMINISABSENTMINDED=Yes
-
-#
-# BLACKLIST Behavior
-#
-# Shorewall offers two types of blacklisting:
-#
-#	- static blacklisting through the /etc/shorewall/blacklist file together
-#	  with the 'blacklist' interface option.
-#	- dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
-#
-# The following variable determines whether the blacklist is checked for each
-# packet or for each new connection.
-#
-#	BLACKLISTNEWONLY=Yes	Only consult blacklists for new connection
-#				requests
-#
-#	BLACKLISTNEWONLY=No	Consult blacklists for all packets.
-#
-# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
-# BLACKLISTNEWONLY=No is assumed.
-#
-BLACKLISTNEWONLY=Yes
-
-# MODULE NAME SUFFIX
-#
-# When loading a module named in /etc/shorewall/modules, Shorewall normally
-# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
-# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
-# naming convention then you can specify the suffix (extension) for module 
-# names in this variable.
-#
-# To see what suffix is used by your distribution:
-#
-#     ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#
-# All of the file names listed should have the same suffix (extension). Set
-# MODULE_SUFFIX to that suffix.
-#
-# Examples: 
-#
-#	If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
-#	If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
-#
-
-MODULE_SUFFIX=
-
-################################################################################
-#                       P A C K E T   D I S P O S I T I O N
-################################################################################
-#
-# BLACKLIST DISPOSITION
-#
-# Set this variable to the action that you want to perform on packets from
-# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
-# DROP is assumed.
-#
-BLACKLIST_DISPOSITION=DROP
-
-#
-# MAC List Disposition
-#
-# This variable determines the disposition of connection requests arriving
-# on interfaces that have the 'maclist' option and that are from a device
-# that is not listed for that interface in /etc/shorewall/maclist. Valid
-# values are ACCEPT, DROP and REJECT. If not specified or specified as
-# empty (MACLIST_DISPOSITION="") then REJECT is assumed
-
-MACLIST_DISPOSITION=REJECT
-
-#
-# TCP FLAGS Disposition
-#
-# This variable determins the disposition of packets having an invalid
-# combination of TCP flags that are received on interfaces having the
-# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
-# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

contrib/shoregen/samples/shorewall.conf/ig

@@ -1,2 +0,0 @@
-FW=ig
-IP_FORWARDING=On

contrib/shoregen/samples/shorewall.conf/mail

@@ -1,2 +0,0 @@
-FW=enoch
-IP_FORWARDING=Off

contrib/shoregen/samples/shorewall.conf/og

@@ -1,2 +0,0 @@
-FW=og
-IP_FORWARDING=On

contrib/shoregen/samples/shorewall.conf/proxy

@@ -1,2 +0,0 @@
-FW=dmz
-IP_FORWARDING=Off

contrib/shoregen/samples/zones

@@ -1,10 +0,0 @@
-#ZONE	DISPLAY		COMMENTS
-lan	LAN		Local network
-guest	Guest		Untrusted LAN hosts
-ig	IG		Inner Guard
-og	OG		Outer Guard
-mail	Mail		Mail server
-proxy	Proxy		Proxy server
-net	Net		Internet 
-other	Other		Basket for things that don't fit elsewhere
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

contrib/shoregen/shoregen

@@ -1,443 +0,0 @@
-#!/usr/bin/perl -w
-#
-# shoregen: Generate shorewall configuration for a host from central
-# configuration files.
-#
-
-#
-# (c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
-# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
-#
-
-use strict;
-
-my $VERBOSE = 1;
-my $DEBUG = 1;
-my $DATE = scalar localtime;
-my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n";
-my $ret = 0;		# return code to shell
-
-if ($#ARGV != 0) {
-    print STDERR "Usage: $0 <hostname>\n";
-    exit 1;
-}
-
-my $base = ".";
-my $host = $ARGV[ 0 ];
-my $spool = "$base/SPOOL";
-my $dir = "$spool/$host";
-
-
-#
-# Messaging routines for use by the program itself - any errors that are
-# generated externally (e.g. file opening problems) are reported using the
-# usual perl 'die' or 'warn' functions.
-#
-
-sub info
-{
-    print "$0: @_\n";
-}
-
-sub mesg
-{
-    my $type = shift;
-    print STDERR "$0: $type - @_\n";
-}
-
-sub warning
-{
-    mesg "WARNING", @_;
-}
-
-sub error
-{
-    mesg "ERROR", @_;
-    ++$ret;
-}
-
-sub fatal
-{
-    mesg "FATAL", @_;
-    ++$ret;
-    exit $ret;
-}
-
-
-#
-# These bits make the files that actually get copied to the target host
-#
-
-sub stripfile
-{
-    open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!";
-    my @file;
-
-    for (<$file>) {
-	s/\s*#.*$//g;		# remove all comments
-	next if m/^\s*$/;	# skip blank lines
-	push @file, $_;
-    }
-
-    close $file or warn "Can't close $_[ 0 ] after reading: $!";
-
-    return @file;
-}
-
-
-#
-# Construct a configuration file given a number of input files
-#
-sub constructfile
-{
-    my $confname = shift;
-    my $dst = shift;
-    my $foundone = 0;
-
-    info "Constructing $confname" if $VERBOSE > 1;
-
-    open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
-    printf $DST $HEADER, $confname;
-
-    for my $file (@_) {
-	if (-r $file) {
-	    $foundone = 1;
-	    print $DST "##$file\n" if $DEBUG > 1;
-	    print $DST stripfile $file;
-	}
-    }
-
-    close $DST or warn "Can't close $dst: $!";
-
-    if (!$foundone) {
-	warning "\"$confname\" not present.  " .
-	    "Existing file on $host will be preserved." if $VERBOSE > 2;
-	unlink $dst;
-    }
-}
-
-#
-# main
-#
-
-my $fw;			# Firewall zone for this host
-my $router;		# Is this host a router?
-my @globalzones;	# All known zones
-my %globalzones;
-my %hostzones;		# zones applicable to this host
-my $outfile;		# filename holders
-my $conf;		# config file we're processing at present
-my %warnban;		# meta-rules/policies
-
-
-# Change to the base configuration directory
-die "Configuration directory $base doesn't exist!" if ! -d $base;
-chdir $base or die "Can't change directory to $base: $!";
-
-# Create spool directories if necessary
-if (! -d "$spool") {
-    mkdir "$spool" or die "Can't create spool directory $spool: $!";
-}
-if (! -d $dir) {
-    mkdir $dir or die "Can't create host spool directory $dir: $!";
-}
-
-
-#
-# Construct all the simple config files.
-#
-
-# Config files for which the host-specific file is included *first*
-my @hostfirstconfigs = qw(
-    accounting
-    actions
-    blacklist
-    bogons
-    continue
-    ecn
-    hosts
-    interfaces
-    maclist
-    masq
-    nat
-    netmap
-    proxyarp
-    rfc1918
-    routestopped
-    route_rules
-    start
-    started
-    stop
-    stopped
-    tcclasses
-    tcdevices
-    tos
-    tunnels
-);
-
-# Config files for which the host-specific file is included *last*
-my @hostlastconfigs = qw(
-    common
-    configpath
-    init
-    initdone
-    ipsec
-    modules
-    params
-    providers
-    shorewall.conf
-    tcrules
-);
-
-
-for my $conf (@hostfirstconfigs) {
-    constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON";
-}
-
-for my $conf (@hostlastconfigs) {
-    constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host";
-}
-
-#
-# The remaining config files (policy, rules, zones) are processed uniquely.
-#
-
-# Find the firewall name of this host
-open( my $infile, "$dir/shorewall.conf" ) or
-    die "Can't open $dir/shorewall.conf: $!";
-
-for (<$infile>) {
-    if (/^\s*FW=(\S+)/) {
-	$fw = $1 unless defined $fw;
-    }
-    if (/^\s*IP_FORWARDING=(\S+)/) {
-	$router = $1 unless defined $router;
-    }
-}
-
-close $infile;
-
-
-# The firewall name must be defined
-unless (defined $fw) {
-    fatal "Can't find firewall name (FW variable) for $host in $dir/shorewall.conf";
-}
-
-# Router must be defined
-unless (defined $router) {
-    fatal "Can't find IP_FORWARDING setting for $host in $dir/shorewall.conf";
-}
-if ($router =~ m/On|Yes/i) {
-    $router = 1;
-}
-else {
-    $router = 0;
-}
-print "fw=$fw, router=$router\n" if $DEBUG > 3;
-
-# Find all valid zones
-unless (-r "zones") {
-    fatal "You must provide a global zone file";
-}
-
-
-for (stripfile "zones") {
-    chomp;
-    my ($zone, $details) = split /[\s:]+/, $_, 2;
-    push @globalzones, $zone;
-    $globalzones{ $zone } = $details;
-}
-
-#
-# Work out which zones apply to this host from the combination of hosts &
-# interfaces.  The first field in both files is the zone name, and the
-# second (minus any trailing ips) is the interface, which we save as well
-# for later reference.
-#
-
-for my $infile ("$dir/hosts", "$dir/interfaces") {
-    if (-r $infile) {
-	for (stripfile $infile) {
-	    chomp;
-	    my @F = split;
-	    next if $#F < 0;
-	    next if $F[ 0 ] eq "-";
-	    my @IF = split /:/, $F[ 0 ]; # strip off parent zone, if present
-	    $hostzones{ $IF[ 0 ] } = 1;
-	}
-    }
-}
-
-$conf = "zones";
-
-#
-# Create the zones file from the intersection of the above - note the order
-# from the original zone file must be preserved, hence the need for the
-# array as well as the hash.
-#
-
-open( $outfile, ">$dir/$conf" ) or
-    die "Can't open $dir/$conf for writing: $!";
-
-printf $outfile $HEADER, "$conf";
-my %tmpzones = %hostzones;		# Take a copy of all the zones,
-
-for my $zone (@globalzones) {
-    if (exists $tmpzones{ $zone }) {
-	print $outfile "$zone	$globalzones{ $zone }\n";
-	delete $tmpzones{ $zone };	# deleting those found as we go along.
-    }
-}
-
-close $outfile or warn "Can't close $dir/$conf after writing: $!";
-
-for my $zone (sort keys %tmpzones) {	# Warn if we've got any zones left now.
-    #next if $zone eq "-";
-    warning "No entry for $zone in global zones file - ignored";
-}
-undef %tmpzones;
-
-
-my @tmp = sort keys %hostzones;
-info "FW zone for $host: $fw" if $VERBOSE > 0;
-info "Other zones for $host: @tmp" if $VERBOSE > 0;
-
-#
-# Add 'all' as a valid source or destination.  Added here so it doesn't get
-# checked in %tmpzones check above.  Also add firewall itself.  (The
-# numbers are not important as long as they are non-zero.)
-#
-
-$hostzones{"all"} = 1;
-$hostzones{$fw} = 1;
-
-#
-# Create the policy file, including only the applicable zones.
-#
-
-$conf = "policy";
-if (! -r $conf) {
-    fatal "You must provide a global \"$conf\" file";
-}
-
-open( $outfile, ">$dir/$conf" ) or
-    die "Can't open $dir/$conf for writing: $!";
-printf $outfile $HEADER, "$conf";
-
-for (stripfile $conf) {
-    chomp;
-
-    my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4;
-
-    print "$src, $dst, $pol, $rest\n" if $DEBUG > 3;
-
-    # Both source and destination zones must be valid on this host for this
-    # policy to apply.
-    next unless defined $hostzones{$src} and defined $hostzones{$dst};
-
-    # Source and destination zones must be on different interfaces as well,
-    # except for the case of all2all.
-    #next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
-
-    # Save WARN & BAN details for later rules processing
-    if ($pol eq "WARN"  or  $pol eq "BAN") {
-	if (exists $warnban{$src}{$dst}) {
-	    error "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?";
-	}
-	$warnban{$src}{$dst} = $pol;
-	next;
-    }
-
-    printf $outfile "%s\n", $_;
-}
-close $outfile or warn "Can't close $dir/$conf for writing: $!";
-
-
-#
-# Create the rules file, only including the applicable zones and taking
-# into account any WARN or BAN policies.
-#
-
-$conf = "rules";
-if (! -r $conf) {
-    fatal "You must provide a global \"$conf\" file";
-}
-
-open( $outfile, ">$dir/$conf" ) or
-    die "Can't open $dir/$conf for writing: $!";
-printf $outfile $HEADER, "$conf";
-
-for my $infile ("$conf.COMMON", "$conf.$host", "$conf") {
-    next unless -r $infile;
-    for (stripfile $infile) {
-	chomp;
-
-	my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
-
-	$act =~ s/:.*//;	# strip off logging directives
-	$src =~ s/:.*//;	# strip off host & port specifiers
-	$dst =~ s/:.*//;	# strip off host & port specifiers
-
-	print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
-
-	# Both source and destination zones must be valid on this host
-	# for this rule to apply.
-	next unless defined $hostzones{$src} and defined $hostzones{$dst};
-
-	# If host is not a router, either the source or destination zone
-	# must be the firewall itself.
-	if (!$router) {
-	    next unless $src eq $fw
-		     or $dst eq $fw
-		     or $src eq "all"
-		     or $dst eq "all";
-	}
-
-	# Save additional WARN/BAN rules
-	if ($act eq "WARN"  or  $act eq "BAN") {
-	    if (exists $warnban{$src}{$dst}) {
-		error "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
-	    }
-	    $warnban{$src}{$dst} = $act;
-	    next;
-	}
-
-	# Check against WARN/BAN rules
-	if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|Allow|DNAT)/) {
-	    if ($warnban{$src}{$dst} eq "WARN") {
-		warning "Rule contravenes WARN policy:\n\t$_";
-	    }
-	    else { # $warnban{$src}{$dst} eq "BAN"
-		error "Rule contravenes BAN policy (omitted):\n\t$_";
-		next;
-	    }
-	}
-
-	# Mangle DNAT rules if the destination is the local machine
-	if ($act =~ /^DNAT/  &&  $dst eq $fw) {
-	    $_ =~ s/\bDNAT(-)?/ACCEPT/;	# change rule type
-	    $_ =~ s/\b$fw:\S+/$dst/;	# strip trailing server address/port
-	}
-
-	printf $outfile "%s\n", $_;
-    }
-}
-close $outfile or warn "Can't close $dir/$conf for writing: $!";
-
-
-# Finished - return whatever we produced above...
-exit $ret;

contrib/shoregen/spec/description

@@ -1,3 +0,0 @@
-Shoregen is a script that generates Shoreline Firewall configurations for
-multiple firewalls from a common set of rules and policies.  Only the
-minimal information necessary for operation is stored on each firewall.

contrib/shoregen/spec/files

@@ -1,4 +0,0 @@
-# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $
-/usr/bin/%{name}
-/usr/bin/install_%{name}
-%doc /usr/share/doc/%{name}-%{version}/

contrib/shoregen/spec/header

@@ -1,10 +0,0 @@
-# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $
-Summary:	Shoreline Firewall configuration generator
-License:	GPL
-Group:		Applications/System
-BuildArch:	noarch
-URL:		http://paulgear.webhop.net/linux/#shoregen
-Packager:	Paul Gear <paul@gear.dyndns.org>
-Requires:	openssh
-Requires:	perl
-Requires:	rsync

contrib/shoregen/spec/install

@@ -1,9 +0,0 @@
-# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $
-
-install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/
-install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/
-
-install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
-install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
-cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
-chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/

contrib/shoregen/spec/type

@@ -1,2 +0,0 @@
-install
-# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $

docs/6to4.xml

@@ -135,20 +135,20 @@ GATEWAY=::192.88.99.1</programlisting></para>
 1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436 
     inet6 ::1/128 scope host 
        valid_lft forever preferred_lft forever
-2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+1: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
+       valid_lft forever preferred_lft forever
+2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">    inet6 2002:ce7c:92b4:1::1/64 scope global 
        valid_lft forever preferred_lft forever</emphasis>
     inet6 fe80::202:e3ff:fe08:55fa/64 scope link 
        valid_lft forever preferred_lft forever
-3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
-    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
-       valid_lft forever preferred_lft forever
-4: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+3: eth4: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">    inet6 2002:ce7c:92b4:2::1/64 scope global 
        valid_lft forever preferred_lft forever</emphasis>
     inet6 fe80::2a0:ccff:fed2:353a/64 scope link 
        valid_lft forever preferred_lft forever
-24: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
+4: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
 <emphasis role="bold">    inet6 ::206.124.146.180/128 scope global 
        valid_lft forever preferred_lft forever
     inet6 2002:ce7c:92b4::1/128 scope global 
@@ -156,24 +156,24 @@ GATEWAY=::192.88.99.1</programlisting></para>
 gateway:~ # ip -6 route ls
 <emphasis role="bold">::/96 via :: dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
 <emphasis role="bold">2002:ce7c:92b4::1 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
-2002:ce7c:92b4:1::/64 dev eth0  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
-2002:ce7c:92b4:2::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
-fe80::/64 dev eth0  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
-fe80::/64 dev eth1  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
+2002:ce7c:92b4:1::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
+2002:ce7c:92b4:2::/64 dev eth4  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
+fe80::/64 dev eth1  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev eth2  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth4  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
 <emphasis role="bold">default via ::192.88.99.1 dev sit1  metric 1  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
 gateway:~ # </programlisting></para>
       </blockquote>
 
-      <para>You will notice that sit1, eth0 and eth2 each have an IPv6 address
+      <para>You will notice that sit1, eth2 and eth4 each have an IPv6 address
       beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
       significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
       ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
       the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
       case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
       interface in INTERFACES, a subnet of 2<superscript>64</superscript>
-      addresses; in the case of eth0, 2002:ce7c:92b4:1::/64.</para>
+      addresses; in the case of eth2, 2002:ce7c:92b4:1::/64.</para>
 
       <para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
       the firewall to allow hosts conntected to eth2 and eth4 to automatically
@@ -232,7 +232,7 @@ interface eth4 {
       </note>
 
       <para>Here is the automatic IPv6 configuration on my server attached to
-      eth2:</para>
+      eth4:</para>
 
       <blockquote>
         <para><programlisting>webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 addr ls
@@ -281,7 +281,7 @@ ursa:~ #</programlisting></para>
 
       <para>Here is the resulting simple IPv6 Network:</para>
 
-      <graphic align="center" fileref="images/Network2008c.png" />
+      <graphic align="center" fileref="images/Network2009b.png" />
     </section>
 
     <section>
@@ -404,7 +404,7 @@ iface sit1 inet6 v4tunnel
 
       <para>That file produces the following IPv6 network.</para>
 
-      <graphic align="center" fileref="images/Network2009b.png" />
+      <graphic align="center" fileref="images/Network2008c.png" />
     </section>
 
     <section>
@@ -429,14 +429,15 @@ iface sit1 inet6 v4tunnel
       instructions above, you should have a completely functional IPv6
       network. Try:</para>
 
-      <programlisting><emphasis role="bold">ping6 2001:19f0:feee::dead:beef:cafe</emphasis>
+      <programlisting><emphasis role="bold">ping6 www.kame.net
+ping6 ipv6.chat.eu.freenode.net</emphasis>
 </programlisting>
 
-      <para>If that doesn't work from your firewall and from any local IPv6
-      systems that you have behind your firewall, do not go any further until
-      it does work. If you ask for help from the Shorewall team, the first
-      question we will ask is 'With Shorewall6 cleared, can you ping6
-      2001:19f0:feee::dead:beef:cafe?'.</para>
+      <para>If neither of those work from your firewall and from any local
+      IPv6 systems that you have behind your firewall, do not go any further
+      until one of them does work. If you ask for help from the Shorewall
+      team, the first question we will ask is 'With Shorewall6 cleared, can
+      you ping6 kame or freenode?'.</para>
 
       <para>The Shorewall6 configuration on my firewall is a very basic
       three-interface one.</para>
@@ -563,4 +564,4 @@ Ping(ACCEPT)     all             all
     commands as listed above. The systems in both IPv6 subnetworks can now
     talk to each other using IPv6.</para>
   </section>
-</article>
+</article>

docs/Build.xml

@@ -305,14 +305,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>S</term>
-
-                <listitem>
-                  <para>sign the packages using GnuPg</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>c</term>
 
@@ -382,15 +374,16 @@
     </section>
 
     <section>
-      <title>upload</title>
+      <title>upload44</title>
 
       <para>This script is used to upload a release to lists.shorewall.net.
       The command is run in the build directory for the major release of the
       product.</para>
 
       <blockquote>
-        <para><command>upload</command> [ -<replaceable>products</replaceable>
-        ] <replaceable>release</replaceable></para>
+        <para><command>upload44</command> [
+        -<replaceable>products</replaceable> ]
+        <replaceable>release</replaceable></para>
       </blockquote>
 
       <para>where</para>

docs/FAQ.xml

@@ -91,8 +91,8 @@
     </section>
 
     <section id="faq75">
-      <title>(FAQ 75) I can't find the Shorewall 4.x shorewall-common RPM.
-      Where is it?</title>
+      <title>(FAQ 75) I can't find the Shorewall 4.0 (or 4.2) shorewall-common
+      RPM. Where is it?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> If you use Simon Matter's
       Redhat/Fedora/CentOS rpms, be aware that Simon calls the
@@ -118,15 +118,15 @@
     <title>Upgrading Shorewall</title>
 
     <section id="faq66">
-      <title>(FAQ 66) I'm trying to upgrade to Shorewall 4.x; where is the
-      'shorewall' package?</title>
+      <title>(FAQ 66) I'm trying to upgrade to Shorewall 4.0 (or 4.2); where
+      is the 'shorewall' package?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> Please see the <ulink
       url="upgrade_issues.htm">upgrade issues.</ulink></para>
 
       <section id="faq66a">
-        <title>(FAQ 66a) I'm trying to upgrade to Shorewall 4.x; do I have to
-        uninstall the 'shorewall' package?</title>
+        <title>(FAQ 66a) I'm trying to upgrade to Shorewall 4.0 (or 4.2); do I
+        have to uninstall the 'shorewall' package?</title>
 
         <para><emphasis role="bold">Answer:</emphasis> Please see the <ulink
         url="upgrade_issues.htm">upgrade issues.</ulink></para>
@@ -539,6 +539,13 @@ REDIRECT        net           22          tcp          9022</programlisting>
       you use ACCEPT unless you need to hijack connections as they go through
       your firewall and handle them on the firewall box itself; in that case,
       you use a REDIRECT rule.</para>
+
+      <note>
+        <para>The preceding answer should <emphasis>not</emphasis> be
+        interpreted to mean that DNAT can only be used in conjunction with
+        SNAT. But in common configurations using private local addresses, that
+        is the most common usage.</para>
+      </note>
     </section>
 
     <section id="faq8">
@@ -1100,6 +1107,25 @@ to debug/develop the newnat interface.</programlisting></para>
           will not prevent the above message from being issued.</para>
         </note></para>
     </section>
+
+    <section id="faq85">
+      <title>(FAQ 85) Shorewall is rejecting connections from my local lan
+      because it thinks they are coming from the 'net' zone.</title>
+
+      <para>I'm seeing this in my log:</para>
+
+      <programlisting>Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00
+                                       SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF
+                                       PROTO=UDP SPT=53289 DPT=53 LEN=37</programlisting>
+
+      <para><emphasis role="bold">Answer</emphasis>: This occurs when the
+      external interface and an internal interface are connected to the same
+      switch or hub. See <ulink url="FoolsFirewall.html">this article</ulink>
+      for details. The solution is to never connect more than one firewall
+      interface to the same hub or switch (an obvious exception is that when
+      you have a switch that supports VLAN tagging and the interfaces are
+      associated with different VLANs).</para>
+    </section>
   </section>
 
   <section id="Logging">
@@ -1890,16 +1916,16 @@ iptables: Invalid argument
       <para><command>/sbin/shorewall stop</command> places the firewall in a
       <firstterm>safe state</firstterm>, the details of which depend on your
       <filename>/etc/shorewall/routestopped</filename> file (<ulink
-      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(8))
+      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5))
       and on the setting of ADMINISABSENTMINDED in
       <filename>/etc/shorewall/shorewall.conf</filename> (<ulink
-      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8)).</para>
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
 
       <para><command>/etc/init.d/shorewall stop</command> may or may not do
       the same thing. In the case of <trademark>Debian</trademark> systems for
       example, that command actually executes <command>/sbin/shorewall
       clear</command> which opens the firewall completely. In other words, in
-      the init script's <command>stop</command> reverses the effect of
+      the init script, <command>stop</command> reverses the effect of
       <command>start</command>.</para>
 
       <para>One way to avoid these differences is to install Shorewall from
@@ -2153,42 +2179,6 @@ We have an error talking to the kernel
       url="http://linuxman.wikispaces.com/Clustering+Shorewall">This article
       by Paul Gear</ulink> should help you get started.</para>
     </section>
-
-    <section id="faq80">
-      <title>(FAQ 80) Does Shorewall support IPV6?</title>
-
-      <para>Answer: <ulink url="IPv6Support.html">Shorewall IPv6
-      support</ulink> is currently available in Shorewall 4.2.4 and
-      later.</para>
-
-      <section id="faq80a">
-        <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24
-        or later?</title>
-
-        <para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
-        stateful firewall which requires connection tracking be present in
-        ip6tables and in the kernel. Linux kernel's before 2.6.20 didn't
-        support connection tracking for IPv6. So we could not even start to
-        develop Shorewall IPv6 support until 2.6.20 and there were significant
-        problems with the facility until at least kernel 2.6.23. When
-        distributions began offering IPv6 connection tracking support, it was
-        with kernel 2.6.25. So that is what we developed IPv6 support on and
-        that's all that we initially tested on. Subsequently, we have tested
-        Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running
-        2.6.20 or later, you can <emphasis role="bold">try</emphasis> to run
-        Shorewall6 by hacking<filename>
-        /usr/share/shorewall/prog.footer6</filename> and changing the kernel
-        version test to check for your kernel version rather than 2.6.24
-        (20624). But after that, you are on your own.</para>
-
-        <programlisting>kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2&gt; /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
-if [ $kernel -lt <emphasis role="bold">20624</emphasis> ]; then
-    error_message "ERROR: $PRODUCT requires Linux kernel <emphasis role="bold">2.6.24</emphasis> or later"
-    status=2
-else 
- </programlisting>
-      </section>
-    </section>
   </section>
 
   <section id="ALIASES">
@@ -2303,6 +2293,42 @@ rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
   <section id="faq40">
     <title>IPv6</title>
 
+    <section id="faq80">
+      <title>(FAQ 80) Does Shorewall support IPV6?</title>
+
+      <para>Answer: <ulink url="IPv6Support.html">Shorewall IPv6
+      support</ulink> is currently available in Shorewall 4.2.4 and
+      later.</para>
+
+      <section id="faq80a">
+        <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24
+        or later?</title>
+
+        <para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
+        stateful firewall which requires connection tracking be present in
+        ip6tables and in the kernel. Linux kernels before 2.6.20 didn't
+        support connection tracking for IPv6. So we could not even start to
+        develop Shorewall IPv6 support until 2.6.20 and there were significant
+        problems with the facility until at least kernel 2.6.23. When
+        distributions began offering IPv6 connection tracking support, it was
+        with kernel 2.6.25. So that is what we developed IPv6 support on and
+        that's all that we initially tested on. Subsequently, we have tested
+        Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running
+        2.6.20 or later, you can <emphasis role="bold">try</emphasis> to run
+        Shorewall6 by hacking<filename>
+        /usr/share/shorewall/prog.footer6</filename> and changing the kernel
+        version test to check for your kernel version rather than 2.6.24
+        (20624). But after that, you are on your own.</para>
+
+        <programlisting>kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2&gt; /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+if [ $kernel -lt <emphasis role="bold">20624</emphasis> ]; then
+    error_message "ERROR: $PRODUCT requires Linux kernel <emphasis role="bold">2.6.24</emphasis> or later"
+    status=2
+else 
+ </programlisting>
+      </section>
+    </section>
+
     <section>
       <title>(FAQ 40) I have an interface that gets its IPv6 configuration
       from radvd. When I start Shorewall6, I immediately loose my default

docs/Introduction.xml

@@ -412,11 +412,11 @@ ACCEPT     net           $FW       tcp        22</programlisting>
 
       <listitem>
         <para><emphasis role="bold">Shorewall6-lite</emphasis>. Shorewall
-        allows for central administration of multiple IPv4 firewalls through
-        use of Shorewall lite. The full Shorewall product is installed on a
-        central administrative system where compiled Shorewall scripts are
-        generated. These scripts are copied to the firewall systems where they
-        run under the control of Shorewall-lite.</para>
+        allows for central administration of multiple IPv6 firewalls through
+        use of Shorewall6 lite. The full Shorewall and Shorewall6 products are
+        installed on a central administrative system where compiled Shorewall
+        scripts are generated. These scripts are copied to the firewall
+        systems where they run under the control of Shorewall6-lite.</para>
       </listitem>
     </orderedlist>
   </section>

docs/MultiISP.xml

@@ -235,9 +235,22 @@
 
               <listitem>
                 <para>Use mark values &gt; 255 for provider marks in this
-                column. These mark values must be a multiple of 256 in the
-                range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
-                low-order 8 bits being zero).</para>
+                column. </para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>These mark values must be a multiple of 256 in the
+                    range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
+                    low-order 8 bits being zero); or</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Set WIDE_TC_MARKS=Yes in <ulink
+                    url="manpages/shorewall.conf.html">shorewall.conf
+                    </ulink>(5) and use mark values in the range 0x10000 -
+                    0xFF0000 with the low-order 16 bits being zero.</para>
+                  </listitem>
+                </itemizedlist>
               </listitem>
             </itemizedlist>
 
@@ -265,10 +278,10 @@
 
           <listitem>
             <para>The name of the interface to the provider. Where multiple
-            providers share the same interface (which is not recommended), you
-            must follow the name of the interface by a colon (":") and the IP
-            address assigned by this provider (e.g., eth0:206.124.146.176).
-            See <link linkend="Shared">below</link> for additional
+            providers share the same interface, you must follow the name of
+            the interface by a colon (":") and the IP address assigned by this
+            provider (e.g., eth0:206.124.146.176). See <link
+            linkend="Shared">below</link> for additional
             considerations.</para>
 
             <para>The interface must have been previously defined in <ulink
@@ -618,8 +631,9 @@
 
         <listitem>
           <para>Once routing determines where the packet is to go, the
-          firewall (Shorewall) determines if the packet is allowed to go
-          there.</para>
+          firewall (Shorewall) determines if the packet is allowed to go there
+          and controls rewriting of the SOURCE IP address
+          (SNAT/MASQUERADE).</para>
         </listitem>
       </orderedlist>
 
@@ -655,7 +669,7 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
       internal subnetwork.</para>
 
       <para>If you have multiple IP addresses on one of your interfaces, you
-      can use a similar technique -- simple exclude the smallest network that
+      can use a similar technique -- simplY exclude the smallest network that
       contains all of those addresses from being masqueraded.</para>
 
       <warning>

docs/OPENVPN.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article id="OPENVPN">
-  <!--$Id$-->
+  <!--Id$-->
 
   <articleinfo>
     <title>OpenVPN Tunnels and Bridges</title>
@@ -420,7 +420,7 @@ verb 3</programlisting>
     <orderedlist>
       <listitem>
         <para>Include the <emphasis role="bold">client-to-client</emphasis>
-        directive in the server's OpenVPN configuration; and</para>
+        directive in the server's OpenVPN configuration; or</para>
       </listitem>
 
       <listitem>
@@ -429,11 +429,6 @@ verb 3</programlisting>
         url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.</para>
       </listitem>
     </orderedlist>
-
-    <para>If you want to selectively allow communication between the clients,
-    then see <ulink
-    url="http://marc.zonzon.free.fr/public_html/home.php?section=WRTMemo&amp;subsec=vpnwithshorewall">this
-    article</ulink> by Marc Zonzon</para>
   </section>
 
   <section>

docs/shorewall_prerequisites.xml

@@ -59,7 +59,11 @@
         <para>Iproute (<quote>ip</quote> and "tc" utilities). The iproute
         package is included with most distributions but may not be installed
         by default. The official download site is <ulink type="remote"
-        url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink>.</para>
+        url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink>.
+        Note that the Busybox versions of the iproute2 utilities
+        (<firstterm>ip</firstterm> and <firstterm>tc</firstterm>) do not
+        support all of the features required for advanced Shorewall
+        use.</para>
       </listitem>
 
       <listitem>
@@ -97,9 +101,9 @@
 
         <itemizedlist>
           <listitem>
-            <para> If you want to be able to use DNS names in your Shorewall6
+            <para>If you want to be able to use DNS names in your Shorewall6
             configuration files, then Perl 5.10 is required together with the
-            Perl Socket6 module. </para>
+            Perl Socket6 module.</para>
           </listitem>
 
           <listitem>

docs/support.xml

@@ -262,7 +262,10 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
           <listitem>
             <para>Be sure that the LOGFILE setting in<filename>
             /etc/shorewall/shorewall.conf</filename> is correct (that it names
-            the file where 'Shorewall' messages are being logged).</para>
+            the file where 'Shorewall' messages are being logged). See <ulink
+            url="manpages/shorewall.conf.html">shorewall.conf </ulink>(5) and
+            the <ulink url="shorewall_logging.html">Shorewall Logging
+            Article</ulink>.</para>
           </listitem>
 
           <listitem>

docs/three-interface.xml

@@ -350,6 +350,14 @@ $FW        net         ACCEPT</programlisting>
     those policies should be <ulink url="shorewall_logging.html">logged at
     that level</ulink>.</para>
 
+    <para>Some people want to consider their firewall to be part of their
+    local network from a security perspective. If you want to do this, add
+    these two policies:</para>
+
+    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+loc        $FW         ACCEPT
+$FW        loc         ACCEPT</programlisting>
+
     <para>It is important to note that Shorewall policies (and rules) refer to
     <emphasis role="bold">connections</emphasis> and not packet flow. With the
     policies defined in the <filename
@@ -1127,4 +1135,4 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
     url="starting_and_stopping_shorewall.htm">Operating Shorewall and
     Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
   </section>
-</article>
+</article>

docs/traffic_shaping.xml

@@ -1493,7 +1493,7 @@ ppp0            4       90kbit          200kbit         3           default
 eth0            1       100kbit         500kbit         1           tcp-ack
 eth0            2       3mbit           6mbit           2
 eth0            3       3mbit           6mbit           3
-eth0            4       94mbit          full            default #for local traffic</programlisting></para>
+eth0            4       94mbit          full            4           default #for local traffic</programlisting></para>
 
     <para>/etc/shorewall/tcrules:<programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)
@@ -2038,4 +2038,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
     <para>At least one Shorewall user has found this tool helpful: <ulink
     url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
   </section>
-</article>
+</article>

docs/two-interface.xml

@@ -323,8 +323,6 @@ $FW        net         ACCEPT</programlisting> The above policy will:
     rejected under those policies should be <ulink
     url="shorewall_logging.html">logged at that level</ulink>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-
     <para>It is important to note that Shorewall policies (and rules) refer to
     <emphasis role="bold">connections</emphasis> and not packet flow. With the
     policies defined in the <filename
@@ -333,6 +331,16 @@ $FW        net         ACCEPT</programlisting> The above policy will:
     <emphasis>net</emphasis> zone even though connections are not allowed from
     the <emphasis>loc</emphasis> zone to the firewall itself.</para>
 
+    <para>Some people want to consider their firewall to be part of their
+    local network from a security perspective. If you want to do this, add
+    these two policies:</para>
+
+    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+loc        $FW         ACCEPT
+$FW        loc         ACCEPT</programlisting>
+
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+
     <para>At this point, edit your <filename
     class="directory">/etc/shorewall/</filename><filename>policy</filename>
     and make any changes that you wish.</para>
@@ -1134,4 +1142,4 @@ eth0                 wlan0</programlisting>
     requires the rules listed in the <ulink url="samba.htm">Shorewall/Samba
     documentation</ulink>.</para>
   </section>
-</article>
+</article>