4.4.1.2

Samples/one-interface/shorewall.conf

@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=On
+IP_FORWARDING=Off
 
 ADD_IP_ALIASES=Yes
 

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.0
+%define version 4.4.1
 %define release 2
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,10 +98,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Aug 28 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-2
+- Updated to 4.4.1-2
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+- Updated to 4.4.1-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,27 +35,16 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Called by the compiler to [re-]initialize this module's state
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
 #
-
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Accounting
 #

Shorewall/Perl/Shorewall/Actions.pm

@@ -56,7 +56,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -91,15 +91,15 @@ our $family;
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function or when compiling
+#
-#                       for IPv6.
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
 
     $family          = shift;
@@ -113,10 +113,6 @@ sub initialize( $ ) {
     %macros          = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # This function determines the logging for a subordinate action or a rule within a superior action
 #

Shorewall/Perl/Shorewall/Chains.pm

@@ -71,6 +71,7 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
+				       initialize_chain_table
 				       add_commands
 				       move_rules
 				       move_rules1
@@ -111,7 +112,6 @@ our %EXPORT_TAGS = (
 				       new_builtin_chain
 				       new_nat_chain
 				       ensure_filter_chain
-				       initialize_chain_table
 				       finish_section
 				       setup_zone_mss
 				       newexclusionchain
@@ -166,7 +166,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 #
 # Chain Table
@@ -298,15 +298,15 @@ our %builtin_target = ( ACCEPT   => 1,
 			REDIRECT => 1 );
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function or when compiling
+#
-#                       for IPv6.
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
 
@@ -359,10 +359,6 @@ sub initialize( $ ) {
 
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Process a COMMENT line (in $currentline)
 #
@@ -417,9 +413,10 @@ sub decr_cmd_level( $ ) {
 
 sub add_commands ( $$;@ ) {
     my $chainref    = shift @_;
+    my $indentation = '    ' x $chainref->{cmdlevel};
 
     for ( @_ ) {
-	push @{$chainref->{rules}}, join ('', '    ' x $chainref->{cmdlevel} , $_ );
+	push @{$chainref->{rules}}, join ('', $indentation , $_ );
     }
 
     $chainref->{referenced} = 1;
@@ -444,55 +441,22 @@ sub push_rule( $$ ) {
 }
 
 #
-# Post-process a rule having an sport list. Split the rule into multiple rules if necessary
+# Post-process a rule having a port list. Split the rule into multiple rules if necessary
 # to work within the 15-element limit imposed by iptables/Netfilter.
 #
-
+# The third argument ($dport) indicates what type of list we are spltting:
-sub handle_sport_list( $$$$$ ) {
-    my ($chainref, $rule, $first, $ports, $rest) = @_;
-
-    if ( port_count( $ports ) > 15 ) {
 #
-	# More than 15 ports specified
+#      $dport == 1     Destination port list
+#      $dport == 0     Source port list
 #
-	my @ports = split '([,:])', $ports;
+# When expanding a Destination port list, each resulting rule is checked for the presence
-
+# of a Source port list; if one is present, the function calls itself recursively with
-	while ( @ports ) {
+# $dport == 0.
-	    my $count = 0;
-	    my $newports = '';
-
-	    while ( @ports && $count < 15 ) {
-		my ($port, $separator) = ( shift @ports, shift @ports );
-
-		$separator ||= '';
-
-		if ( ++$count == 15 ) {
-		    if ( $separator eq ':' ) {
-			unshift @ports, $port, ':';
-			chop $newports;
-			last;
-		    } else {
-			$newports .= $port;
-		    }	
-		} else {
-		    $newports .= "${port}${separator}";
-		}
-	    }
-
-	    push_rule ( $chainref, join( '', $first, $newports, $rest ) );
-	}
-    } else {
-	push_rule ( $chainref, $rule );
-    }
-}
-
-#
-# Post-process a rule having an dport list. Split the rule into multiple rules if necessary
-# to work within the 15-element limit imposed by iptables/Netfilter.
 #
+sub handle_port_list( $$$$$$ );
 
-sub handle_dport_list( $$$$$ ) {
+sub handle_port_list( $$$$$$ ) {
-    my ($chainref, $rule, $first, $ports, $rest) = @_;
+    my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
 
     if ( port_count( $ports ) > 15 ) {
 	#
@@ -524,14 +488,14 @@ sub handle_dport_list( $$$$$ ) {
 
 	    my $newrule = join( '', $first, $newports, $rest );
 
-	    if ( $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+	    if ( $dport && $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-		handle_sport_list( $chainref, $newrule, $1, $2, $3 );
+		handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
 	    } else {
 		push_rule ( $chainref, $newrule );
 	    }
 	}
-    } elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+    } elsif ( $dport && $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-	handle_sport_list( $chainref, $rule, $1, $2, $3 );
+	handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
     } else {
 	push_rule ( $chainref, $rule );
     }
@@ -561,12 +525,12 @@ sub add_rule($$;$)
 	    #
 	    # Rule has a --dports specification
 	    #
-	    handle_dport_list( $chainref, $rule, $1, $2, $3 )
+	    handle_port_list( $chainref, $rule, 1, $1, $2, $3 )
 	} elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
 	    #
 	    # Rule has a --sports specification
 	    #
-	    handle_sport_list( $chainref, $rule, $1, $2, $3 )
+	    handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
 	} else {
 	    push_rule ( $chainref, $rule );
 	}
@@ -785,9 +749,12 @@ sub use_input_chain($) {
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
-    # We must use the interfaces's chain if the interface is associated with multiple zone nets or
+    # We must use the interfaces's chain if:
-    # if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain
+    #
-    # run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
+    # - the interface is associated with multiple zone nets; or
+    # - the interface has the 'upnpclient' option.
+    #
+    # In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
     #
     return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
     #
@@ -1010,9 +977,7 @@ sub ensure_mangle_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'mangle', $chain;
-
     $chainref->{referenced} = 1;
-
     $chainref;
 }
 
@@ -1020,9 +985,7 @@ sub ensure_nat_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'nat', $chain;
-
     $chainref->{referenced} = 1;
-
     $chainref;
 }
 
@@ -1076,7 +1039,8 @@ sub ensure_manual_chain($) {
 }
 
 #
-# Add all builtin chains to the chain table
+# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
+# The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
 #
 sub initialize_chain_table()
@@ -1214,7 +1178,6 @@ sub finish_chain_section ($$) {
 	}
 
 	$chainref->{new} = @{$chainref->{rules}};
-
     }
 
     $comment = $savecomment;
@@ -1358,6 +1321,8 @@ sub port_count( $ ) {
 #
 # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
 #
+# If the optional argument is true, port lists > 15 result in a fatal error.
+#
 sub do_proto( $$$;$ )
 {
     my ($proto, $ports, $sports, $restricted ) = @_;
@@ -1851,8 +1816,8 @@ sub match_source_net( $;$ ) {
 
     $restriction |= NO_RESTRICT;
 
-    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
+    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
-	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
+	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -1878,8 +1843,8 @@ sub match_source_net( $;$ ) {
 sub match_dest_net( $ ) {
     my $net = $_[0];
 
-    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
+    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
-	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
+	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -2938,14 +2903,10 @@ sub create_netfilter_load( $ ) {
 
     my @table_list;
 
-    if ( $family == F_IPV4 ) {
     push @table_list, 'raw'    if $capabilities{RAW_TABLE};
     push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
     push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
     push @table_list, 'filter';
-    } else {
-	@table_list = qw( raw mangle filter );
-    }
 
     $mode = NULL_MODE;
 
@@ -3168,14 +3129,10 @@ sub create_stop_load( $ ) {
 
     my @table_list;
 
-    if ( $family == F_IPV4 ) {
     push @table_list, 'raw'    if $capabilities{RAW_TABLE};
     push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
     push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
     push @table_list, 'filter';
-    } else {
-	@table_list = qw( raw mangle filter );
-    }
 
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,20 +43,18 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 our $export;
 
 our $test;
 
-our $reused = 0;
+our $family;
-
-our $family = F_IPV4;
 
 #
-# Reinitilize the package-globals in the other modules
+# Initilize the package-globals in the other modules
 #
-sub reinitialize() {
+sub initialize_package_globals() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -79,11 +77,11 @@ sub reinitialize() {
 #
 sub generate_script_1() {
 
-    my $date = localtime;
-
     if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
     } else {
+	my $date = localtime;
+
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
@@ -572,14 +570,17 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    reinitialize if $reused++ || $family == F_IPV6;
+    #
+    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
+    #
+    initialize_package_globals;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbose( $verbosity );
+    set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -588,6 +589,8 @@ sub compiler {
     #
     get_configuration( $export );
 
+    initialize_chain_table;
+
     report_capabilities;
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@@ -595,12 +598,11 @@ sub compiler {
     require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
+    if ( $objectfile ) {
-
+	set_command( 'compile', 'Compiling', 'Compiled' );
-    initialize_chain_table;
-
-    unless ( $command eq 'check' ) {
 	create_temp_object( $objectfile , $export );
+    } else {
+	set_command( 'check', 'Checking', 'Checked' );
     }
 
     #
@@ -641,7 +643,7 @@ sub compiler {
 
     enable_object;
 
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
 	#
 	# Place Header in the object
 	#
@@ -681,7 +683,7 @@ sub compiler {
     #
     setup_zone_mss;
 
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
@@ -694,8 +696,7 @@ sub compiler {
     #
     enable_object;
 
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
-
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -713,7 +714,7 @@ sub compiler {
     #
     setup_tc;
 
-    unless ( $command eq 'check' ) {
+    if ( $objectfile ) {
 	pop_indent;
 	emit "}\n";
     }
@@ -774,15 +775,9 @@ sub compiler {
     #
     setup_accounting;
 
-    if ( $command eq 'check' ) {
+    if ( $objectfile ) {
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
-    } else {
 	#
-	# Generate the zone x zone matrix
+	# Generate the zone by zone matrix
 	#
 	generate_matrix;
 
@@ -826,6 +821,12 @@ sub compiler {
 	# And generate the auxilary config file
 	#
 	enable_object, generate_aux_config if $export;
+    } else {
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -72,7 +72,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 				       save_progress_message
 				       save_progress_message_short
 				       set_timestamp
-				       set_verbose
+				       set_verbosity
 				       set_log
 				       close_log
 				       set_command
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_1';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -136,11 +136,11 @@ our ($command, $doing, $done );
 #
 # VERBOSITY
 #
-our $verbose;
+our $verbosity;
 #
 # Logging
 #
-our ( $log, $log_verbose );
+our ( $log, $log_verbosity );
 #
 # Timestamp each progress message, if true.
 #
@@ -241,6 +241,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOG_TARGET      => 'LOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
+		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@@ -284,13 +285,14 @@ use constant { MIN_VERBOSITY => -1,
 our %validlevels;             # Valid log levels.
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function and when compiling
+#
-#                       for IPv6.
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
     $family = shift;
@@ -301,11 +303,9 @@ sub initialize( $ ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES );
     }
 
-    ( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
+    $verbosity = 0;            # Verbosity setting. -1 = silent, 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
-
-    $verbose = 0;              # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
     $log = undef;              # File reference for log file
-    $log_verbose = -1;         # Verbosity of log.
+    $log_verbosity = -1;       # Verbosity of log.
     $timestamp = '';           # If true, we are to timestamp each progress message
     $object = 0;               # Object (script) file Handle Reference
     $object_enabled = 0;       # Object (script) file Handle Reference
@@ -327,8 +327,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.0.2",
+		    VERSION => "4.4.1.2",
-		    CAPVERSION => 40310 ,
+		    CAPVERSION => 40401 ,
 		  );
 
     #
@@ -613,6 +613,7 @@ sub initialize( $ ) {
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
+	       PERSISTENT_SNAT => undef,
 	       CAPVERSION => undef,
 	       );
     #
@@ -640,7 +641,6 @@ sub initialize( $ ) {
 }
 
 INIT {
-    initialize( F_IPV4 );
     #
     # These variables appear within single quotes in shorewall.conf -- add them to ENV
     # so that read_a_line doesn't have to be smart enough to parse that usage.
@@ -661,7 +661,7 @@ sub warning_message
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
     our @localtime;
 
-    $| = 1;
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
 
     if ( $log ) {
 	@localtime = localtime;
@@ -676,7 +676,22 @@ sub warning_message
 	print $log   "   WARNING: @_$currentlineinfo\n" if $log;
     }
 
-    $| = 0;
+    $| = 0; #Re-allow output buffering
+}
+
+sub cleanup() {
+    #
+    # Close files first in case we're running under Cygwin
+    #
+    close  $object, $object = undef         if $object;
+    close  $scriptfile, $scriptfile = undef if $scriptfile;
+    close  $log, $log = undef               if $log;
+    #
+    # Unlink temporary files
+    #
+    unlink ( $tempfile ), $tempfile = undef             if $tempfile;
+    unlink ( $scriptfilename ), $scriptfilename = undef if $scriptfilename;
+    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
 }
 
 #
@@ -686,7 +701,7 @@ sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
 
-    $| = 1;
+    $| = 1; #Reset output buffering (flush any partially filled buffers).
 
     if ( $log ) {
 	our @localtime = localtime;
@@ -702,6 +717,7 @@ sub fatal_error	{
 	$log = undef;
     }
 
+    cleanup;
     confess "   ERROR: @_$currentlineinfo" if $debug;
     die "   ERROR: @_$currentlineinfo\n";
 }
@@ -723,6 +739,7 @@ sub fatal_error1	{
 	$log = undef;
     }
 
+    cleanup;
     confess "   ERROR: @_" if $debug;
     die "   ERROR: @_\n";
 }
@@ -854,14 +871,14 @@ sub set_timestamp( $ ) {
 }
 
 #
-# Set $verbose
+# Set $verbosity
 #
-sub set_verbose( $ ) {
+sub set_verbosity( $ ) {
-    $verbose = shift;
+    $verbosity = shift;
 }
 
 #
-# Set $log and $log_verbose
+# Set $log and $log_verbosity
 #
 sub set_log ( $$ ) {
     my ( $l, $v ) = @_;
@@ -869,16 +886,16 @@ sub set_log ( $$ ) {
     if ( defined $v ) {
 	my $value = numeric_value( $v );
 	fatal_error "Invalid Log Verbosity ( $v )" unless defined($value) && ( $value >= -1 ) && ( $value <= 2);
-	$log_verbose = $value;
+	$log_verbosity = $value;
     }
 
-    if ( $l && $log_verbose >= 0 ) {	
+    if ( $l && $log_verbosity >= 0 ) {
 	unless ( open $log , '>>' , $l ) {
 	    $log = undef;
 	    fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!";
 	}
     } else {
-	$log_verbose = -1;
+	$log_verbosity = -1;
     }
 }
 
@@ -902,17 +919,17 @@ sub timestamp() {
 }
 
 #
-# Write a message if $verbose >= 2
+# Write a message if $verbosity >= 2
 #
 sub progress_message {
     my $havelocaltime = 0;
 
-    if ( $verbose > 1 || $log_verbose > 1 ) {
+    if ( $verbosity > 1 || $log_verbosity > 1 ) {
 	my $line = "@_";
 	my $leading = $line =~ /^(\s+)/ ? $1 : '';
 	$line =~ s/\s+/ /g;
 
-	if ( $verbose > 1 ) {
+	if ( $verbosity > 1 ) {
 	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
@@ -921,7 +938,7 @@ sub progress_message {
 	    print "${leading}${line}\n";
 	}
 
-	if ( $log_verbose > 1 ) {
+	if ( $log_verbosity > 1 ) {
 	    our @localtime;
 
 	    @localtime = localtime unless $havelocaltime;
@@ -935,12 +952,12 @@ sub progress_message {
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
-    if ( $verbose > 1 ) {
+    if ( $verbosity > 1 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbose > 1 ) {
+    if ( $log_verbosity > 1 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime;
@@ -951,17 +968,17 @@ sub progress_message_nocompress {
 }
 
 #
-# Write a message if $verbose >= 1
+# Write a message if $verbosity >= 1
 #
 sub progress_message2 {
     my $havelocaltime = 0;
 
-    if ( $verbose > 0 ) {
+    if ( $verbosity > 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbose > 0 ) {
+    if ( $log_verbosity > 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime;
@@ -972,17 +989,17 @@ sub progress_message2 {
 }
 
 #
-# Write a message if $verbose >= 0
+# Write a message if $verbosity >= 0
 #
 sub progress_message3 {
     my $havelocaltime = 0;
 
-    if ( $verbose >= 0 ) {
+    if ( $verbosity >= 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbose >= 0 ) {
+    if ( $log_verbosity >= 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime;
@@ -1114,7 +1131,7 @@ sub create_temp_object( $$ ) {
     my $suffix;
 
     if ( $objectfile eq '-' ) {
-	$verbose = -1;
+	$verbosity = -1;
 	$object = undef;
 	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
@@ -1125,7 +1142,7 @@ sub create_temp_object( $$ ) {
 	( $file, $dir, $suffix ) = fileparse( $objectfile );
     };
 
-    die if $@;
+    cleanup, die if $@;
 
     fatal_error "$dir is a Symbolic Link"        if -l $dir;
     fatal_error "Directory $dir does not exist"  unless -d _;
@@ -1171,7 +1188,7 @@ sub create_temp_aux_config() {
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
-    die if $@;
+    cleanup, die if $@;
 }
 
 #
@@ -1406,6 +1423,11 @@ sub pop_open() {
     pop_include;
 }
 
+#
+# This function is called by in-line PERL to generate a line of input for the current file.
+# If the in-line PERL returns an indication of success, then the generated lines will be
+# processed as regular file input.
+#
 sub shorewall {
     unless ( $scriptfile ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;
@@ -1585,6 +1607,10 @@ sub read_a_line() {
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
 	    if ( $first_entry ) {
+		#
+		# $first_entry can contain either a function reference or a message. If it
+		# contains a reference, call the function -- otherwise issue the message
+		#
 		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
 		$first_entry = 0;
 	    }
@@ -1817,7 +1843,7 @@ sub report_capability( $ ) {
 }
 
 sub report_capabilities() {
-    if ( $verbose > 1 ) {
+    if ( $verbosity > 1 ) {
 	print "Shorewall has detected the following capabilities:\n";
 
 	for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
@@ -1923,6 +1949,14 @@ sub determine_capabilities( $ ) {
 
     $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
 
+    if ( $capabilities{NAT_ENABLED} ) {
+	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
+	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
+	    qt1( "$iptables -t NAT -F $sillyname" );
+	    qt1( "$iptables -t NAT -X $sillyname" );
+	}
+    }
+
     $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
 
     qt1( "$iptables -N $sillyname" );
@@ -2423,7 +2457,8 @@ sub get_configuration( $ ) {
     default 'ACCEPT_DEFAULT'        , 'none';
     default 'OPTIMIZE'              , 0;
 
-    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones';
+    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec';
+    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}"                    unless $config{IPSECFILE} eq 'zones';
 
     for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
@@ -2433,7 +2468,6 @@ sub get_configuration( $ ) {
 
     fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
 
-    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones';
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -2466,7 +2500,7 @@ sub get_configuration( $ ) {
 	    ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} );
 	};
 
-	die $@ if $@;
+	cleanup, die $@ if $@;
 
 	fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless $export or -d $dir;
     } else {
@@ -2641,18 +2675,7 @@ sub generate_aux_config() {
 }
 
 END {
-    #
+    cleanup;
-    # Close files first in case we're running under Cygwin
-    #
-    close  $object         if $object;
-    close  $scriptfile     if $scriptfile;
-    close  $log            if $log;
-    #
-    # Unlink temporary files
-    #
-    unlink $tempfile       if $tempfile;
-    unlink $scriptfilename if $scriptfilename;
-    unlink $_ for @tempfiles; 
 }
 
 1;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
+	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
-	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -72,21 +72,27 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $family;
+our $allip;
+our @allip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
+	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
@@ -101,23 +107,10 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
+
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Note: initialize() is declared at the bottom of the file
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
 #
-
-sub initialize( $ ) {
-    $family = shift;
-}
-
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -398,7 +391,6 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
-    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -614,7 +606,6 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
-    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -629,31 +620,63 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    $allip;
 }
 
 sub allip() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    @allip;
 }
 
 sub valid_address ( $ ) {
-    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
+    $valid_address->(@_);
 }
 
 sub validate_address ( $$ ) {
-    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
+    $validate_address->(@_);
 }
 
 sub validate_net ( $$ ) {
-    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
+    $validate_net->(@_);
 }
 
 sub validate_range ($$ ) {
-    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
+    $validate_range->(@_);
 }
 
 sub validate_host ($$ ) {
-    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
+    $validate_host->(@_);
+}
+
+#
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
+#
+sub initialize( $ ) {
+    my $family = shift;
+
+    if ( $family == F_IPV4 ) {
+	$allip            = ALLIPv4;
+	@allip            = @allipv4;
+	$valid_address    = \&valid_4address;
+	$validate_address = \&validate_4address;
+	$validate_net     = \&validate_4net;
+	$validate_range   = \&validate_4range;
+	$validate_host    = \&validate_4host;
+    } else {
+	$allip            = ALLIPv6;
+	@allip            = @allipv6;
+	$valid_address    = \&valid_6address;
+	$validate_address = \&validate_6address;
+	$validate_net     = \&validate_6net;
+	$validate_range   = \&validate_6range;
+	$validate_host    = \&validate_6host;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -29,7 +29,6 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -37,29 +36,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Called by the compiler
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
 #
-
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Handle IPSEC Options in a masq record
 #
@@ -178,7 +167,6 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
-
     #
     # Handle Mark
     #
@@ -216,6 +204,7 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
+	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -223,8 +212,11 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
+		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
 		$addresses =~ s/:random$//     and $randomize  = '--random ';
 
+		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
+
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
@@ -262,6 +254,7 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
+	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,29 +34,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Called by the compiler
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
 #
-
 sub initialize() {
     @policy_chains = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Convert a chain into a policy chain.
 #
@@ -356,7 +346,7 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -62,14 +62,15 @@ our $family;
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
 
@@ -89,10 +90,6 @@ sub initialize( $ ) {
     @providers = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Set up marking for 'tracked' interfaces.
 #

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,30 +35,27 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_1';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -41,11 +41,10 @@ our @EXPORT = qw( process_tos
 		  setup_mac_lists
 		  process_rules
 		  generate_matrix
-		  setup_mss
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 #
 # Set to one if we find a SECTION
@@ -64,14 +63,15 @@ my %rules_commands = ( COMMENT => 0,
 		       SECTION => 2 );
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     $sectioned = 0;
@@ -80,10 +80,6 @@ sub initialize( $ ) {
     @param_stack = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_1';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -163,6 +163,8 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
+#                              guarantee     => <total RATE of classes seen so far>
+#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -186,6 +188,7 @@ our $sticky;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
+#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -202,14 +205,15 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -223,10 +227,6 @@ sub initialize( $ ) {
     $sticky = 0;
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
@@ -529,6 +529,8 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
+			    guarantee     => 0,
+			    name          => $device,
 			  } ,
 
     push @tcdevices, $device;
@@ -538,8 +540,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$ ) {
+sub convert_rate( $$$$ ) {
-    my ($full, $rate, $column) = @_;
+    my ($full, $rate, $column, $max) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -553,7 +555,7 @@ sub convert_rate( $$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
 
     $rate;
 }
@@ -599,6 +601,7 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
+    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -631,6 +634,10 @@ sub validate_tc_class( ) {
     }
 
     my $full    = rate_to_kbit $devref->{out_bandwidth};
+    my $ratemax = $full;
+    my $ceilmax = $full;
+    my $ratename = 'OUT-BANDWIDTH';
+    my $ceilname = 'OUT-BANDWIDTH';
 
     my $tcref = $tcclasses{$device};
 
@@ -660,10 +667,14 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	my $parentref = $tcref->{$parentclass};
+	$parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
+	$ratemax  = $parentref->{rate};
+	$ratename = q(the parent class's RATE);
+	$ceilmax = $parentref->{ceiling};
+	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
@@ -673,19 +684,27 @@ sub validate_tc_class( ) {
 
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $full, $trate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
 	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
     } else {
-	$rate = convert_rate ( $full, $rate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
     }
 
+    if ( $parentref ) {
+	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
+    } else {
+	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
+    }
+
+    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+
     $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
+			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
 			       priority  => $prio eq '-' ? 1 : $prio ,
 			       mark      => $markval ,
 			       flow      => '' ,
@@ -693,6 +712,7 @@ sub validate_tc_class( ) {
 			       occurs    => 1,
 			       parent    => $parentclass,
 			       leaf      => 1,
+			       guarantee => 0,
 			     };
 
     $tcref = $tcref->{$classnumber};

Shorewall/Perl/Shorewall/Zones.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_1';
 
 #
 # IPSEC Option types
@@ -174,15 +174,15 @@ our %validinterfaceoptions;
 our %validhostoptions;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
+# Rather than initializing globals in an INIT block or during declaration,
-#                       the compiler to run multiple times in the same process. The
+# we initialize them in a function. This is done for two reasons:
-#                       initialize() function does globals initialization for this
+#
-#                       module and is called from an INIT block below. The function is
+#   1. Proper initialization depends on the address family which isn't
-#                       also called by Shorewall::Compiler::compiler at the beginning of
+#      known until the compiler has started.
-#                       the second and subsequent calls to that function or when compiling
+#
-#                       for IPv6.
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @zones = ();
@@ -250,10 +250,6 @@ sub initialize( $ ) {
     }
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Parse the passed option list and return a reference to a hash as follows:
 #
@@ -363,8 +359,8 @@ sub process_zone( \$ ) {
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
 
-    if ( $type =~ /ipv([46])?/i ) {
+    if ( $type =~ /^ip(v([46]))?$/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
 	$type = IP;
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
@@ -608,6 +604,7 @@ sub add_group_to_zone($$$$$)
     my @exclusions = ();
     my $new = \@newnetworks;
     my $switched = 0;
+    my $allip    = 0;
 
     for my $host ( @$networks ) {
 	$interfaces{$interface}{nets}++;
@@ -624,7 +621,11 @@ sub add_group_to_zone($$$$$)
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
-		$interfaces{$interface}{zone} = $zone if $host eq ALLIP;
+		if ( $host eq ALLIP ) {
+		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
+		    $interfaces{$interface}{zone} = $zone;
+		    $allip = 1;
+		}
 	    }
 	}
 
@@ -646,6 +647,8 @@ sub add_group_to_zone($$$$$)
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
     $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
 
+    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
+
     $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
 
     push @{$interfaceref}, { options => $options,
@@ -854,6 +857,8 @@ sub process_interface( $ ) {
 		    $value = "+${zone}_${interface}";
 		    $hostoptions{dynamic} = 1;
 		    $ipsets{"${zone}_${interface}"} = 1;
+		} else {
+		    $hostoptions{multicast} = 1;
 		}
 		#
 		# Convert into a Perl array reference
@@ -889,9 +894,15 @@ sub process_interface( $ ) {
 			        zone       => ''
 			      };
 
-    $nets = [ allip ] unless $nets; 
+    if ( $zone ) {
-
+	$nets ||= [ allip ];
-    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
+	add_group_to_zone( $zone, 
+			   $zoneref->{type}, 
+			   $interface, 
+			   [ IPv4_MULTICAST ], 
+			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
+    } 
 
     progress_message "  Interface \"$currentline\" Validated";
 

Shorewall/changelog.txt

@@ -1,19 +1,49 @@
+Changes in Shorewall 4.4.1.2
 
-Changes in Shorewall 4.4.0.2
+1)  Re-initialize chain table before generating 'stop_firewall()'
 
-1)  Fix MULTICAST=Yes and ACCEPT policy.
+Changes in Shorewall 4.4.1.1
 
-2)  Allow extension of zone definition with nets=.
+1)  Fixed detection of Persistent SNAT
 
-3)  Don't allow nets= in a multi-zone interface definition.
+2)  Fix compiler initialization fiasco.
 
-Changes in Shorewall 4.4.0.1
+Changes in Shorewall 4.4.1
 
-1)  Updated release versions.
+1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
 
-2)  Fix log level in rules at the end of INPUT and OUTPUT
+2)  Deleted superfluous export from Chains.pm.
 
-3)  Correct handling of nested IPSEC chains.
+3)  Added support for --persistent.
+
+4)  Don't do module initialization in an INIT block.
+
+5)  Minor performance improvements.
+
+6)  Add 'clean' target to Makefile.
+
+7)  Redefine 'full' for sub-classes.
+
+8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
+
+9)  Fix nested ipsec zones.
+
+10) Change one-interface sample to IP_FORWARDING=Off.
+
+11) Allow multicast to non-dynamic zones defined with nets=.
+
+12) Allow zones with nets= to be extended by /etc/shorewall/hosts
+    entries.
+
+13) Don't allow nets= in a multi-zone interface definition.
+
+14) Fix rule generated by MULTICAST=Yes
+
+15) Fix silly hole in zones file parsing.
+
+16) Tighen up zone membership checking.
+
+17) Combine portlist-spitting routines into a single function.
 
 Changes in Shorewall 4.4.0
 
@@ -27,7 +57,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-5)  Fix provider number in 
+5)  Fix provider number in masq file.
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -233,10 +263,8 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to product shorewall.
+2)  Combine shorewall-common and shorewall-perl to produce shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
-4)  Add SAME MARK/CLASSIFY target
-
 

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1,31 +1,13 @@
-1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
+1)  The compiler's detection of Persistent SNAT support is broken.
-    rules at the end of the INPUT and OUTPUT chains still use the
-    LOG target rather than ULOG.
 
-    You can work around this problem by adding two additional policies
+    Fixed in Shorewall 4.4.1.1
-    before the all->all one:
 
-    	   all 		$FW	DROP	ULOG
+2)  Initialization of the compiler's chain table was broken in ways
-	   $FW		all	REJECT	ULOG
+    that prevented some features from working.
 
-    This problem was corrected in Shorewall 4.4.0.1.
+    Fixed in Shorewall 4.4.1.1
 
-2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+3)  Initialization of the compiler's chain table was still broken.
-    some cases.
 
-    This problem was corrected in Shorewall 4.4.0.1.
+    Fixed in Shorewall 4.4.1.2.
 
-3)  If MULTICAST=Yes in shorewall.conf, multicast traffic is
-    incorrectly exempted from ACCEPT policies.
-
-    This problem was corrected in Shorewall 4.4.0.2.
-
-4)  If a zone is defined with "nets=" in /etc/shorewall/zones, that
-    definition cannot be extended by entries in /etc/shorewall/hosts.
-
-    This problem was corrected in Shorewall 4.4.0.2.
-
-5)  Shoerwall accepts "nets=" in a multi-zone interface entry (one with
-    "-" in the ZONES column) in /etc/shorewall/interfaces.
-
-    This problem was corrected in Shorewall 4.4.0.2.

Shorewall/lib.base

@@ -30,7 +30,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_CAPVERSION=40401
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -777,6 +777,13 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -820,14 +827,16 @@ determine_capabilities() {
     LOGMARK_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
+    PERSISTENT_SNAT=
 
     chain=fooX$$
 
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+    if [ -n "$NAT_ENABLED" ]; then
-
+	if qt $IPTABLES -t nat -N $chain; then
-    if [ -z "$IPTABLES" ]; then
+	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	    qt $IPTABLES -t nat -F $chain
-	exit 1
+	    qt $IPTABLES -t nat -X $chain
+	fi
     fi
 
     qt $IPTABLES -F $chain
@@ -1011,6 +1020,7 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1068,6 +1078,7 @@ report_capabilities1() {
     report_capability1 LOGMARK_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 PERSISTENT_SNAT
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
 }

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.0 patch release 1.
+Shorewall 4.4.1 patch release 1
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -153,77 +153,70 @@ Shorewall 4.4.0 patch release 1.
 
 10) The name 'any' is now reserved and may not be used as a zone name.
 
-----------------------------------------------------------------------------
+11) Perl module initialization has changed in Shorewall
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0 . 2
+    4.4.1. Previously, each Shorewall Perl package would initialize its
-----------------------------------------------------------------------------
+    global variables for IPv4 in an INIT block. Then, if the
+    compilation turned out to be for IPv6,
+    Shorewall::Compiler::compiler() would reinitialize them for IPv6.
 
-1)  If MULTICAST=Yes in shorewall.conf, then multicast traffic was
+    Beginning in Shorewall 4.4.1, the modules do not initialize
-    excluded from ACCEPT policies.
+    themselves in an INIT block. So if you use Shorewall modules
+    outside of the Shorewall compilation environment, then you must
+    explicitly call the module's 'initialize' function after the module
+    has been loaded.
 
-2)  If a zone was defined with nets= in /etc/shorewall/zones, that
+12) Checking for zone membership has been tighened up. Previously, 
-    definition could not be extended by entries in
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    /etc/shorewall/hosts.
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-
+    then it may have no additional members in /etc/shorewall/hosts.
-3)  Previously, "nets=" could be specified in a multi-zone interface
-    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    now raises a fatal compilation error.
 
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0 . 1
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
+----------------------------------------------------------------------------
+1)  The compiler's chain table was not being re-initialized prior to
+    creating the stop_firewall() function, resulting in Perl run-time
+    errors.
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
+----------------------------------------------------------------------------
+1)  Detection of Persistent SNAT support was broken in the compiler.
+
+2)  Initialization of the compiler's chain table was broken in ways
+    that made some features not work and that caused Perl runtime errors.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
 ----------------------------------------------------------------------------
 
 1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains still used the
+    rules at the end of the INPUT and OUTPUT chains would still use the
     LOG target rather than ULOG.
 
-2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+2)  Using CONTINUE policies with a nested IPSEC zone was still broken
-    some cases.
+    in some cases.
 
-----------------------------------------------------------------------------
+3)  The setting of IP_FORWARDING has been change to Off in the
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0
+    one-interface sample configuration since forwarding is typically
-----------------------------------------------------------------------------
+    not required with only a single interface.
 
-1)  When compiling to standard out, it is no longer necessary to
+4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
-    specify '-v-1' to suppress the 'Compiling...' progress message 
+    incorrectly exempted from ACCEPT policies.
 
-2)  Previously, Shorewall would generate invalid iptables-restore input
+5)  Previously, the definition of a zone that specified "nets=" in
-    if all of these conditions were met:
+    /etc/shorewall/interfaces could not be extended by entries in
+    /etc/shorewall/hosts.
 
-    - a nat rule (DNAT, REDIRECT, DNAT-, etc.) changed the destination
+6)  Previously, "nets=" could be specified in a multi-zone interface
-      port number
+    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    - logging was specified on the rule
+    now raises a fatal compilation error.
-    - no non-trivial exclusions in the rule (a non-trivial exclusion is
-      one whose exclusion list has more than one element)
 
-    Example of rule:
+7)  MULTICAST=Yes generates an incorrect rule that limits its
+    effectiveness to a small part of the multicast address space.
 
-    	    REDIRECT:ULOG   wall    82      tcp     80
+8)  Checking for zone membership has been tighened up. Previously, 
-
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    Example of error message:
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-
+    then it may have no additional members in /etc/shorewall/hosts.
-       iptables v1.3.5: Need TCP or UDP with port specification
-        Try `iptables -h' or 'iptables --help' for more information.
-	ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port
-        82" Failed
-
-3)  Previously, log displays from the 'dump', 'show log' and 'logwatch'
-    commands did not properly suppress redundant fields in the records
-    (host name, and leading constant part of the LOGPREFIX).
-
-4)  Given that Jozsef Kadlecsik has not yet released ipset 3.1, ipset
-    bindings are once again supported.
-
-5)  The 'upnpclient' option only worked correctly if 'optional' was
-    also specified for the interface.
-
-6)  Where more than one internet provider shares the same external
-    interface, specifying the provider by number in /etc/shorewall/masq
-    (e.g., eth1(2)) resulted in the fatal compilation error:
-
-    	   ERROR: 2 is not a shared-interface provider
-
-    Also, the shorewall-masq (5) man page did not describe the syntax
-    for specifying the provider.
 
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
@@ -231,6 +224,65 @@ Shorewall 4.4.0 patch release 1.
 
 None.
 
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  To replace the SAME keyword in /etc/shorewall/masq, support has
+    been added for 'persistent' SNAT. Persistent SNAT is required when
+    an address range is specified in the ADDRESS column and when you
+    want a client to always receive the same source/destination IP
+    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+
+    To specify persistence, follow the address range with
+    ":persistent".
+
+    Example:
+
+    #INTERFACE	SOURCE	   ADDRESS
+    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+
+    This feature requires Persistent SNAT support in your kernel and
+    iptables. 
+
+    If you use a capabilities file, you will need to create a new one
+    as a result of this feature.
+
+    WARNING: Linux kernels beginning with 2.6.29 include persistent
+    SNAT support. If your iptables supports persistent SNAT but your
+    kernel does not, there is no way for Shorewall to determine that
+    persistent SNAT isn't going to work. The kernel SNAT code blindly
+    accepts all SNAT flags without verifying them and returns them to
+    iptables when asked.
+
+2)  A 'clean' target has been added to the Makefiles. It removes backup
+    files (*~ and .*~). 
+
+3)  The meaning of 'full' has been redefined when used in the context
+    of a traffic shaping sub-class. Previously, 'full' always meant the
+    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
+    that definition is awkward to use because the sub-class is limited
+    by the parent class.
+
+    Beginning with this release, 'full' in a sub-class definition
+    refers to the specified rate defined for the parent class. So
+    'full' used in the RATE column refers to the parent class's RATE;
+    when used in the CEIL column, 'full' refers to the parent class's
+    CEIL.
+
+    As part of this change, the compiler now issues a warning if the
+    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
+    the device. Similarly, a warning is issued if the sum of the RATEs
+    of a class's sub-classes exceeds the rate of the CLASS.
+
+4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
+    /etc/shorewall/interfaces, multicast traffic will now be sent to
+    the zone along with limited broadcasts.
+
+5)  A flaw in the parsing logic for the zones file allowed most zone
+    types containing the character string 'ip' to be accepted as a
+    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+
 ----------------------------------------------------------------------------
                  N E W   F E A T U R E S   I N   4 . 4
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.0
+%define version 4.4.1
 %define release 2
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -104,10 +104,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Fri Aug 28 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-2
+- Updated to 4.4.1-2
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+- Updated to 4.4.1-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
 - Made Perl a dependency
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.0
+%define version 4.4.1
 %define release 2
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -89,10 +89,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Aug 28 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-2
+- Updated to 4.4.1-2
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+- Updated to 4.4.1-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_CAPVERSION=40401
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

Shorewall6/shorewall6.spec

@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.0
+%define version 4.4.1
 %define release 2
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -93,10 +93,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Fri Aug 28 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-2
+- Updated to 4.4.1-2
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+- Updated to 4.4.1-1
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.2
+VERSION=4.4.1.2
 
 usage() # $1 = exit status
 {

contrib/shoregen/AUTHORS

@@ -1 +0,0 @@
-Paul Gear <paul@gear.dyndns.org>

contrib/shoregen/BUGS

@@ -1 +0,0 @@
-None known at present.

contrib/shoregen/COPYING

@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) year name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

contrib/shoregen/ChangeLog

@@ -1,14 +0,0 @@
-0.1.1	Paul Gear <paul@gear.dyndns.org>  No idea when
-	- Initial release.
-
-0.1.2	Paul Gear <paul@gear.dyndns.org>  No idea when
-	- Removed filtering of zones that are on the same interface.
-	  This caused problems when a zone was accessible via more than
-	  one interface.
-
-0.1.3	Paul Gear <paul@gear.dyndns.org>  No idea when
-	- Optimisation to detect whether system is a router and remove
-	  redundant zones from rules and policies if so.
-
-3.2.0-beta1	Paul Gear <paul@gear.dyndns.org>
-	- First attempt at compatibility with Shorewall 3.2.x.

contrib/shoregen/README

@@ -1,124 +0,0 @@
-Shoreline Firewall configuration generator
-(c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-SHOREWALL
-
-The quick plug:
-
-  - Shorewall is the only firewall i trust.
-
-The IT Manager plug:
-
-  - Shorewall is a policy-driven firewall which lets you think about your
-    firewall at a higher level than iptables commands.
-
-The hard sell to you crazy people still maintaining manual firewall scripts:
-
-  - Shorewall is a wrapper around the kernel iptables, so your existing
-    Linux firewall skills transfer.  I converted from a 900-plus-line
-    ipchains shell script to around 50 lines of shorewall configuration in
-    less than 4 hours, with no prior experience.
-
-
-ISSUES
-
-  - I'm paranoid - i want more than one firewall between me and the world.
-
-  - Configuring multiple firewalls separately is a recipe for getting your
-    rules out of sync, and allowing security problems to creep in.
-
-  - IT Manager types (like me) like to know their policy is consistently
-    implemented.
-
-
-SOLUTION
-
-Shoregen is a script that generates shorewall configurations for multiple
-firewalls from a common set of rules and policies.  Only the minimal
-information necessary for operation is stored on each firewall, so, for
-example, your DMZ server doesn't need to know about the rules on your
-internal network, but at the same time, it gets consistent rules to your
-outer guard.
-
-
-PHILOSOPHY
-
-Shoregen assumes the X-Files approach to firewall design: trust no one.
-That is, paranoia is a virtue.  All access should be as limited as possible
-for things to work.  If you don't already agree with this philosophy, you
-may find some of the things shoregen does frustrating, but then again,
-you're probably not reading this document.  :-)
-
-
-DESIGN
-
-Shoregen distinguishes between two different types of shorewall
-configuration files.  Most shorewall configuration files are simply
-concatenated together from parts constructed from common and host-specific
-parts.  These are called simple configs; shoregen doesn't substantially
-alter them, and uses little information from them.
-
-Configs with which shoregen is more concerned are treated separately, and
-additional features beyond the scope of shorewall itself are implemented.
-Most importantly, two new policy/rule keywords are introduced: WARN and
-BAN.  These keywords are not included in shoregen's output, but when a
-subsequent rule or policy is encountered which matches a rule or policy
-marked WARN or BAN, an error message is issued.  In the case of BAN, the
-offending line is also dropped from the output, and a non-zero return code
-issued.
-
-
-PREREQUISITES
-
-The tools you will need to use shoregen are:
-	perl	The main shoregen script is written in Perl
-	rsync	Used to keep /etc/shorewall directories on your firewalls
-		in sync with the central repository
-	ssh	Encrypted transport for rsync
-	make	Optional, but saves a few keystrokes.
-
-
-USAGE
-
-Put shoregen and install_shoregen in a directory on your PATH.
-
-Make a central directory for your configs.  I recommend somewhere in a
-trusted user's home directory or central system admin repository.  This
-directory should be on a trusted machine in the most secure part of your
-network.  Put all of your policies, rules, and zones together in the
-correct order in files in the top level of this directory.
-
-For each of the simple configs you want to generate centrally, create a
-directory, with a file called COMMON (if necessary) containing the content
-you want to see in that file on all hosts, and a file named for each host
-for host-specific content.  I recommend that the default shorewall
-configuration file be placed in the COMMON file of the corresponding
-directory, with directives that are not appropriate commented out.
-
-When shoregen is run, it places the generated files in the directory 
-SPOOL/<host>, where <host> is the hostname of the target firewall.  The
-files in this directory are synchronised and the firewall checked and/or
-restarted by a simple wrapper script called install_shoregen.
-
-See the samples directory for a starting point configuration.  It provides
-some suggested policies & rules for the network shown in example1.png.  The
-sample configuration has not been tested in any way.
-
-I hope you find shoregen useful.  I welcome your comments, contributions,
-criticisms, and questions.
-

contrib/shoregen/TODO

@@ -1,21 +0,0 @@
-
-- Make it possible for a host to have the same $FW name as the zone in
-  which it belongs, and have shoregen automatically create appropriate
-  rules.
-
-- At the moment, if a fully-expanded policy file (such as is shown 
-
-- Better rule & policy sanitisation.
-
-- Hosts and interfaces could be reduced based on what's used in the policy
-  and rules files.
-
-- The Makefile could be improved to detect changes in the lower level
-  config files and call shoregen automatically when they are out-of-date.
-  At the moment, shoregen is so simple (and thus fast) that the amount of
-  time that would be saved by a clever Makefile (in comparison to the
-  rsync, ssh, and shorewall steps) is probably not worth the trouble to
-  code.
-
-- Automatic generation of firewall hosts & interfaces files.
-

contrib/shoregen/install_shoregen

@@ -1,116 +0,0 @@
-#!/bin/sh
-#
-# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
-# 
-# Wrapper script to install shoregen-generated shorewall configuration files.
-#
-
-# 
-# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
-# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
-
-VERBOSE=0
-RESTART=0
-CHECK=1
-TIME=0
-
-usage()
-{
-    echo "Usage:	$0 [--verbose] [--restart] host ...
-	Generates and installs shorewall configuration on the given hosts" >&2
-    exit 1
-}
-
-error()
-{
-    echo "$0: ERROR -" "$@" >&2
-}
-
-while :; do
-    case "$1" in
-
-    -v|--verbose)
-    	VERBOSE=1
-	shift
-	;;
-
-    -r|--restart)
-	RESTART=1
-	shift
-	;;
-
-    -c|--nocheck)
-	CHECK=0
-	shift
-	;;
-
-    -t|--notime)
-	TIME=0
-	shift
-	;;
-
-    --)
-	shift
-	break 2
-    	;;
-
-    --*)
-	error "Unrecognised option $1"
-	usage
-	;;
-
-    *)
-	break 2
-    	;;
-
-    esac
-done
-
-set -e
-set -u
-
-if [ "$#" -lt 1 ]; then
-    usage
-fi
-
-USER=root
-RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
-#--progress 
-if [ "$VERBOSE" -gt 0 ]; then
-    RSYNC_ARGS="$RSYNC_ARGS --verbose"
-fi
-DIR=/etc/shorewall
-SW_PATH=/sbin/shorewall
-
-PATH=$PATH:
-
-if [ "$TIME" -gt 0 ]; then
-    TIME="time"
-else
-    TIME=""
-fi
-
-for HOST; do
-    shoregen $HOST
-    rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
-    if [ "$CHECK" -gt 0 ]; then
-	$TIME ssh -l $USER -t $HOST $SW_PATH check
-    fi
-    if [ "$RESTART" -gt 0 ]; then
-	$TIME ssh -l $USER -t $HOST $SW_PATH restart
-    fi
-done

contrib/shoregen/samples/Makefile

@@ -1,10 +0,0 @@
-FLAGS=-c -r
-HOSTS=ig proxy mail og
-
-default:	$(HOSTS)
-
-$(HOSTS):
-	shoregen $@
-
-install:	$(HOSTS)
-	install_shoregen -c -r $(HOSTS)

contrib/shoregen/samples/hosts/ig

@@ -1,13 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-
-# I used the vi command
-#	!Gsort -k2 -k1 
-# to sort this file, starting at the next line.
-mail		eth0:$MAIL
-og		eth0:$OG
-proxy		eth0:$PROXY
-net		eth0:0.0.0.0/0
-lan		eth1:$LAN
-other		eth1:0.0.0.0/0
-guest		eth2:$GUEST
-other		eth2:0.0.0.0/0

contrib/shoregen/samples/hosts/mail

@@ -1,7 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-guest		eth0:$GUEST
-ig		eth0:$IG
-lan		eth0:$LAN
-og		eth0:$OG
-proxy		eth0:$PROXY
-net		eth0:0.0.0.0/0

contrib/shoregen/samples/hosts/og

@@ -1,7 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-guest		eth0:$GUEST
-ig		eth0:$IG
-lan		eth0:$LAN
-mail		eth0:$MAIL
-proxy		eth0:$PROXY
-other		eth0:0.0.0.0/0

contrib/shoregen/samples/hosts/proxy

@@ -1,7 +0,0 @@
-# ZONE		HOST(S)				OPTIONS
-guest		eth0:$GUEST
-ig		eth0:$IG
-lan		eth0:$LAN
-mail		eth0:$MAIL
-og		eth0:$OG
-net		eth0:0.0.0.0/0

contrib/shoregen/samples/interfaces/ig

@@ -1,5 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
--	eth1		detect		dhcp
--	eth2		detect		dhcp
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/mail

@@ -1,3 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/og

@@ -1,5 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
-net	eth1		detect		norfc1918,blacklist,dhcp
-net	ppp+		detect		norfc1918,blacklist
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/proxy

@@ -1,3 +0,0 @@
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	eth0		detect		-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/params/COMMON

@@ -1,9 +0,0 @@
-# These are parameterised firstly so they only live in one place, and
-# secondly because they can appear on different interfaces, but with a
-# constant address.
-OG=10.1.1.1
-MAIL=10.1.1.2
-PROXY=10.1.1.3
-IG=10.1.1.4
-LAN=10.1.2.0/24
-GUEST=10.1.3.0/24

contrib/shoregen/samples/policy

@@ -1,112 +0,0 @@
-#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST EXT
-
-#
-# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in
-# the policy or rules file.  These are not part of shorewall and do not
-# actually block any traffic.  They are about stopping the firewall
-# administrator from activating silly rules.  Note that these rules should
-# always be accompanied by a corresponding REJECT/BAN policy as they don't
-# actually set the shorewall policy (see below for these).
-#
-# These policies are samples only and are not suggested for your
-# environment.  You must decide on the policies that are right for you.
-#
-
-guest		lan		BAN
-proxy		lan		BAN
-mail		lan		BAN
-og		lan		BAN
-net		lan		BAN
-
-proxy		guest		BAN
-mail		guest		BAN
-og		guest		BAN
-net		guest		BAN
-
-proxy		ig		BAN
-mail		ig		BAN
-og		ig		BAN
-net		ig		BAN
-
-net		proxy		BAN
-
-proxy		og		BAN
-mail		og		BAN
-net		og		BAN
-
-ig		net		BAN
-
-
-#
-# Now the normal policies.  We define each set of zone pairs individually
-# so that Shorewall produces more meaningful error messages.
-#
-
-lan		guest		ACCEPT		info
-lan		ig		REJECT		info
-lan		proxy		REJECT		info
-lan		mail		REJECT		info
-lan		og		REJECT		info
-lan		net		REJECT		info
-lan		other		REJECT		info
-lan		all		REJECT		info
-
-guest		lan		REJECT		info
-guest		ig		REJECT		info
-guest		proxy		REJECT		info
-guest		mail		REJECT		info
-guest		og		REJECT		info
-guest		net		ACCEPT		info
-guest		other		REJECT		info
-guest		all		REJECT		info
-
-ig		lan		REJECT		info
-ig		guest		REJECT		info
-ig		proxy		REJECT		info
-ig		mail		REJECT		info
-ig		og		REJECT		info
-ig		net		REJECT		info
-ig		other		REJECT		info
-ig		all		REJECT		info
-
-proxy		lan		REJECT		info
-proxy		guest		REJECT		info
-proxy		ig		REJECT		info
-proxy		mail		REJECT		info
-proxy		og		REJECT		info
-proxy		net		ACCEPT
-proxy		other		REJECT		info
-proxy		all		REJECT		info
-
-mail		lan		REJECT		info
-mail		guest		REJECT		info
-mail		ig		REJECT		info
-mail		proxy		REJECT		info
-mail		og		REJECT		info
-mail		net		REJECT		info
-mail		other		REJECT		info
-mail		all		REJECT		info
-
-og		lan		REJECT		info
-og		guest		REJECT		info
-og		ig		REJECT		info
-og		proxy		REJECT		info
-og		mail		REJECT		info
-og		net		REJECT		info
-og		other		REJECT		info
-og		all		REJECT		info
-
-net		lan		DROP		info
-net		guest		DROP		info
-net		ig		DROP		info
-net		proxy		DROP		info
-net		mail		DROP		info
-net		og		DROP		info
-net		other		DROP		info
-net		all		DROP		info
-
-# Catch-all policies
-other		all		DROP		info
-all		all		DROP		info
-
-#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

contrib/shoregen/samples/rules

@@ -1,187 +0,0 @@
-#
-# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
-#
-# Master Rules File
-#
-# This file is organised into 4 main sections:
-#   1.	Rules that need to transcend the more general WARN/BAN rules.  The
-#	reason for this is typically system administration and
-#	troubleshooting.  This section should be kept as small as possible.
-#   2.	WARN/BAN rules to put restrictions on which rules contravening
-#	policies may be created.  This section should be as large as
-#	possible, if you take a traditional (i.e. paranoid) approach to
-#	firewall design.
-#   3.	Noise-reducing rules for illegitimate traffic.  This is typically
-#	small, but may grow as time goes on.
-#   4.	Normal rules which define the holes in your firewall.  Again, this
-#	should include only the rules you need and no more.  However, even
-#	on a simple home network like mine, this section tends to get
-#	large!
-#
-
-#
-# Order by port, protocol, dest zone (in->out order), src zone (in->out
-# order).
-#
-
-#ACTION		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
-
-#
-# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
-#
-# Nearly all of these rules should be limited to system administration
-# terminals.  These would be better put in a separate zone.
-#
-
-# ping (more below)
-ACCEPT		lan	og		icmp	8
-
-# ssh (more below)
-ACCEPT		lan	og		tcp	22
-ACCEPT		ig	og		tcp	22
-
-# SNMP (more below) - for MRTG stats run from LAN
-ACCEPT		lan	og		udp	161	
-
-# syslog (more below)
-ACCEPT		ig	lan		udp	514
-
-# Squid - this wouldn't be necessary except that a lot of OS updates are
-# rather large...
-ACCEPT		mail	proxy		tcp	3128
-
-#
-# Section 2: WARN/BAN rule directives
-#
-
-BAN		ig	lan
-BAN		mail	proxy
-BAN		lan	og
-BAN		ig	og
-
-#
-# Section 3: Drop noisy junk
-#
-
-# auth - reverse of the SMTP rules below
-REJECT		mail	lan		tcp	113
-REJECT		mail	guest		tcp	113
-REJECT		mail	ig		tcp	113
-REJECT		mail	proxy		tcp	113
-REJECT		mail	og		tcp	113
-REJECT		net	og		tcp	113
-REJECT		mail	net		tcp	113
-
-# KaZaA file sharing
-DROP		net	og		tcp	1214
-
-# Gnutella server
-REJECT		net	og		tcp	6346,6347
-
-# Half-Life
-REJECT		net	og		udp	27015,27016
-
-
-#
-# Section 4: Normal traffic
-#
-
-# ping (more above)
-ACCEPT		lan	ig		icmp	8
-ACCEPT		lan	proxy		icmp	8
-ACCEPT		lan	mail		icmp	8
-ACCEPT		ig	proxy		icmp	8
-ACCEPT		ig	mail		icmp	8
-ACCEPT		og	proxy		icmp	8
-ACCEPT		og	mail		icmp	8
-ACCEPT		og	net		icmp	8
-
-# FTP
-ACCEPT		proxy	net		tcp	21
-
-# ssh (more above)
-ACCEPT		lan	ig		tcp	22
-ACCEPT		lan	proxy		tcp	22
-ACCEPT		lan	mail		tcp	22
-ACCEPT		lan	net		tcp	22
-ACCEPT		ig	proxy		tcp	22
-ACCEPT		ig	mail		tcp	22
-ACCEPT		proxy	mail		tcp	22
-ACCEPT		proxy	net		tcp	22
-
-# SMTP
-ACCEPT		lan	mail		tcp	25
-ACCEPT		guest	mail		tcp	25
-ACCEPT		ig	mail		tcp	25
-ACCEPT		proxy	mail		tcp	25
-ACCEPT		og	mail		tcp	25
-DNAT		net	mail:$MAIL	tcp	25
-ACCEPT		mail	net		tcp	25
-
-# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
-# proxy, and mail independent of the rest (proxy & mail should run their
-# own caches).
-ACCEPT		lan	proxy		tcp	53
-ACCEPT		lan	proxy		udp	53
-ACCEPT		guest	proxy		tcp	53
-ACCEPT		guest	proxy		udp	53
-ACCEPT		ig	proxy		tcp	53
-ACCEPT		ig	proxy		udp	53
-ACCEPT		og	proxy		tcp	53
-ACCEPT		og	proxy		udp	53
-ACCEPT		proxy	net		tcp	53
-ACCEPT		proxy	net		udp	53
-ACCEPT		mail	net		tcp	53
-ACCEPT		mail	net		udp	53
-
-# HTTP
-ACCEPT		proxy	net		tcp	80
-
-# POP3 - must be proxied through mail
-ACCEPT		mail	net		tcp	110
-ACCEPT		lan	mail		tcp	110
-
-# NNTP - application layer proxy (e.g. leafnode) on proxy
-ACCEPT		lan	proxy		tcp	119
-ACCEPT		proxy	net		tcp	119
-
-# NTP - we really need more than 2 servers, but this is only an example.  :-)
-ACCEPT		lan	proxy		udp	123
-ACCEPT		lan	mail		udp	123
-ACCEPT		ig	proxy		udp	123
-ACCEPT		ig	mail		udp	123
-ACCEPT		proxy	net		udp	123
-ACCEPT		mail	net		udp	123
-ACCEPT		og	proxy		udp	123
-ACCEPT		og	mail		udp	123
-
-# IMAP
-ACCEPT		lan	mail		tcp	143
-ACCEPT		guest	mail		tcp	143
-
-# SNMP (more above) - for MRTG stats
-ACCEPT		lan	ig		udp	161
-ACCEPT		lan	proxy		udp	161
-ACCEPT		lan	mail		udp	161
-
-# HTTPS
-ACCEPT		proxy	net		tcp	443
-
-# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
-ACCEPT		og	mail		udp	514
-ACCEPT		proxy	mail		udp	514
-
-# Squid
-ACCEPT		lan	proxy		tcp	3128
-ACCEPT		guest	proxy		tcp	3128
-ACCEPT		ig	proxy		tcp	3128
-ACCEPT		og	proxy		tcp	3128
-
-# Webmin
-ACCEPT		lan	proxy		tcp	10000
-ACCEPT		guest	proxy		tcp	10000
-ACCEPT		ig	proxy		tcp	10000
-ACCEPT		og	proxy		tcp	10000
-
-
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/shorewall.conf/COMMON

@@ -1,569 +0,0 @@
-##############################################################################
-#  /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
-#  match your setup
-#
-#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall
-#
-#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
-##############################################################################
-#                              L O G G I N G
-##############################################################################
-#
-# General note about log levels. Log levels are a method of describing
-# to syslog (8) the importance of a message and a number of parameters
-# in this file have log levels as their value.
-#
-# Valid levels are:
-#
-#	7	debug
-#	6	info
-#	5	notice
-#	4	warning
-#	3	err
-#	2	crit
-#	1	alert
-#	0	emerg
-#
-# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
-# log messages are generated by NetFilter and are logged using facility
-# 'kern' and the level that you specifify. If you are unsure of the level
-# to choose, 6 (info) is a safe bet. You may specify levels by name or by
-# number.
-#
-# If you have build your kernel with ULOG target support, you may also
-# specify a log level of ULOG (must be all caps). Rather than log its
-# messages to syslogd, Shorewall will direct netfilter to log the messages
-# via the ULOG target which will send them to a process called 'ulogd'.
-# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
-# configured to log all Shorewall message to their own log file
-################################################################################
-#
-# LOG FILE LOCATION
-#
-# This variable tells the /sbin/shorewall program where to look for Shorewall
-# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
-# /var/log/messages is assumed.
-#
-# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
-#          look for Shorewall messages.It does NOT control the destination for
-#          these messages. For information about how to do that, see
-#
-#              http://www.shorewall.net/shorewall_logging.html
-
-LOGFILE=/var/log/messages
-
-#
-# LOG FORMAT
-#
-# Shell 'printf' Formatting template for the --log-prefix value in log messages
-# generated by Shorewall to identify Shorewall log messages. The supplied
-# template is expected to accept either two or three arguments; the first is
-# the chain name, the second (optional) is the logging rule number within that
-# chain and the third is the ACTION specifying the disposition of the packet
-# being logged. You must use the %d formatting type for the rule number; if your
-# template does not contain %d then the rule number will not be included.
-#
-# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
-#
-#	LOGFORMAT="fp=%s:%d a=%s "
-#
-# If not specified or specified as empty (LOGFORMAT="") then the value
-# "Shorewall:%s:%s:" is assumed.
-# 
-# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up 
-# to but not including the first '%') to find log messages in the 'show log',
-# 'status' and 'hits' commands. This part should not be omitted (the 
-# LOGFORMAT should not begin with "%") and the leading part should be
-# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-#
-# LOG RATE LIMITING
-#
-# The next two variables can be used to control the amount of log output
-# generated. LOGRATE is expressed as a number followed by an optional
-# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum
-# rate at which a particular message will occur. LOGBURST determines the
-# maximum initial burst size that will be logged. If set empty, the default
-# value of 5 will be used.
-#
-# Example:
-#
-#	LOGRATE=10/minute
-#	LOGBURST=5
-#
-# If BOTH variables are set empty then logging will not be rate-limited.
-#
-
-LOGRATE=10/minute
-LOGBURST=5
-
-#
-# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
-#
-# This variable determines the level at which Mangled/Invalid packets are logged
-# under the 'dropunclean' interface option. If you set this variable to an
-# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
-# silently.
-#
-# The value of this variable also determines the level at which Mangled/Invalid
-# packets are logged under the 'logunclean' interface option. If the variable
-# is empty, these packets will still be logged at the 'info' level.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-LOGUNCLEAN=info
-
-#
-# BLACKLIST LOG LEVEL
-#
-# Set this variable to the syslogd level that you want blacklist packets logged
-# (beware of DOS attacks resulting from such logging). If not set, no logging
-# of blacklist packets occurs.
-#
-# See the comment at the top of this section for a description of log levels
-#
-BLACKLIST_LOGLEVEL=
-
-#
-# LOGGING 'New not SYN' rejects
-#
-# This variable only has an effect when NEWNOTSYN=No (see below).
-#
-# When a TCP packet that does not have the SYN flag set and the ACK and RST
-# flags clear then unless the packet is part of an established connection,
-# it will be rejected by the firewall. If you want these rejects logged,
-# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-# Example: LOGNEWNOTSYN=debug
-
-
-LOGNEWNOTSYN=info
-
-#
-# MAC List Log Level
-#
-# Specifies the logging level for connection requests that fail MAC
-# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
-# such connection requests will not be logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-MACLIST_LOG_LEVEL=info
-
-#
-# TCP FLAGS Log Level
-#
-# Specifies the logging level for packets that fail TCP Flags
-# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
-# such packets will not be logged.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-TCP_FLAGS_LOG_LEVEL=info
-
-#
-# RFC1918 Log Level
-#
-# Specifies the logging level for packets that fail RFC 1918
-# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
-# RFC1918_LOG_LEVEL=info is assumed.
-#
-# See the comment at the top of this section for a description of log levels
-#
-
-RFC1918_LOG_LEVEL=info
-
-################################################################################
-#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
-################################################################################
-#
-# PATH - Change this if you want to change the order in which Shorewall
-#        searches directories for executable files.
-#
-#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-
-#
-# SHELL
-#
-# The firewall script is normally interpreted by /bin/sh. If you wish to change
-# the shell used to interpret that script, specify the shell here.
-
-SHOREWALL_SHELL=/bin/sh
-
-# SUBSYSTEM LOCK FILE
-#
-# Set this to the name of the lock file expected by your init scripts. For
-# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
-# use lock files, set this to "".
-#
-
-SUBSYSLOCK=/var/lock/subsys/shorewall
-
-#
-# SHOREWALL TEMPORARY STATE DIRECTORY
-#
-# This is the directory where the firewall maintains state information while
-# it is running
-#
-
-STATEDIR=/var/lib/shorewall
-
-#
-# KERNEL MODULE DIRECTORY
-#
-# If your netfilter kernel modules are in a directory other than
-# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
-# directory in this variable. Example: MODULESDIR=/etc/modules.
-
-MODULESDIR=
-
-################################################################################
-#                       F I R E W A L L   O P T I O N S
-################################################################################
-
-# NAME OF THE FIREWALL ZONE
-#
-# Name of the firewall zone -- if not set or if set to an empty string, "fw"
-# is assumed.
-#
-#FW=fw
-
-#
-# ENABLE IP FORWARDING
-#
-# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
-# say "Off" or "off", packet forwarding will be disabled. You would only want
-# to disable packet forwarding if you are installing Shorewall on a
-# standalone system or if you want all traffic through the Shorewall system
-# to be handled by proxies.
-#
-# If you set this variable to "Keep" or "keep", Shorewall will neither
-# enable nor disable packet forwarding.
-#
-#IP_FORWARDING=On
-
-#
-# AUTOMATICALLY ADD NAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each NAT external address that you give in /etc/shorewall/nat. If you say
-# "No" or "no", you must add these aliases youself.
-#
-ADD_IP_ALIASES=Yes
-
-#
-# AUTOMATICALLY ADD SNAT IP ADDRESSES
-#
-# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
-# you are sure that you need it -- most people don't!!!
-#
-ADD_SNAT_ALIASES=No
-
-#
-# ENABLE TRAFFIC SHAPING
-#
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
-# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
-# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
-# you must enable packet mangling above.
-#
-TC_ENABLED=No
-
-#
-# Clear Traffic Shapping/Control
-#
-# If this option is set to 'No' then Shorewall won't clear the current
-# traffic control rules during [re]start. This setting is intended
-# for use by people that prefer to configure traffic shaping when
-# the network interfaces come up rather than when the firewall
-# is started. If that is what you want to do, set TC_ENABLED=Yes and
-# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
-# way, your traffic shaping rules can still use the 'fwmark'
-# classifier based on packet marking defined in /etc/shorewall/tcrules.
-#
-# If omitted, CLEAR_TC=Yes is assumed.
-
-CLEAR_TC=Yes
-
-#
-# Mark Packets in the forward chain
-#
-# When processing the tcrules file, Shorewall normally marks packets in the
-# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
-# this to "Yes". If not specified or if set to the empty value (e.g.,
-# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
-#
-# Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
-# address rewritten so they can be marked based on their destination. When
-# packets are marked in the PREROUTING chain, packets destined for
-# Masqueraded/SNATed local hosts still have a destination address corresponding
-# to the firewall's external interface.
-#
-# Note: Older kernels do not support marking packets in the FORWARD chain and
-#       setting this variable to Yes may cause startup problems.
-
-MARK_IN_FORWARD_CHAIN=No
-
-#
-# MSS CLAMPING
-#
-# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
-# option. This option is most commonly required when your internet
-# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
-# have CONFIG_IP_NF_TARGET_TCPMSS set.
-#
-# [From the kernel help:
-#
-#    This option adds a `TCPMSS' target, which allows you to alter the
-#    MSS value of TCP SYN packets, to control the maximum size for that
-#    connection (usually limiting it to your outgoing interface's MTU
-#    minus 40).
-#
-#    This is used to overcome criminally braindead ISPs or servers which
-#    block ICMP Fragmentation Needed packets.  The symptoms of this
-#    problem are that everything works fine from your Linux
-#    firewall/router, but machines behind it can never exchange large
-#    packets:
-#        1) Web browsers connect, then hang with no data received.
-#	 2) Small mail works fine, but large emails hang.
-#	 3) ssh works fine, but scp hangs after initial handshaking.
-# ]
-#
-# If left blank, or set to "No" or "no", the option is not enabled.
-#
-CLAMPMSS=No
-
-#
-# ROUTE FILTERING
-#
-# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
-# interfaces started while Shorewall is started (anti-spoofing measure).
-#
-# If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
-# on individual interfaces using the 'routefilter' option in the
-# /etc/shorewall/interfaces file.
-
-ROUTE_FILTER=yes
-
-#
-# NAT BEFORE RULES
-#
-# Shorewall has traditionally processed static NAT rules before port forwarding
-# rules. If you would like to reverse the order, set this variable to "No".
-#
-# If this variable is not set or is set to the empty value, "Yes" is assumed.
-
-NAT_BEFORE_RULES=Yes
-
-# DNAT IP ADDRESS DETECTION
-#
-# Normally when Shorewall encounters the following rule:
-#
-#	DNAT	net	loc:192.168.1.3	tcp	80
-#
-# it will forward TCP port 80 connections from the net to 192.168.1.3
-# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
-# convenient for two reasons:
-#
-#	a) If the the network interface has a dynamic IP address, the
-#	   firewall configuration will work even when the address
-#	   changes.
-#
-#	b) It saves having to configure the IP address in the rule
-#	   while still allowing the firewall to be started before the
-#	   internet interface is brought up.
-#
-# This default behavior can also have a negative effect. If the
-# internet interface has more than one IP address then the above
-# rule will forward connection requests on all of these addresses;
-# that may not be what is desired.
-#
-# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
-# only if the original destination address is the primary IP address of
-# one of the interfaces associated with the source zone. Note that this
-# requires all interfaces to the source zone to be up when the firewall
-# is [re]started.
-
-DETECT_DNAT_IPADDRS=No
-
-#
-# MUTEX TIMEOUT
-#
-# The value of this variable determines the number of seconds that programs
-# will wait for exclusive access to the Shorewall lock file. After the number
-# of seconds corresponding to the value of this variable, programs will assume
-# that the last program to hold the lock died without releasing the lock.
-#
-# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
-#
-# An appropriate value for this parameter would be twice the length of time
-# that it takes your firewall system to process a "shorewall restart" command.
-
-MUTEX_TIMEOUT=60
-
-#
-# NEWNOTSYN
-#
-# TCP connections are established using the familiar three-way "handshake":
-#
-#	CLIENT			SERVER
-#
-#	SYN-------------------->
-#            <------------------SYN,ACK
-#       ACK-------------------->
-#
-# The first packet in that exchange (packet with the SYN flag on and the ACK
-# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
-# A packet is said to be NEW if it is not part of or related to an already
-# established connection.
-#
-# The NETNOTSYN option determines the handling of non-SYN packets (those with
-# SYN off or with ACK or RST on) that are not associated with an already
-# established connection.
-# 
-# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
-# part of an already established connection, it will be dropped by the
-# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
-# logged before they are dropped.
-#
-# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
-# dropped but will pass through the normal rule/policy processing.
-#
-# Users with a High-availability setup with two firewall's and one acting
-# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
-# also need to select NEWNOTSYN=Yes.
-#
-# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
-# using the 'newnotsyn' option in /etc/shorewall/interfaces.
-#
-# I find that NEWNOTSYN=No tends to result in lots of "stuck"
-# connections because any network timeout during TCP session tear down
-# results in retries being dropped (Netfilter has removed the
-# connection from the conntrack table but the end-points haven't
-# completed shutting down the connection).  I therefore have chosen
-# NEWNOTSYN=Yes as the default value.
-
-NEWNOTSYN=Yes
-
-#
-# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
-#
-# Normally, when a "shorewall stop" command is issued or an error occurs during
-# the execution of another shorewall command, Shorewall puts the firewall into
-# a state where only traffic to/from the hosts listed in
-# /etc/shorewall/routestopped is accepted. 
-#
-# When performing remote administration on a Shorewall firewall, it is
-# therefore recommended that the IP address of the computer being used for
-# administration be added to the firewall's /etc/shorewall/routestopped file.
-#
-# Some administrators have a hard time remembering to do this with the result
-# that they get to drive across town in the middle of the night to restart
-# a remote firewall (or worse, they have to get someone out of bed to drive 
-# across town to restart a very remote firewall).
-#
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
-# when the firewall enters the 'stopped' state:
-#
-# All traffic that is part of or related to established connections is still
-# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
-# to and from hosts listed in /etc/shorewall/routestopped.
-#
-# If this variable is not set or it is set to the null value then
-# ADMINISABSENTMINDED=No is assumed.
-#
-ADMINISABSENTMINDED=Yes
-
-#
-# BLACKLIST Behavior
-#
-# Shorewall offers two types of blacklisting:
-#
-#	- static blacklisting through the /etc/shorewall/blacklist file together
-#	  with the 'blacklist' interface option.
-#	- dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
-#
-# The following variable determines whether the blacklist is checked for each
-# packet or for each new connection.
-#
-#	BLACKLISTNEWONLY=Yes	Only consult blacklists for new connection
-#				requests
-#
-#	BLACKLISTNEWONLY=No	Consult blacklists for all packets.
-#
-# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
-# BLACKLISTNEWONLY=No is assumed.
-#
-BLACKLISTNEWONLY=Yes
-
-# MODULE NAME SUFFIX
-#
-# When loading a module named in /etc/shorewall/modules, Shorewall normally
-# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
-# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
-# naming convention then you can specify the suffix (extension) for module 
-# names in this variable.
-#
-# To see what suffix is used by your distribution:
-#
-#     ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#
-# All of the file names listed should have the same suffix (extension). Set
-# MODULE_SUFFIX to that suffix.
-#
-# Examples: 
-#
-#	If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
-#	If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
-#
-
-MODULE_SUFFIX=
-
-################################################################################
-#                       P A C K E T   D I S P O S I T I O N
-################################################################################
-#
-# BLACKLIST DISPOSITION
-#
-# Set this variable to the action that you want to perform on packets from
-# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
-# DROP is assumed.
-#
-BLACKLIST_DISPOSITION=DROP
-
-#
-# MAC List Disposition
-#
-# This variable determines the disposition of connection requests arriving
-# on interfaces that have the 'maclist' option and that are from a device
-# that is not listed for that interface in /etc/shorewall/maclist. Valid
-# values are ACCEPT, DROP and REJECT. If not specified or specified as
-# empty (MACLIST_DISPOSITION="") then REJECT is assumed
-
-MACLIST_DISPOSITION=REJECT
-
-#
-# TCP FLAGS Disposition
-#
-# This variable determins the disposition of packets having an invalid
-# combination of TCP flags that are received on interfaces having the
-# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
-# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

contrib/shoregen/samples/shorewall.conf/ig

@@ -1,2 +0,0 @@
-FW=ig
-IP_FORWARDING=On

contrib/shoregen/samples/shorewall.conf/mail

@@ -1,2 +0,0 @@
-FW=enoch
-IP_FORWARDING=Off

contrib/shoregen/samples/shorewall.conf/og

@@ -1,2 +0,0 @@
-FW=og
-IP_FORWARDING=On

contrib/shoregen/samples/shorewall.conf/proxy

@@ -1,2 +0,0 @@
-FW=dmz
-IP_FORWARDING=Off

contrib/shoregen/samples/zones

@@ -1,10 +0,0 @@
-#ZONE	DISPLAY		COMMENTS
-lan	LAN		Local network
-guest	Guest		Untrusted LAN hosts
-ig	IG		Inner Guard
-og	OG		Outer Guard
-mail	Mail		Mail server
-proxy	Proxy		Proxy server
-net	Net		Internet 
-other	Other		Basket for things that don't fit elsewhere
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

contrib/shoregen/shoregen

@@ -1,443 +0,0 @@
-#!/usr/bin/perl -w
-#
-# shoregen: Generate shorewall configuration for a host from central
-# configuration files.
-#
-
-#
-# (c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
-# Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
-# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
-#
-
-use strict;
-
-my $VERBOSE = 1;
-my $DEBUG = 1;
-my $DATE = scalar localtime;
-my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n";
-my $ret = 0;		# return code to shell
-
-if ($#ARGV != 0) {
-    print STDERR "Usage: $0 <hostname>\n";
-    exit 1;
-}
-
-my $base = ".";
-my $host = $ARGV[ 0 ];
-my $spool = "$base/SPOOL";
-my $dir = "$spool/$host";
-
-
-#
-# Messaging routines for use by the program itself - any errors that are
-# generated externally (e.g. file opening problems) are reported using the
-# usual perl 'die' or 'warn' functions.
-#
-
-sub info
-{
-    print "$0: @_\n";
-}
-
-sub mesg
-{
-    my $type = shift;
-    print STDERR "$0: $type - @_\n";
-}
-
-sub warning
-{
-    mesg "WARNING", @_;
-}
-
-sub error
-{
-    mesg "ERROR", @_;
-    ++$ret;
-}
-
-sub fatal
-{
-    mesg "FATAL", @_;
-    ++$ret;
-    exit $ret;
-}
-
-
-#
-# These bits make the files that actually get copied to the target host
-#
-
-sub stripfile
-{
-    open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!";
-    my @file;
-
-    for (<$file>) {
-	s/\s*#.*$//g;		# remove all comments
-	next if m/^\s*$/;	# skip blank lines
-	push @file, $_;
-    }
-
-    close $file or warn "Can't close $_[ 0 ] after reading: $!";
-
-    return @file;
-}
-
-
-#
-# Construct a configuration file given a number of input files
-#
-sub constructfile
-{
-    my $confname = shift;
-    my $dst = shift;
-    my $foundone = 0;
-
-    info "Constructing $confname" if $VERBOSE > 1;
-
-    open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
-    printf $DST $HEADER, $confname;
-
-    for my $file (@_) {
-	if (-r $file) {
-	    $foundone = 1;
-	    print $DST "##$file\n" if $DEBUG > 1;
-	    print $DST stripfile $file;
-	}
-    }
-
-    close $DST or warn "Can't close $dst: $!";
-
-    if (!$foundone) {
-	warning "\"$confname\" not present.  " .
-	    "Existing file on $host will be preserved." if $VERBOSE > 2;
-	unlink $dst;
-    }
-}
-
-#
-# main
-#
-
-my $fw;			# Firewall zone for this host
-my $router;		# Is this host a router?
-my @globalzones;	# All known zones
-my %globalzones;
-my %hostzones;		# zones applicable to this host
-my $outfile;		# filename holders
-my $conf;		# config file we're processing at present
-my %warnban;		# meta-rules/policies
-
-
-# Change to the base configuration directory
-die "Configuration directory $base doesn't exist!" if ! -d $base;
-chdir $base or die "Can't change directory to $base: $!";
-
-# Create spool directories if necessary
-if (! -d "$spool") {
-    mkdir "$spool" or die "Can't create spool directory $spool: $!";
-}
-if (! -d $dir) {
-    mkdir $dir or die "Can't create host spool directory $dir: $!";
-}
-
-
-#
-# Construct all the simple config files.
-#
-
-# Config files for which the host-specific file is included *first*
-my @hostfirstconfigs = qw(
-    accounting
-    actions
-    blacklist
-    bogons
-    continue
-    ecn
-    hosts
-    interfaces
-    maclist
-    masq
-    nat
-    netmap
-    proxyarp
-    rfc1918
-    routestopped
-    route_rules
-    start
-    started
-    stop
-    stopped
-    tcclasses
-    tcdevices
-    tos
-    tunnels
-);
-
-# Config files for which the host-specific file is included *last*
-my @hostlastconfigs = qw(
-    common
-    configpath
-    init
-    initdone
-    ipsec
-    modules
-    params
-    providers
-    shorewall.conf
-    tcrules
-);
-
-
-for my $conf (@hostfirstconfigs) {
-    constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON";
-}
-
-for my $conf (@hostlastconfigs) {
-    constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host";
-}
-
-#
-# The remaining config files (policy, rules, zones) are processed uniquely.
-#
-
-# Find the firewall name of this host
-open( my $infile, "$dir/shorewall.conf" ) or
-    die "Can't open $dir/shorewall.conf: $!";
-
-for (<$infile>) {
-    if (/^\s*FW=(\S+)/) {
-	$fw = $1 unless defined $fw;
-    }
-    if (/^\s*IP_FORWARDING=(\S+)/) {
-	$router = $1 unless defined $router;
-    }
-}
-
-close $infile;
-
-
-# The firewall name must be defined
-unless (defined $fw) {
-    fatal "Can't find firewall name (FW variable) for $host in $dir/shorewall.conf";
-}
-
-# Router must be defined
-unless (defined $router) {
-    fatal "Can't find IP_FORWARDING setting for $host in $dir/shorewall.conf";
-}
-if ($router =~ m/On|Yes/i) {
-    $router = 1;
-}
-else {
-    $router = 0;
-}
-print "fw=$fw, router=$router\n" if $DEBUG > 3;
-
-# Find all valid zones
-unless (-r "zones") {
-    fatal "You must provide a global zone file";
-}
-
-
-for (stripfile "zones") {
-    chomp;
-    my ($zone, $details) = split /[\s:]+/, $_, 2;
-    push @globalzones, $zone;
-    $globalzones{ $zone } = $details;
-}
-
-#
-# Work out which zones apply to this host from the combination of hosts &
-# interfaces.  The first field in both files is the zone name, and the
-# second (minus any trailing ips) is the interface, which we save as well
-# for later reference.
-#
-
-for my $infile ("$dir/hosts", "$dir/interfaces") {
-    if (-r $infile) {
-	for (stripfile $infile) {
-	    chomp;
-	    my @F = split;
-	    next if $#F < 0;
-	    next if $F[ 0 ] eq "-";
-	    my @IF = split /:/, $F[ 0 ]; # strip off parent zone, if present
-	    $hostzones{ $IF[ 0 ] } = 1;
-	}
-    }
-}
-
-$conf = "zones";
-
-#
-# Create the zones file from the intersection of the above - note the order
-# from the original zone file must be preserved, hence the need for the
-# array as well as the hash.
-#
-
-open( $outfile, ">$dir/$conf" ) or
-    die "Can't open $dir/$conf for writing: $!";
-
-printf $outfile $HEADER, "$conf";
-my %tmpzones = %hostzones;		# Take a copy of all the zones,
-
-for my $zone (@globalzones) {
-    if (exists $tmpzones{ $zone }) {
-	print $outfile "$zone	$globalzones{ $zone }\n";
-	delete $tmpzones{ $zone };	# deleting those found as we go along.
-    }
-}
-
-close $outfile or warn "Can't close $dir/$conf after writing: $!";
-
-for my $zone (sort keys %tmpzones) {	# Warn if we've got any zones left now.
-    #next if $zone eq "-";
-    warning "No entry for $zone in global zones file - ignored";
-}
-undef %tmpzones;
-
-
-my @tmp = sort keys %hostzones;
-info "FW zone for $host: $fw" if $VERBOSE > 0;
-info "Other zones for $host: @tmp" if $VERBOSE > 0;
-
-#
-# Add 'all' as a valid source or destination.  Added here so it doesn't get
-# checked in %tmpzones check above.  Also add firewall itself.  (The
-# numbers are not important as long as they are non-zero.)
-#
-
-$hostzones{"all"} = 1;
-$hostzones{$fw} = 1;
-
-#
-# Create the policy file, including only the applicable zones.
-#
-
-$conf = "policy";
-if (! -r $conf) {
-    fatal "You must provide a global \"$conf\" file";
-}
-
-open( $outfile, ">$dir/$conf" ) or
-    die "Can't open $dir/$conf for writing: $!";
-printf $outfile $HEADER, "$conf";
-
-for (stripfile $conf) {
-    chomp;
-
-    my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4;
-
-    print "$src, $dst, $pol, $rest\n" if $DEBUG > 3;
-
-    # Both source and destination zones must be valid on this host for this
-    # policy to apply.
-    next unless defined $hostzones{$src} and defined $hostzones{$dst};
-
-    # Source and destination zones must be on different interfaces as well,
-    # except for the case of all2all.
-    #next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
-
-    # Save WARN & BAN details for later rules processing
-    if ($pol eq "WARN"  or  $pol eq "BAN") {
-	if (exists $warnban{$src}{$dst}) {
-	    error "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?";
-	}
-	$warnban{$src}{$dst} = $pol;
-	next;
-    }
-
-    printf $outfile "%s\n", $_;
-}
-close $outfile or warn "Can't close $dir/$conf for writing: $!";
-
-
-#
-# Create the rules file, only including the applicable zones and taking
-# into account any WARN or BAN policies.
-#
-
-$conf = "rules";
-if (! -r $conf) {
-    fatal "You must provide a global \"$conf\" file";
-}
-
-open( $outfile, ">$dir/$conf" ) or
-    die "Can't open $dir/$conf for writing: $!";
-printf $outfile $HEADER, "$conf";
-
-for my $infile ("$conf.COMMON", "$conf.$host", "$conf") {
-    next unless -r $infile;
-    for (stripfile $infile) {
-	chomp;
-
-	my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
-
-	$act =~ s/:.*//;	# strip off logging directives
-	$src =~ s/:.*//;	# strip off host & port specifiers
-	$dst =~ s/:.*//;	# strip off host & port specifiers
-
-	print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
-
-	# Both source and destination zones must be valid on this host
-	# for this rule to apply.
-	next unless defined $hostzones{$src} and defined $hostzones{$dst};
-
-	# If host is not a router, either the source or destination zone
-	# must be the firewall itself.
-	if (!$router) {
-	    next unless $src eq $fw
-		     or $dst eq $fw
-		     or $src eq "all"
-		     or $dst eq "all";
-	}
-
-	# Save additional WARN/BAN rules
-	if ($act eq "WARN"  or  $act eq "BAN") {
-	    if (exists $warnban{$src}{$dst}) {
-		error "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
-	    }
-	    $warnban{$src}{$dst} = $act;
-	    next;
-	}
-
-	# Check against WARN/BAN rules
-	if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|Allow|DNAT)/) {
-	    if ($warnban{$src}{$dst} eq "WARN") {
-		warning "Rule contravenes WARN policy:\n\t$_";
-	    }
-	    else { # $warnban{$src}{$dst} eq "BAN"
-		error "Rule contravenes BAN policy (omitted):\n\t$_";
-		next;
-	    }
-	}
-
-	# Mangle DNAT rules if the destination is the local machine
-	if ($act =~ /^DNAT/  &&  $dst eq $fw) {
-	    $_ =~ s/\bDNAT(-)?/ACCEPT/;	# change rule type
-	    $_ =~ s/\b$fw:\S+/$dst/;	# strip trailing server address/port
-	}
-
-	printf $outfile "%s\n", $_;
-    }
-}
-close $outfile or warn "Can't close $dir/$conf for writing: $!";
-
-
-# Finished - return whatever we produced above...
-exit $ret;

contrib/shoregen/spec/description

@@ -1,3 +0,0 @@
-Shoregen is a script that generates Shoreline Firewall configurations for
-multiple firewalls from a common set of rules and policies.  Only the
-minimal information necessary for operation is stored on each firewall.

contrib/shoregen/spec/files

@@ -1,4 +0,0 @@
-# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $
-/usr/bin/%{name}
-/usr/bin/install_%{name}
-%doc /usr/share/doc/%{name}-%{version}/

contrib/shoregen/spec/header

@@ -1,10 +0,0 @@
-# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $
-Summary:	Shoreline Firewall configuration generator
-License:	GPL
-Group:		Applications/System
-BuildArch:	noarch
-URL:		http://paulgear.webhop.net/linux/#shoregen
-Packager:	Paul Gear <paul@gear.dyndns.org>
-Requires:	openssh
-Requires:	perl
-Requires:	rsync

contrib/shoregen/spec/install

@@ -1,9 +0,0 @@
-# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $
-
-install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/
-install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/
-
-install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
-install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
-cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
-chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/

contrib/shoregen/spec/type

@@ -1,2 +0,0 @@
-install
-# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $

docs/6to4.xml

@@ -135,20 +135,20 @@ GATEWAY=::192.88.99.1</programlisting></para>
 1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436 
     inet6 ::1/128 scope host 
        valid_lft forever preferred_lft forever
-2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+1: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
+       valid_lft forever preferred_lft forever
+2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">    inet6 2002:ce7c:92b4:1::1/64 scope global 
        valid_lft forever preferred_lft forever</emphasis>
     inet6 fe80::202:e3ff:fe08:55fa/64 scope link 
        valid_lft forever preferred_lft forever
-3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+3: eth4: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
-    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
-       valid_lft forever preferred_lft forever
-4: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">    inet6 2002:ce7c:92b4:2::1/64 scope global 
        valid_lft forever preferred_lft forever</emphasis>
     inet6 fe80::2a0:ccff:fed2:353a/64 scope link 
        valid_lft forever preferred_lft forever
-24: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
+4: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
 <emphasis role="bold">    inet6 ::206.124.146.180/128 scope global 
        valid_lft forever preferred_lft forever
     inet6 2002:ce7c:92b4::1/128 scope global 
@@ -156,24 +156,24 @@ GATEWAY=::192.88.99.1</programlisting></para>
 gateway:~ # ip -6 route ls
 <emphasis role="bold">::/96 via :: dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
 <emphasis role="bold">2002:ce7c:92b4::1 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
-2002:ce7c:92b4:1::/64 dev eth0  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
+2002:ce7c:92b4:1::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
-2002:ce7c:92b4:2::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
+2002:ce7c:92b4:2::/64 dev eth4  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
-fe80::/64 dev eth0  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth1  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
-fe80::/64 dev eth1  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev eth2  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth4  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
 <emphasis role="bold">default via ::192.88.99.1 dev sit1  metric 1  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
 gateway:~ # </programlisting></para>
       </blockquote>
 
-      <para>You will notice that sit1, eth0 and eth2 each have an IPv6 address
+      <para>You will notice that sit1, eth2 and eth4 each have an IPv6 address
       beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
       significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
       ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
       the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
       case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
       interface in INTERFACES, a subnet of 2<superscript>64</superscript>
-      addresses; in the case of eth0, 2002:ce7c:92b4:1::/64.</para>
+      addresses; in the case of eth2, 2002:ce7c:92b4:1::/64.</para>
 
       <para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
       the firewall to allow hosts conntected to eth2 and eth4 to automatically
@@ -232,7 +232,7 @@ interface eth4 {
       </note>
 
       <para>Here is the automatic IPv6 configuration on my server attached to
-      eth2:</para>
+      eth4:</para>
 
       <blockquote>
         <para><programlisting>webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 addr ls
@@ -281,7 +281,7 @@ ursa:~ #</programlisting></para>
 
       <para>Here is the resulting simple IPv6 Network:</para>
 
-      <graphic align="center" fileref="images/Network2008c.png" />
+      <graphic align="center" fileref="images/Network2009b.png" />
     </section>
 
     <section>
@@ -404,7 +404,7 @@ iface sit1 inet6 v4tunnel
 
       <para>That file produces the following IPv6 network.</para>
 
-      <graphic align="center" fileref="images/Network2009b.png" />
+      <graphic align="center" fileref="images/Network2008c.png" />
     </section>
 
     <section>
@@ -429,14 +429,15 @@ iface sit1 inet6 v4tunnel
       instructions above, you should have a completely functional IPv6
       network. Try:</para>
 
-      <programlisting><emphasis role="bold">ping6 2001:19f0:feee::dead:beef:cafe</emphasis>
+      <programlisting><emphasis role="bold">ping6 www.kame.net
+ping6 ipv6.chat.eu.freenode.net</emphasis>
 </programlisting>
 
-      <para>If that doesn't work from your firewall and from any local IPv6
+      <para>If neither of those work from your firewall and from any local
-      systems that you have behind your firewall, do not go any further until
+      IPv6 systems that you have behind your firewall, do not go any further
-      it does work. If you ask for help from the Shorewall team, the first
+      until one of them does work. If you ask for help from the Shorewall
-      question we will ask is 'With Shorewall6 cleared, can you ping6
+      team, the first question we will ask is 'With Shorewall6 cleared, can
-      2001:19f0:feee::dead:beef:cafe?'.</para>
+      you ping6 kame or freenode?'.</para>
 
       <para>The Shorewall6 configuration on my firewall is a very basic
       three-interface one.</para>

docs/Build.xml

@@ -305,14 +305,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>S</term>
-
-                <listitem>
-                  <para>sign the packages using GnuPg</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>c</term>
 
@@ -382,15 +374,16 @@
     </section>
 
     <section>
-      <title>upload</title>
+      <title>upload44</title>
 
       <para>This script is used to upload a release to lists.shorewall.net.
       The command is run in the build directory for the major release of the
       product.</para>
 
       <blockquote>
-        <para><command>upload</command> [ -<replaceable>products</replaceable>
+        <para><command>upload44</command> [
-        ] <replaceable>release</replaceable></para>
+        -<replaceable>products</replaceable> ]
+        <replaceable>release</replaceable></para>
       </blockquote>
 
       <para>where</para>

docs/FAQ.xml

@@ -91,8 +91,8 @@
     </section>
 
     <section id="faq75">
-      <title>(FAQ 75) I can't find the Shorewall 4.x shorewall-common RPM.
+      <title>(FAQ 75) I can't find the Shorewall 4.0 (or 4.2) shorewall-common
-      Where is it?</title>
+      RPM. Where is it?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> If you use Simon Matter's
       Redhat/Fedora/CentOS rpms, be aware that Simon calls the
@@ -118,15 +118,15 @@
     <title>Upgrading Shorewall</title>
 
     <section id="faq66">
-      <title>(FAQ 66) I'm trying to upgrade to Shorewall 4.x; where is the
+      <title>(FAQ 66) I'm trying to upgrade to Shorewall 4.0 (or 4.2); where
-      'shorewall' package?</title>
+      is the 'shorewall' package?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> Please see the <ulink
       url="upgrade_issues.htm">upgrade issues.</ulink></para>
 
       <section id="faq66a">
-        <title>(FAQ 66a) I'm trying to upgrade to Shorewall 4.x; do I have to
+        <title>(FAQ 66a) I'm trying to upgrade to Shorewall 4.0 (or 4.2); do I
-        uninstall the 'shorewall' package?</title>
+        have to uninstall the 'shorewall' package?</title>
 
         <para><emphasis role="bold">Answer:</emphasis> Please see the <ulink
         url="upgrade_issues.htm">upgrade issues.</ulink></para>
@@ -539,6 +539,13 @@ REDIRECT        net           22          tcp          9022</programlisting>
       you use ACCEPT unless you need to hijack connections as they go through
       your firewall and handle them on the firewall box itself; in that case,
       you use a REDIRECT rule.</para>
+
+      <note>
+        <para>The preceding answer should <emphasis>not</emphasis> be
+        interpreted to mean that DNAT can only be used in conjunction with
+        SNAT. But in common configurations using private local addresses, that
+        is the most common usage.</para>
+      </note>
     </section>
 
     <section id="faq8">
@@ -1100,6 +1107,25 @@ to debug/develop the newnat interface.</programlisting></para>
           will not prevent the above message from being issued.</para>
         </note></para>
     </section>
+
+    <section id="faq85">
+      <title>(FAQ 85) Shorewall is rejecting connections from my local lan
+      because it thinks they are coming from the 'net' zone.</title>
+
+      <para>I'm seeing this in my log:</para>
+
+      <programlisting>Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00
+                                       SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF
+                                       PROTO=UDP SPT=53289 DPT=53 LEN=37</programlisting>
+
+      <para><emphasis role="bold">Answer</emphasis>: This occurs when the
+      external interface and an internal interface are connected to the same
+      switch or hub. See <ulink url="FoolsFirewall.html">this article</ulink>
+      for details. The solution is to never connect more than one firewall
+      interface to the same hub or switch (an obvious exception is that when
+      you have a switch that supports VLAN tagging and the interfaces are
+      associated with different VLANs).</para>
+    </section>
   </section>
 
   <section id="Logging">
@@ -1890,16 +1916,16 @@ iptables: Invalid argument
       <para><command>/sbin/shorewall stop</command> places the firewall in a
       <firstterm>safe state</firstterm>, the details of which depend on your
       <filename>/etc/shorewall/routestopped</filename> file (<ulink
-      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(8))
+      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5))
       and on the setting of ADMINISABSENTMINDED in
       <filename>/etc/shorewall/shorewall.conf</filename> (<ulink
-      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8)).</para>
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
 
       <para><command>/etc/init.d/shorewall stop</command> may or may not do
       the same thing. In the case of <trademark>Debian</trademark> systems for
       example, that command actually executes <command>/sbin/shorewall
       clear</command> which opens the firewall completely. In other words, in
-      the init script's <command>stop</command> reverses the effect of
+      the init script, <command>stop</command> reverses the effect of
       <command>start</command>.</para>
 
       <para>One way to avoid these differences is to install Shorewall from
@@ -2153,42 +2179,6 @@ We have an error talking to the kernel
       url="http://linuxman.wikispaces.com/Clustering+Shorewall">This article
       by Paul Gear</ulink> should help you get started.</para>
     </section>
-
-    <section id="faq80">
-      <title>(FAQ 80) Does Shorewall support IPV6?</title>
-
-      <para>Answer: <ulink url="IPv6Support.html">Shorewall IPv6
-      support</ulink> is currently available in Shorewall 4.2.4 and
-      later.</para>
-
-      <section id="faq80a">
-        <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24
-        or later?</title>
-
-        <para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
-        stateful firewall which requires connection tracking be present in
-        ip6tables and in the kernel. Linux kernel's before 2.6.20 didn't
-        support connection tracking for IPv6. So we could not even start to
-        develop Shorewall IPv6 support until 2.6.20 and there were significant
-        problems with the facility until at least kernel 2.6.23. When
-        distributions began offering IPv6 connection tracking support, it was
-        with kernel 2.6.25. So that is what we developed IPv6 support on and
-        that's all that we initially tested on. Subsequently, we have tested
-        Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running
-        2.6.20 or later, you can <emphasis role="bold">try</emphasis> to run
-        Shorewall6 by hacking<filename>
-        /usr/share/shorewall/prog.footer6</filename> and changing the kernel
-        version test to check for your kernel version rather than 2.6.24
-        (20624). But after that, you are on your own.</para>
-
-        <programlisting>kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2&gt; /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
-if [ $kernel -lt <emphasis role="bold">20624</emphasis> ]; then
-    error_message "ERROR: $PRODUCT requires Linux kernel <emphasis role="bold">2.6.24</emphasis> or later"
-    status=2
-else 
- </programlisting>
-      </section>
-    </section>
   </section>
 
   <section id="ALIASES">
@@ -2303,6 +2293,42 @@ rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
   <section id="faq40">
     <title>IPv6</title>
 
+    <section id="faq80">
+      <title>(FAQ 80) Does Shorewall support IPV6?</title>
+
+      <para>Answer: <ulink url="IPv6Support.html">Shorewall IPv6
+      support</ulink> is currently available in Shorewall 4.2.4 and
+      later.</para>
+
+      <section id="faq80a">
+        <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24
+        or later?</title>
+
+        <para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
+        stateful firewall which requires connection tracking be present in
+        ip6tables and in the kernel. Linux kernels before 2.6.20 didn't
+        support connection tracking for IPv6. So we could not even start to
+        develop Shorewall IPv6 support until 2.6.20 and there were significant
+        problems with the facility until at least kernel 2.6.23. When
+        distributions began offering IPv6 connection tracking support, it was
+        with kernel 2.6.25. So that is what we developed IPv6 support on and
+        that's all that we initially tested on. Subsequently, we have tested
+        Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running
+        2.6.20 or later, you can <emphasis role="bold">try</emphasis> to run
+        Shorewall6 by hacking<filename>
+        /usr/share/shorewall/prog.footer6</filename> and changing the kernel
+        version test to check for your kernel version rather than 2.6.24
+        (20624). But after that, you are on your own.</para>
+
+        <programlisting>kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2&gt; /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+if [ $kernel -lt <emphasis role="bold">20624</emphasis> ]; then
+    error_message "ERROR: $PRODUCT requires Linux kernel <emphasis role="bold">2.6.24</emphasis> or later"
+    status=2
+else 
+ </programlisting>
+      </section>
+    </section>
+
     <section>
       <title>(FAQ 40) I have an interface that gets its IPv6 configuration
       from radvd. When I start Shorewall6, I immediately loose my default

docs/Introduction.xml

@@ -412,11 +412,11 @@ ACCEPT     net           $FW       tcp        22</programlisting>
 
       <listitem>
         <para><emphasis role="bold">Shorewall6-lite</emphasis>. Shorewall
-        allows for central administration of multiple IPv4 firewalls through
+        allows for central administration of multiple IPv6 firewalls through
-        use of Shorewall lite. The full Shorewall product is installed on a
+        use of Shorewall6 lite. The full Shorewall and Shorewall6 products are
-        central administrative system where compiled Shorewall scripts are
+        installed on a central administrative system where compiled Shorewall
-        generated. These scripts are copied to the firewall systems where they
+        scripts are generated. These scripts are copied to the firewall
-        run under the control of Shorewall-lite.</para>
+        systems where they run under the control of Shorewall6-lite.</para>
       </listitem>
     </orderedlist>
   </section>

docs/MultiISP.xml

@@ -235,9 +235,22 @@
 
               <listitem>
                 <para>Use mark values &gt; 255 for provider marks in this
-                column. These mark values must be a multiple of 256 in the
+                column. </para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>These mark values must be a multiple of 256 in the
                     range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
-                low-order 8 bits being zero).</para>
+                    low-order 8 bits being zero); or</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Set WIDE_TC_MARKS=Yes in <ulink
+                    url="manpages/shorewall.conf.html">shorewall.conf
+                    </ulink>(5) and use mark values in the range 0x10000 -
+                    0xFF0000 with the low-order 16 bits being zero.</para>
+                  </listitem>
+                </itemizedlist>
               </listitem>
             </itemizedlist>
 
@@ -265,10 +278,10 @@
 
           <listitem>
             <para>The name of the interface to the provider. Where multiple
-            providers share the same interface (which is not recommended), you
+            providers share the same interface, you must follow the name of
-            must follow the name of the interface by a colon (":") and the IP
+            the interface by a colon (":") and the IP address assigned by this
-            address assigned by this provider (e.g., eth0:206.124.146.176).
+            provider (e.g., eth0:206.124.146.176). See <link
-            See <link linkend="Shared">below</link> for additional
+            linkend="Shared">below</link> for additional
             considerations.</para>
 
             <para>The interface must have been previously defined in <ulink
@@ -618,8 +631,9 @@
 
         <listitem>
           <para>Once routing determines where the packet is to go, the
-          firewall (Shorewall) determines if the packet is allowed to go
+          firewall (Shorewall) determines if the packet is allowed to go there
-          there.</para>
+          and controls rewriting of the SOURCE IP address
+          (SNAT/MASQUERADE).</para>
         </listitem>
       </orderedlist>
 
@@ -655,7 +669,7 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
       internal subnetwork.</para>
 
       <para>If you have multiple IP addresses on one of your interfaces, you
-      can use a similar technique -- simple exclude the smallest network that
+      can use a similar technique -- simplY exclude the smallest network that
       contains all of those addresses from being masqueraded.</para>
 
       <warning>

docs/OPENVPN.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article id="OPENVPN">
-  <!--$Id$-->
+  <!--Id$-->
 
   <articleinfo>
     <title>OpenVPN Tunnels and Bridges</title>
@@ -420,7 +420,7 @@ verb 3</programlisting>
     <orderedlist>
       <listitem>
         <para>Include the <emphasis role="bold">client-to-client</emphasis>
-        directive in the server's OpenVPN configuration; and</para>
+        directive in the server's OpenVPN configuration; or</para>
       </listitem>
 
       <listitem>
@@ -429,11 +429,6 @@ verb 3</programlisting>
         url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.</para>
       </listitem>
     </orderedlist>
-
-    <para>If you want to selectively allow communication between the clients,
-    then see <ulink
-    url="http://marc.zonzon.free.fr/public_html/home.php?section=WRTMemo&amp;subsec=vpnwithshorewall">this
-    article</ulink> by Marc Zonzon</para>
   </section>
 
   <section>

docs/shorewall_prerequisites.xml

@@ -59,7 +59,11 @@
         <para>Iproute (<quote>ip</quote> and "tc" utilities). The iproute
         package is included with most distributions but may not be installed
         by default. The official download site is <ulink type="remote"
-        url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink>.</para>
+        url="http://developer.osdl.org/dev/iproute2/download/">http://developer.osdl.org/dev/iproute2/download/</ulink>.
+        Note that the Busybox versions of the iproute2 utilities
+        (<firstterm>ip</firstterm> and <firstterm>tc</firstterm>) do not
+        support all of the features required for advanced Shorewall
+        use.</para>
       </listitem>
 
       <listitem>

docs/support.xml

@@ -262,7 +262,10 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
           <listitem>
             <para>Be sure that the LOGFILE setting in<filename>
             /etc/shorewall/shorewall.conf</filename> is correct (that it names
-            the file where 'Shorewall' messages are being logged).</para>
+            the file where 'Shorewall' messages are being logged). See <ulink
+            url="manpages/shorewall.conf.html">shorewall.conf </ulink>(5) and
+            the <ulink url="shorewall_logging.html">Shorewall Logging
+            Article</ulink>.</para>
           </listitem>
 
           <listitem>

docs/three-interface.xml

@@ -350,6 +350,14 @@ $FW        net         ACCEPT</programlisting>
     those policies should be <ulink url="shorewall_logging.html">logged at
     that level</ulink>.</para>
 
+    <para>Some people want to consider their firewall to be part of their
+    local network from a security perspective. If you want to do this, add
+    these two policies:</para>
+
+    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+loc        $FW         ACCEPT
+$FW        loc         ACCEPT</programlisting>
+
     <para>It is important to note that Shorewall policies (and rules) refer to
     <emphasis role="bold">connections</emphasis> and not packet flow. With the
     policies defined in the <filename

docs/traffic_shaping.xml

@@ -1493,7 +1493,7 @@ ppp0            4       90kbit          200kbit         3           default
 eth0            1       100kbit         500kbit         1           tcp-ack
 eth0            2       3mbit           6mbit           2
 eth0            3       3mbit           6mbit           3
-eth0            4       94mbit          full            default #for local traffic</programlisting></para>
+eth0            4       94mbit          full            4           default #for local traffic</programlisting></para>
 
     <para>/etc/shorewall/tcrules:<programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)

docs/two-interface.xml

@@ -323,8 +323,6 @@ $FW        net         ACCEPT</programlisting> The above policy will:
     rejected under those policies should be <ulink
     url="shorewall_logging.html">logged at that level</ulink>.</para>
 
-    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
-
     <para>It is important to note that Shorewall policies (and rules) refer to
     <emphasis role="bold">connections</emphasis> and not packet flow. With the
     policies defined in the <filename
@@ -333,6 +331,16 @@ $FW        net         ACCEPT</programlisting> The above policy will:
     <emphasis>net</emphasis> zone even though connections are not allowed from
     the <emphasis>loc</emphasis> zone to the firewall itself.</para>
 
+    <para>Some people want to consider their firewall to be part of their
+    local network from a security perspective. If you want to do this, add
+    these two policies:</para>
+
+    <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
+loc        $FW         ACCEPT
+$FW        loc         ACCEPT</programlisting>
+
+    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
+
     <para>At this point, edit your <filename
     class="directory">/etc/shorewall/</filename><filename>policy</filename>
     and make any changes that you wish.</para>

manpages/shorewall-interfaces.xml

@@ -120,15 +120,17 @@ loc     eth2            -</programlisting>
         role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
 
         <listitem>
-          <para>The broadcast address(es) for the network(s) to which the
-          interface belongs. For P-T-P interfaces, this column is left blank.
-          If the interface has multiple addresses on multiple subnets then
-          list the broadcast addresses as a comma-separated list.</para>
-
           <para>If you use the special value <emphasis
           role="bold">detect</emphasis>, Shorewall will detect the broadcast
-          address(es) for you. If you select this option, the interface must
+          address(es) for you if your iptables and kernel include Address Type
-          be up before the firewall is started.</para>
+          Match support. </para>
+
+          <para>If your iptables and/or kernel lack Address Type Match support
+          then you may list the broadcast address(es) for the network(s) to
+          which the interface belongs. For P-T-P interfaces, this column is
+          left blank. If the interface has multiple addresses on multiple
+          subnets then list the broadcast addresses as a comma-separated
+          list.</para>
 
           <para>If you don't want to give a value for this column but you want
           to enter a value in the OPTIONS column, enter <emphasis
@@ -347,6 +349,32 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis
+              role="bold">nets=(<emphasis>net</emphasis>[,...])</emphasis></term>
+
+              <listitem>
+                <para>Limit the zone named in the ZONE column to only the
+                listed networks. The parentheses may be omitted if only a
+                single <replaceable>net</replaceable> is given (e.g.,
+                nets=192.168.1.0/24). Limited broadcast to the zone is
+                supported. Beginning with Shorewall 4.4.1, multicast traffic
+                to the zone is also supported.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nets=dynamic</emphasis></term>
+
+              <listitem>
+                <para>Defines the zone as <firstterm>dynamic</firstterm>.
+                Requires ipset match support in your iptables and kernel. See
+                <ulink
+                url="http://www.shorewall.net/Dynamic.html">http://www.shorewall.net/Dynamic.html</ulink>
+                for further information.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">nosmurfs</emphasis></term>
 

manpages/shorewall-masq.xml

@@ -155,7 +155,7 @@
         role="bold">-</emphasis>|<emphasis
         role="bold">NONAT</emphasis>|[<emphasis>address-or-address-range</emphasis>[,<emphasis>address-or-address-range</emphasis>]...][:<emphasis>lowport</emphasis><emphasis
         role="bold">-</emphasis><emphasis>highport</emphasis>][<emphasis
-        role="bold">:random</emphasis>]|<emphasis
+        role="bold">:random</emphasis>][:persistent]|<emphasis
         role="bold">detect</emphasis>|<emphasis
         role="bold">random</emphasis>]</term>
 
@@ -178,6 +178,15 @@
 
           <para>Example: 206.124.146.177-206.124.146.180</para>
 
+          <para>You may follow the port range (or <emphasis
+          role="bold">:random</emphasis>) with <emphasis
+          role="bold">:persistent</emphasis>. This is only useful when an
+          address range is specified and causes a client to be given the same
+          source/destination IP pair. This feature replaces the SAME modifier
+          which was removed from Shorewall in version 4.4.0. Unlike <emphasis
+          role="bold">random</emphasis>, <emphasis
+          role="bold">persistent</emphasis> may not be used by itself.</para>
+
           <para>You may also use the special value "detect" which causes
           Shorewall to determine the IP addresses configured on the interface
           named in the INTERFACES column and substitute them in this

manpages/shorewall-nat.xml

@@ -54,14 +54,6 @@
 
           <para>To stop the comment from being attached to further rules,
           simply include COMMENT on a line by itself.</para>
-
-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of COMMENT lines. These lines
-          begin with the word COMMENT; the remainder of the line is treated as
-          a comment which is attached to subsequent rules until another
-          COMMENT line is found or until the end of the file is reached. To
-          stop adding comments to rules, use a line with only the word
-          COMMENT.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-tcclasses.xml

@@ -104,6 +104,10 @@
           </varlistentry>
         </variablelist>
 
+        <para>Note that in a sub-class (a class that has a specified parent
+        class), full refers to the RATE or CEIL of the parent class rather
+        than to the OUT-BANDWIDTH of the device.</para>
+
         <para>DO NOT add a unit to the rate if it is calculated !</para>
       </listitem>
     </itemizedlist>
@@ -113,7 +117,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">INTERFACE</emphasis> -
-        <emphasis>interface</emphasis>[:<emphasis>parent</emphasis>][:<emphasis>class</emphasis>]</term>
+        <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
 
         <listitem>
           <para>Name of <emphasis>interface</emphasis>. Each interface may be
@@ -206,8 +210,9 @@
           when more needed services (e.g. ssh) are not used.</para>
 
           <para>You can use the value <emphasis role="bold">full</emphasis> in
-          here for setting the maximum bandwidth to the defined output
+          here for setting the maximum bandwidth to the RATE of the parent
-          bandwidth of that interface.</para>
+          class, or the OUT-BANDWIDTH of the device if there is no parent
+          class.</para>
         </listitem>
       </varlistentry>