Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.14
+%define version 4.4.13
-%define release 0Beta1
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,8 +99,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.14
+%define version 4.4.13
-%define release 0Beta1
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,8 +102,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -717,8 +717,6 @@ sub move_rules( $$ ) {
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
 	my $blacklist = $chain2->{blacklist};
-
-	assert( ! $chain1->{blacklist} );
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -737,15 +735,11 @@ sub move_rules( $$ ) {
 
 	$chain2->{referenced} = 1;
 
-	#
+	unless ( $chain2->{blacklist} += $chain1->{blacklist} ) {
-	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
+	    #
-	# This hack avoids that.
+	    # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
-	#
+	    # This hack avoids that.
-	if ( $blacklist ) {
+	    #
-	    my $rule = shift @{$rules};
-	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
-	    unshift @{$rules}, $rule;
-	} else {
 	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
 	}
 	    
@@ -2572,8 +2566,6 @@ sub get_set_flags( $$ ) {
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
 }
 
-sub mysplit( $ );
-
 #
 # Match a Source.
 #
@@ -2594,18 +2586,6 @@ sub match_source_net( $;$ ) {
     } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
-    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
-	my $result = '';
-	my @sets = mysplit $1;
-
-	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
-
-	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
-	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
-	}
-
-	$result;
     } elsif ( $net =~ s/^!// ) {
 	validate_net $net, 1;
 	"! -s $net ";
@@ -2630,18 +2610,6 @@ sub match_dest_net( $ ) {
     } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
-    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
-	my $result = '';
-	my @sets = mysplit $1;
-
-	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
-
-	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
-	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
-	}
-
-	$result;
     } elsif ( $net =~ /^!/ ) {
 	$net =~ s/!//;
 	validate_net $net, 1;
@@ -2889,7 +2857,7 @@ sub addnatjump( $$$ ) {
 
 #
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
-# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
+# where an element of the list might be +ipset[binding].
 #
 sub mysplit( $ ) {
     my @input = split_list $_[0], 'host';
@@ -2902,12 +2870,12 @@ sub mysplit( $ ) {
 	my $element = shift @input;
 
 	if ( $element =~ /\[/ ) {
-	    while ( $element =~ tr/[/[/ > $element =~ tr/]/]/ ) {
+	    while ( substr( $element, -1, 1 ) ne ']' ) {
-		fatal_error "Missing ']' ($element)" unless @input;
+		last unless @input;
 		$element .= ( ',' . shift @input );
 	    }
 
-	    fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
+	    fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
 	}
 
 	push @result, $element;

Shorewall/Perl/Shorewall/Config.pm

@@ -347,7 +347,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.14-Beta1",
+		    VERSION => "4.4.13",
 		    CAPVERSION => 40413 ,
 		  );
 

Shorewall/changelog.txt

@@ -1,7 +1,3 @@
-Changes in Shorewall 4.4.14
-
-1)  Support ipset lists.
-
 Changes in Shorewall 4.4.13
 
 1)  Allow zone lists in rules SOURCE and DEST.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,2 @@
-There are no known problems in Shorewall 4.4.14-Beta1
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.

Shorewall/releasenotes.txt

@@ -1,6 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 4
+                      S H O R E W A L L  4 . 4 . 1 3
-                                B E T A  1
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,7 +13,109 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-None.
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored. 
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+    
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually. 
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error is now generated if '*' appears in an interface name.
 
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
@@ -27,12 +128,136 @@ None.
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-1)  Multiple source or destination ipset matches can be generated by
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
-    enclosing the ipset list in [...].
+    contain zone lists in the SOURCE and DEST column. A zone list is a
+    comma-separated list of zone names where each name appears in the
+    zones file. A zone list may be optionally followed by a plus sign
+    ("+") to indicate that the rule should apply to intra-zone traffic
+    as well as to inter-zone traffic.
 
-    Example (/etc/shorewall/rules):
+    Zone lists behave like 'all' and 'any' with respect to Optimization
+    1. If the rule matches the applicable policy for a given (source
+    zone, dest zone), then the rule will be suppessed for that pair of
+    zones unless overridden by the '!' suffix on the target in the
+    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
 
-        ACCEPT $FW net:+[dest-ip-map,dest-port-map]
+    Additionally, 'any', 'all' and zone lists may be qualified in the
+    same way as a single zone.
+
+    Examples:
+
+	fw,dmz:90.90.191.120/29
+	all:+blacklist
+
+    The 'all' and 'any' keywords now support exclusion in the form of a
+    comma-separated list of excluded zones.
+
+    Examples: 
+
+    	     all!fw         (same as all-).
+	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
+	     		     include intra-zone rules).
+
+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
+
+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
 
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S
@@ -253,250 +478,6 @@ None.
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 3
-----------------------------------------------------------------------------
-
-1)  Under rare circumstances where COMMENT is used to attach comments
-    to rules, OPTIMIZE 8 through 15 could result in invalid
-    iptables-restore (ip6tables-restore) input.
-
-2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
-    could result in invalid iptables-restore (ip6tables-restore) input.
-
-3)  The change in 4.4.12 to detect and use the new ipset match syntax
-    broke the ability to detect the old ipset match capability. Now,
-    both versions of the capability can be correctly detected.
-
-4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
-    if the last optional interface tested was not available.
-
-5)  Exclusion in the blacklist file was correctly validated but was then
-    ignored when generating iptables (ip6tables) rules.
-
-6)  Previously, non-trivial exclusion (more than one excluded
-    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
-    valid but incorrect iptables input. This has been corrected but
-    requires that your iptables/kernel support marking rules in any
-    Netfilter table (CONTINUE in the tcrules file does not require this
-    support).
-
-    This fix implements a new 'Mark in any table' capability; those
-    who utilize a capabilities file should re-generate the file using
-    this release.
-
-7)  Interface handling has been extensively modified in this release
-    to correct a number of problems with the earlier
-    implementation. Among those problems:
-
-    - Invalid shell variable names could be generated in the firewall
-      script. The generated firewall script uses shell variables to
-      track the availability of optional and required interfaces and
-      to record detected gateways, detected addresses, etc.
-
-    - The same shell variable name could be generated by two different
-      interface names.
-
-    - Entries in the interfaces file with a wildcard physical name
-      (physical name ends with "+") and with the 'optional' option were
-      handled strangely.
-
-      o If there were references to specific interfaces that matched
-        the wildcard, those entries were handled as if they had been
-        defined as optional in the interfaces file.
-
-      o If there were no references matching the wildcard, then the
-        'optional' option was effectively ignored. 
-
-    The new implementation:
-
-    - Insures valid shell variable names.
-    
-    - Insures that shell variable names are unique.
-
-    - Handles interface names appearing in the INTERFACE column of the
-      providers file as a special case for 'optional'. If the name
-      matches a wildcard entry in the interfaces file then the
-      usability of the specific interface is tracked individually. 
-
-    - Handles the availabilty of other interfaces matching a wildcard
-      as a group; if there is one useable interface in the group then
-      the wildcard itself is considered usable.
-
-      The following example illustrates this use case:
-
-      /etc/shorewall/interfaces
-
-	net	ppp+	-	optional
-
-      /etc/shorewall/shorewall.conf
-
-	REQUIRE_INTERFACE=Yes
-
-      If there is any usable PPP interface then the firewall will be
-      allowed to start. Previously, the firewall would never be allowed
-      to start.
-
-8)  When a comma-separated list of 'src' and/or 'dst' was specified in
-    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
-    or 'dst' was previously ignored when generating the resulting
-    iptables rule.
-
-9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
-    generated invalid iptables (ip6tables) input. That target now
-    generates correct input.
-
-10) Ipsets associated with 'dynamic' zones were being created during
-    'restart' but not during 'start'.
-
-11) To work around an issue in Netfilter/iptables, Shorewall now uses
-    state match rather than conntrack match for UNTRACKED state
-    matching.
-
-12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
-    did not clear the raw table.
-
-13) An error message was incorrectly generated if a port range of the
-    form :<port> (e.g., :22) appeared.
-
-14) An error message is now generated when '*' appears in an interface
-    name.
-
-----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 3
-----------------------------------------------------------------------------
-
-1)  Entries in the rules file (both Shorewall and Shorewall6) may now
-    contain zone lists in the SOURCE and DEST column. A zone list is a
-    comma-separated list of zone names where each name appears in the
-    zones file. A zone list may be optionally followed by a plus sign
-    ("+") to indicate that the rule should apply to intra-zone traffic
-    as well as to inter-zone traffic.
-
-    Zone lists behave like 'all' and 'any' with respect to Optimization
-    1. If the rule matches the applicable policy for a given (source
-    zone, dest zone), then the rule will be suppessed for that pair of
-    zones unless overridden by the '!' suffix on the target in the
-    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
-
-    Additionally, 'any', 'all' and zone lists may be qualified in the
-    same way as a single zone.
-
-    Examples:
-
-	fw,dmz:90.90.191.120/29
-	all:+blacklist
-
-    The 'all' and 'any' keywords now support exclusion in the form of a
-    comma-separated list of excluded zones.
-
-    Examples: 
-
-    	     all!fw         (same as all-).
-	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
-	     		     include intra-zone rules).
-
-2)  An IPSEC column has been added to the accounting file, allowing you
-    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
-    shorewall-accounting' (man shorewall6-accounting) for details.
-
-    With this change, there are now three trees of accounting chains:
-
-    - The one rooted in the 'accounting' chain.
-    - The one rooted in the 'accipsecin' chain. This tree handles
-      traffic that has been decrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the DEST column.
-    - The one rooted in the 'accipsecout' chain. This tree handles
-      traffic that will be encrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the SOURCE column.
-
-    In reality, when there are bridges defined in the configuration,
-    there is a fourth tree rooted in the 'accountout' chain. That chain
-    handles traffic that originates on the firewall (both IPSEC and
-    non-IPSEC).
-
-    This change also implements a couple of new warnings:
-
-    - WARNING: Adding rule to unreferenced accounting chain <name>
-
-      The first reference to user-defined accounting chain <name> is
-      not a JUMP or COUNT from an already-defined chain.
-
-    - WARNING: Accounting chain <name> has o references
-
-      The named chain contains accounting rules but no JUMP or COUNT
-      specifies that chain as the target.
-
-3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
-    manipulating the SELinux context of packets.
-
-    See the shorewall-secmarks and shorewall6-secmarks manpages for
-    details.
-
-    As part of this change, the tcrules file now accepts $FW in the
-    DEST column for marking packets in the INPUT chain.
-
-4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
-
-    a) Blacklisting is now based on zones rather than on interfaces and
-       host groups.
-
-    b) Near compatibility with earlier releases is maintained.
-
-    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
-       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
-       respectively. The old keywords are still supported.
-
-    d) The 'blacklist' keyword may now appear in the OPTIONS,
-       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
-
-       i)  In the IN_OPTIONS column, it indicates that packets received
-           on the interface are checked against the 'src' entries in
-           /etc/shorewall/blacklist.
-
-       ii) In the OUT_OPTIONS column, it indicates that packets being
-           sent to the interface are checked against the 'dst' entries.
-
-       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
-           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
-
-    e) The 'blacklist' option in the OPTIONS column of
-       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
-       equivalent to placing it in the IN_OPTIONS column of the
-       associates record in /etc/shorewall/zones. If no zone is given
-       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
-       option is ignored with a warning (it was previously ignored
-       silently).
-
-    f) The 'blacklist' option in the /etc/shorewall/interfaces and
-       /etc/shorewall/hosts files is now deprecated but will continue
-       to be supported for several releases. A warning will be added at
-       least one release before support is removed.
-
-5)  There is now an OUT-BANDWIDTH column in
-    /etc/shorewall/tcinterfaces.
-
-    The format of this column is:
-
-    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
-
-    These terms are described in tc-tbf(8). Shorewall supplies default
-    values as follows:
-
-    	   <burst>   = 10kb
-	   <latency> = 200ms
-
-    The remaining options are defaulted by tc.
-
-6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
-    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
-
-        <rate>[:<burst>]
-
-    The default <burst> is 10kb. A larger <burst> can help make the
-    <rate> more accurate; often for fast lines, the enforced rate is
-    well below the specified <rate>.
-
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.14
+%define version 4.4.13
-%define release 0Beta1
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,8 +108,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.14
+%define version 4.4.13
-%define release 0Beta1
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,8 +93,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.14
+%define version 4.4.13
-%define release 0Beta1
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,8 +98,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
+- Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.14-Beta1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

docs/Manpages.xml

@@ -83,10 +83,6 @@
         the interfaces on the system and optionally associate them with
         zones.</member>
 
-        <member><ulink url="manpages/shorewall-ipsets.html">ipsets</ulink> -
-        Describes how to specify set names in Shorewall configuration
-        files.</member>
-
         <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
         Define MAC verification.</member>
 

docs/ipsets.xml

@@ -95,8 +95,8 @@
       </listitem>
 
       <listitem>
-        <para>They must be composed of letters, digits, dashes ("-") or
+        <para>They must be composed of letters, digits or underscores
-        underscores ("_").</para>
+        ("_").</para>
       </listitem>
     </itemizedlist>
 
@@ -128,11 +128,6 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
     blacklist file, you can coerce the rule into matching the destination IP
     address rather than the source.</para>
 
-    <para>Beginning with Shorewall 4.4.14, multiple source or destination
-    matches may be specified by placing multiple set names in '+[...]' (e.g.,
-    +[myset,myotherset]). When so inclosed, the set names need not be prefixed
-    with a plus sign.</para>
-
     <para>Shorewall can save/restore your ipset contents with certain
     restrictions:</para>
 

manpages/shorewall-accounting.xml

@@ -481,7 +481,7 @@
     </ulink></para>
 
     <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-actions.xml

@@ -50,7 +50,7 @@
     url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-blacklist.xml

@@ -168,7 +168,7 @@
     url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-ecn.xml

@@ -64,7 +64,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-exclusion.xml

@@ -151,7 +151,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-hosts.xml

@@ -263,7 +263,7 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-blacklist(5), shorewall-interfaces(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-init.xml

@@ -163,7 +163,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-ipsets.xml

@@ -1,121 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-ipsets</refentrytitle>
-
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>ipsets</refname>
-
-    <refpurpose>Specifying the name if an ipset in Shorewall configuration
-    files</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>+<replaceable>ipsetname</replaceable></command>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>+<replaceable>ipsetname</replaceable>[<replaceable>flag</replaceable>,...]</command>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>+[ipsetname,...]</command>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>Note: In the above syntax descriptions, the square brackets ("[]")
-    are to be taken literally rather than as meta-characters.</para>
-
-    <para>In most places where a network address may be entered, an ipset may
-    be substituted. Set names must be prefixed by the character "+", must
-    start with a letter and may be composed of alphanumeric characters, "-"
-    and "_".</para>
-
-    <para>Whether the set is matched against the packet source or destination
-    is determined by which column the set name appears (SOURCE or DEST). For
-    those set types that specify a tupple, two alternative syntaxes are
-    available:</para>
-
-    <simplelist>
-      <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
-      'dst' should repleated number times. Example: myset[2].</member>
-
-      <member>[<replaceable>flag</replaceable>,...] where
-      <replaceable>flag</replaceable> is <option>src</option> or
-      <option>dst</option>. Example: myset[src,dst].</member>
-    </simplelist>
-
-    <para>In a SOURCE column, the following pairs are equivalent:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>+myset[2] and +myset[src,src]</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>In a DEST column, the following paris are equivalent:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>+myset[2] and +myset[dst,dst]</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Beginning with Shorewall 4.4.14, multiple source or destination
-    matches may be specified by enclosing the set names within +[...]. The set
-    names need not be prefixed with '+'.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>Examples</title>
-
-    <para>+myset</para>
-
-    <para>+myset[src]</para>
-
-    <para>+myset[2]</para>
-
-    <para>+[myset1,myset2[dst]]</para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para>/etc/shorewall/accounting</para>
-
-    <para>/etc/shorewall/blacklist</para>
-
-    <para>/etc/shorewall/hosts</para>
-
-    <para>/etc/shorewall/masq</para>
-
-    <para>/etc/shorewall/rules</para>
-
-    <para>/etc/shorewall/secmarks</para>
-
-    <para>/etc/shorewall/tcrules</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
-  </refsect1>
-</refentry>

manpages/shorewall-maclist.xml

@@ -102,7 +102,7 @@
     url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-masq.xml

@@ -565,7 +565,7 @@
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-nat(5),
+    shorewall-interfaces(5), shorewall-maclist(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),

manpages/shorewall-modules.xml

@@ -86,7 +86,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-nat.xml

@@ -138,7 +138,7 @@
     url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-nesting.xml

@@ -204,7 +204,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-netmap.xml

@@ -114,7 +114,7 @@
     url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-notrack.xml

@@ -147,7 +147,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-params.xml

@@ -128,7 +128,7 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
     url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-policy.xml

@@ -313,7 +313,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-providers.xml

@@ -340,7 +340,7 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-proxyarp.xml

@@ -132,7 +132,7 @@
     url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-route_rules(5),

manpages/shorewall-route_rules.xml

@@ -165,7 +165,7 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5),

manpages/shorewall-routestopped.xml

@@ -200,7 +200,7 @@
     url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-rules.xml

@@ -1370,7 +1370,7 @@
     url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-secmarks.xml

@@ -376,7 +376,7 @@ RESTORE                               I:ER</programlisting>
     url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcclasses.xml

@@ -500,7 +500,7 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcdevices.xml

@@ -219,7 +219,7 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcfilters.xml

@@ -204,7 +204,7 @@
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcinterfaces.xml

@@ -203,7 +203,7 @@
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcpri.xml

@@ -149,7 +149,7 @@
 
     <para>PRIO(8), shorewall(8), shorewall-accounting(5),
     shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-interfaces(5), shorewall-maclist(5), shorewall-masq(5),
     shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
     shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),

manpages/shorewall-tcrules.xml

@@ -805,7 +805,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-template.xml

@@ -52,7 +52,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tos.xml

@@ -160,7 +160,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tunnels.xml

@@ -275,7 +275,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-vardir.xml

@@ -54,7 +54,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-zones.xml

@@ -338,7 +338,7 @@ c:a,b     ipv4</programlisting>
     url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),

manpages/shorewall.conf.xml

@@ -1885,7 +1885,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall.xml

@@ -1480,7 +1480,7 @@
     url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),