Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.13
-%define release 0RC1
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,6 +99,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.13
-%define release 0RC1
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,6 +102,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -68,7 +68,7 @@ our %EXPORT_TAGS = (
 				       SET
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
-				       DESTIFAC_DISALLOW
+				       DESTIFACE_DISALLOW
 				       INPUT_RESTRICT
 				       OUTPUT_RESTRICT
 				       POSTROUTE_RESTRICT
@@ -261,13 +261,13 @@ our %targets;
 #
 # expand_rule() restrictions
 #
-use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and -o may be used in the rule
-	       PREROUTE_RESTRICT  => 1,   # PREROUTING chain rule  - -o converted to -d <address list> using main routing table
-	       INPUT_RESTRICT     => 4,   # INPUT chain rule       - -o not allowed
-	       OUTPUT_RESTRICT    => 8,   # OUTPUT chain rule      - -i not allowed
-	       POSTROUTE_RESTRICT => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
-	       ALL_RESTRICT       => 12,  # fw->fw rule            - neither -i nor -o allowed
-	       DESTIFAC_DISALLOW  => 32,  # Don't allow dest interface
+use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i and -o may be used in the rule
+	       PREROUTE_RESTRICT   => 1,   # PREROUTING chain rule  - -o converted to -d <address list> using main routing table
+	       INPUT_RESTRICT      => 4,   # INPUT chain rule       - -o not allowed
+	       OUTPUT_RESTRICT     => 8,   # OUTPUT chain rule      - -i not allowed
+	       POSTROUTE_RESTRICT  => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
+	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
+	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface
 	       };
 
 our $iprangematch;
@@ -3408,14 +3408,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Dest interface -- must use routing table
 	    #
-	    fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFAC_DISALLOW;
+	    fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFACE_DISALLOW;
 	    fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
 	    push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
 	    $rule .= '-d $dest ';
 	} else {
 	    fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
 	    fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
-	    fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFAC_DISALLOW;
+	    fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;
 
 	    if ( $iiface ) {
 		my $bridge = port_to_bridge( $diface );
@@ -3746,7 +3746,7 @@ sub promote_blacklist_rules() {
 		    #
 		    unless ( $chain2ref->{blacklist} ) {
 			unshift @{$chain2ref->{rules}}, $rule;
-			$chainbref->{references}{$chain2ref->{name}}++;
+			add_reference $chain2ref, $chainbref;
 			$chain2ref->{blacklist} = 1;
 		    }
 		}

Shorewall/Perl/Shorewall/Config.pm

@@ -347,7 +347,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13-RC1",
+		    VERSION => "4.4.13",
 		    CAPVERSION => 40413 ,
 		  );
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -296,7 +296,7 @@ sub process_tc_rule( ) {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 
-			$restriction = DESTIFAC_DISALLOW;
+			$restriction = DESTIFACE_DISALLOW;
 			
 			ensure_mangle_chain($target);
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...

Shorewall/Perl/Shorewall/Zones.pm

@@ -903,6 +903,8 @@ sub process_interface( $$ ) {
 	$root = $interface;
     }
 
+    fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
+
     my $physical = $interface;
     my $broadcasts;
 
@@ -1183,6 +1185,8 @@ sub known_interface($;$)
 
     return $interfaceref if $interfaceref;
 
+    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
+
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
@@ -1807,7 +1811,7 @@ sub find_hosts_by_option( $ ) {
 }
 
 #
-# Retruns a reference to a list of zones with the passed in/out option
+# Returns a reference to a list of zones with the passed in/out option
 #
 
 sub find_zones_by_option( $$ ) {

Shorewall/changelog.txt

@@ -35,6 +35,8 @@ Changes in Shorewall 4.4.13
 
 16) Correct port-range check in tcfilters.
 
+17) Disallow '*' in interface names.
+
 Changes in Shorewall 4.4.12
 
 1)  Fix IPv6 shorecap program.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,2 @@
-There are no known problems in Shorewall 4.4.13-RC1
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.

Shorewall/releasenotes.txt

@@ -1,6 +1,5 @@
 ----------------------------------------------------------------------------
                       S H O R E W A L L  4 . 4 . 1 3
-                                 R C  1
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -116,6 +115,8 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 13) An error message was incorrectly generated if a port range of the
     form :<port> (e.g., :22) appeared.
 
+14) An error is now generated if '*' appears in an interface name.
+
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
@@ -478,7 +479,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
 
 1)  Previously, the Shorewall6-lite version of shorecap was using
@@ -523,62 +524,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     correctly.
 
 ----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
-----------------------------------------------------------------------------
-
-1)  The IPv6 allowBcast action generated an invalid rule.
-
-2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
-    ipset was used in a configuration file entry, the following
-    fatal compilation error occurred:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    If you applied the workaround given in the "Known Problems", then
-    you should remove /etc/shorewall/capabilities after installing
-    this fix.
-
-3)  The start priority of shorewall-init on Debian and Debian-based
-    distributions was previously too low, making it start too late.
-
-4)  The log output from IPv6 logs was almost unreadable due to display
-    of IPv6 addresses in uncompressed format. A similar problem
-    occurred with 'shorewall6 show connections'. This update makes the
-    displays much clearer at the expense of opening the slight
-    possibility of two '::' sequences being incorrectly shown in the
-    same address.
-
-5)  The new REQUIRE_INTERFACE was inadvertently omitted from
-    shorewall.conf and shorewall6.conf. It has been added.
-
-6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
-
-7) If the following options were specified in /etc/shorewall/interfaces
-   for an interface with '-' in the ZONE column, then these options
-   would be ignored if there was an entry in the hosts file for the
-   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
-   implied when the host list begins with '!').
-
-   	blacklist
-	maclist
-	nosmurfs
-	tcpflags
-
-   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
-
-8) The generated script was missing a closing quote when
-   REQUIRE_INTERFACE=Yes.
-
-9) Previously, if nets= was specified under Shorewall6, this error
-   would result:
-
-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
-                /etc/shorewall6/interfaces (line 16)
-
-----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 1
+               N E W   F E A T U R E S   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
 
 1)  Support has been added for ADD and DEL rules in
@@ -673,6 +619,106 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
 	gateway:/etc/shorewall# 
 
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
+
+1)  The IPv6 allowBcast action generated an invalid rule.
+
+2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
+    ipset was used in a configuration file entry, the following
+    fatal compilation error occurred:
+
+    ERROR: ipset names in Shorewall configuration files require Ipset
+    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
+
+    If you applied the workaround given in the "Known Problems", then
+    you should remove /etc/shorewall/capabilities after installing
+    this fix.
+
+3)  The start priority of shorewall-init on Debian and Debian-based
+    distributions was previously too low, making it start too late.
+
+4)  The log output from IPv6 logs was almost unreadable due to display
+    of IPv6 addresses in uncompressed format. A similar problem
+    occurred with 'shorewall6 show connections'. This update makes the
+    displays much clearer at the expense of opening the slight
+    possibility of two '::' sequences being incorrectly shown in the
+    same address.
+
+5)  The new REQUIRE_INTERFACE was inadvertently omitted from
+    shorewall.conf and shorewall6.conf. It has been added.
+
+6)  Under some versions of Perl, a Perl run-time diagnostic was produced
+    when options were omitted from shorewall.conf or shorewall6.conf. 
+
+7) If the following options were specified in /etc/shorewall/interfaces
+   for an interface with '-' in the ZONE column, then these options
+   would be ignored if there was an entry in the hosts file for the
+   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
+   implied when the host list begins with '!').
+
+   	blacklist
+	maclist
+	nosmurfs
+	tcpflags
+
+   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
+
+8) The generated script was missing a closing quote when
+   REQUIRE_INTERFACE=Yes.
+
+9) Previously, if nets= was specified under Shorewall6, this error
+   would result:
+
+   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
+                /etc/shorewall6/interfaces (line 16)
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
+
+1)  Beginning with this release, Shorewall supports a 'vserver'
+    zone type. This zone type is used with Shorewall running on a
+    Linux-vserver host system and allows you to define zones that
+    represent a set of Linux-vserver hosts.
+
+    See http://www.shorewall.net/Vserver.html for details.
+
+2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
+    and shorewall6.conf. 
+
+    Traditionally, Shorewall has cleared the packet mark in the first
+    rule in the mangle FORWARD chain. This behavior is maintained with
+    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
+    set to No, packet marks set in the PREROUTING chain are retained in
+    the FORWARD chains.
+
+    As part of this change, a new "fwmark route mask" capability has
+    been added. If your version of iproute2 supports this capability,
+    fwmark routing rules may specify a mask to be applied to the mark
+    prior to comparison with the mark value in the rule. The presence
+    of this capability allows Shorewall to relax the restriction that
+    small mark values may not be set in the PREROUTING chain when
+    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
+    capability, be sure that you logically OR mark values in PREROUTING
+    makring rules rather then simply setting them unless you are able
+    to set both the high and low bits in the mark in a single rule.
+
+    As always when a new capability has been introduced, be sure to
+    regenerate your capabilities file(s) after installing this release.
+
+3)  A new column (NET3) has been added to the /etc/shorewall/netmap
+    file. This new column can qualify the INTERFACE column by
+    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
+    associated with the interface.
+
+4)  To accomodate systems with more than one version of Perl installed,
+    the shorewall.conf and shorewall6.conf files now support a PERL
+    option. If the program specified by that option does not exist or
+    is not executable, Shorewall (and Shorewall6) fall back to
+    /usr/bin/perl.
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
@@ -721,51 +767,6 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     This configuration now works correctly.
 
-----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 1
-----------------------------------------------------------------------------
-
-1)  Beginning with this release, Shorewall supports a 'vserver'
-    zone type. This zone type is used with Shorewall running on a
-    Linux-vserver host system and allows you to define zones that
-    represent a set of Linux-vserver hosts.
-
-    See http://www.shorewall.net/Vserver.html for details.
-
-2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
-    and shorewall6.conf. 
-
-    Traditionally, Shorewall has cleared the packet mark in the first
-    rule in the mangle FORWARD chain. This behavior is maintained with
-    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
-    set to No, packet marks set in the PREROUTING chain are retained in
-    the FORWARD chains.
-
-    As part of this change, a new "fwmark route mask" capability has
-    been added. If your version of iproute2 supports this capability,
-    fwmark routing rules may specify a mask to be applied to the mark
-    prior to comparison with the mark value in the rule. The presence
-    of this capability allows Shorewall to relax the restriction that
-    small mark values may not be set in the PREROUTING chain when
-    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
-    capability, be sure that you logically OR mark values in PREROUTING
-    makring rules rather then simply setting them unless you are able
-    to set both the high and low bits in the mark in a single rule.
-
-    As always when a new capability has been introduced, be sure to
-    regenerate your capabilities file(s) after installing this release.
-
-3)  A new column (NET3) has been added to the /etc/shorewall/netmap
-    file. This new column can qualify the INTERFACE column by
-    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
-    associated with the interface.
-
-4)  To accomodate systems with more than one version of Perl installed,
-    the shorewall.conf and shorewall6.conf files now support a PERL
-    option. If the program specified by that option does not exist or
-    is not executable, Shorewall (and Shorewall6) fall back to
-    /usr/bin/perl.
-
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.13
-%define release 0RC1
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,6 +108,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.13
-%define release 0RC1
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,6 +93,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.13
-%define release 0RC1
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,6 +98,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13-RC1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {