Revert "Remove tools and web"

This reverts commit 966f162c87.

Samples/one-interface/shorewall.conf

@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=Off
+IP_FORWARDING=On
 
 ADD_IP_ALIASES=Yes
 

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.2
-%define release 2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -98,16 +98,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-1
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.template

@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this column:
+#			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,100 +304,6 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
-#	MARK		Specifies a MARK value to match. Must be empty or 
-#			'-' if the macro is to be used within an action.
-#			
-#				[!]value[/mask][:C]
-#
-#    			Defines a test on the existing packet or connection
-#			mark. The rule will match only if the test returns
-#			true.
-#
-#    			If you don't want to define a test but need to
-#			specify anything in the following columns,
-#			place a "-" in this field.
-#
-#    			!
-#
-#				Inverts the test (not equal)
-#
-#    			value
-#
-#				Value of the packet or connection mark.
-#
-#  			mask
-#
-#				A mask to be applied to the mark before
-#				testing.
-#
-#    			:C
-#
-#				Designates a connection mark. If omitted, the
-#				packet mark's value is tested.
-#
-#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
-#			an action.
-#
-#				[!]limit[:mask]
-#
-#			May be used to limit the number of simultaneous
-#			connections from each individual host to limit 
-#			connections. Requires connlimit match in your kernel
-#			and iptables. While the limit is only checked on rules
-#			specifying CONNLIMIT, the number of current connections
-#			is calculated over all current connections from the
-#			SOURCE host. By default, the limit is applied to each
-#			host but can be made to apply to networks of hosts by
-#			specifying a mask. The mask specifies the width of a
-#			VLSM mask to be applied to the source address; the
-#			number of current connections is then taken over all
-#			hosts in the subnet source-address/mask. When ! is
-#			specified, the rule matches when the number of
-#			connection exceeds the limit.
-#
-#	TIME		Must be empty or '-' if the macro is to be used within
-#			an action.
-#
-#
-#				<timeelement>[&...]
-#
-#			timeelement may be:
-#
-#    				timestart=hh:mm[:ss]
-#
-#					Defines the starting time of day.
-#
-#    				timestop=hh:mm[:ss]
-#
-#					Defines the ending time of day.
-#
-#    				utc
-#
-#					Times are expressed in Greenwich Mean
-#					Time.
-#
-#    				localtz
-#
-#					Times are expressed in Local Civil Time
-#					(default).
-#
-#    				weekdays=ddd[,ddd]...
-#
-#					where ddd is one of Mon, Tue, Wed, Thu,
-#					Fri, Sat or Sun
-#
-#    				monthdays=dd[,dd],...
-#
-#					where dd is an ordinal day of the month#
-#
-#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
-#
-#					Defines the starting date and time.
-#
-#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
-#
-#					Defines the ending date and time.
-#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:

Shorewall/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,16 +35,27 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.3_7';
 
 #
-# Called by the compiler to [re-]initialize this module's state
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Accounting
 #

Shorewall/Perl/Shorewall/Actions.pm

@@ -47,7 +47,6 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
-		  map_old_actions
 
 		  %usedactions
 		  %default_actions
@@ -57,7 +56,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_2';
+our $VERSION = '4.3_7';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -86,23 +85,21 @@ our %macros;
 
 our $family;
 
-our @builtins;
-
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
 
     $family          = shift;
@@ -114,12 +111,10 @@ sub initialize( $ ) {
     %actions         = ();
     %logactionchains = ();
     %macros          = ();
+}
 
-    if ( $family == F_IPV4 ) {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
-    } else {
-	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
-    }
+INIT {
+    initialize( F_IPV4 );
 }
 
 #
@@ -273,34 +268,6 @@ sub add_requiredby ( $$ ) {
     $actions{$requires}{requires}{$requiredby} = 1;
 }
 
-#
-# Map pre-3.0 actions to the corresponding Macro invocation
-#
-
-sub find_old_action ( $$$ ) {
-    my ( $target, $macro, $param ) = @_;
-
-    if ( my $actiontype = find_macro( $macro ) ) {
-	( $macro, $actiontype , $param );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
-sub map_old_actions( $ ) {
-    my $target = shift;
-
-    if ( $target =~ /^Allow(.*)$/ ) {
-	find_old_action( $target, $1, 'ACCEPT' );
-    } elsif ( $target =~ /^Drop(.*)$/ ) {
-	find_old_action( $target, $1, 'DROP' );
-    } elsif ( $target = /^Reject(.*)$/ ) {
-	find_old_action( $target, $1, 'REJECT' );
-    } else {
-	( $target, 0, '' );
-    }
-}
-
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
@@ -339,7 +306,7 @@ sub createlogactionchain( $$ ) {
 
     fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
 
-    unless ( $targets{$action} & BUILTIN ) {
+    unless ( $targets{$action} & STANDARD ) {
 
 	my $file = find_file $chain;
 
@@ -365,7 +332,7 @@ sub createsimpleactionchain( $ ) {
 
     $logactionchains{"$action:none"} = $chainref;
 
-    unless ( $targets{$action} & BUILTIN ) {
+    unless ( $targets{$action} & STANDARD ) {
 
 	my $file = find_file $action;
 
@@ -450,9 +417,8 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
-# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
-# ${CONFDIR}/actions are scanned (in that order). For each action:
+# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
+# and ${CONFDIR}/actions are scanned (in that order) and for each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -514,10 +480,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
     progress_message2 "Preprocessing Action Files...";
-    #
-    # Add built-in actions to the target table and create those actions
-    #
-    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
+
+    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
+	new_action $act;
+    }
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -553,7 +519,7 @@ sub process_actions1() {
 
 	    while ( read_a_line ) {
 
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
 
 		process_action1( $action, $wholetarget );
 
@@ -590,8 +556,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+sub process_action( $$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my ( $action , $level ) = split_action $target;
 
@@ -609,7 +575,7 @@ sub process_action( $$$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -622,8 +588,8 @@ sub process_action( $$$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+sub process_macro3( $$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
 
     my $nocomment = no_comment;
 
@@ -639,14 +605,12 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
-	    $morigdest = '-';
-	    $mmark     = '-';
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -660,6 +624,8 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
+
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -700,9 +666,8 @@ sub process_macro3( $$$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
-	$mmark   = merge_macro_column $mmark,   $mark;
 
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
     }
 
     pop_open;
@@ -727,7 +692,7 @@ sub process_action3( $$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
 
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -751,9 +716,9 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
 	}
     }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -71,9 +71,9 @@ our %EXPORT_TAGS = (
 				       ALL_COMMANDS
 				       NOT_RESTORE
 
-				       initialize_chain_table
 				       add_commands
 				       move_rules
+				       move_rules1
 				       insert_rule1
 				       purge_jump
 				       add_tunnel_rule
@@ -111,6 +111,7 @@ our %EXPORT_TAGS = (
 				       new_builtin_chain
 				       new_nat_chain
 				       ensure_filter_chain
+				       initialize_chain_table
 				       finish_section
 				       setup_zone_mss
 				       newexclusionchain
@@ -165,7 +166,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_0';
 
 #
 # Chain Table
@@ -246,7 +247,6 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
-our $idiotcount1;
 
 our $global_variables;
 
@@ -272,11 +272,11 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
-# Mode of the emitter.
+# Mode of the generator.
 #
-use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
-	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
-	       CMD_MODE  => 2 };  # Emitting shell commands.
+use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
+	       CAT_MODE  => 1 ,   # Generating iptables-restore input
+	       CMD_MODE  => 2 };  # Generating shell commands.
 
 our $mode;
 
@@ -298,15 +298,15 @@ our %builtin_target = ( ACCEPT   => 1,
 			REDIRECT => 1 );
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
     $family = shift;
 
@@ -356,10 +356,13 @@ sub initialize( $ ) {
 
     $global_variables   = 0;
     $idiotcount         = 0;
-    $idiotcount1        = 0;
 
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Process a COMMENT line (in $currentline)
 #
@@ -413,48 +416,83 @@ sub decr_cmd_level( $ ) {
 #
 
 sub add_commands ( $$;@ ) {
-    my $chainref    = shift @_;
-    my $indentation = '    ' x $chainref->{cmdlevel};
+    my $chainref = shift @_;
 
     for ( @_ ) {
-	push @{$chainref->{rules}}, join ('', $indentation , $_ );
+	push @{$chainref->{rules}}, join ('', '    ' x $chainref->{cmdlevel} , $_ );
     }
 
     $chainref->{referenced} = 1;
 }
 
 sub push_rule( $$ ) {
-    my $chainref = $_[0];
-    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);
+    my ($chainref, $rule) = @_;
 
     $rule .= qq( -m comment --comment "$comment") if $comment;
 
     if ( $chainref->{cmdlevel} ) {
 	$rule =~ s/"/\\"/g; #Must preserve quotes in the rule
-	add_commands $chainref , qq(echo "$rule" >&3);
+	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
     } else {
-	push @{$chainref->{rules}}, $rule;
+	#
+	# We omit the chain name for now -- this makes it easier to move rules from one 
+	# chain to another
+	#
+	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
 	$chainref->{referenced} = 1;
     }
 }
 
 #
-# Post-process a rule having a port list. Split the rule into multiple rules if necessary
+# Post-process a rule having an sport list. Split the rule into multiple rules if necessary
 # to work within the 15-element limit imposed by iptables/Netfilter.
 #
-# The third argument ($dport) indicates what type of list we are spltting:
-#
-#      $dport == 1     Destination port list
-#      $dport == 0     Source port list
-#
-# When expanding a Destination port list, each resulting rule is checked for the presence
-# of a Source port list; if one is present, the function calls itself recursively with
-# $dport == 0.
-#
-sub handle_port_list( $$$$$$ );
 
-sub handle_port_list( $$$$$$ ) {
-    my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
+sub handle_sport_list( $$$$$ ) {
+    my ($chainref, $rule, $first, $ports, $rest) = @_;
+
+    if ( port_count( $ports ) > 15 ) {
+	#
+	# More than 15 ports specified
+	#
+	my @ports = split '([,:])', $ports;
+
+	while ( @ports ) {
+	    my $count = 0;
+	    my $newports = '';
+
+	    while ( @ports && $count < 15 ) {
+		my ($port, $separator) = ( shift @ports, shift @ports );
+
+		$separator ||= '';
+
+		if ( ++$count == 15 ) {
+		    if ( $separator eq ':' ) {
+			unshift @ports, $port, ':';
+			chop $newports;
+			last;
+		    } else {
+			$newports .= $port;
+		    }	
+		} else {
+		    $newports .= "${port}${separator}";
+		}
+	    }
+
+	    push_rule ( $chainref, join( '', $first, $newports, $rest ) );
+	}
+    } else {
+	push_rule ( $chainref, $rule );
+    }
+}
+
+#
+# Post-process a rule having an dport list. Split the rule into multiple rules if necessary
+# to work within the 15-element limit imposed by iptables/Netfilter.
+#
+
+sub handle_dport_list( $$$$$ ) {
+    my ($chainref, $rule, $first, $ports, $rest) = @_;
 
     if ( port_count( $ports ) > 15 ) {
 	#
@@ -486,14 +524,14 @@ sub handle_port_list( $$$$$$ ) {
 
 	    my $newrule = join( '', $first, $newports, $rest );
 
-	    if ( $dport && $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-		handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
+	    if ( $newrule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+		handle_sport_list( $chainref, $newrule, $1, $2, $3 );
 	    } else {
 		push_rule ( $chainref, $newrule );
 	    }
 	}
-    } elsif ( $dport && $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
-	handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
+    } elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
+	handle_sport_list( $chainref, $rule, $1, $2, $3 );
     } else {
 	push_rule ( $chainref, $rule );
     }
@@ -523,12 +561,12 @@ sub add_rule($$;$)
 	    #
 	    # Rule has a --dports specification
 	    #
-	    handle_port_list( $chainref, $rule, 1, $1, $2, $3 )
+	    handle_dport_list( $chainref, $rule, $1, $2, $3 )
 	} elsif ( $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
 	    #
 	    # Rule has a --sports specification
 	    #
-	    handle_port_list( $chainref, $rule, 0, $1, $2, $3 )
+	    handle_sport_list( $chainref, $rule, $1, $2, $3 )
 	} else {
 	    push_rule ( $chainref, $rule );
 	}
@@ -605,7 +643,7 @@ sub insert_rule1($$$)
 
     $rule .= "-m comment --comment \"$comment\"" if $comment;
 
-    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $chainref->{name}, $rule ) );
+    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $rule ) );
 
     $iprangematch = 0;
 
@@ -635,18 +673,15 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
+# The source chain must not have any run-time code included in its rules. 
+#
 sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
 
     if ( $chain1->{referenced} ) {
 	my @rules = @{$chain1->{rules}};
-	my $name  = $chain1->{name};
-	#
-	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
-	#
-	$name =~ s/\+/\\+/;
 
-	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;
+	assert( /^-A/ ) for @rules;
 
 	splice @{$chain2->{rules}}, 0, 0, @rules;
 
@@ -656,6 +691,29 @@ sub move_rules( $$ ) {
     }
 }
 
+#
+# Like above except it returns 0 if it can't move the rules
+#
+sub move_rules1( $$ ) {
+    my ($chain1, $chain2 ) = @_;
+
+    if ( $chain1->{referenced} ) {
+	my @rules = @{$chain1->{rules}};
+
+	for ( @rules ) {
+	    return 0 unless /^-A/;
+	}
+
+	splice @{$chain2->{rules}}, 0, 0, @rules;
+
+	$chain2->{referenced} = 1;
+	$chain1->{referenced} = 0;
+	$chain1->{rules}      = [];
+    }
+
+    1;
+}
+
 #
 # Transform the passed interface name into a legal shell variable name.
 #
@@ -727,12 +785,9 @@ sub use_input_chain($) {
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
-    # We must use the interfaces's chain if:
-    #
-    # - the interface is associated with multiple zone nets; or
-    # - the interface has the 'upnpclient' option.
-    #
-    # In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
+    # We must use the interfaces's chain if the interface is associated with multiple zone nets or
+    # if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain
+    # run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
     #    
     return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
     #
@@ -918,18 +973,16 @@ sub ensure_filter_chain( $$ )
 
     my $chainref = ensure_chain 'filter', $chain;
 
-    unless ( $chainref->{referenced} ) {
-	if ( $populate ) {
-	    if ( $section eq 'NEW' or $section eq 'DONE' ) {
-		finish_chain_section $chainref , 'ESTABLISHED,RELATED';
-	    } elsif ( $section eq 'RELATED' ) {
-		finish_chain_section $chainref , 'ESTABLISHED';
-	    }
+    if ( $populate and ! $chainref->{referenced} ) {
+	if ( $section eq 'NEW' or $section eq 'DONE' ) {
+	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
+	} elsif ( $section eq 'RELATED' ) {
+	    finish_chain_section $chainref , 'ESTABLISHED';
 	}
-
-	$chainref->{referenced} = 1;
     }
 
+    $chainref->{referenced} = 1;
+
     $chainref;
 }
 
@@ -945,25 +998,9 @@ sub ensure_accounting_chain( $  )
     if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in accounting rule" unless $chainref->{accounting};
     } else {
-	$chainref = new_chain 'filter' , $chain;
+	$chainref = new_chain 'filter' , $chain unless $chainref;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
-
-	if ( $chain ne 'accounting' ) {
-	    my $file = find_file $chain;
-
-	    if ( -f $file ) {
-		progress_message "Processing $file...";
-
-		my ( $level, $tag ) = ( '', '' );
-
-		unless ( my $return = eval `cat $file` ) {
-		    fatal_error "Couldn't parse $file: $@" if $@;
-		    fatal_error "Couldn't do $file: $!"    unless defined $return;
-		    fatal_error "Couldn't run $file"       unless $return;
-		}
-	    }
-	}
     }
 
     $chainref;
@@ -973,7 +1010,9 @@ sub ensure_mangle_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'mangle', $chain;
+
     $chainref->{referenced} = 1;
+
     $chainref;
 }
 
@@ -981,7 +1020,9 @@ sub ensure_nat_chain($) {
     my $chain = $_[0];
 
     my $chainref = ensure_chain 'nat', $chain;
+
     $chainref->{referenced} = 1;
+
     $chainref;
 }
 
@@ -1035,8 +1076,8 @@ sub ensure_manual_chain($) {
 }
 
 #
-# Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
-# The function also initializes the target table with the pre-defined targets available for the specfied address family.
+# Add all builtin chains to the chain table
+#
 #
 sub initialize_chain_table()
 {
@@ -1064,6 +1105,15 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'dropBcast'       => BUILTIN  + ACTION,
+		    'allowBcast'      => BUILTIN  + ACTION,
+		    'dropNotSyn'      => BUILTIN  + ACTION,
+		    'rejNotSyn'       => BUILTIN  + ACTION,
+		    'dropInvalid'     => BUILTIN  + ACTION,
+		    'allowInvalid'    => BUILTIN  + ACTION,
+		    'allowinUPnP'     => BUILTIN  + ACTION,
+		    'forwardUPnP'     => BUILTIN  + ACTION,
+		    'Limit'           => BUILTIN  + ACTION,
 		   );
 
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1105,6 +1155,12 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'dropBcast'       => BUILTIN  + ACTION,
+		    'allowBcast'      => BUILTIN  + ACTION,
+		    'dropNotSyn'      => BUILTIN  + ACTION,
+		    'rejNotSyn'       => BUILTIN  + ACTION,
+		    'dropInvalid'     => BUILTIN  + ACTION,
+		    'allowInvalid'    => BUILTIN  + ACTION,
 		   );
 
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1158,6 +1214,7 @@ sub finish_chain_section ($$) {
 	}
 
 	$chainref->{new} = @{$chainref->{rules}};
+
     }
 
     $comment = $savecomment;
@@ -1301,8 +1358,6 @@ sub port_count( $ ) {
 #
 # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
 #
-# If the optional argument is true, port lists > 15 result in a fatal error.
-#
 sub do_proto( $$$;$ )
 {
     my ($proto, $ports, $sports, $restricted ) = @_;
@@ -1531,14 +1586,12 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 
 	my $limit = "-m hashlimit ";
-	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
-
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
+	    $limit .= "--hashlimit-upto $3 --hashlimit-burst $6 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
-	    $limit .= "--$match $3 --hashlimit-name ";
+	    $limit .= "--hashlimit-upto $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} else {
@@ -1798,8 +1851,8 @@ sub match_source_net( $;$ ) {
 
     $restriction |= NO_RESTRICT;
 
-    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
-	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
+    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
+	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -1825,8 +1878,8 @@ sub match_source_net( $;$ ) {
 sub match_dest_net( $ ) {
     my $net = $_[0];
 
-    if ( ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ) ||
-	 ( $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
+    if ( $family == F_IPV4 && $net =~ /^(!?)(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$/ ||
+	 $family == F_IPV6 && $net =~  /^(!?)(.*:.*)-(.*:.*)$/ ) {
 	my ($addr1, $addr2) = ( $2, $3 );
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
@@ -2463,12 +2516,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
-
-	    if ( $chainref->{table} eq 'nat' ) {
-		warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
-	    } else {
-		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
-	    }
+	    warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
 
 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
 
@@ -2826,15 +2874,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 }
 
 #
-# The following code generates the input to iptables-restore from the contents of the
-# @rules arrays in the chain table entries.
+# The following code generates the input to iptables-restore
 #
 # We always write the iptables-restore input into a file then pass the
 # file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain both rules (begin with '-A') or shell source. We alternate between
+# table entry may contain rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be passed to iptables-restore
 # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
@@ -2854,31 +2901,33 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $ ) {
-    if ( my $rule = $_[0] ) {
-	if ( substr( $rule, 0, 2 ) eq '-A' ) {
-	    #
-	    # A rule
-	    #
-	    enter_cat_mode unless $mode == CAT_MODE;
-	    emit_unindented $rule;
-	} else {
-	    #
-	    # A command
-	    #
-	    enter_cmd_mode unless $mode == CMD_MODE;
-	    emit $rule;
-	}
+sub emitr( $$ ) {
+    my ( $name, $rule ) = @_;
+
+    if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
+	#
+	# A rule
+	#
+	enter_cat_mode unless $mode == CAT_MODE;
+	emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
+    } else {
+	#
+	# A command
+	#
+	enter_cmd_mode unless $mode == CMD_MODE;
+	emit $rule;
     }
 }
 
 #
 # Simple version that only handles rules
 #
-sub emitr1( $ ) {
-    my $rule = $_[0];
+sub emitr1( $$ ) {
+    my ( $name, $rule ) = @_;
 
-    emit_unindented $rule;
+    assert( substr( $rule, 0, 2 ) eq '-A' );
+
+    emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
 }
 
 #
@@ -2889,10 +2938,14 @@ sub create_netfilter_load( $ ) {
 
     my @table_list;
 
-    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
-    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
-    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    if ( $family == F_IPV4 ) {
+	push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+	push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+	push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+	push @table_list, 'filter';
+    } else {
+	@table_list = qw( raw mangle filter );
+    }
 
     $mode = NULL_MODE;
 
@@ -2954,7 +3007,7 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
+	    emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} );
 	}
 	#
 	# Commit the changes to the table
@@ -3063,7 +3116,7 @@ sub create_chainlist_reload($) {
 		#
 		# Emit the chain rules
 		#
-		emitr $_ for ( grep defined $_, @rules );
+		emitr $chain, $_ for ( grep defined $_, @rules );
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3115,10 +3168,14 @@ sub create_stop_load( $ ) {
 
     my @table_list;
 
-    push @table_list, 'raw'    if $capabilities{RAW_TABLE};
-    push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
-    push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    if ( $family == F_IPV4 ) {
+	push @table_list, 'raw'    if $capabilities{RAW_TABLE};
+	push @table_list, 'nat'    if $capabilities{NAT_ENABLED};
+	push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+	push @table_list, 'filter';
+    } else {
+	@table_list = qw( raw mangle filter );
+    }
 
     my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
     my $UTILITY = $family == F_IPV4 ? 'IPTABLES_RESTORE' : 'IP6TABLES_RESTORE';
@@ -3168,7 +3225,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $_ for @{$chainref->{rules}};
+	    emitr1 $chainref->{name}, $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,18 +43,20 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_0';
 
 our $export;
 
 our $test;
 
-our $family;
+our $reused = 0;
+
+our $family = F_IPV4;
 
 #
-# Initilize the package-globals in the other modules
+# Reinitilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub reinitialize() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -77,11 +79,11 @@ sub initialize_package_globals() {
 #
 sub generate_script_1() {
 
+    my $date = localtime;
+
     if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
     } else {
-	my $date = localtime;
-
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
@@ -570,17 +572,14 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    #
-    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
-    #
-    initialize_package_globals;
+    reinitialize if $reused++ || $family == F_IPV6;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbosity( $verbosity );
+    set_verbose( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -596,18 +595,14 @@ sub compiler {
     require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    if ( $objectfile ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_object( $objectfile , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
-    #
-    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
-    #
+    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
+
     initialize_chain_table;
 
+    unless ( $command eq 'check' ) {
+	create_temp_object( $objectfile , $export );
+    }
+
     #
     # Allow user to load Perl modules
     #
@@ -646,7 +641,7 @@ sub compiler {
 
     enable_object;
     
-    if ( $objectfile ) {
+    unless ( $command eq 'check' ) {
 	#
 	# Place Header in the object
 	#
@@ -686,7 +681,7 @@ sub compiler {
     #
     setup_zone_mss;
 
-    if ( $objectfile ) {
+    unless ( $command eq 'check' ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
@@ -699,7 +694,8 @@ sub compiler {
     #
     enable_object;
     
-    if ( $objectfile ) {
+    unless ( $command eq 'check' ) {
+
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -717,7 +713,7 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $objectfile ) {
+    unless ( $command eq 'check' ) {
 	pop_indent;
 	emit "}\n";
     }
@@ -778,16 +774,22 @@ sub compiler {
     #
     setup_accounting;
 
-    if ( $objectfile ) {
+    if ( $command eq 'check' ) {
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
+    } else {
 	#
-	# Generate the zone by zone matrix
+	# Generate the zone x zone matrix
 	#
 	generate_matrix;
 
 	enable_object;
 	#
-	#                             I N I T I A L I Z E
-	#           (Writes the initialize() function to the compiled script)
+	#                                    I N I T I A L I Z E
+	#                  (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -795,16 +797,14 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
+	#                               S T O P _ F I R E W A L L
+	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-	#
-	#                           S T O P _ F I R E W A L L
-	#         (Writes the stop_firewall() function to the compiled script)
-	#
 	compile_stop_firewall( $test ); 
 	#
 	# Copy the footer to the object
@@ -826,24 +826,6 @@ sub compiler {
 	# And generate the auxilary config file
 	#
 	enable_object, generate_aux_config if $export;
-    } else {
-	#
-	# Re-initialize the chain table so that process_routestopped() has the same
-	# environment that it would when called by compile_stop_firewall().
-	#
-	Shorewall::Chains::initialize( $family );
-	initialize_chain_table;
-	#
-	# compile_stop_firewall() also validates the routestopped file. Since we don't
-	# call that function during 'check', we must validate routestopped here.
-	#
-	process_routestopped;
-
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -72,7 +72,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 				       save_progress_message
 				       save_progress_message_short
 				       set_timestamp
-				       set_verbosity
+				       set_verbose
 				       set_log
 				       close_log
 				       set_command
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_2';
+our $VERSION = '4.3_12';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -136,11 +136,11 @@ our ($command, $doing, $done );
 #
 # VERBOSITY
 #
-our $verbosity;
+our $verbose;
 #
 # Logging
 #
-our ( $log, $log_verbosity );
+our ( $log, $log_verbose );
 #
 # Timestamp each progress message, if true.
 #
@@ -241,8 +241,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOG_TARGET      => 'LOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
-		 PERSISTENT_SNAT => 'Persistent SNAT',
-		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@@ -286,14 +284,13 @@ use constant { MIN_VERBOSITY => -1,
 our %validlevels;             # Valid log levels.
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function and when compiling
+#                       for IPv6.
 #
 sub initialize( $ ) {
     $family = shift;
@@ -304,9 +301,11 @@ sub initialize( $ ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall6 Shorewall6 ip6tables IP6TABLES );
     }	
 
-    $verbosity = 0;            # Verbosity setting. -1 = silent, 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
+    ( $command, $doing, $done ) = qw/compile Compiling Compiled/; #describe the current command, it's present progressive, and it's completion.
+
+    $verbose = 0;              # Verbosity setting. 0 = almost silent, 1 = major progress messages only, 2 = all progress messages (very noisy)
     $log = undef;              # File reference for log file
-    $log_verbosity = -1;       # Verbosity of log.
+    $log_verbose = -1;         # Verbosity of log.
     $timestamp = '';           # If true, we are to timestamp each progress message
     $object = 0;               # Object (script) file Handle Reference
     $object_enabled = 0;       # Object (script) file Handle Reference
@@ -328,8 +327,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.2.2",
-		    CAPVERSION => 40402 ,
+		    VERSION => "4.4.0.1",
+		    CAPVERSION => 40310 ,
 		  );
 
     #
@@ -567,7 +566,7 @@ sub initialize( $ ) {
 			 NONE    => '',
 			 NFLOG   => 'NFLOG',
 		         LOGMARK => 'LOGMARK' );
-    }
+	}
     #
     # From parsing the capabilities file
     #
@@ -614,8 +613,6 @@ sub initialize( $ ) {
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
-	       PERSISTENT_SNAT => undef,
-	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
 	       );
     #
@@ -643,6 +640,7 @@ sub initialize( $ ) {
 }
 
 INIT {
+    initialize( F_IPV4 );
     #
     # These variables appear within single quotes in shorewall.conf -- add them to ENV
     # so that read_a_line doesn't have to be smart enough to parse that usage.
@@ -663,7 +661,7 @@ sub warning_message
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
     our @localtime;
 
-    $| = 1; #Reset output buffering (flush any partially filled buffers).
+    $| = 1;
 
     if ( $log ) {
 	@localtime = localtime;
@@ -678,22 +676,7 @@ sub warning_message
 	print $log   "   WARNING: @_$currentlineinfo\n" if $log;
     }
 
-    $| = 0; #Re-allow output buffering
-}
-
-sub cleanup() {
-    #
-    # Close files first in case we're running under Cygwin
-    #
-    close  $object, $object = undef         if $object;
-    close  $scriptfile, $scriptfile = undef if $scriptfile;
-    close  $log, $log = undef               if $log;
-    #
-    # Unlink temporary files
-    #
-    unlink ( $tempfile ), $tempfile = undef             if $tempfile;
-    unlink ( $scriptfilename ), $scriptfilename = undef if $scriptfilename;
-    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
+    $| = 0;
 }
 
 #
@@ -703,7 +686,7 @@ sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
 
-    $| = 1; #Reset output buffering (flush any partially filled buffers).
+    $| = 1;
 
     if ( $log ) {
 	our @localtime = localtime;
@@ -719,7 +702,6 @@ sub fatal_error	{
 	$log = undef;
     }
 
-    cleanup;
     confess "   ERROR: @_$currentlineinfo" if $debug;
     die "   ERROR: @_$currentlineinfo\n";
 }
@@ -741,7 +723,6 @@ sub fatal_error1	{
 	$log = undef;
     }
 
-    cleanup;
     confess "   ERROR: @_" if $debug;
     die "   ERROR: @_\n";
 }
@@ -873,14 +854,14 @@ sub set_timestamp( $ ) {
 }
 
 #
-# Set $verbosity
+# Set $verbose
 #
-sub set_verbosity( $ ) {
-    $verbosity = shift;
+sub set_verbose( $ ) {
+    $verbose = shift;
 }
 
 #
-# Set $log and $log_verbosity
+# Set $log and $log_verbose
 #
 sub set_log ( $$ ) {
     my ( $l, $v ) = @_;
@@ -888,16 +869,16 @@ sub set_log ( $$ ) {
     if ( defined $v ) {
 	my $value = numeric_value( $v );
 	fatal_error "Invalid Log Verbosity ( $v )" unless defined($value) && ( $value >= -1 ) && ( $value <= 2);
-	$log_verbosity = $value;
+	$log_verbose = $value;
     }
 
-    if ( $l && $log_verbosity >= 0 ) {
+    if ( $l && $log_verbose >= 0 ) {	
 	unless ( open $log , '>>' , $l ) {
 	    $log = undef; 
 	    fatal_error "Unable to open STARTUP_LOG ($l) for writing: $!";
 	}
     } else {
-	$log_verbosity = -1;
+	$log_verbose = -1;
     }
 }
 
@@ -921,17 +902,17 @@ sub timestamp() {
 }
 
 #
-# Write a message if $verbosity >= 2
+# Write a message if $verbose >= 2
 #
 sub progress_message {
     my $havelocaltime = 0;
 
-    if ( $verbosity > 1 || $log_verbosity > 1 ) {
+    if ( $verbose > 1 || $log_verbose > 1 ) {
 	my $line = "@_";
 	my $leading = $line =~ /^(\s+)/ ? $1 : '';
 	$line =~ s/\s+/ /g;
 
-	if ( $verbosity > 1 ) {
+	if ( $verbose > 1 ) {
 	    timestamp, $havelocaltime = 1 if $timestamp;
 	    #
 	    # We use this function to display messages containing raw config file images which may contains tabs (including multiple tabs in succession).
@@ -940,7 +921,7 @@ sub progress_message {
 	    print "${leading}${line}\n";
 	}
 
-	if ( $log_verbosity > 1 ) {
+	if ( $log_verbose > 1 ) {
 	    our @localtime;
 
 	    @localtime = localtime unless $havelocaltime; 
@@ -954,12 +935,12 @@ sub progress_message {
 sub progress_message_nocompress {
     my $havelocaltime = 0;
 
-    if ( $verbosity > 1 ) {
+    if ( $verbose > 1 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbosity > 1 ) {
+    if ( $log_verbose > 1 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime; 
@@ -970,17 +951,17 @@ sub progress_message_nocompress {
 }
 
 #
-# Write a message if $verbosity >= 1
+# Write a message if $verbose >= 1
 #
 sub progress_message2 {
     my $havelocaltime = 0;
 
-    if ( $verbosity > 0 ) {
+    if ( $verbose > 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbosity > 0 ) {
+    if ( $log_verbose > 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime; 
@@ -991,17 +972,17 @@ sub progress_message2 {
 }
 
 #
-# Write a message if $verbosity >= 0
+# Write a message if $verbose >= 0
 #
 sub progress_message3 {
     my $havelocaltime = 0;
 
-    if ( $verbosity >= 0 ) {
+    if ( $verbose >= 0 ) {
 	timestamp, $havelocaltime = 1 if $timestamp;
 	print "@_\n";
     }
 
-    if ( $log_verbosity >= 0 ) {
+    if ( $log_verbose >= 0 ) {
 	our @localtime;
 
 	@localtime = localtime unless $havelocaltime;
@@ -1133,7 +1114,7 @@ sub create_temp_object( $$ ) {
     my $suffix;
 
     if ( $objectfile eq '-' ) {
-	$verbosity = -1;
+	$verbose = -1;
 	$object = undef;
 	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
@@ -1144,7 +1125,7 @@ sub create_temp_object( $$ ) {
 	( $file, $dir, $suffix ) = fileparse( $objectfile );
     };
 
-    cleanup, die if $@;
+    die if $@;
 
     fatal_error "$dir is a Symbolic Link"        if -l $dir;
     fatal_error "Directory $dir does not exist"  unless -d _;
@@ -1190,7 +1171,7 @@ sub create_temp_aux_config() {
 	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
-    cleanup, die if $@;
+    die if $@;
 }
 
 #
@@ -1425,11 +1406,6 @@ sub pop_open() {
     pop_include;
 }
 
-#
-# This function is called by in-line PERL to generate a line of input for the current file.
-# If the in-line PERL returns an indication of success, then the generated lines will be
-# processed as regular file input.
-#
 sub shorewall {
     unless ( $scriptfile ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;
@@ -1594,16 +1570,11 @@ sub read_a_line() {
 	    #
 	    s/^\s*// if $currentline =~ /[,:]$/;
 	    #
-	    # If this isn't a continued line, remove trailing comments. Note that
-	    # the result may now end in '\'.
-	    #
-	    s/\s*#.*$// unless /\\$/;
-	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
 	    #
-	    # Now remove concatinated comments
+	    # Remove Trailing Comments -- result might be a blank line
 	    #
 	    $currentline =~ s/#.*$//;
 	    #
@@ -1614,10 +1585,6 @@ sub read_a_line() {
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
 	    if ( $first_entry ) {
-		#
-		# $first_entry can contain either a function reference or a message. If it
-		# contains a reference, call the function -- otherwise issue the message
-		#
 		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
 		$first_entry = 0;
 	    }
@@ -1850,7 +1817,7 @@ sub report_capability( $ ) {
 }
 
 sub report_capabilities() {
-    if ( $verbosity > 1 ) {
+    if ( $verbose > 1 ) {
 	print "Shorewall has detected the following capabilities:\n";
 
 	for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
@@ -1956,14 +1923,6 @@ sub determine_capabilities( $ ) {
 
     $capabilities{NAT_ENABLED}    = qt1( "$iptables -t nat -L -n" ) if $family == F_IPV4;
 
-    if ( $capabilities{NAT_ENABLED} ) {
-	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
-	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
-	}
-    }
-
     $capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
 
     qt1( "$iptables -N $sillyname" );
@@ -2029,15 +1988,6 @@ sub determine_capabilities( $ ) {
     $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
 
-    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-
-    if ( $capabilities{HASHLIMIT_MATCH} ) {
-	$capabilities{OLD_HL_MATCH} = '';
-    } else {
-	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
-	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
-    }
-
     if  ( $capabilities{MANGLE_ENABLED} ) {
 	qt1( "$iptables -t mangle -N $sillyname" );
 
@@ -2082,6 +2032,7 @@ sub determine_capabilities( $ ) {
     $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
     $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
     $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
+    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
     $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
     $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
     $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
@@ -2261,14 +2212,6 @@ sub unsupported_yes_no( $ ) {
     fatal_error "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }
 
-sub unsupported_yes_no_warning( $ ) {
-    my $option = shift;
-
-    default_yes_no $option, '';
-
-    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
-}
-
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2368,14 +2311,14 @@ sub get_configuration( $ ) {
     default_yes_no 'BLACKLISTNEWONLY'           , '';
     default_yes_no 'DISABLE_IPV6'               , '';
 
-    unsupported_yes_no_warning 'DYNAMIC_ZONES';
-    unsupported_yes_no         'BRIDGING';
-    unsupported_yes_no_warning 'SAVE_IPSETS';
-    unsupported_yes_no_warning 'RFC1918_STRICT';
+    unsupported_yes_no 'DYNAMIC_ZONES';
+    unsupported_yes_no 'BRIDGING';
+    unsupported_yes_no 'SAVE_IPSETS';
+    unsupported_yes_no 'MAPOLDACTIONS';
+    unsupported_yes_no 'RFC1918_STRICT';
 
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
-    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
 
     warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
 
@@ -2480,8 +2423,7 @@ sub get_configuration( $ ) {
     default 'ACCEPT_DEFAULT'        , 'none';
     default 'OPTIMIZE'              , 0;
 
-    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec';
-    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}"                    unless $config{IPSECFILE} eq 'zones';
+    fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} unless $config{IPSECFILE} eq 'zones';
 
     for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
@@ -2491,6 +2433,7 @@ sub get_configuration( $ ) {
 
     fatal_error "Invalid OPTIMIZE value ($val)" unless ( $val eq '0' ) || ( $val eq '1' );
 
+    fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}" unless $config{IPSECFILE} eq 'zones';
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -2523,7 +2466,7 @@ sub get_configuration( $ ) {
 	    ( $file, $dir, $suffix ) = fileparse( $config{LOCKFILE} );
 	};
 
-	cleanup, die $@ if $@;
+	die $@ if $@;
 
 	fatal_error "LOCKFILE=$config{LOCKFILE}: Directory $dir does not exist" unless $export or -d $dir;
     } else {
@@ -2698,7 +2641,18 @@ sub generate_aux_config() {
 }
 
 END {
-    cleanup;
+    #
+    # Close files first in case we're running under Cygwin
+    #
+    close  $object         if $object;
+    close  $scriptfile     if $scriptfile;
+    close  $log            if $log;
+    #
+    # Unlink temporary files
+    #
+    unlink $tempfile       if $tempfile;
+    unlink $scriptfilename if $scriptfilename;
+    unlink $_ for @tempfiles; 
 }
 
 1;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
-	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
+	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -72,27 +72,21 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.3_7';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $validate_range;
-our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
@@ -107,10 +101,23 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
+#
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
+#
+
+sub initialize( $ ) {
+    $family = shift;
+}
+
+INIT {
+    initialize( F_IPV4 );
+}
 
-#
-# Note: initialize() is declared at the bottom of the file
-#
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -391,6 +398,7 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
+    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -606,6 +614,7 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
+    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -620,63 +629,31 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }
 
 sub allip() {
-    @allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }    
 
 sub valid_address ( $ ) {
-    $valid_address->(@_);
+    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
 }
 
 sub validate_address ( $$ ) {
-    $validate_address->(@_);
+    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
 }
 
 sub validate_net ( $$ ) {
-    $validate_net->(@_);
+    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
 }
 
 sub validate_range ($$ ) { 
-    $validate_range->(@_);
+    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
 }
 
 sub validate_host ($$ ) { 
-    $validate_host->(@_);
-}
-
-#
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
-#
-sub initialize( $ ) {
-    my $family = shift;
-
-    if ( $family == F_IPV4 ) {
-	$allip            = ALLIPv4;
-	@allip            = @allipv4;
-	$valid_address    = \&valid_4address;
-	$validate_address = \&validate_4address;
-	$validate_net     = \&validate_4net;
-	$validate_range   = \&validate_4range;
-	$validate_host    = \&validate_4host;
-    } else {
-	$allip            = ALLIPv6;
-	@allip            = @allipv6;
-	$valid_address    = \&valid_6address;
-	$validate_address = \&validate_6address;
-	$validate_net     = \&validate_6net;
-	$validate_range   = \&validate_6range;
-	$validate_host    = \&validate_6host;
-    }
+    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -36,19 +37,29 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_2';
+our $VERSION = '4.3_7';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Handle IPSEC Options in a masq record
 #
@@ -167,6 +178,7 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
+
     #
     # Handle Mark
     #
@@ -204,7 +216,6 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
-	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -212,10 +223,7 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
-
-		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
+		$addresses =~ s/:random$// and $randomize = '--random ';
 
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
@@ -239,11 +247,7 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				validate_range( $1, $2 );
-			    } else {
-				validate_address $ipaddr, 0;
-			    }
+			    validate_address $ipaddr, 0;
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -258,7 +262,6 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
-	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,19 +34,29 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_1';
+our $VERSION = '4.3_7';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @policy_chains = ();
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Convert a chain into a policy chain.
 #
@@ -346,7 +356,7 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_0';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -62,15 +62,14 @@ our $family;
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
 
@@ -90,6 +89,10 @@ sub initialize( $ ) {
     @providers = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Set up marking for 'tracked' interfaces.
 #
@@ -455,10 +458,10 @@ sub add_a_provider( ) {
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
@@ -864,12 +867,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
 		
-		    $rule1 =~ s/-A tcpre //;
+		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 
@@ -896,12 +899,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
 		
-		    $rule1 =~ s/-A tcout //;
+		    $rule1 =~ s/-A //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,27 +35,30 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.3_7';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -40,12 +40,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
-		  process_routestopped
 		  generate_matrix
+		  setup_mss
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_0';
 
 #
 # Set to one if we find a SECTION
@@ -64,15 +64,14 @@ my %rules_commands = ( COMMENT => 0,
 		       SECTION => 2 );
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
     $sectioned = 0;
@@ -81,6 +80,10 @@ sub initialize( $ ) {
     @param_stack = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {
@@ -330,8 +333,6 @@ sub process_routestopped() {
 	}
 
 	unless ( $options eq '-' ) {
-	    my $chainref = $filter_table->{FORWARD};
-
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
@@ -343,7 +344,7 @@ sub process_routestopped() {
 			    my $source = match_source_net $host;
 			    my $dest   = match_dest_net   $host;
 
-			    add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
+			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
 			    clearrule;
 			}
 		    }
@@ -779,9 +780,6 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
     } else {
-	#
-	# Phase II
-	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -854,13 +852,12 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -874,6 +871,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
+
 	$mtarget = merge_levels $target, $mtarget;
 
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -919,15 +918,15 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      $mtarget, 
 		      $msource, 
 		      $mdest, 
-		      merge_macro_column( $mproto,     $proto ) ,
-		      merge_macro_column( $mports,     $ports ) ,
-		      merge_macro_column( $msports,    $sports ) ,
-		      merge_macro_column( $morigdest,  $origdest ) ,
-		      merge_macro_column( $mrate,      $rate ) ,
-		      merge_macro_column( $muser,      $user ) ,
-		      merge_macro_column( $mmark,      $mark ) ,
-		      merge_macro_column( $mconnlimit, $connlimit) ,
-		      merge_macro_column( $mtime,      $time ),
+		      merge_macro_column( $mproto,    $proto ) , 
+		      merge_macro_column( $mports,    $ports ) ,
+		      merge_macro_column( $msports,   $sports ) ,
+		      merge_macro_column( $morigdest, $origdest ) , 
+		      merge_macro_column( $mrate,     $rate ) ,
+		      merge_macro_column( $muser,     $user ) ,
+		      $mark, 
+		      $connlimit,
+		      $time,
 		      $wildcard
 		     );
 
@@ -964,10 +963,6 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
-    if ( $config{ MAPOLDACTIONS } ) {
-	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless ( $actiontype || $param );
-    }
-
     fatal_error "Unknown action ($action)" unless $actiontype;
 
     if ( $actiontype == MACRO ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.3_12';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -163,8 +163,6 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
-#                              guarantee     => <total RATE of classes seen so far>
-#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -188,7 +186,6 @@ our $sticky;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
-#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -205,15 +202,14 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -227,6 +223,10 @@ sub initialize( $ ) {
     $sticky = 0;
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
@@ -529,8 +529,6 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
-			    guarantee     => 0,
-			    name          => $device,
 			  } ,
 
     push @tcdevices, $device;
@@ -540,8 +538,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$$ ) {
-    my ($full, $rate, $column, $max) = @_;
+sub convert_rate( $$$ ) {
+    my ($full, $rate, $column) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -555,7 +553,7 @@ sub convert_rate( $$$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
 
     $rate;
 }
@@ -601,7 +599,6 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
-    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -633,11 +630,7 @@ sub validate_tc_class( ) {
 	fatal_error "Missing class NUMBER" if $devref->{classify};
     }
 
-    my $full    = rate_to_kbit $devref->{out_bandwidth};
-    my $ratemax = $full;
-    my $ceilmax = $full;
-    my $ratename = 'OUT-BANDWIDTH';
-    my $ceilname = 'OUT-BANDWIDTH';
+    my $full  = rate_to_kbit $devref->{out_bandwidth};
 
     my $tcref = $tcclasses{$device};
 
@@ -667,14 +660,10 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	$parentref = $tcref->{$parentclass};
+	my $parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
-	$ratemax  = $parentref->{rate};
-	$ratename = q(the parent class's RATE);
-	$ceilmax = $parentref->{ceiling};
-	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
@@ -684,35 +673,26 @@ sub validate_tc_class( ) {
 	
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	$rate = convert_rate ( $full, $trate, 'RATE' );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
 	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax; 
     } else {
-	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
+	$rate = convert_rate ( $full, $rate, 'RATE' );
     }
 
-    if ( $parentref ) {
-	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
-    } else {
-	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
-    }
-
-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
-    $tcref->{$classnumber} = { tos       => [] ,
-			       rate      => $rate ,
-			       umax      => $umax ,
-			       dmax      => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
-			       priority  => $prio eq '-' ? 1 : $prio ,
-			       mark      => $markval ,
-			       flow      => '' ,
-			       pfifo     => 0,
-			       occurs    => 1,
-			       parent    => $parentclass,
-			       leaf      => 1,
-			       guarantee => 0,
+    $tcref->{$classnumber} = { tos      => [] ,
+			       rate     => $rate ,
+			       umax     => $umax ,
+			       dmax     => $dmax ,
+			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
+			       priority => $prio eq '-' ? 1 : $prio ,
+			       mark     => $markval ,
+			       flow     => '' ,
+			       pfifo    => 0,
+			       occurs   => 1,
+			       parent   => $parentclass,
+			       leaf     => 1,
 			     };
 
     $tcref = $tcref->{$classnumber};

Shorewall/Perl/Shorewall/Zones.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_0';
 
 #
 # IPSEC Option types
@@ -174,15 +174,15 @@ our %validinterfaceoptions;
 our %validhostoptions;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @zones = ();
@@ -250,6 +250,10 @@ sub initialize( $ ) {
     }
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Parse the passed option list and return a reference to a hash as follows:
 #
@@ -359,8 +363,8 @@ sub process_zone( \$ ) {
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
     
-    if ( $type =~ /^ip(v([46]))?$/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
+    if ( $type =~ /ipv([46])?/i ) {
+	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
 	$type = IP;
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
@@ -597,6 +601,7 @@ sub add_group_to_zone($$$$$)
     my $interfaceref;
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
+    my $ifacezone = $interfaces{$interface}{zone};
 
     $zoneref->{interfaces}{$interface} = 1;
 
@@ -604,7 +609,8 @@ sub add_group_to_zone($$$$$)
     my @exclusions = ();
     my $new = \@newnetworks;
     my $switched = 0;
-    my $allip    = 0;
+
+    $ifacezone = '' unless defined $ifacezone;
 
     for my $host ( @$networks ) {
 	$interfaces{$interface}{nets}++;
@@ -620,12 +626,8 @@ sub add_group_to_zone($$$$$)
 
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
-		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
-		if ( $host eq ALLIP ) {
-		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
-		    $interfaces{$interface}{zone} = $zone;
-		    $allip = 1;
-		}
+		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
+		$ifacezone = $zone if $host eq ALLIP;
 	    }
 	}
 
@@ -647,8 +649,6 @@ sub add_group_to_zone($$$$$)
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
     $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
 
-    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
-
     $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
 
     push @{$interfaceref}, { options => $options,
@@ -841,7 +841,6 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The $option option requires a value" unless defined $value;
-		fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
 		fatal_error "Duplicate $option option" if $nets;
 		#
 		# Remove parentheses from address list if present
@@ -857,8 +856,6 @@ sub process_interface( $ ) {
 		    $value = "+${zone}_${interface}";
 		    $hostoptions{dynamic} = 1;
 		    $ipsets{"${zone}_${interface}"} = 1;
-		} else {
-		    $hostoptions{multicast} = 1;
 		}   
 		#
 		# Convert into a Perl array reference
@@ -890,19 +887,13 @@ sub process_interface( $ ) {
 				number     => $nextinum ,
 				root       => $root ,
 				broadcasts => $broadcasts ,
-				options    => \%options ,
-			        zone       => ''
-			      };
+				options    => \%options };
 
-    if ( $zone ) {
-	$nets ||= [ allip ];
-	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
-	add_group_to_zone( $zone, 
-			   $zoneref->{type}, 
-			   $interface, 
-			   [ IPv4_MULTICAST ], 
-			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
-    } 
+    $nets = [ allip ] unless $nets; 
+
+    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
+
+    $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
 
     progress_message "  Interface \"$currentline\" Validated";
 

Shorewall/changelog.txt

@@ -1,81 +1,11 @@
-Changes in Shorewall 4.4.2.2
 
-1)  Another fix for 'routeback' in routestopped.
+Changes in Shorewall 4.4.0.1
 
-Changes in Shorewall 4.4.2.1
+1)  Updated release versions.
 
-1)  Fix 'routeback' in routestopped.
+2)  Fix log level in rules at the end of INPUT and OUTPUT
 
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
+3)  Correct handling of nested IPSEC chains.
 
 Changes in Shorewall 4.4.0
 
@@ -89,7 +19,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-6)  Fix provider number in masq file.
+5)  Fix provider number in 
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -295,8 +225,10 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
+2)  Combine shorewall-common and shorewall-perl to product shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
+4)  Add SAME MARK/CLASSIFY target
+
 

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {
@@ -453,15 +453,6 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
     echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
-# Install the findgw file
-#
-run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
-
-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
-    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
-fi
-#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -792,11 +783,6 @@ cd ..
 
 echo "Man Pages Installed"
 
-if [ -z "$PREFIX" ]; then
-    rm -rf /usr/share/shorewall-perl
-    rm -rf /usr/share/shorewall-shell
-fi
-
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall

Shorewall/known_problems.txt

@@ -1,16 +1,16 @@
-1)  'shorewall check' produces an internal error if 'routeback' appears
-    in /etc/shorewall/routestopped.
+1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains still use the
+    LOG target rather than ULOG.
 
-    You can work around this problem by using 'source' rather than
-    'routeback'.
+    You can work around this problem by adding two additional policies
+    before the all->all one:
 
-    Corrected in Shorewall 4.4.2.1.
+    	   all 		$FW	DROP	ULOG
+	   $FW		all	REJECT	ULOG
 
-2)  'routestopped' appearing in /etc/shorewall/routestopped doesn't
-    work (routeback traffic is not allowed).
+    This problem was corrected in Shorewall 4.4.0.1.
 
-    You can work around this problem by using 'source' rather than
-    'routeback'.
-
-    Corrected in Shorewall 4.4.2.2.
+2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+    some cases.
 
+    This problem was corrected in Shorewall 4.4.0.1.

Shorewall/lib.base

@@ -30,7 +30,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40310
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -777,13 +777,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
-    fi
-
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -827,16 +820,14 @@ determine_capabilities() {
     LOGMARK_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
-    PERSISTENT_SNAT=
 
     chain=fooX$$
 
-    if [ -n "$NAT_ENABLED" ]; then
-	if qt $IPTABLES -t nat -N $chain; then
-	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-	    qt $IPTABLES -t nat -F $chain
-	    qt $IPTABLES -t nat -X $chain
-	fi
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
     fi
 
     qt $IPTABLES -F $chain
@@ -945,11 +936,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
-	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1015,7 +1002,6 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1025,7 +1011,6 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1074,7 +1059,6 @@ report_capabilities1() {
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
-    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH
@@ -1084,7 +1068,6 @@ report_capabilities1() {
     report_capability1 LOGMARK_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
-    report_capability1 PERSISTENT_SNAT
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
 }

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.2 Patch Release 1.
+Shorewall 4.4.0 patch release 1.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -66,9 +66,10 @@ Shorewall 4.4.2 Patch Release 1.
        WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                 support has been removed in this release.
 
-    b) Review the migration issues at
-       http://www.shorewall.net/LennyToSqueeze.html and make changes as
-       required.
+    b) Review the incompatibilities between Shorewall-shell and
+       Shorewall-perl at
+       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
+       and make changes to your configuration as necessary.
 
     We strongly recommend that you migrate to Shorewall-perl on your
     current Shorewall version before upgrading to Shorewall 4.4.0. That
@@ -104,7 +105,7 @@ Shorewall 4.4.2 Patch Release 1.
              starts/restarts
 
     To avoid this warning, replace interface names by the corresponding
-    network(s) in CIDR format (e.g., 192.168.144.0/24).
+    network addresses (e.g., 192.168.144.0/24).
 
 6)  Previously, Shorewall has treated traffic shaping class IDs as
     decimal numbers (or pairs of decimal numbers). That worked fine
@@ -152,89 +153,62 @@ Shorewall 4.4.2 Patch Release 1.
 
 10) The name 'any' is now reserved and may not be used as a zone name.
 
-11) Perl module initialization has changed in Shorewall
-    4.4.1. Previously, each Shorewall Perl package would initialize its
-    global variables for IPv4 in an INIT block. Then, if the
-    compilation turned out to be for IPv6,
-    Shorewall::Compiler::compiler() would reinitialize them for IPv6.
-
-    Beginning in Shorewall 4.4.1, the modules do not initialize
-    themselves in an INIT block. So if you use Shorewall modules
-    outside of the Shorewall compilation environment, then you must
-    explicitly call the module's 'initialize' function after the module
-    has been loaded.
-
-12) Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
-
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 2
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0 . 1
 ----------------------------------------------------------------------------
 
-1)  'routeback' in /etc/shorewall/routestopped was ineffective.
+1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains still used the
+    LOG target rather than ULOG.
+
+2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
+    some cases.
 
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 1
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 0
 ----------------------------------------------------------------------------
 
-1)  'shorewall check' produced an internal error if 'routeback' was
-    specified in /etc/shorewall/routestopped.
+1)  When compiling to standard out, it is no longer necessary to
+    specify '-v-1' to suppress the 'Compiling...' progress message 
 
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
-----------------------------------------------------------------------------
+2)  Previously, Shorewall would generate invalid iptables-restore input
+    if all of these conditions were met:
 
-1)  Detection of Persistent SNAT was broken in the rules compiler. 
+    - a nat rule (DNAT, REDIRECT, DNAT-, etc.) changed the destination
+      port number
+    - logging was specified on the rule
+    - no non-trivial exclusions in the rule (a non-trivial exclusion is
+      one whose exclusion list has more than one element)
 
-2)  Initialization of the compiler's chain table was occurring before 
-    shorewall.conf had been read and before the capabilities had been
-    determined. This could lead to incorrect rules and Perl runtime
-    errors.
+    Example of rule:
 
-3)  The 'shorewall check' command previously did not detect errors in
-    /etc/shorewall/routestopped.
+    	    REDIRECT:ULOG   wall    82      tcp     80
 
-4)  In earlier versions, if a file with the same name as a built-in
-    action were present in the CONFIG_PATH, then the compiler would
-    process that file like it was an extension script.
+    Example of error message:
 
-    The compiler now ignores the presence of such files.
+       iptables v1.3.5: Need TCP or UDP with port specification
+        Try `iptables -h' or 'iptables --help' for more information.
+	ERROR: Command "/sbin/iptables -A log0 -j REDIRECT --to-port
+        82" Failed
 
-5)  Several configuration issues which previously produced an error or
-    warning are now handled differently.
+3)  Previously, log displays from the 'dump', 'show log' and 'logwatch'
+    commands did not properly suppress redundant fields in the records
+    (host name, and leading constant part of the LOGPREFIX).
 
-    a)  MAPOLDACTIONS=Yes and MAPOLDACTIOSN= in shorewall.conf are now
-        handled as they were by the old shell-based compiler. That is,
-        they cause pre-3.0 built-in actions to be mapped automatically
-        to the corresponding macro invocation.
+4)  Given that Jozsef Kadlecsik has not yet released ipset 3.1, ipset
+    bindings are once again supported.
 
-    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
-        warning.
+5)  The 'upnpclient' option only worked correctly if 'optional' was
+    also specified for the interface.
 
-    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
-        a warning.
+6)  Where more than one internet provider shares the same external
+    interface, specifying the provider by number in /etc/shorewall/masq
+    (e.g., eth1(2)) resulted in the fatal compilation error:
 
-    d)  RFC1918_STRICT=Yes no loger produces a fatal error -- it is now
-        a warning.
+    	   ERROR: 2 is not a shared-interface provider
 
-6)  Previously, it was not possible to specify an IP address range in
-    ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee Shrieve
-    for the patch.
-
-7)  The 'wait4ifup' script included for Debian compatibility now runs
-    correctly with no PATH.
-
-8)  The new per-IP LIMIT feature now works with ancient iptables
-    releases (e.g., 1.3.5 as found on RHEL 5). This change required
-    testing for an additional capability which means that those who use
-    a capabilities file should regenerate that file after installing
-    4.4.2.
-
-9)  One unintended difference between Shorewall-shell and
-    Shorewall-perl was that Shorewall-perl did not support the MARK
-    column in action bodies. This has been corrected.
+    Also, the shorewall-masq (5) man page did not describe the syntax
+    for specifying the provider.
 
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
@@ -243,41 +217,7 @@ Shorewall 4.4.2 Patch Release 1.
 None.
 
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 2
-----------------------------------------------------------------------------
-
-1)  Prior to this release, line continuation has taken precedence over 
-    #-style comments. This prevented us from doing the following:
-
-    	    ACCEPT    net:206.124.146.176,\   #Gateway
-	    	          206.124.146.177,\   #Mail
-			  206.124.146.178\    #Server
-			  		      ...
-    
-    Now, unless a line ends with '\', any trailing comment is stripped
-    off (including any white-space preceding the '#'). Then if the line
-    ends with '\', it is treated as a continuation line as normal.
-
-2)  Three new columns have been added to FORMAT-2 macro bodies.
-
-    	  MARK
-	  CONNLIMIT
-	  TIME
-
-    These three columns correspond to the similar columns in
-    /etc/shorewall/rules and must be empty in macros invoked from an
-    action.
-
-3)  Accounting chains may now have extension scripts. Simply place your
-    Perl script in the file /etc/shorewall/<chain> and when the
-    accounting chain named <chain> is created, your script will be
-    invoked.
-
-    As usual, the variable $chainref will contain a reference to the
-    chain's table entry.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 0
+                 N E W   F E A T U R E S   IN   4 . 4
 ----------------------------------------------------------------------------
 
 1)  The Shorewall packaging has been completely revamped in Shorewall
@@ -925,96 +865,3 @@ None.
     the iptables utility is discovered using the PATH setting, then
     ip6tables in the same directory as the discovered iptables will be
     used.
-
-----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
-----------------------------------------------------------------------------
-
-1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains would still use the
-    LOG target rather than ULOG.
-
-2)  Using CONTINUE policies with a nested IPSEC zone was still broken
-    in some cases.
-
-3)  The setting of IP_FORWARDING has been change to Off in the
-    one-interface sample configuration since forwarding is typically
-    not required with only a single interface.
-
-4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
-    incorrectly exempted from ACCEPT policies.
-
-5)  Previously, the definition of a zone that specified "nets=" in
-    /etc/shorewall/interfaces could not be extended by entries in
-    /etc/shorewall/hosts.
-
-6)  Previously, "nets=" could be specified in a multi-zone interface
-    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    now raises a fatal compilation error.
-
-7)  MULTICAST=Yes generates an incorrect rule that limits its
-    effectiveness to a small part of the multicast address space.
-
-8)  Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 1
-----------------------------------------------------------------------------
-
-1)  To replace the SAME keyword in /etc/shorewall/masq, support has
-    been added for 'persistent' SNAT. Persistent SNAT is required when
-    an address range is specified in the ADDRESS column and when you
-    want a client to always receive the same source/destination IP
-    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
-
-    To specify persistence, follow the address range with
-    ":persistent".
-
-    Example:
-
-    #INTERFACE	SOURCE	   ADDRESS
-    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
-
-    This feature requires Persistent SNAT support in your kernel and
-    iptables. 
-
-    If you use a capabilities file, you will need to create a new one
-    as a result of this feature.
-
-    WARNING: Linux kernels beginning with 2.6.29 include persistent
-    SNAT support. If your iptables supports persistent SNAT but your
-    kernel does not, there is no way for Shorewall to determine that
-    persistent SNAT isn't going to work. The kernel SNAT code blindly
-    accepts all SNAT flags without verifying them and returns them to
-    iptables when asked.
-
-2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~). 
-
-3)  The meaning of 'full' has been redefined when used in the context
-    of a traffic shaping sub-class. Previously, 'full' always meant the
-    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
-    that definition is awkward to use because the sub-class is limited
-    by the parent class.
-
-    Beginning with this release, 'full' in a sub-class definition
-    refers to the specified rate defined for the parent class. So
-    'full' used in the RATE column refers to the parent class's RATE;
-    when used in the CEIL column, 'full' refers to the parent class's
-    CEIL.
-
-    As part of this change, the compiler now issues a warning if the
-    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
-    the device. Similarly, a warning is issued if the sum of the RATEs
-    of a class's sub-classes exceeds the rate of the CLASS.
-
-4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
-    /etc/shorewall/interfaces, multicast traffic will now be sent to
-    the zone along with limited broadcasts.
-
-5)  A flaw in the parsing logic for the zones file allowed most zone
-    types containing the character string 'ip' to be accepted as a
-    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).

Shorewall/shorewall

@@ -23,9 +23,99 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       For a list of supported commands, type 'shorewall help'
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
 #
-#####################################################################################################
+#	The firewall uses configuration files in /etc/shorewall/ - skeleton
+#	files are included with the firewall.
+#
+#	Commands are:
+#
+#          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
+#          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
+#          shorewall dump                          Dumps all Shorewall-related information
+#                                                  for problem analysis
+#	   shorewall start 			   Starts the firewall
+#	   shorewall restart			   Restarts the firewall
+#	   shorewall stop			   Stops the firewall
+#	   shorewall status			   Displays firewall status
+#	   shorewall reset			   Resets iptables packet and
+#						   byte counts
+#	   shorewall clear			   Open the floodgates by
+#						   removing all iptables rules
+#						   and setting the three permanent
+#						   chain policies to ACCEPT
+#	   shorewall refresh			   Rebuild the common chain to
+#						   compensate for a change of
+#						   broadcast address on any "detect"
+#						   interface.
+#	   shorewall [re]load [ <directory> ] <system>
+#						   Compile a script and install it on a
+#						   remote Shorewall Lite system.
+#	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
+#          shorewall show actions                  Displays the available actions
+#	   shorewall show log			   Print the last 20 log messages
+#	   shorewall show connections		   Show the kernel's connection
+#						   tracking table
+#	   shorewall show nat			   Display the rules in the nat table
+#	   shorewall show {mangle|tos}		   Display the rules in the mangle table
+#	   shorewall show tc			   Display traffic control info
+#	   shorewall show classifiers		   Display classifiers
+#          shorewall show capabilities             Display iptables/kernel capabilities
+#          shorewall show vardir                   Display the VARDIR setting.
+#	   shorewall version			   Display the installed version id
+#	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
+#	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
+#						   it doesn't work, revert to the
+#						   standard one. If a timeout is supplied
+#						   the command reverts back to the
+#						   standard configuration after that many
+#						   seconds have elapsed after successfully
+#						   starting the new configuration.
+#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
+#						   messages.
+#	   shorewall drop <address> ...		   Temporarily drop all packets from the
+#						   listed address(es)
+#	   shorewall reject <address> ...	   Temporarily reject all packets from the
+#						   listed address(es)
+#	   shorewall allow <address> ...	   Reenable address(es) previously
+#						   disabled with "drop" or "reject"
+#	   shorewall save [ <file> ]		   Save the list of "rejected" and
+#						   "dropped" addresses so that it will
+#						   be automatically reinstated the
+#						   next time that Shorewall starts.
+#                                                  Save the current state so that 'shorewall
+#                                                  restore' can be used.
+#
+#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
+#
+#          shorewall restore [ <file> ]            Restore the state of the firewall from
+#                                                  previously saved information.
+#
+#          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
+#
+#                                                  Displays information about the network
+#                                                  defined by the argument[s]
+#
+#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
+#                                                  a list of network/host addresses.
+#
+#          shorewall ipdecimal { <address> | <integer> }
+#
+#                                                  Displays the decimal equivalent of an IP
+#                                                  address and vice versa.
+#
+#          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall compile [ -e ] [ <directory> ] <filename>
+#                                                  Compile a firewall program file.
+
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -33,6 +123,7 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
+#
 get_config() {
     local prog
 
@@ -184,7 +275,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.2
-%define release 2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -104,16 +104,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-1
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
 - Made Perl a dependency
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
 }
 
 case $# in
@@ -51,7 +51,7 @@ esac
 
 while [ $timeout -gt 0 ]; do
     interface_is_up $1 && exit 0
-    /bin/sleep 1
+    sleep 1
     timeout=$(( $timeout - 1 ))
 done
 

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.2
-%define release 2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -89,16 +89,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-1
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40310
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -853,11 +853,7 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
-	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -921,7 +917,6 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -977,7 +972,6 @@ report_capabilities1() {
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
-    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH

Shorewall6/shorewall6

@@ -23,9 +23,99 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#       For a list of supported commands, type 'shorewall6 help'
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
 #
-################################################################################################
+#	The firewall uses configuration files in /etc/shorewall/ - skeleton
+#	files are included with the firewall.
+#
+#	Commands are:
+#
+#          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
+#          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
+#          shorewall6 dump                         Dumps all Shorewall6-related information
+#                                                  for problem analysis
+#	   shorewall6 start 			   Starts the firewall
+#	   shorewall6 restart			   Restarts the firewall
+#	   shorewall6 stop			   Stops the firewall
+#	   shorewall6 status			   Displays firewall status
+#	   shorewall6 reset			   Resets ip6tables packet and
+#						   byte counts
+#	   shorewall6 clear			   Open the floodgates by
+#						   removing all ip6tables rules
+#						   and setting the three permanent
+#						   chain policies to ACCEPT
+#	   shorewall6 refresh			   Rebuild the common chain to
+#						   compensate for a change of
+#						   broadcast address on any "detect"
+#						   interface.
+#	   shorewall6 [re]load [ <directory> ] <system>
+#						   Compile a script and install it on a
+#						   remote Shorewall6 Lite system.
+#	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
+#          shorewall6 show actions                 Displays the available actions
+#	   shorewall6 show log			   Print the last 20 log messages
+#	   shorewall6 show connections		   Show the kernel's connection
+#						   tracking table
+#	   shorewall6 show nat			   Display the rules in the nat table
+#	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
+#	   shorewall6 show tc			   Display traffic control info
+#	   shorewall6 show classifiers		   Display classifiers
+#          shorewall6 show capabilities            Display ip6tables/kernel capabilities
+#          shorewall6 show vardir                  Display the VARDIR setting.
+#	   shorewall6 version			   Display the installed version id
+#	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
+#	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
+#						   it doesn't work, revert to the
+#						   standard one. If a timeout is supplied
+#						   the command reverts back to the
+#						   standard configuration after that many
+#						   seconds have elapsed after successfully
+#						   starting the new configuration.
+#	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
+#						    messages.
+#	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
+#						   listed address(es)
+#	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
+#						   listed address(es)
+#	   shorewall6 allow <address> ...	   Reenable address(es) previously
+#						   disabled with "drop" or "reject"
+#	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
+#						   "dropped" addresses so that it will
+#						   be automatically reinstated the
+#						   next time that Shorewall6 starts.
+#                                                  Save the current state so that 'shorewall6
+#                                                  restore' can be used.
+#
+#          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
+#
+#          shorewall6 restore [ <file> ]           Restore the state of the firewall from
+#                                                  previously saved information.
+#
+#          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
+#
+#                                                  Displays information about the network
+#                                                  defined by the argument[s]
+#
+#          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
+#                                                  a list of network/host addresses.
+#
+#          shorewall6 ipdecimal { <address> | <integer> }
+#
+#                                                  Displays the decimal equivalent of an IP
+#                                                  address and vice versa.
+#
+#          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
+#                                                  confirmation to accept or reject the new
+#                                                  configuration
+#
+#          shorewall6 compile [ -e ] [ <directory> ] <filename>
+#                                                  Compile a firewall program file.
+
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -115,7 +205,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.2
-%define release 2
+%define version 4.4.0
+%define release 1
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,16 +93,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-1
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.2.2
+VERSION=4.4.0.1
 
 usage() # $1 = exit status
 {

contrib/shoregen/AUTHORS

@@ -0,0 +1 @@
+Paul Gear <paul@gear.dyndns.org>

contrib/shoregen/BUGS

@@ -0,0 +1 @@
+None known at present.

contrib/shoregen/COPYING

@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.

contrib/shoregen/ChangeLog

@@ -0,0 +1,14 @@
+0.1.1	Paul Gear <paul@gear.dyndns.org>  No idea when
+	- Initial release.
+
+0.1.2	Paul Gear <paul@gear.dyndns.org>  No idea when
+	- Removed filtering of zones that are on the same interface.
+	  This caused problems when a zone was accessible via more than
+	  one interface.
+
+0.1.3	Paul Gear <paul@gear.dyndns.org>  No idea when
+	- Optimisation to detect whether system is a router and remove
+	  redundant zones from rules and policies if so.
+
+3.2.0-beta1	Paul Gear <paul@gear.dyndns.org>
+	- First attempt at compatibility with Shorewall 3.2.x.

contrib/shoregen/README

@@ -0,0 +1,124 @@
+Shoreline Firewall configuration generator
+(c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+SHOREWALL
+
+The quick plug:
+
+  - Shorewall is the only firewall i trust.
+
+The IT Manager plug:
+
+  - Shorewall is a policy-driven firewall which lets you think about your
+    firewall at a higher level than iptables commands.
+
+The hard sell to you crazy people still maintaining manual firewall scripts:
+
+  - Shorewall is a wrapper around the kernel iptables, so your existing
+    Linux firewall skills transfer.  I converted from a 900-plus-line
+    ipchains shell script to around 50 lines of shorewall configuration in
+    less than 4 hours, with no prior experience.
+
+
+ISSUES
+
+  - I'm paranoid - i want more than one firewall between me and the world.
+
+  - Configuring multiple firewalls separately is a recipe for getting your
+    rules out of sync, and allowing security problems to creep in.
+
+  - IT Manager types (like me) like to know their policy is consistently
+    implemented.
+
+
+SOLUTION
+
+Shoregen is a script that generates shorewall configurations for multiple
+firewalls from a common set of rules and policies.  Only the minimal
+information necessary for operation is stored on each firewall, so, for
+example, your DMZ server doesn't need to know about the rules on your
+internal network, but at the same time, it gets consistent rules to your
+outer guard.
+
+
+PHILOSOPHY
+
+Shoregen assumes the X-Files approach to firewall design: trust no one.
+That is, paranoia is a virtue.  All access should be as limited as possible
+for things to work.  If you don't already agree with this philosophy, you
+may find some of the things shoregen does frustrating, but then again,
+you're probably not reading this document.  :-)
+
+
+DESIGN
+
+Shoregen distinguishes between two different types of shorewall
+configuration files.  Most shorewall configuration files are simply
+concatenated together from parts constructed from common and host-specific
+parts.  These are called simple configs; shoregen doesn't substantially
+alter them, and uses little information from them.
+
+Configs with which shoregen is more concerned are treated separately, and
+additional features beyond the scope of shorewall itself are implemented.
+Most importantly, two new policy/rule keywords are introduced: WARN and
+BAN.  These keywords are not included in shoregen's output, but when a
+subsequent rule or policy is encountered which matches a rule or policy
+marked WARN or BAN, an error message is issued.  In the case of BAN, the
+offending line is also dropped from the output, and a non-zero return code
+issued.
+
+
+PREREQUISITES
+
+The tools you will need to use shoregen are:
+	perl	The main shoregen script is written in Perl
+	rsync	Used to keep /etc/shorewall directories on your firewalls
+		in sync with the central repository
+	ssh	Encrypted transport for rsync
+	make	Optional, but saves a few keystrokes.
+
+
+USAGE
+
+Put shoregen and install_shoregen in a directory on your PATH.
+
+Make a central directory for your configs.  I recommend somewhere in a
+trusted user's home directory or central system admin repository.  This
+directory should be on a trusted machine in the most secure part of your
+network.  Put all of your policies, rules, and zones together in the
+correct order in files in the top level of this directory.
+
+For each of the simple configs you want to generate centrally, create a
+directory, with a file called COMMON (if necessary) containing the content
+you want to see in that file on all hosts, and a file named for each host
+for host-specific content.  I recommend that the default shorewall
+configuration file be placed in the COMMON file of the corresponding
+directory, with directives that are not appropriate commented out.
+
+When shoregen is run, it places the generated files in the directory 
+SPOOL/<host>, where <host> is the hostname of the target firewall.  The
+files in this directory are synchronised and the firewall checked and/or
+restarted by a simple wrapper script called install_shoregen.
+
+See the samples directory for a starting point configuration.  It provides
+some suggested policies & rules for the network shown in example1.png.  The
+sample configuration has not been tested in any way.
+
+I hope you find shoregen useful.  I welcome your comments, contributions,
+criticisms, and questions.
+

contrib/shoregen/TODO

@@ -0,0 +1,21 @@
+
+- Make it possible for a host to have the same $FW name as the zone in
+  which it belongs, and have shoregen automatically create appropriate
+  rules.
+
+- At the moment, if a fully-expanded policy file (such as is shown 
+
+- Better rule & policy sanitisation.
+
+- Hosts and interfaces could be reduced based on what's used in the policy
+  and rules files.
+
+- The Makefile could be improved to detect changes in the lower level
+  config files and call shoregen automatically when they are out-of-date.
+  At the moment, shoregen is so simple (and thus fast) that the amount of
+  time that would be saved by a clever Makefile (in comparison to the
+  rsync, ssh, and shorewall steps) is probably not worth the trouble to
+  code.
+
+- Automatic generation of firewall hosts & interfaces files.
+

contrib/shoregen/install_shoregen

@@ -0,0 +1,116 @@
+#!/bin/sh
+#
+# $Id: install_shoregen,v 1.5 2004/04/22 11:12:51 paulgear Exp $
+# 
+# Wrapper script to install shoregen-generated shorewall configuration files.
+#
+
+# 
+# (c) Copyright 2004 Paul D. Gear <paul@gear.dyndns.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
+# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
+
+VERBOSE=0
+RESTART=0
+CHECK=1
+TIME=0
+
+usage()
+{
+    echo "Usage:	$0 [--verbose] [--restart] host ...
+	Generates and installs shorewall configuration on the given hosts" >&2
+    exit 1
+}
+
+error()
+{
+    echo "$0: ERROR -" "$@" >&2
+}
+
+while :; do
+    case "$1" in
+
+    -v|--verbose)
+    	VERBOSE=1
+	shift
+	;;
+
+    -r|--restart)
+	RESTART=1
+	shift
+	;;
+
+    -c|--nocheck)
+	CHECK=0
+	shift
+	;;
+
+    -t|--notime)
+	TIME=0
+	shift
+	;;
+
+    --)
+	shift
+	break 2
+    	;;
+
+    --*)
+	error "Unrecognised option $1"
+	usage
+	;;
+
+    *)
+	break 2
+    	;;
+
+    esac
+done
+
+set -e
+set -u
+
+if [ "$#" -lt 1 ]; then
+    usage
+fi
+
+USER=root
+RSYNC_ARGS="--recursive --backup --times --cvs-exclude --rsh=ssh"
+#--progress 
+if [ "$VERBOSE" -gt 0 ]; then
+    RSYNC_ARGS="$RSYNC_ARGS --verbose"
+fi
+DIR=/etc/shorewall
+SW_PATH=/sbin/shorewall
+
+PATH=$PATH:
+
+if [ "$TIME" -gt 0 ]; then
+    TIME="time"
+else
+    TIME=""
+fi
+
+for HOST; do
+    shoregen $HOST
+    rsync $RSYNC_ARGS SPOOL/$HOST/ $USER@$HOST:$DIR/
+    if [ "$CHECK" -gt 0 ]; then
+	$TIME ssh -l $USER -t $HOST $SW_PATH check
+    fi
+    if [ "$RESTART" -gt 0 ]; then
+	$TIME ssh -l $USER -t $HOST $SW_PATH restart
+    fi
+done

contrib/shoregen/samples/Makefile

@@ -0,0 +1,10 @@
+FLAGS=-c -r
+HOSTS=ig proxy mail og
+
+default:	$(HOSTS)
+
+$(HOSTS):
+	shoregen $@
+
+install:	$(HOSTS)
+	install_shoregen -c -r $(HOSTS)

contrib/shoregen/samples/hosts/ig

@@ -0,0 +1,13 @@
+# ZONE		HOST(S)				OPTIONS
+
+# I used the vi command
+#	!Gsort -k2 -k1 
+# to sort this file, starting at the next line.
+mail		eth0:$MAIL
+og		eth0:$OG
+proxy		eth0:$PROXY
+net		eth0:0.0.0.0/0
+lan		eth1:$LAN
+other		eth1:0.0.0.0/0
+guest		eth2:$GUEST
+other		eth2:0.0.0.0/0

contrib/shoregen/samples/hosts/mail

@@ -0,0 +1,7 @@
+# ZONE		HOST(S)				OPTIONS
+guest		eth0:$GUEST
+ig		eth0:$IG
+lan		eth0:$LAN
+og		eth0:$OG
+proxy		eth0:$PROXY
+net		eth0:0.0.0.0/0

contrib/shoregen/samples/hosts/og

@@ -0,0 +1,7 @@
+# ZONE		HOST(S)				OPTIONS
+guest		eth0:$GUEST
+ig		eth0:$IG
+lan		eth0:$LAN
+mail		eth0:$MAIL
+proxy		eth0:$PROXY
+other		eth0:0.0.0.0/0

contrib/shoregen/samples/hosts/proxy

@@ -0,0 +1,7 @@
+# ZONE		HOST(S)				OPTIONS
+guest		eth0:$GUEST
+ig		eth0:$IG
+lan		eth0:$LAN
+mail		eth0:$MAIL
+og		eth0:$OG
+net		eth0:0.0.0.0/0

contrib/shoregen/samples/interfaces/ig

@@ -0,0 +1,5 @@
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	eth0		detect		-
+-	eth1		detect		dhcp
+-	eth2		detect		dhcp
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/mail

@@ -0,0 +1,3 @@
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	eth0		detect		-
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/og

@@ -0,0 +1,5 @@
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	eth0		detect		-
+net	eth1		detect		norfc1918,blacklist,dhcp
+net	ppp+		detect		norfc1918,blacklist
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/interfaces/proxy

@@ -0,0 +1,3 @@
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	eth0		detect		-
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/params/COMMON

@@ -0,0 +1,9 @@
+# These are parameterised firstly so they only live in one place, and
+# secondly because they can appear on different interfaces, but with a
+# constant address.
+OG=10.1.1.1
+MAIL=10.1.1.2
+PROXY=10.1.1.3
+IG=10.1.1.4
+LAN=10.1.2.0/24
+GUEST=10.1.3.0/24

contrib/shoregen/samples/policy

@@ -0,0 +1,112 @@
+#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST EXT
+
+#
+# Meta-policies - no ACCEPT/DNAT rules contravening these may be defined in
+# the policy or rules file.  These are not part of shorewall and do not
+# actually block any traffic.  They are about stopping the firewall
+# administrator from activating silly rules.  Note that these rules should
+# always be accompanied by a corresponding REJECT/BAN policy as they don't
+# actually set the shorewall policy (see below for these).
+#
+# These policies are samples only and are not suggested for your
+# environment.  You must decide on the policies that are right for you.
+#
+
+guest		lan		BAN
+proxy		lan		BAN
+mail		lan		BAN
+og		lan		BAN
+net		lan		BAN
+
+proxy		guest		BAN
+mail		guest		BAN
+og		guest		BAN
+net		guest		BAN
+
+proxy		ig		BAN
+mail		ig		BAN
+og		ig		BAN
+net		ig		BAN
+
+net		proxy		BAN
+
+proxy		og		BAN
+mail		og		BAN
+net		og		BAN
+
+ig		net		BAN
+
+
+#
+# Now the normal policies.  We define each set of zone pairs individually
+# so that Shorewall produces more meaningful error messages.
+#
+
+lan		guest		ACCEPT		info
+lan		ig		REJECT		info
+lan		proxy		REJECT		info
+lan		mail		REJECT		info
+lan		og		REJECT		info
+lan		net		REJECT		info
+lan		other		REJECT		info
+lan		all		REJECT		info
+
+guest		lan		REJECT		info
+guest		ig		REJECT		info
+guest		proxy		REJECT		info
+guest		mail		REJECT		info
+guest		og		REJECT		info
+guest		net		ACCEPT		info
+guest		other		REJECT		info
+guest		all		REJECT		info
+
+ig		lan		REJECT		info
+ig		guest		REJECT		info
+ig		proxy		REJECT		info
+ig		mail		REJECT		info
+ig		og		REJECT		info
+ig		net		REJECT		info
+ig		other		REJECT		info
+ig		all		REJECT		info
+
+proxy		lan		REJECT		info
+proxy		guest		REJECT		info
+proxy		ig		REJECT		info
+proxy		mail		REJECT		info
+proxy		og		REJECT		info
+proxy		net		ACCEPT
+proxy		other		REJECT		info
+proxy		all		REJECT		info
+
+mail		lan		REJECT		info
+mail		guest		REJECT		info
+mail		ig		REJECT		info
+mail		proxy		REJECT		info
+mail		og		REJECT		info
+mail		net		REJECT		info
+mail		other		REJECT		info
+mail		all		REJECT		info
+
+og		lan		REJECT		info
+og		guest		REJECT		info
+og		ig		REJECT		info
+og		proxy		REJECT		info
+og		mail		REJECT		info
+og		net		REJECT		info
+og		other		REJECT		info
+og		all		REJECT		info
+
+net		lan		DROP		info
+net		guest		DROP		info
+net		ig		DROP		info
+net		proxy		DROP		info
+net		mail		DROP		info
+net		og		DROP		info
+net		other		DROP		info
+net		all		DROP		info
+
+# Catch-all policies
+other		all		DROP		info
+all		all		DROP		info
+
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

contrib/shoregen/samples/rules

@@ -0,0 +1,187 @@
+#
+# $Id: rules,v 1.4 2004/04/24 12:26:25 paulgear Exp $
+#
+# Master Rules File
+#
+# This file is organised into 4 main sections:
+#   1.	Rules that need to transcend the more general WARN/BAN rules.  The
+#	reason for this is typically system administration and
+#	troubleshooting.  This section should be kept as small as possible.
+#   2.	WARN/BAN rules to put restrictions on which rules contravening
+#	policies may be created.  This section should be as large as
+#	possible, if you take a traditional (i.e. paranoid) approach to
+#	firewall design.
+#   3.	Noise-reducing rules for illegitimate traffic.  This is typically
+#	small, but may grow as time goes on.
+#   4.	Normal rules which define the holes in your firewall.  Again, this
+#	should include only the rules you need and no more.  However, even
+#	on a simple home network like mine, this section tends to get
+#	large!
+#
+
+#
+# Order by port, protocol, dest zone (in->out order), src zone (in->out
+# order).
+#
+
+#ACTION		CLIENT(S) SERVER(S)	PROTO	PORT(S)	CLIENT PORT(S) ADDRESS
+
+#
+# Section 1: Rules that need to transcend WARN/BAN rules in section 2.
+#
+# Nearly all of these rules should be limited to system administration
+# terminals.  These would be better put in a separate zone.
+#
+
+# ping (more below)
+ACCEPT		lan	og		icmp	8
+
+# ssh (more below)
+ACCEPT		lan	og		tcp	22
+ACCEPT		ig	og		tcp	22
+
+# SNMP (more below) - for MRTG stats run from LAN
+ACCEPT		lan	og		udp	161	
+
+# syslog (more below)
+ACCEPT		ig	lan		udp	514
+
+# Squid - this wouldn't be necessary except that a lot of OS updates are
+# rather large...
+ACCEPT		mail	proxy		tcp	3128
+
+#
+# Section 2: WARN/BAN rule directives
+#
+
+BAN		ig	lan
+BAN		mail	proxy
+BAN		lan	og
+BAN		ig	og
+
+#
+# Section 3: Drop noisy junk
+#
+
+# auth - reverse of the SMTP rules below
+REJECT		mail	lan		tcp	113
+REJECT		mail	guest		tcp	113
+REJECT		mail	ig		tcp	113
+REJECT		mail	proxy		tcp	113
+REJECT		mail	og		tcp	113
+REJECT		net	og		tcp	113
+REJECT		mail	net		tcp	113
+
+# KaZaA file sharing
+DROP		net	og		tcp	1214
+
+# Gnutella server
+REJECT		net	og		tcp	6346,6347
+
+# Half-Life
+REJECT		net	og		udp	27015,27016
+
+
+#
+# Section 4: Normal traffic
+#
+
+# ping (more above)
+ACCEPT		lan	ig		icmp	8
+ACCEPT		lan	proxy		icmp	8
+ACCEPT		lan	mail		icmp	8
+ACCEPT		ig	proxy		icmp	8
+ACCEPT		ig	mail		icmp	8
+ACCEPT		og	proxy		icmp	8
+ACCEPT		og	mail		icmp	8
+ACCEPT		og	net		icmp	8
+
+# FTP
+ACCEPT		proxy	net		tcp	21
+
+# ssh (more above)
+ACCEPT		lan	ig		tcp	22
+ACCEPT		lan	proxy		tcp	22
+ACCEPT		lan	mail		tcp	22
+ACCEPT		lan	net		tcp	22
+ACCEPT		ig	proxy		tcp	22
+ACCEPT		ig	mail		tcp	22
+ACCEPT		proxy	mail		tcp	22
+ACCEPT		proxy	net		tcp	22
+
+# SMTP
+ACCEPT		lan	mail		tcp	25
+ACCEPT		guest	mail		tcp	25
+ACCEPT		ig	mail		tcp	25
+ACCEPT		proxy	mail		tcp	25
+ACCEPT		og	mail		tcp	25
+DNAT		net	mail:$MAIL	tcp	25
+ACCEPT		mail	net		tcp	25
+
+# DNS - assumes split DNS, with internal DNS run in LAN, external DNS on
+# proxy, and mail independent of the rest (proxy & mail should run their
+# own caches).
+ACCEPT		lan	proxy		tcp	53
+ACCEPT		lan	proxy		udp	53
+ACCEPT		guest	proxy		tcp	53
+ACCEPT		guest	proxy		udp	53
+ACCEPT		ig	proxy		tcp	53
+ACCEPT		ig	proxy		udp	53
+ACCEPT		og	proxy		tcp	53
+ACCEPT		og	proxy		udp	53
+ACCEPT		proxy	net		tcp	53
+ACCEPT		proxy	net		udp	53
+ACCEPT		mail	net		tcp	53
+ACCEPT		mail	net		udp	53
+
+# HTTP
+ACCEPT		proxy	net		tcp	80
+
+# POP3 - must be proxied through mail
+ACCEPT		mail	net		tcp	110
+ACCEPT		lan	mail		tcp	110
+
+# NNTP - application layer proxy (e.g. leafnode) on proxy
+ACCEPT		lan	proxy		tcp	119
+ACCEPT		proxy	net		tcp	119
+
+# NTP - we really need more than 2 servers, but this is only an example.  :-)
+ACCEPT		lan	proxy		udp	123
+ACCEPT		lan	mail		udp	123
+ACCEPT		ig	proxy		udp	123
+ACCEPT		ig	mail		udp	123
+ACCEPT		proxy	net		udp	123
+ACCEPT		mail	net		udp	123
+ACCEPT		og	proxy		udp	123
+ACCEPT		og	mail		udp	123
+
+# IMAP
+ACCEPT		lan	mail		tcp	143
+ACCEPT		guest	mail		tcp	143
+
+# SNMP (more above) - for MRTG stats
+ACCEPT		lan	ig		udp	161
+ACCEPT		lan	proxy		udp	161
+ACCEPT		lan	mail		udp	161
+
+# HTTPS
+ACCEPT		proxy	net		tcp	443
+
+# syslog (more above) - DMZ & OG hosts log to mail, IG & LAN hosts log to LAN
+ACCEPT		og	mail		udp	514
+ACCEPT		proxy	mail		udp	514
+
+# Squid
+ACCEPT		lan	proxy		tcp	3128
+ACCEPT		guest	proxy		tcp	3128
+ACCEPT		ig	proxy		tcp	3128
+ACCEPT		og	proxy		tcp	3128
+
+# Webmin
+ACCEPT		lan	proxy		tcp	10000
+ACCEPT		guest	proxy		tcp	10000
+ACCEPT		ig	proxy		tcp	10000
+ACCEPT		og	proxy		tcp	10000
+
+
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

contrib/shoregen/samples/shorewall.conf/COMMON

@@ -0,0 +1,569 @@
+##############################################################################
+#  /etc/shorewall/shorewall.conf V1.4 - Change the following variables to
+#  match your setup
+#
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall
+#
+#  (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
+##############################################################################
+#                              L O G G I N G
+##############################################################################
+#
+# General note about log levels. Log levels are a method of describing
+# to syslog (8) the importance of a message and a number of parameters
+# in this file have log levels as their value.
+#
+# Valid levels are:
+#
+#	7	debug
+#	6	info
+#	5	notice
+#	4	warning
+#	3	err
+#	2	crit
+#	1	alert
+#	0	emerg
+#
+# For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
+# log messages are generated by NetFilter and are logged using facility
+# 'kern' and the level that you specifify. If you are unsure of the level
+# to choose, 6 (info) is a safe bet. You may specify levels by name or by
+# number.
+#
+# If you have build your kernel with ULOG target support, you may also
+# specify a log level of ULOG (must be all caps). Rather than log its
+# messages to syslogd, Shorewall will direct netfilter to log the messages
+# via the ULOG target which will send them to a process called 'ulogd'.
+# ulogd is available from http://www.gnumonks.org/projects/ulogd and can be
+# configured to log all Shorewall message to their own log file
+################################################################################
+#
+# LOG FILE LOCATION
+#
+# This variable tells the /sbin/shorewall program where to look for Shorewall
+# log messages. If not set or set to an empty string (e.g., LOGFILE="") then
+# /var/log/messages is assumed.
+#
+# WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
+#          look for Shorewall messages.It does NOT control the destination for
+#          these messages. For information about how to do that, see
+#
+#              http://www.shorewall.net/shorewall_logging.html
+
+LOGFILE=/var/log/messages
+
+#
+# LOG FORMAT
+#
+# Shell 'printf' Formatting template for the --log-prefix value in log messages
+# generated by Shorewall to identify Shorewall log messages. The supplied
+# template is expected to accept either two or three arguments; the first is
+# the chain name, the second (optional) is the logging rule number within that
+# chain and the third is the ACTION specifying the disposition of the packet
+# being logged. You must use the %d formatting type for the rule number; if your
+# template does not contain %d then the rule number will not be included.
+#
+# If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
+#
+#	LOGFORMAT="fp=%s:%d a=%s "
+#
+# If not specified or specified as empty (LOGFORMAT="") then the value
+# "Shorewall:%s:%s:" is assumed.
+# 
+# CAUTION: /sbin/shorewall uses the leading part of the LOGFORMAT string (up 
+# to but not including the first '%') to find log messages in the 'show log',
+# 'status' and 'hits' commands. This part should not be omitted (the 
+# LOGFORMAT should not begin with "%") and the leading part should be
+# sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+#
+# LOG RATE LIMITING
+#
+# The next two variables can be used to control the amount of log output
+# generated. LOGRATE is expressed as a number followed by an optional
+# `/second',  `/minute', `/hour', or `/day' suffix and specifies the maximum
+# rate at which a particular message will occur. LOGBURST determines the
+# maximum initial burst size that will be logged. If set empty, the default
+# value of 5 will be used.
+#
+# Example:
+#
+#	LOGRATE=10/minute
+#	LOGBURST=5
+#
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
+
+LOGRATE=10/minute
+LOGBURST=5
+
+#
+# LEVEL AT WHICH TO LOG 'UNCLEAN' PACKETS
+#
+# This variable determines the level at which Mangled/Invalid packets are logged
+# under the 'dropunclean' interface option. If you set this variable to an
+# empty value (e.g., LOGUNCLEAN= ), Mangled/Invalid packets will be dropped
+# silently.
+#
+# The value of this variable also determines the level at which Mangled/Invalid
+# packets are logged under the 'logunclean' interface option. If the variable
+# is empty, these packets will still be logged at the 'info' level.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+LOGUNCLEAN=info
+
+#
+# BLACKLIST LOG LEVEL
+#
+# Set this variable to the syslogd level that you want blacklist packets logged
+# (beware of DOS attacks resulting from such logging). If not set, no logging
+# of blacklist packets occurs.
+#
+# See the comment at the top of this section for a description of log levels
+#
+BLACKLIST_LOGLEVEL=
+
+#
+# LOGGING 'New not SYN' rejects
+#
+# This variable only has an effect when NEWNOTSYN=No (see below).
+#
+# When a TCP packet that does not have the SYN flag set and the ACK and RST
+# flags clear then unless the packet is part of an established connection,
+# it will be rejected by the firewall. If you want these rejects logged,
+# then set LOGNEWNOTSYN to the syslog log level at which you want them logged.
+#
+# See the comment at the top of this section for a description of log levels
+#
+# Example: LOGNEWNOTSYN=debug
+
+
+LOGNEWNOTSYN=info
+
+#
+# MAC List Log Level
+#
+# Specifies the logging level for connection requests that fail MAC
+# verification. If set to the empty value (MACLIST_LOG_LEVEL="") then
+# such connection requests will not be logged.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+MACLIST_LOG_LEVEL=info
+
+#
+# TCP FLAGS Log Level
+#
+# Specifies the logging level for packets that fail TCP Flags
+# verification. If set to the empty value (TCP_FLAGS_LOG_LEVEL="") then
+# such packets will not be logged.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+TCP_FLAGS_LOG_LEVEL=info
+
+#
+# RFC1918 Log Level
+#
+# Specifies the logging level for packets that fail RFC 1918
+# verification. If set to the empty value (RFC1918_LOG_LEVEL="") then
+# RFC1918_LOG_LEVEL=info is assumed.
+#
+# See the comment at the top of this section for a description of log levels
+#
+
+RFC1918_LOG_LEVEL=info
+
+################################################################################
+#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
+################################################################################
+#
+# PATH - Change this if you want to change the order in which Shorewall
+#        searches directories for executable files.
+#
+#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+#
+# SHELL
+#
+# The firewall script is normally interpreted by /bin/sh. If you wish to change
+# the shell used to interpret that script, specify the shell here.
+
+SHOREWALL_SHELL=/bin/sh
+
+# SUBSYSTEM LOCK FILE
+#
+# Set this to the name of the lock file expected by your init scripts. For
+# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
+# use lock files, set this to "".
+#
+
+SUBSYSLOCK=/var/lock/subsys/shorewall
+
+#
+# SHOREWALL TEMPORARY STATE DIRECTORY
+#
+# This is the directory where the firewall maintains state information while
+# it is running
+#
+
+STATEDIR=/var/lib/shorewall
+
+#
+# KERNEL MODULE DIRECTORY
+#
+# If your netfilter kernel modules are in a directory other than
+# /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
+# directory in this variable. Example: MODULESDIR=/etc/modules.
+
+MODULESDIR=
+
+################################################################################
+#                       F I R E W A L L   O P T I O N S
+################################################################################
+
+# NAME OF THE FIREWALL ZONE
+#
+# Name of the firewall zone -- if not set or if set to an empty string, "fw"
+# is assumed.
+#
+#FW=fw
+
+#
+# ENABLE IP FORWARDING
+#
+# If you say "On" or "on" here, IPV4 Packet Forwarding is enabled. If you
+# say "Off" or "off", packet forwarding will be disabled. You would only want
+# to disable packet forwarding if you are installing Shorewall on a
+# standalone system or if you want all traffic through the Shorewall system
+# to be handled by proxies.
+#
+# If you set this variable to "Keep" or "keep", Shorewall will neither
+# enable nor disable packet forwarding.
+#
+#IP_FORWARDING=On
+
+#
+# AUTOMATICALLY ADD NAT IP ADDRESSES
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
+# for each NAT external address that you give in /etc/shorewall/nat. If you say
+# "No" or "no", you must add these aliases youself.
+#
+ADD_IP_ALIASES=Yes
+
+#
+# AUTOMATICALLY ADD SNAT IP ADDRESSES
+#
+# If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
+# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
+# you are sure that you need it -- most people don't!!!
+#
+ADD_SNAT_ALIASES=No
+
+#
+# ENABLE TRAFFIC SHAPING
+#
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# you say "No" or "no" then traffic shaping is not enabled. If you enable traffic
+# shaping you must have iproute[2] installed (the "ip" and "tc" utilities) and
+# you must enable packet mangling above.
+#
+TC_ENABLED=No
+
+#
+# Clear Traffic Shapping/Control
+#
+# If this option is set to 'No' then Shorewall won't clear the current
+# traffic control rules during [re]start. This setting is intended
+# for use by people that prefer to configure traffic shaping when
+# the network interfaces come up rather than when the firewall
+# is started. If that is what you want to do, set TC_ENABLED=Yes and
+# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
+# way, your traffic shaping rules can still use the 'fwmark'
+# classifier based on packet marking defined in /etc/shorewall/tcrules.
+#
+# If omitted, CLEAR_TC=Yes is assumed.
+
+CLEAR_TC=Yes
+
+#
+# Mark Packets in the forward chain
+#
+# When processing the tcrules file, Shorewall normally marks packets in the
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
+# this to "Yes". If not specified or if set to the empty value (e.g.,
+# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
+#
+# Marking packets in the FORWARD chain has the advantage that inbound
+# packets destined for Masqueraded/SNATed local hosts have had their destination
+# address rewritten so they can be marked based on their destination. When
+# packets are marked in the PREROUTING chain, packets destined for
+# Masqueraded/SNATed local hosts still have a destination address corresponding
+# to the firewall's external interface.
+#
+# Note: Older kernels do not support marking packets in the FORWARD chain and
+#       setting this variable to Yes may cause startup problems.
+
+MARK_IN_FORWARD_CHAIN=No
+
+#
+# MSS CLAMPING
+#
+# Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
+# option. This option is most commonly required when your internet
+# interface is some variant of PPP (PPTP or PPPoE). Your kernel must
+# have CONFIG_IP_NF_TARGET_TCPMSS set.
+#
+# [From the kernel help:
+#
+#    This option adds a `TCPMSS' target, which allows you to alter the
+#    MSS value of TCP SYN packets, to control the maximum size for that
+#    connection (usually limiting it to your outgoing interface's MTU
+#    minus 40).
+#
+#    This is used to overcome criminally braindead ISPs or servers which
+#    block ICMP Fragmentation Needed packets.  The symptoms of this
+#    problem are that everything works fine from your Linux
+#    firewall/router, but machines behind it can never exchange large
+#    packets:
+#        1) Web browsers connect, then hang with no data received.
+#	 2) Small mail works fine, but large emails hang.
+#	 3) ssh works fine, but scp hangs after initial handshaking.
+# ]
+#
+# If left blank, or set to "No" or "no", the option is not enabled.
+#
+CLAMPMSS=No
+
+#
+# ROUTE FILTERING
+#
+# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
+# interfaces started while Shorewall is started (anti-spoofing measure).
+#
+# If this variable is not set or is set to the empty value, "No" is assumed.
+# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
+# on individual interfaces using the 'routefilter' option in the
+# /etc/shorewall/interfaces file.
+
+ROUTE_FILTER=yes
+
+#
+# NAT BEFORE RULES
+#
+# Shorewall has traditionally processed static NAT rules before port forwarding
+# rules. If you would like to reverse the order, set this variable to "No".
+#
+# If this variable is not set or is set to the empty value, "Yes" is assumed.
+
+NAT_BEFORE_RULES=Yes
+
+# DNAT IP ADDRESS DETECTION
+#
+# Normally when Shorewall encounters the following rule:
+#
+#	DNAT	net	loc:192.168.1.3	tcp	80
+#
+# it will forward TCP port 80 connections from the net to 192.168.1.3
+# REGARDLESS OF THE ORIGINAL DESTINATION ADDRESS. This behavior is
+# convenient for two reasons:
+#
+#	a) If the the network interface has a dynamic IP address, the
+#	   firewall configuration will work even when the address
+#	   changes.
+#
+#	b) It saves having to configure the IP address in the rule
+#	   while still allowing the firewall to be started before the
+#	   internet interface is brought up.
+#
+# This default behavior can also have a negative effect. If the
+# internet interface has more than one IP address then the above
+# rule will forward connection requests on all of these addresses;
+# that may not be what is desired.
+#
+# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply
+# only if the original destination address is the primary IP address of
+# one of the interfaces associated with the source zone. Note that this
+# requires all interfaces to the source zone to be up when the firewall
+# is [re]started.
+
+DETECT_DNAT_IPADDRS=No
+
+#
+# MUTEX TIMEOUT
+#
+# The value of this variable determines the number of seconds that programs
+# will wait for exclusive access to the Shorewall lock file. After the number
+# of seconds corresponding to the value of this variable, programs will assume
+# that the last program to hold the lock died without releasing the lock.
+#
+# If not set or set to the empty value, a value of 60 (60 seconds) is assumed.
+#
+# An appropriate value for this parameter would be twice the length of time
+# that it takes your firewall system to process a "shorewall restart" command.
+
+MUTEX_TIMEOUT=60
+
+#
+# NEWNOTSYN
+#
+# TCP connections are established using the familiar three-way "handshake":
+#
+#	CLIENT			SERVER
+#
+#	SYN-------------------->
+#            <------------------SYN,ACK
+#       ACK-------------------->
+#
+# The first packet in that exchange (packet with the SYN flag on and the ACK
+# and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
+# A packet is said to be NEW if it is not part of or related to an already
+# established connection.
+#
+# The NETNOTSYN option determines the handling of non-SYN packets (those with
+# SYN off or with ACK or RST on) that are not associated with an already
+# established connection.
+# 
+# If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
+# part of an already established connection, it will be dropped by the
+# firewall. The setting of LOGNEWNOTSYN above determines if these packets are
+# logged before they are dropped.
+#
+# If NEWNOTSYN is set to "Yes" or "yes" then such packets will not be
+# dropped but will pass through the normal rule/policy processing.
+#
+# Users with a High-availability setup with two firewall's and one acting
+# as a backup should set NEWNOTSYN=Yes. Users with asymmetric routing may
+# also need to select NEWNOTSYN=Yes.
+#
+# The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
+# using the 'newnotsyn' option in /etc/shorewall/interfaces.
+#
+# I find that NEWNOTSYN=No tends to result in lots of "stuck"
+# connections because any network timeout during TCP session tear down
+# results in retries being dropped (Netfilter has removed the
+# connection from the conntrack table but the end-points haven't
+# completed shutting down the connection).  I therefore have chosen
+# NEWNOTSYN=Yes as the default value.
+
+NEWNOTSYN=Yes
+
+#
+# FOR ADMINS THAT REPEATEDLY SHOOT THEMSELVES IN THE FOOT
+#
+# Normally, when a "shorewall stop" command is issued or an error occurs during
+# the execution of another shorewall command, Shorewall puts the firewall into
+# a state where only traffic to/from the hosts listed in
+# /etc/shorewall/routestopped is accepted. 
+#
+# When performing remote administration on a Shorewall firewall, it is
+# therefore recommended that the IP address of the computer being used for
+# administration be added to the firewall's /etc/shorewall/routestopped file.
+#
+# Some administrators have a hard time remembering to do this with the result
+# that they get to drive across town in the middle of the night to restart
+# a remote firewall (or worse, they have to get someone out of bed to drive 
+# across town to restart a very remote firewall).
+#
+# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
+# when the firewall enters the 'stopped' state:
+#
+# All traffic that is part of or related to established connections is still
+# allowed and all OUTPUT traffic is allowed. This is in addition to traffic
+# to and from hosts listed in /etc/shorewall/routestopped.
+#
+# If this variable is not set or it is set to the null value then
+# ADMINISABSENTMINDED=No is assumed.
+#
+ADMINISABSENTMINDED=Yes
+
+#
+# BLACKLIST Behavior
+#
+# Shorewall offers two types of blacklisting:
+#
+#	- static blacklisting through the /etc/shorewall/blacklist file together
+#	  with the 'blacklist' interface option.
+#	- dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
+#
+# The following variable determines whether the blacklist is checked for each
+# packet or for each new connection.
+#
+#	BLACKLISTNEWONLY=Yes	Only consult blacklists for new connection
+#				requests
+#
+#	BLACKLISTNEWONLY=No	Consult blacklists for all packets.
+#
+# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
+# BLACKLISTNEWONLY=No is assumed.
+#
+BLACKLISTNEWONLY=Yes
+
+# MODULE NAME SUFFIX
+#
+# When loading a module named in /etc/shorewall/modules, Shorewall normally
+# looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
+# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
+# naming convention then you can specify the suffix (extension) for module 
+# names in this variable.
+#
+# To see what suffix is used by your distribution:
+#
+#     ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
+#
+# All of the file names listed should have the same suffix (extension). Set
+# MODULE_SUFFIX to that suffix.
+#
+# Examples: 
+#
+#	If all file names end with ".kzo" then set MODULE_SUFFIX="kzo"
+#	If all file names end with ".kz.o" then set MODULE_SUFFIX="kz.o"
+#
+
+MODULE_SUFFIX=
+
+################################################################################
+#                       P A C K E T   D I S P O S I T I O N
+################################################################################
+#
+# BLACKLIST DISPOSITION
+#
+# Set this variable to the action that you want to perform on packets from
+# Blacklisted systems. Must be DROP or REJECT. If not set or set to empty,
+# DROP is assumed.
+#
+BLACKLIST_DISPOSITION=DROP
+
+#
+# MAC List Disposition
+#
+# This variable determines the disposition of connection requests arriving
+# on interfaces that have the 'maclist' option and that are from a device
+# that is not listed for that interface in /etc/shorewall/maclist. Valid
+# values are ACCEPT, DROP and REJECT. If not specified or specified as
+# empty (MACLIST_DISPOSITION="") then REJECT is assumed
+
+MACLIST_DISPOSITION=REJECT
+
+#
+# TCP FLAGS Disposition
+#
+# This variable determins the disposition of packets having an invalid
+# combination of TCP flags that are received on interfaces having the
+# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
+# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

contrib/shoregen/samples/shorewall.conf/ig

@@ -0,0 +1,2 @@
+FW=ig
+IP_FORWARDING=On

contrib/shoregen/samples/shorewall.conf/mail

@@ -0,0 +1,2 @@
+FW=enoch
+IP_FORWARDING=Off

contrib/shoregen/samples/shorewall.conf/og

@@ -0,0 +1,2 @@
+FW=og
+IP_FORWARDING=On

contrib/shoregen/samples/shorewall.conf/proxy

@@ -0,0 +1,2 @@
+FW=dmz
+IP_FORWARDING=Off

contrib/shoregen/samples/zones

@@ -0,0 +1,10 @@
+#ZONE	DISPLAY		COMMENTS
+lan	LAN		Local network
+guest	Guest		Untrusted LAN hosts
+ig	IG		Inner Guard
+og	OG		Outer Guard
+mail	Mail		Mail server
+proxy	Proxy		Proxy server
+net	Net		Internet 
+other	Other		Basket for things that don't fit elsewhere
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

contrib/shoregen/shoregen

@@ -0,0 +1,443 @@
+#!/usr/bin/perl -w
+#
+# shoregen: Generate shorewall configuration for a host from central
+# configuration files.
+#
+
+#
+# (c) Copyright 2004-2006 Paul D. Gear <paul@gear.dyndns.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
+# Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA, or go to
+# <http://www.gnu.org/licenses/old-licenses/gpl-2.0.txtl> on the World Wide Web.
+#
+
+use strict;
+
+my $VERBOSE = 1;
+my $DEBUG = 1;
+my $DATE = scalar localtime;
+my $HEADER = "#\n# Shorewall %s - constructed by $0 on $DATE\n#\n\n";
+my $ret = 0;		# return code to shell
+
+if ($#ARGV != 0) {
+    print STDERR "Usage: $0 <hostname>\n";
+    exit 1;
+}
+
+my $base = ".";
+my $host = $ARGV[ 0 ];
+my $spool = "$base/SPOOL";
+my $dir = "$spool/$host";
+
+
+#
+# Messaging routines for use by the program itself - any errors that are
+# generated externally (e.g. file opening problems) are reported using the
+# usual perl 'die' or 'warn' functions.
+#
+
+sub info
+{
+    print "$0: @_\n";
+}
+
+sub mesg
+{
+    my $type = shift;
+    print STDERR "$0: $type - @_\n";
+}
+
+sub warning
+{
+    mesg "WARNING", @_;
+}
+
+sub error
+{
+    mesg "ERROR", @_;
+    ++$ret;
+}
+
+sub fatal
+{
+    mesg "FATAL", @_;
+    ++$ret;
+    exit $ret;
+}
+
+
+#
+# These bits make the files that actually get copied to the target host
+#
+
+sub stripfile
+{
+    open( my $file, $_[ 0 ] ) or die "Can't open $_[ 0 ] for reading: $!";
+    my @file;
+
+    for (<$file>) {
+	s/\s*#.*$//g;		# remove all comments
+	next if m/^\s*$/;	# skip blank lines
+	push @file, $_;
+    }
+
+    close $file or warn "Can't close $_[ 0 ] after reading: $!";
+
+    return @file;
+}
+
+
+#
+# Construct a configuration file given a number of input files
+#
+sub constructfile
+{
+    my $confname = shift;
+    my $dst = shift;
+    my $foundone = 0;
+
+    info "Constructing $confname" if $VERBOSE > 1;
+
+    open( my $DST, ">$dst" ) or die "Can't create $dst: $!";
+    printf $DST $HEADER, $confname;
+
+    for my $file (@_) {
+	if (-r $file) {
+	    $foundone = 1;
+	    print $DST "##$file\n" if $DEBUG > 1;
+	    print $DST stripfile $file;
+	}
+    }
+
+    close $DST or warn "Can't close $dst: $!";
+
+    if (!$foundone) {
+	warning "\"$confname\" not present.  " .
+	    "Existing file on $host will be preserved." if $VERBOSE > 2;
+	unlink $dst;
+    }
+}
+
+#
+# main
+#
+
+my $fw;			# Firewall zone for this host
+my $router;		# Is this host a router?
+my @globalzones;	# All known zones
+my %globalzones;
+my %hostzones;		# zones applicable to this host
+my $outfile;		# filename holders
+my $conf;		# config file we're processing at present
+my %warnban;		# meta-rules/policies
+
+
+# Change to the base configuration directory
+die "Configuration directory $base doesn't exist!" if ! -d $base;
+chdir $base or die "Can't change directory to $base: $!";
+
+# Create spool directories if necessary
+if (! -d "$spool") {
+    mkdir "$spool" or die "Can't create spool directory $spool: $!";
+}
+if (! -d $dir) {
+    mkdir $dir or die "Can't create host spool directory $dir: $!";
+}
+
+
+#
+# Construct all the simple config files.
+#
+
+# Config files for which the host-specific file is included *first*
+my @hostfirstconfigs = qw(
+    accounting
+    actions
+    blacklist
+    bogons
+    continue
+    ecn
+    hosts
+    interfaces
+    maclist
+    masq
+    nat
+    netmap
+    proxyarp
+    rfc1918
+    routestopped
+    route_rules
+    start
+    started
+    stop
+    stopped
+    tcclasses
+    tcdevices
+    tos
+    tunnels
+);
+
+# Config files for which the host-specific file is included *last*
+my @hostlastconfigs = qw(
+    common
+    configpath
+    init
+    initdone
+    ipsec
+    modules
+    params
+    providers
+    shorewall.conf
+    tcrules
+);
+
+
+for my $conf (@hostfirstconfigs) {
+    constructfile "$conf", "$dir/$conf", "$conf/$host", "$conf/COMMON";
+}
+
+for my $conf (@hostlastconfigs) {
+    constructfile "$conf", "$dir/$conf", "$conf/COMMON", "$conf/$host";
+}
+
+#
+# The remaining config files (policy, rules, zones) are processed uniquely.
+#
+
+# Find the firewall name of this host
+open( my $infile, "$dir/shorewall.conf" ) or
+    die "Can't open $dir/shorewall.conf: $!";
+
+for (<$infile>) {
+    if (/^\s*FW=(\S+)/) {
+	$fw = $1 unless defined $fw;
+    }
+    if (/^\s*IP_FORWARDING=(\S+)/) {
+	$router = $1 unless defined $router;
+    }
+}
+
+close $infile;
+
+
+# The firewall name must be defined
+unless (defined $fw) {
+    fatal "Can't find firewall name (FW variable) for $host in $dir/shorewall.conf";
+}
+
+# Router must be defined
+unless (defined $router) {
+    fatal "Can't find IP_FORWARDING setting for $host in $dir/shorewall.conf";
+}
+if ($router =~ m/On|Yes/i) {
+    $router = 1;
+}
+else {
+    $router = 0;
+}
+print "fw=$fw, router=$router\n" if $DEBUG > 3;
+
+# Find all valid zones
+unless (-r "zones") {
+    fatal "You must provide a global zone file";
+}
+
+
+for (stripfile "zones") {
+    chomp;
+    my ($zone, $details) = split /[\s:]+/, $_, 2;
+    push @globalzones, $zone;
+    $globalzones{ $zone } = $details;
+}
+
+#
+# Work out which zones apply to this host from the combination of hosts &
+# interfaces.  The first field in both files is the zone name, and the
+# second (minus any trailing ips) is the interface, which we save as well
+# for later reference.
+#
+
+for my $infile ("$dir/hosts", "$dir/interfaces") {
+    if (-r $infile) {
+	for (stripfile $infile) {
+	    chomp;
+	    my @F = split;
+	    next if $#F < 0;
+	    next if $F[ 0 ] eq "-";
+	    my @IF = split /:/, $F[ 0 ]; # strip off parent zone, if present
+	    $hostzones{ $IF[ 0 ] } = 1;
+	}
+    }
+}
+
+$conf = "zones";
+
+#
+# Create the zones file from the intersection of the above - note the order
+# from the original zone file must be preserved, hence the need for the
+# array as well as the hash.
+#
+
+open( $outfile, ">$dir/$conf" ) or
+    die "Can't open $dir/$conf for writing: $!";
+
+printf $outfile $HEADER, "$conf";
+my %tmpzones = %hostzones;		# Take a copy of all the zones,
+
+for my $zone (@globalzones) {
+    if (exists $tmpzones{ $zone }) {
+	print $outfile "$zone	$globalzones{ $zone }\n";
+	delete $tmpzones{ $zone };	# deleting those found as we go along.
+    }
+}
+
+close $outfile or warn "Can't close $dir/$conf after writing: $!";
+
+for my $zone (sort keys %tmpzones) {	# Warn if we've got any zones left now.
+    #next if $zone eq "-";
+    warning "No entry for $zone in global zones file - ignored";
+}
+undef %tmpzones;
+
+
+my @tmp = sort keys %hostzones;
+info "FW zone for $host: $fw" if $VERBOSE > 0;
+info "Other zones for $host: @tmp" if $VERBOSE > 0;
+
+#
+# Add 'all' as a valid source or destination.  Added here so it doesn't get
+# checked in %tmpzones check above.  Also add firewall itself.  (The
+# numbers are not important as long as they are non-zero.)
+#
+
+$hostzones{"all"} = 1;
+$hostzones{$fw} = 1;
+
+#
+# Create the policy file, including only the applicable zones.
+#
+
+$conf = "policy";
+if (! -r $conf) {
+    fatal "You must provide a global \"$conf\" file";
+}
+
+open( $outfile, ">$dir/$conf" ) or
+    die "Can't open $dir/$conf for writing: $!";
+printf $outfile $HEADER, "$conf";
+
+for (stripfile $conf) {
+    chomp;
+
+    my ($src, $dst, $pol, $rest) = split /\s+/, $_, 4;
+
+    print "$src, $dst, $pol, $rest\n" if $DEBUG > 3;
+
+    # Both source and destination zones must be valid on this host for this
+    # policy to apply.
+    next unless defined $hostzones{$src} and defined $hostzones{$dst};
+
+    # Source and destination zones must be on different interfaces as well,
+    # except for the case of all2all.
+    #next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
+
+    # Save WARN & BAN details for later rules processing
+    if ($pol eq "WARN"  or  $pol eq "BAN") {
+	if (exists $warnban{$src}{$dst}) {
+	    error "Duplicate WARN/BAN rule: $src,$dst,$pol - possible typo?";
+	}
+	$warnban{$src}{$dst} = $pol;
+	next;
+    }
+
+    printf $outfile "%s\n", $_;
+}
+close $outfile or warn "Can't close $dir/$conf for writing: $!";
+
+
+#
+# Create the rules file, only including the applicable zones and taking
+# into account any WARN or BAN policies.
+#
+
+$conf = "rules";
+if (! -r $conf) {
+    fatal "You must provide a global \"$conf\" file";
+}
+
+open( $outfile, ">$dir/$conf" ) or
+    die "Can't open $dir/$conf for writing: $!";
+printf $outfile $HEADER, "$conf";
+
+for my $infile ("$conf.COMMON", "$conf.$host", "$conf") {
+    next unless -r $infile;
+    for (stripfile $infile) {
+	chomp;
+
+	my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
+
+	$act =~ s/:.*//;	# strip off logging directives
+	$src =~ s/:.*//;	# strip off host & port specifiers
+	$dst =~ s/:.*//;	# strip off host & port specifiers
+
+	print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
+
+	# Both source and destination zones must be valid on this host
+	# for this rule to apply.
+	next unless defined $hostzones{$src} and defined $hostzones{$dst};
+
+	# If host is not a router, either the source or destination zone
+	# must be the firewall itself.
+	if (!$router) {
+	    next unless $src eq $fw
+		     or $dst eq $fw
+		     or $src eq "all"
+		     or $dst eq "all";
+	}
+
+	# Save additional WARN/BAN rules
+	if ($act eq "WARN"  or  $act eq "BAN") {
+	    if (exists $warnban{$src}{$dst}) {
+		error "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
+	    }
+	    $warnban{$src}{$dst} = $act;
+	    next;
+	}
+
+	# Check against WARN/BAN rules
+	if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|Allow|DNAT)/) {
+	    if ($warnban{$src}{$dst} eq "WARN") {
+		warning "Rule contravenes WARN policy:\n\t$_";
+	    }
+	    else { # $warnban{$src}{$dst} eq "BAN"
+		error "Rule contravenes BAN policy (omitted):\n\t$_";
+		next;
+	    }
+	}
+
+	# Mangle DNAT rules if the destination is the local machine
+	if ($act =~ /^DNAT/  &&  $dst eq $fw) {
+	    $_ =~ s/\bDNAT(-)?/ACCEPT/;	# change rule type
+	    $_ =~ s/\b$fw:\S+/$dst/;	# strip trailing server address/port
+	}
+
+	printf $outfile "%s\n", $_;
+    }
+}
+close $outfile or warn "Can't close $dir/$conf for writing: $!";
+
+
+# Finished - return whatever we produced above...
+exit $ret;

contrib/shoregen/spec/description

@@ -0,0 +1,3 @@
+Shoregen is a script that generates Shoreline Firewall configurations for
+multiple firewalls from a common set of rules and policies.  Only the
+minimal information necessary for operation is stored on each firewall.

contrib/shoregen/spec/files

@@ -0,0 +1,4 @@
+# $Id: files,v 1.2 2004/04/24 13:15:14 paulgear Exp $
+/usr/bin/%{name}
+/usr/bin/install_%{name}
+%doc /usr/share/doc/%{name}-%{version}/

contrib/shoregen/spec/header

@@ -0,0 +1,10 @@
+# $Id: header,v 1.1 2004/04/24 12:53:04 paulgear Exp $
+Summary:	Shoreline Firewall configuration generator
+License:	GPL
+Group:		Applications/System
+BuildArch:	noarch
+URL:		http://paulgear.webhop.net/linux/#shoregen
+Packager:	Paul Gear <paul@gear.dyndns.org>
+Requires:	openssh
+Requires:	perl
+Requires:	rsync

contrib/shoregen/spec/install

@@ -0,0 +1,9 @@
+# $Id: install,v 1.6 2004/04/24 13:15:14 paulgear Exp $
+
+install -d -m 0700 $RPM_BUILD_ROOT/usr/bin/
+install -m 0555 install_%{name} %{name} $RPM_BUILD_ROOT/usr/bin/
+
+install -d -m 0755 $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
+install -m 0444 AUTHORS BUGS COPYING README TODO $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
+cp -r samples $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/
+chmod -R go=u-w $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{version}/

contrib/shoregen/spec/type

@@ -0,0 +1,2 @@
+install
+# $Id: type,v 1.2 2004/04/24 13:13:57 paulgear Exp $

docs/6to4.xml

@@ -135,20 +135,20 @@ GATEWAY=::192.88.99.1</programlisting></para>
 1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 16436 
     inet6 ::1/128 scope host 
        valid_lft forever preferred_lft forever
-1: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
-    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
-       valid_lft forever preferred_lft forever
-2: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">    inet6 2002:ce7c:92b4:1::1/64 scope global 
        valid_lft forever preferred_lft forever</emphasis>
     inet6 fe80::202:e3ff:fe08:55fa/64 scope link 
        valid_lft forever preferred_lft forever
-3: eth4: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+3: eth1: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
+    inet6 fe80::202:e3ff:fe08:484c/64 scope link 
+       valid_lft forever preferred_lft forever
+4: eth2: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qlen 1000
 <emphasis role="bold">    inet6 2002:ce7c:92b4:2::1/64 scope global 
        valid_lft forever preferred_lft forever</emphasis>
     inet6 fe80::2a0:ccff:fed2:353a/64 scope link 
        valid_lft forever preferred_lft forever
-4: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
+24: sit1@NONE: &lt;NOARP,UP,LOWER_UP&gt; mtu 1480 
 <emphasis role="bold">    inet6 ::206.124.146.180/128 scope global 
        valid_lft forever preferred_lft forever
     inet6 2002:ce7c:92b4::1/128 scope global 
@@ -156,24 +156,24 @@ GATEWAY=::192.88.99.1</programlisting></para>
 gateway:~ # ip -6 route ls
 <emphasis role="bold">::/96 via :: dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
 <emphasis role="bold">2002:ce7c:92b4::1 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
-2002:ce7c:92b4:1::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
-2002:ce7c:92b4:2::/64 dev eth4  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
-fe80::/64 dev eth1  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
+2002:ce7c:92b4:1::/64 dev eth0  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295
+2002:ce7c:92b4:2::/64 dev eth2  metric 256  expires 21333315sec mtu 1500 advmss 1440 hoplimit 4294967295</emphasis>
+fe80::/64 dev eth0  metric 256  expires 20748424sec mtu 1500 advmss 1440 hoplimit 4294967295
+fe80::/64 dev eth1  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev eth2  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
-fe80::/64 dev eth4  metric 256  expires 20748431sec mtu 1500 advmss 1440 hoplimit 4294967295
 fe80::/64 dev sit1  metric 256  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295
 <emphasis role="bold">default via ::192.88.99.1 dev sit1  metric 1  expires 21333315sec mtu 1480 advmss 1420 hoplimit 4294967295</emphasis>
 gateway:~ # </programlisting></para>
       </blockquote>
 
-      <para>You will notice that sit1, eth2 and eth4 each have an IPv6 address
+      <para>You will notice that sit1, eth0 and eth2 each have an IPv6 address
       beginning with 2002: -- All 6to4 IPv6 addresses have that in their most
       significant 16 bits. The next 32-bits (ce7c:92b4) encode the IPv4
       ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
       the proud owner of 2<superscript>80</superscript> IPv6 addresses! In the
       case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
       interface in INTERFACES, a subnet of 2<superscript>64</superscript>
-      addresses; in the case of eth2, 2002:ce7c:92b4:1::/64.</para>
+      addresses; in the case of eth0, 2002:ce7c:92b4:1::/64.</para>
 
       <para>I run <ulink url="http://www.litech.org/radvd/">radvd</ulink> on
       the firewall to allow hosts conntected to eth2 and eth4 to automatically
@@ -232,7 +232,7 @@ interface eth4 {
       </note>
 
       <para>Here is the automatic IPv6 configuration on my server attached to
-      eth4:</para>
+      eth2:</para>
 
       <blockquote>
         <para><programlisting>webadmin@lists:~/ftpsite/contrib/IPv6&gt; /sbin/ip -6 addr ls
@@ -281,7 +281,7 @@ ursa:~ #</programlisting></para>
 
       <para>Here is the resulting simple IPv6 Network:</para>
 
-      <graphic align="center" fileref="images/Network2009b.png" />
+      <graphic align="center" fileref="images/Network2008c.png" />
     </section>
 
     <section>
@@ -404,7 +404,7 @@ iface sit1 inet6 v4tunnel
 
       <para>That file produces the following IPv6 network.</para>
 
-      <graphic align="center" fileref="images/Network2008c.png" />
+      <graphic align="center" fileref="images/Network2009b.png" />
     </section>
 
     <section>
@@ -429,15 +429,14 @@ iface sit1 inet6 v4tunnel
       instructions above, you should have a completely functional IPv6
       network. Try:</para>
 
-      <programlisting><emphasis role="bold">ping6 www.kame.net
-ping6 ipv6.chat.eu.freenode.net</emphasis>
+      <programlisting><emphasis role="bold">ping6 2001:19f0:feee::dead:beef:cafe</emphasis>
 </programlisting>
 
-      <para>If neither of those work from your firewall and from any local
-      IPv6 systems that you have behind your firewall, do not go any further
-      until one of them does work. If you ask for help from the Shorewall
-      team, the first question we will ask is 'With Shorewall6 cleared, can
-      you ping6 kame or freenode?'.</para>
+      <para>If that doesn't work from your firewall and from any local IPv6
+      systems that you have behind your firewall, do not go any further until
+      it does work. If you ask for help from the Shorewall team, the first
+      question we will ask is 'With Shorewall6 cleared, can you ping6
+      2001:19f0:feee::dead:beef:cafe?'.</para>
 
       <para>The Shorewall6 configuration on my firewall is a very basic
       three-interface one.</para>

docs/Actions.xml

@@ -193,6 +193,17 @@ ACCEPT   -              -               tcp     135,139,445
         action begins with a capital letter; that way, the name won't conflict
         with a Shorewall-defined chain name.</para>
 
+        <para>The name of the action may be optionally followed by a colon
+        (<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
+        named action will become the <emphasis>default action</emphasis> for
+        policies of type ACCEPT, DROP or REJECT, respectively. The default
+        action is applied immediately before the policy is enforced (before
+        any logging is done under that policy) and is used mainly to suppress
+        logging of uninteresting traffic which would otherwise clog your logs.
+        The same policy name can appear in multiple actions; the last such
+        action for each policy name is the one which Shorewall will
+        use.</para>
+
         <para>Shorewall includes pre-defined actions for DROP and REJECT --
         see above.</para>
       </listitem>
@@ -235,8 +246,8 @@ ACCEPT   -              -               tcp     135,139,445
         <para>You may also use a <ulink url="Macros.html">macro</ulink> in
         your action provided that the macro's expansion only results in the
         ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-        <filename>/usr/share/shorewall/action.Drop</filename> for an example
-        of an action that users macros extensively.</para>
+        <filename>/usr/share/shorewall/Drop</filename> for an example of an
+        action that users macros extensively.</para>
       </listitem>
 
       <listitem>
@@ -495,6 +506,74 @@ ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
       </listitem>
     </orderedlist>
+
+    <para>If you define an action <quote>acton</quote> and you have an
+    <filename>/etc/shorewall/acton</filename> script, when that script is
+    invoked, the following three variables will be set for use by the
+    script:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>$CHAIN = the name of the chain where your rules are to be
+        placed. When logging is used on an action invocation, Shorewall
+        creates a chain with a slightly different name from the action
+        itself.</para>
+      </listitem>
+
+      <listitem>
+        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
+      </listitem>
+
+      <listitem>
+        <para>$TAG = Log Tag.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Example:</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION          SOURCE           DEST
+acton:info:test  $FW              net</programlisting>
+
+    <para>Your <filename>/etc/shorewall/acton</filename> file will be run
+    with:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>$CHAIN=<quote>%acton1</quote></para>
+      </listitem>
+
+      <listitem>
+        <para>$LEVEL=<quote>info</quote></para>
+      </listitem>
+
+      <listitem>
+        <para>$TAG=<quote>test</quote></para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Shorewall-perl sets lexical variables as follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><emphasis role="bold">$chainref</emphasis> is a reference to the
+        chain-table entry for the chain where your rules are to be
+        placed.</para>
+      </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">$level</emphasis> is the log level. If
+        false, no logging was specified.</para>
+      </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>For an example of how to use these variablesl, see <ulink
+    url="PortKnocking.html">this article</ulink>.</para>
   </section>
 
   <section id="Extension">
@@ -512,29 +591,6 @@ bar:debug</programlisting>
     <example id="Example">
       <title>An action to drop all broadcast packets</title>
 
-      <para>If you define an action <quote>acton</quote> and you have an
-      <filename>/etc/shorewall/acton</filename> script, the rules compiler
-      sets lexical variables as follows:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para><emphasis role="bold">$chainref</emphasis> is a reference to
-          the chain-table entry for the chain where your rules are to be
-          placed.</para>
-        </listitem>
-
-        <listitem>
-          <para><emphasis role="bold">$level</emphasis> is the log level. If
-          false, no logging was specified.</para>
-        </listitem>
-
-        <listitem>
-          <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Example:</para>
-
       <para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
 
       <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;

docs/Build.xml

@@ -305,6 +305,14 @@
                 </listitem>
               </varlistentry>
 
+              <varlistentry>
+                <term>S</term>
+
+                <listitem>
+                  <para>sign the packages using GnuPg</para>
+                </listitem>
+              </varlistentry>
+
               <varlistentry>
                 <term>c</term>
 
@@ -374,16 +382,15 @@
     </section>
 
     <section>
-      <title>upload44</title>
+      <title>upload</title>
 
       <para>This script is used to upload a release to lists.shorewall.net.
       The command is run in the build directory for the major release of the
       product.</para>
 
       <blockquote>
-        <para><command>upload44</command> [
-        -<replaceable>products</replaceable> ]
-        <replaceable>release</replaceable></para>
+        <para><command>upload</command> [ -<replaceable>products</replaceable>
+        ] <replaceable>release</replaceable></para>
       </blockquote>
 
       <para>where</para>

docs/Documentation_Index.xml

@@ -208,8 +208,7 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -219,7 +218,7 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -228,7 +227,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -238,8 +238,8 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -250,8 +250,8 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>
@@ -260,8 +260,7 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>

docs/FAQ.xml

@@ -91,8 +91,8 @@
     </section>
 
     <section id="faq75">
-      <title>(FAQ 75) I can't find the Shorewall 4.0 (or 4.2) shorewall-common
-      RPM. Where is it?</title>
+      <title>(FAQ 75) I can't find the Shorewall 4.x shorewall-common RPM.
+      Where is it?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> If you use Simon Matter's
       Redhat/Fedora/CentOS rpms, be aware that Simon calls the
@@ -118,15 +118,15 @@
     <title>Upgrading Shorewall</title>
 
     <section id="faq66">
-      <title>(FAQ 66) I'm trying to upgrade to Shorewall 4.0 (or 4.2); where
-      is the 'shorewall' package?</title>
+      <title>(FAQ 66) I'm trying to upgrade to Shorewall 4.x; where is the
+      'shorewall' package?</title>
 
       <para><emphasis role="bold">Answer:</emphasis> Please see the <ulink
       url="upgrade_issues.htm">upgrade issues.</ulink></para>
 
       <section id="faq66a">
-        <title>(FAQ 66a) I'm trying to upgrade to Shorewall 4.0 (or 4.2); do I
-        have to uninstall the 'shorewall' package?</title>
+        <title>(FAQ 66a) I'm trying to upgrade to Shorewall 4.x; do I have to
+        uninstall the 'shorewall' package?</title>
 
         <para><emphasis role="bold">Answer:</emphasis> Please see the <ulink
         url="upgrade_issues.htm">upgrade issues.</ulink></para>
@@ -539,13 +539,6 @@ REDIRECT        net           22          tcp          9022</programlisting>
       you use ACCEPT unless you need to hijack connections as they go through
       your firewall and handle them on the firewall box itself; in that case,
       you use a REDIRECT rule.</para>
-
-      <note>
-        <para>The preceding answer should <emphasis>not</emphasis> be
-        interpreted to mean that DNAT can only be used in conjunction with
-        SNAT. But in common configurations using private local addresses, that
-        is the most common usage.</para>
-      </note>
     </section>
 
     <section id="faq8">
@@ -683,15 +676,6 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
           <para>Using this technique, you will want to configure your
           DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
           time that you get a new IP address.</para>
-
-          <note>
-            <para>For optional interfaces, use the function <emphasis
-            role="bold">find_first_interface_address_if_any()</emphasis>
-            rather than <emphasis
-            role="bold">find_first_interface_address()</emphasis>. The former
-            will return 0.0.0.0 if the interface has no configured IP address;
-            the latter terminates the calling program.</para>
-          </note>
         </listitem>
       </itemizedlist>
 
@@ -811,15 +795,6 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
           save</command> and <command>shorewall[-lite]
           restore</command></ulink>.</para>
         </warning>
-
-        <note>
-          <para>For optional interfaces, use the function <emphasis
-          role="bold">find_first_interface_address_if_any()</emphasis> rather
-          than <emphasis
-          role="bold">find_first_interface_address()</emphasis>. The former
-          will return 0.0.0.0 if the interface has no configured IP address;
-          the latter terminates the calling program.</para>
-        </note>
       </section>
 
       <section id="faq2c">
@@ -1125,25 +1100,6 @@ to debug/develop the newnat interface.</programlisting></para>
           will not prevent the above message from being issued.</para>
         </note></para>
     </section>
-
-    <section id="faq85">
-      <title>(FAQ 85) Shorewall is rejecting connections from my local lan
-      because it thinks they are coming from the 'net' zone.</title>
-
-      <para>I'm seeing this in my log:</para>
-
-      <programlisting>Aug 31 16:51:24 fw22 kernel: Shorewall:net2fw:DROP:IN=eth5 OUT= MAC=00:0c:29:74:9c:0c:08:00:20:b2:5f:db:08:00
-                                       SRC=10.1.50.14 DST=10.1.50.7 LEN=57 TOS=0x00 PREC=0x00 TTL=255 ID=32302 DF
-                                       PROTO=UDP SPT=53289 DPT=53 LEN=37</programlisting>
-
-      <para><emphasis role="bold">Answer</emphasis>: This occurs when the
-      external interface and an internal interface are connected to the same
-      switch or hub. See <ulink url="FoolsFirewall.html">this article</ulink>
-      for details. The solution is to never connect more than one firewall
-      interface to the same hub or switch (an obvious exception is that when
-      you have a switch that supports VLAN tagging and the interfaces are
-      associated with different VLANs).</para>
-    </section>
   </section>
 
   <section id="Logging">
@@ -1934,16 +1890,16 @@ iptables: Invalid argument
       <para><command>/sbin/shorewall stop</command> places the firewall in a
       <firstterm>safe state</firstterm>, the details of which depend on your
       <filename>/etc/shorewall/routestopped</filename> file (<ulink
-      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5))
+      url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(8))
       and on the setting of ADMINISABSENTMINDED in
       <filename>/etc/shorewall/shorewall.conf</filename> (<ulink
-      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink>(8)).</para>
 
       <para><command>/etc/init.d/shorewall stop</command> may or may not do
       the same thing. In the case of <trademark>Debian</trademark> systems for
       example, that command actually executes <command>/sbin/shorewall
       clear</command> which opens the firewall completely. In other words, in
-      the init script, <command>stop</command> reverses the effect of
+      the init script's <command>stop</command> reverses the effect of
       <command>start</command>.</para>
 
       <para>One way to avoid these differences is to install Shorewall from
@@ -1990,35 +1946,6 @@ iptables: Invalid argument
       <filename><ulink
       url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
     </section>
-
-    <section id="faq86">
-      <title>(FAQ 86) My distribution (Ubuntu) uses NetworkManager to manage
-      my interfaces. I want to specify the upnpclient option for my interfaces
-      which requires them to be up and configured when Shorewall starts but
-      Shorewall is being started before NetworkManager.</title>
-
-      <para>Answer: I faced a similar problem which I solved as
-      follows:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Don't start Shorewall at boot time (Debian and Ubuntu users
-          may simply set startup=0 in
-          <filename>/etc/default/shorewall</filename>).</para>
-        </listitem>
-
-        <listitem>
-          <para>In <filename>/etc/network/ip-up.d</filename>, I added a
-          <filename>shorewall</filename> script as follows:</para>
-
-          <programlisting>#!/bin/sh
-
-shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall if it isn't already running</programlisting>
-
-          <para>Be sure to secure the script for execute access.</para>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 
   <section id="MultiISP">
@@ -2226,6 +2153,42 @@ We have an error talking to the kernel
       url="http://linuxman.wikispaces.com/Clustering+Shorewall">This article
       by Paul Gear</ulink> should help you get started.</para>
     </section>
+
+    <section id="faq80">
+      <title>(FAQ 80) Does Shorewall support IPV6?</title>
+
+      <para>Answer: <ulink url="IPv6Support.html">Shorewall IPv6
+      support</ulink> is currently available in Shorewall 4.2.4 and
+      later.</para>
+
+      <section id="faq80a">
+        <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24
+        or later?</title>
+
+        <para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
+        stateful firewall which requires connection tracking be present in
+        ip6tables and in the kernel. Linux kernel's before 2.6.20 didn't
+        support connection tracking for IPv6. So we could not even start to
+        develop Shorewall IPv6 support until 2.6.20 and there were significant
+        problems with the facility until at least kernel 2.6.23. When
+        distributions began offering IPv6 connection tracking support, it was
+        with kernel 2.6.25. So that is what we developed IPv6 support on and
+        that's all that we initially tested on. Subsequently, we have tested
+        Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running
+        2.6.20 or later, you can <emphasis role="bold">try</emphasis> to run
+        Shorewall6 by hacking<filename>
+        /usr/share/shorewall/prog.footer6</filename> and changing the kernel
+        version test to check for your kernel version rather than 2.6.24
+        (20624). But after that, you are on your own.</para>
+
+        <programlisting>kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2&gt; /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+if [ $kernel -lt <emphasis role="bold">20624</emphasis> ]; then
+    error_message "ERROR: $PRODUCT requires Linux kernel <emphasis role="bold">2.6.24</emphasis> or later"
+    status=2
+else 
+ </programlisting>
+      </section>
+    </section>
   </section>
 
   <section id="ALIASES">
@@ -2340,42 +2303,6 @@ rmmod nf_conntrack_sip</programlisting>Then change the DONT_LOAD specification
   <section id="faq40">
     <title>IPv6</title>
 
-    <section id="faq80">
-      <title>(FAQ 80) Does Shorewall support IPV6?</title>
-
-      <para>Answer: <ulink url="IPv6Support.html">Shorewall IPv6
-      support</ulink> is currently available in Shorewall 4.2.4 and
-      later.</para>
-
-      <section id="faq80a">
-        <title>(FAQ 80a) Why does Shorewall lPv6 Support Require Kernel 2.6.24
-        or later?</title>
-
-        <para><emphasis role="bold">Answer:</emphasis> Shorewall implements a
-        stateful firewall which requires connection tracking be present in
-        ip6tables and in the kernel. Linux kernels before 2.6.20 didn't
-        support connection tracking for IPv6. So we could not even start to
-        develop Shorewall IPv6 support until 2.6.20 and there were significant
-        problems with the facility until at least kernel 2.6.23. When
-        distributions began offering IPv6 connection tracking support, it was
-        with kernel 2.6.25. So that is what we developed IPv6 support on and
-        that's all that we initially tested on. Subsequently, we have tested
-        Shorewall6 on Ubuntu Hardy with kernel 2.6.24. If you are running
-        2.6.20 or later, you can <emphasis role="bold">try</emphasis> to run
-        Shorewall6 by hacking<filename>
-        /usr/share/shorewall/prog.footer6</filename> and changing the kernel
-        version test to check for your kernel version rather than 2.6.24
-        (20624). But after that, you are on your own.</para>
-
-        <programlisting>kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2&gt; /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
-if [ $kernel -lt <emphasis role="bold">20624</emphasis> ]; then
-    error_message "ERROR: $PRODUCT requires Linux kernel <emphasis role="bold">2.6.24</emphasis> or later"
-    status=2
-else 
- </programlisting>
-      </section>
-    </section>
-
     <section>
       <title>(FAQ 40) I have an interface that gets its IPv6 configuration
       from radvd. When I start Shorewall6, I immediately loose my default

docs/Introduction.xml

@@ -212,8 +212,8 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
     for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts
     192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis>
     as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that
-    192.168.0.0/24 together with 192.168.1.0/24 comprises
-    192.168.0.0/23).</para>
+    192.168.0.0/24 together with 192.168.1.0/24 constitutes
+    192.168.0.0.23).</para>
 
     <para>Rules about what traffic to allow and what traffic to deny are
     expressed in terms of zones. <itemizedlist spacing="compact">
@@ -412,11 +412,11 @@ ACCEPT     net           $FW       tcp        22</programlisting>
 
       <listitem>
         <para><emphasis role="bold">Shorewall6-lite</emphasis>. Shorewall
-        allows for central administration of multiple IPv6 firewalls through
-        use of Shorewall6 lite. The full Shorewall and Shorewall6 products are
-        installed on a central administrative system where compiled Shorewall
-        scripts are generated. These scripts are copied to the firewall
-        systems where they run under the control of Shorewall6-lite.</para>
+        allows for central administration of multiple IPv4 firewalls through
+        use of Shorewall lite. The full Shorewall product is installed on a
+        central administrative system where compiled Shorewall scripts are
+        generated. These scripts are copied to the firewall systems where they
+        run under the control of Shorewall-lite.</para>
       </listitem>
     </orderedlist>
   </section>

docs/LennyToSqueeze.xml

@@ -1,963 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id$-->
-
-  <articleinfo>
-    <title>Shorewall Issues when Upgrading from Debian Lenny to
-    Squeeze</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2009</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <section>
-    <title>Introduction</title>
-
-    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
-    soon include Shorewall 4.4. Because there are significant differences
-    between the two product versions, some users may experience upgrade
-    issues. This article outlines those issues and offers advice for dealing
-    with them.</para>
-
-    <note>
-      <para>Although this article is targeted specifically at Lenny -&gt;
-      Squeeze upgrades, it should be useful to any Shorewall-shell user
-      upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where
-      non-Debian users may experience different results.</para>
-    </note>
-  </section>
-
-  <section id="Packages">
-    <title>Packaging Differences</title>
-
-    <para>The first key difference between Shorewall 4.0 and Shorewall 4.4 is
-    in the packaging<footnote>
-        <para>Most distributions use a similar packaging structure. Note,
-        however, that the 'shorewall' package in Simon Mater's RPMs for
-        RedHat/Fedora/CentOS is like the Lenny shorewall-common
-        package.</para>
-      </footnote>. In Lenny, there are six Shorewall packages:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>shorewall-common — Contains the basic components needed to
-        create an IPv4 firewall.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall-shell — The legacy Shorewall configuration compiler
-        written in Bourne shell.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall — A transitional package that depends on
-        shorewall-common and shorewall-shell. Installing this package installs
-        both shorewall-common and shorewall-shell.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall-perl — A re-implementation of the Shorewall
-        configuration compiler in Perl. This compiler has many advantages over
-        the shell-based compiler:</para>
-
-        <itemizedlist>
-          <listitem>
-            <para>The compiler is much faster</para>
-          </listitem>
-
-          <listitem>
-            <para>The compiler does a much better job of validating the
-            configuration, thus avoiding run-time errors.</para>
-          </listitem>
-
-          <listitem>
-            <para>The compiler produces better and more consistent diagnostic
-            messages.</para>
-          </listitem>
-
-          <listitem>
-            <para>The compiler produces a script that runs much faster and
-            that does not reject/drop connections during start/restart.</para>
-          </listitem>
-        </itemizedlist>
-      </listitem>
-
-      <listitem>
-        <para>shorewall-lite — A small package that can run scripts generated
-        by shorewall-shell or shorewall-perl. Allows centralized firewall
-        administration.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall-doc — Documentation.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>In Squeeze, there are five packages:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>shorewall — Contains everything needed to create an IPv4
-        firewall. It combines the former shorewall-common and shorewall-perl
-        packages.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall6 — Depends on shorewall. Adds those components needed
-        to create an IPv6 firewall.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall-lite — Same as in Lenny; only runs IPv4 firewall
-        scripts.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall6-lite — Similar to shorewall-lite, except that it only
-        runs IPv6 firewall scripts.</para>
-      </listitem>
-
-      <listitem>
-        <para>shorewall-doc — Documentation.</para>
-      </listitem>
-    </orderedlist>
-
-    <warning>
-      <para>Do not purge the old packages (shorewall-common, shorewall-shell
-      and shorewall-perl) until after the new shorewall package has been
-      installed.</para>
-    </warning>
-
-    <para>The key change in Squeeze that may produce upgrade issues is that
-    Squeeze does not include the shell-based configuration compiler. As a
-    consequence, unless you are already using Shorewall-perl on Lenny, an
-    upgrade from Lenny to Squeeze will mean that you will be switching from
-    the old shell-based compiler to the new Perl-based compiler<footnote>
-        <para>Note that Perl is a required package on Debian. If you are
-        running an embedded distribution which does not include Perl and it is
-        not feasible to install Perl on your firewall, then you should
-        consider installing Shorewall on another system in your network (may
-        be a <trademark>Windows</trademark> system running
-        <trademark>Cygwin</trademark>) and installing Shorewall-lite on your
-        firewall.</para>
-      </footnote>. While the two compilers are highly compatible, there are
-    some differences. Those differences are detailed in the following
-    sections.</para>
-  </section>
-
-  <section id="Issues">
-    <title>Issues Most Likely to Cause Problems or Concerns</title>
-
-    <section id="conf">
-      <title>shorewall.conf</title>
-
-      <para>As always, when upgrading from one major release of Shorewall to
-      another, the installer will prompt you about replacing your existing
-      <filename>shorewall.conf</filename> with the updated one from the
-      package. Shorewall is designed with the assumption that users will never
-      replace shorewall.conf and retaining your existing file will always
-      produce upward-compatible behavior.</para>
-
-      <para>That having been said, there are a few settings that you may have
-      in your shorewall.conf that will cause compilation warning or error
-      messages after the upgrade.</para>
-
-      <variablelist>
-        <varlistentry>
-          <term>BLACKLISTNEWONLY</term>
-
-          <listitem>
-            <para>If you have BLACKLISTNEWONLY=No together with
-            FASTACCEPT=Yes, you will receive this error:</para>
-
-            <para><emphasis role="bold">ERROR: BLACKLISTNEWONLY=No may not be
-            specified with FASTACCEPT=Yes</emphasis></para>
-
-            <para>To eliminate the error, reverse the setting of one of the
-            options.</para>
-
-            <note>
-              <para>This combination never worked correctly in earlier
-              versions -- to duplicate the earlier behavior, you will want to
-              set BLACKLISTNEWONLY=Yes.</para>
-            </note>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>BRIDGING</term>
-
-          <listitem>
-            <para>If you have set this option to Yes, you will receive the
-            following error:</para>
-
-            <para><emphasis role="bold">ERROR: BRIDGING=Yes is not supported
-            by Shorewall 4.4.x</emphasis></para>
-
-            <para>You should not be receiving this error if you are upgrading
-            from Lenny since BRIDGING=Yes did not work in that
-            release<footnote>
-                <para>If you are upgrading from a release using a kernel
-                earlier than 2.6.20, then BRIDGING=Yes did work correctly with
-                Shorewall-shell.</para>
-              </footnote>. If you have a bridge configuration where you want
-            to control connections through the bridge, you will want to visit
-            <ulink
-            url="http://www.shorewall.net/bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink><footnote>
-                <para>Kernel 2.6.20 or later is required.</para>
-              </footnote>.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>DELAYBLACKLISTLOAD</term>
-
-          <listitem>
-            <para>If you have set this option to Yes, you will receive the
-            following warning:</para>
-
-            <para><emphasis role="bold">WARNING: DELAYBLACKLIST=Yes is not
-            supported by Shorewall 4.4.x</emphasis></para>
-
-            <para>To eliminate the warning, set DELAYBLACKLISTLOAD=No or
-            remove the setting altogether.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>DYNAMIC_ZONES</term>
-
-          <listitem>
-            <para>If you have set this option to Yes, you will receive the
-            following warning:</para>
-
-            <para><emphasis role="bold">WARNING: DYNAMIC_ZONES=Yes is not
-            supported by Shorewall 4.4.x</emphasis></para>
-
-            <para>To eliminate the warning, set DYNAMIC_ZONES=No or remove the
-            setting altogether. See <ulink url="Dynamic.html">this
-            article</ulink> to learn how to set up Dynamic Zones under
-            Shorewall 4.4.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry id="FW">
-          <term>FW</term>
-
-          <listitem>
-            <para>If a setting for FW appears in your shorewall.conf file, you
-            will receive this warning:</para>
-
-            <para><emphasis role="bold">WARNING: Unknown configuration option
-            (FW) ignored.</emphasis></para>
-
-            <para>Remove the setting from the file and modify your
-            <filename>/etc/shorewall/zones</filename> file as described <link
-            linkend="zones">below</link>.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>IPSECFILE</term>
-
-          <listitem>
-            <para>If you have specified IPSECFILE=ipsec or IPSECFILE= or if
-            you do not have a setting for IPSECFILE, then you will receive the
-            following error:</para>
-
-            <para><emphasis role="bold">ERROR: IPSECFILE=ipsec is not
-            supported by Shorewall 4.4.x</emphasis></para>
-
-            <para>To eliminate the warning, you will need to:</para>
-
-            <orderedlist>
-              <listitem>
-                <para>Set IPSECFILE=zones</para>
-              </listitem>
-
-              <listitem>
-                <para>Modify your <filename>/etc/shorewall/zones</filename>
-                file as described <link linkend="zones">below</link>.</para>
-              </listitem>
-            </orderedlist>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>PKTTYPE</term>
-
-          <listitem>
-            <para>The PKTTYPE option is ignored by Shorewall-perl.
-            Shorewall-perl will use Address type match if it is available;
-            otherwise, it will behave as if PKTTYPE=No had been
-            specified.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>RFC1918_LOG_LEVEL</term>
-
-          <listitem>
-            <para>If you have specified any setting for this option, you will
-            receive the following warning:</para>
-
-            <para><emphasis role="bold">WARNING: RFC1918_LOG_LEVEL=value
-            ignored. The 'norfc1918' interface/host option is no longer
-            supported.</emphasis></para>
-
-            <para>To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
-            remove the setting altogether.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>RFC1918_STRICT</term>
-
-          <listitem>
-            <para>If you have set this option to Yes, you will receive the
-            following warning:</para>
-
-            <para><emphasis role="bold">WARNING: RFC1918_STRICT=Yes is not
-            supported by Shorewall 4.4.x</emphasis></para>
-
-            <para>To eliminate the warning, set RFC1918_STRICT=No or remove
-            the setting altogether.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>SAVE_IPSETS</term>
-
-          <listitem>
-            <para>Shorewall 4.4 will issue a warning if you set
-            SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
-
-            <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
-            supported by Shorewall 4.4.x</emphasis></para>
-
-            <para>To eliminate this message, you will need to set
-            SAVE_IPSETS=No or remove the setting altogether.</para>
-
-            <para>See <link linkend="ipsets">below</link> for additional
-            information regarding ipsets in Shorewall 4.4.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>SHOREWALL_COMPILER</term>
-
-          <listitem>
-            <para>If you have specified SHOREWALL_COMPILER=shell, you will
-            receive the following warning message:</para>
-
-            <para><emphasis role="bold">WARNING: SHOREWALL_COMPILER=shell
-            ignored. Shorewall-shell support has been removed in this
-            release</emphasis></para>
-
-            <para>To eliminate the warning, set SHOREWALL_COMPILER=perl or
-            simply remove the setting altogether.</para>
-          </listitem>
-        </varlistentry>
-
-        <varlistentry>
-          <term>USE_ACTIONS</term>
-
-          <listitem>
-            <para>If you have set this option to No, you will receive the
-            following warning:</para>
-
-            <para><emphasis role="bold">WARNING: USE_ACTIONS=No is not
-            supported by Shorewall 4.4.x</emphasis></para>
-
-            <para>To eliminate the warning, set USE_ACTIONS=Yes or remove the
-            setting altogether.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
-    </section>
-
-    <section id="zones">
-      <title>/etc/shorewall/zones</title>
-
-      <para>If the column headings in your /etc/shorewall/zones file look like
-      this:</para>
-
-      <programlisting>#ZONE   DISPLAY         COMMENTS
-net     Net             The big bad net
-loc     Local           The local LAN</programlisting>
-
-      <para>then you are using the original zones file format that has been
-      deprecated since Shorewall 3.0.</para>
-
-      <para>You will need to convert to the new file format which has the
-      following headings:</para>
-
-      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS</programlisting>
-
-      <para>You will need to add an entry for your firewall zone. The default
-      name for the firewall zone is 'fw' but may have been overriden using
-      <link linkend="FW">the FW option in
-      <filename>shorewall.conf</filename></link>.</para>
-
-      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
-fw      firewall</programlisting>
-
-      <para>The remainder of your zones will have type 'ipv4' unless they are
-      mentioned in your /etc/shorewall/ipsec file (see <link
-      linkend="ipsec">below</link>).</para>
-
-      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
-fw      firewall
-net     ipv4            # The big bad net
-loc     ipv4            # The local LAN</programlisting>
-    </section>
-
-    <section id="ipsec">
-      <title>/etc/shorewall/ipsec</title>
-
-      <para>This file is no longer used -- its specifications are now included
-      in <filename>/etc/shorewall/zones</filename>.</para>
-
-      <para>Take this example:</para>
-
-      <programlisting>#ZONE   IPSEC    OPTIONS         IN              OUT
-#       ONLY                     OPTIONS         OPTIONS
-ipsec1  Yes
-ipsec2  No</programlisting>
-
-      <para>This would translate to the following entries in
-      <filename>/etc/shorewall/zones</filename>:</para>
-
-      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
-#                                       OPTIONS                 OPTIONS
-ipsec1  ipsec4
-ipsec2  ipv4</programlisting>
-
-      <para>Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
-      from <filename>/etc/shorewall/ipsec</filename> to
-      <filename>/etc/shorewall/zones</filename>.</para>
-    </section>
-
-    <section id="interfaces">
-      <title>/etc/shorewall/interfaces</title>
-
-      <para>The BROADCAST column is essentially unused in Squeeze. If it
-      contains anything except 'detect' or '-', then you will receive this
-      warning<footnote>
-          <para>Users whose kernel and/or iptables do not include Address Type
-          Match Support can continue to list broadcast addresses in this
-          column; no warning will be issued.</para>
-        </footnote>:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">WARNING: Shorewall no longer uses
-        broadcast addresses in rule generation when Address Type Match is
-        available</emphasis></para>
-      </blockquote>
-
-      <para>To eliminate the warning, replace the contents of the BROADCAST
-      column with '-' or 'detect'.</para>
-
-      <para>The 'norfc1918' option has been removed. If you specify the
-      option, you will receive the following warning:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">WARNING: Support for the norfc1918
-        interface option has been removed from Shorewall</emphasis></para>
-      </blockquote>
-
-      <para>To eliminate the warning, simply remove the 'norfc1918' option
-      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
-      as a replacement (see <ulink
-      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
-    </section>
-
-    <section id="hosts">
-      <title>/etc/shorewall/hosts</title>
-
-      <para>The 'norfc1918' option has been removed. If you specify the
-      option, you will receive the following warning:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">WARNING: The 'norfc1918' option is no
-        longer supported</emphasis></para>
-      </blockquote>
-
-      <para>To eliminate the warning, simply remove the 'norfc1918' option
-      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
-      as a replacement (see <ulink
-      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
-    </section>
-
-    <section id="policy">
-      <title>/etc/shorewall/policy</title>
-
-      <para>Shorewall 4.4 detects dead policy file entries that result when an
-      entry is masked by an earlier more general entry.</para>
-
-      <para>Example:</para>
-
-      <programlisting>#SOURCE DEST     POLICY    LOG LEVEL
-all     all      REJECT    info
-loc     net      ACCEPT</programlisting>
-
-      <para>Shorewall-shell silently accepted the above even though the
-      loc-&gt;net policy is useless. Shorewall-perl generates a fatal
-      compilation error:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">ERROR: Policy "loc net ACCEPT" duplicates
-        earlier policy "all all REJECT"</emphasis></para>
-      </blockquote>
-    </section>
-
-    <section id="masq">
-      <title>/etc/shorewall/masq</title>
-
-      <para>There is a long tradition of specifying an interface name in the
-      SOURCE column of this file.</para>
-
-      <para>Masquerading/SNAT occurs in the Netfilter POSTROUTING chain where
-      an incoming interface may not be specified in iptables rules.
-      Consequently, while processing the <command>shorewall start</command>
-      and <command>shorewall restart</command> commands, the generated script
-      must examine the firewall's main routing table to determine those
-      networks that are routed out of the interface; the script then adds a
-      MASQUERADE/SNAT rule for connections from each of those networks. This
-      additional processing requires the named interface to be up and
-      configured when Shorewall starts or restarts.</para>
-
-      <para>Users often complain that Shorewall fails to start at boot time
-      because a VPN interface that is named as a masq SOURCE isn't up and
-      configured during boot.</para>
-
-      <para>To emphasize this restriction, if an interface is named in the
-      SOURCE column of one or more entries, a single warning is issued as
-      follows:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">WARNING: Using an interface as the masq
-        SOURCE requires the interface to be up and configured when Shorewall
-        starts/restarts</emphasis></para>
-      </blockquote>
-
-      <para>To suppress this warning, replace the interface name with the list
-      of networks that are routed out of the interface.</para>
-
-      <para>Example.</para>
-
-      <para>Existing entry:</para>
-
-      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
-#                                                                                       GROUP
-eth0                    eth1</programlisting>
-
-      <para>Current routing configuration:</para>
-
-      <programlisting>gateway:~# ip route ls dev eth1
-<emphasis role="bold">172.20.1.0/24</emphasis>  proto kernel  scope link  src 172.20.1.254 
-224.0.0.0/4  scope link 
-gateway:~# 
-</programlisting>
-
-      <para>Replacement entry:</para>
-
-      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
-#                                                                                       GROUP
-eth0                    <emphasis role="bold">172.20.1.0/24</emphasis></programlisting>
-
-      <para>Note that no entry is included for 224.0.0.0/4 since that is the
-      multicast IP range and there should never be any packets with a SOURCE
-      IP address in that network.</para>
-    </section>
-
-    <section id="rules">
-      <title>/etc/shorewall/rules</title>
-
-      <para>If you include a destination zone in a 'nonat' rule, Shorewall
-      issues the following warning:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">WARNING: Destination zone (zonename)
-        ignored.</emphasis></para>
-      </blockquote>
-
-      <para>Nonat rules include:</para>
-
-      <blockquote>
-        <simplelist>
-          <member>DNAT-</member>
-
-          <member>REDIRECT-</member>
-
-          <member>NONAT</member>
-        </simplelist>
-      </blockquote>
-
-      <para>To eliminate the warning, remove the DEST zone.</para>
-
-      <para>Example.</para>
-
-      <para>Before:</para>
-
-      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
-#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
-NONAT           loc             net             tcp     80</programlisting>
-
-      <para>After:</para>
-
-      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
-#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
-NONAT           loc             -               tcp     80</programlisting>
-    </section>
-
-    <section id="routestopped">
-      <title>/etc/shorewall/routestopped</title>
-
-      <para>The 'critical' option is no longer needed and hence is no longer
-      supported. If you have critical hosts defined, you will receive this
-      warning:</para>
-
-      <blockquote>
-        <para><emphasis role="bold">WARNING: The 'critical' option is no
-        longer supported (or needed)</emphasis></para>
-      </blockquote>
-
-      <para>To suppress the warning, simply remove the option.</para>
-
-      <para>Shorewall 4.4 also treats the <filename>routestopped</filename>
-      file differently from earlier releases. Previously, the
-      <filename>routestopped</filename> file was parsed during
-      <command>shorewall stop</command> processing so that changes made to the
-      file while Shorewall was running would be applied at the next
-      <command>stop</command>. This is no longer the case -- the
-      <filename>routestopped</filename> file is processed during compilation
-      just like the rest of the configuration files so that when
-      <command>shorewall stop</command> is issued, the firewall will pass
-      traffic based on the contents of the <filename>routestopped</filename>
-      file at the last <command>start</command> or
-      <command>restart</command>.</para>
-    </section>
-
-    <section id="tos">
-      <title>/etc/shorewall/tos</title>
-
-      <para>The <filename>/etc/shorewall/tos</filename> file now has
-      zone-independent SOURCE and DEST columns as do all other files except
-      the rules and policy files.</para>
-
-      <para>The SOURCE column may be one of the following:</para>
-
-      <simplelist>
-        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
-
-        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
-
-        <member><command>$FW</command>[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
-      </simplelist>
-
-      <para>The DEST column may be one of the following:</para>
-
-      <simplelist>
-        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
-
-        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
-      </simplelist>
-
-      <para>This is a permanent change. The old zone-based rules have never
-      worked right and this is a good time to replace them. We have tried to
-      make the new syntax cover the most common cases without requiring change
-      to existing files. In particular, it will handle the
-      <filename>tos</filename> file released with Shorewall 1.4 and
-      earlier.</para>
-    </section>
-
-    <section id="extension">
-      <title>Extension Scripts</title>
-
-      <para>With the shell-based compiler, all extension scripts were copied
-      into the compiled script and executed at run-time. In some cases, this
-      approach doesn't work with Shorewall Perl because (almost) the entire
-      rule set is built by the compiler. As a result, Shorewall-perl runs some
-      extension scripts at compile-time rather than at run-time. Because the
-      compiler is written in Perl, these extension scripts from earlier
-      versions will no longer work.</para>
-
-      <para>The following table summarizes when the various extension scripts
-      are run:<informaltable align="left" frame="none">
-          <tgroup cols="3">
-            <tbody>
-              <row>
-                <entry><emphasis role="bold">Compile-time (Must be written in
-                Perl)</emphasis></entry>
-
-                <entry><emphasis role="bold">Run-time</emphasis></entry>
-
-                <entry><emphasis role="bold">Eliminated</emphasis></entry>
-              </row>
-
-              <row>
-                <entry>initdone</entry>
-
-                <entry>clear</entry>
-
-                <entry>continue</entry>
-              </row>
-
-              <row>
-                <entry>maclog</entry>
-
-                <entry>init</entry>
-
-                <entry></entry>
-              </row>
-
-              <row>
-                <entry>Per-chain (including those associated with
-                actions)</entry>
-
-                <entry>start</entry>
-
-                <entry></entry>
-              </row>
-
-              <row>
-                <entry></entry>
-
-                <entry>started</entry>
-
-                <entry></entry>
-              </row>
-
-              <row>
-                <entry></entry>
-
-                <entry>stop</entry>
-
-                <entry></entry>
-              </row>
-
-              <row>
-                <entry></entry>
-
-                <entry>stopped</entry>
-
-                <entry></entry>
-              </row>
-
-              <row>
-                <entry></entry>
-
-                <entry>tcclear</entry>
-
-                <entry></entry>
-              </row>
-            </tbody>
-          </tgroup>
-        </informaltable></para>
-
-      <para>Compile-time extension scripts are executed using the Perl 'eval
-      `cat &lt;file&gt;`' mechanism. Be sure that each script returns a 'true'
-      value; otherwise, the Shorewall-perl compiler will assume that the
-      script failed and will abort the compilation.</para>
-
-      <para>When a script is invoked, the <emphasis
-      role="bold">$chainref</emphasis> scalar variable will usually hold a
-      reference to a chain table entry.</para>
-
-      <simplelist>
-        <member><emphasis role="bold">$chainref-&gt;{name}</emphasis> contains
-        the name of the chain</member>
-
-        <member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
-        the table name</member>
-      </simplelist>
-
-      <para>To add a rule to the chain:</para>
-
-      <simplelist>
-        <member>add_rule $chainref,
-        <replaceable>the-rule</replaceable></member>
-      </simplelist>
-
-      <para>Where</para>
-
-      <simplelist>
-        <member><replaceable>the rule</replaceable> is a scalar argument
-        holding the rule text. Do not include "-A
-        <replaceable>chain-name</replaceable>"</member>
-      </simplelist>
-
-      <para>Example:</para>
-
-      <simplelist>
-        <member>add_rule $chainref, '-j ACCEPT';</member>
-      </simplelist>
-
-      <para>To insert a rule into the chain:</para>
-
-      <simplelist>
-        <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
-        <replaceable>the-rule</replaceable></member>
-      </simplelist>
-
-      <para>The log_rule_limit function works like it does in the shell
-      compiler with three exceptions:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>You pass the chain reference rather than the name of the
-          chain.</para>
-        </listitem>
-
-        <listitem>
-          <para>The commands are 'add' and 'insert' rather than '-A' and
-          '-I'.</para>
-        </listitem>
-
-        <listitem>
-          <para>There is only a single "pass as-is to iptables" argument (so
-          you must quote that part</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>Example:</para>
-
-      <programlisting>    log_rule_limit
-              'info' , 
-              $chainref , 
-              $chainref-&gt;{name},
-              'DROP' , 
-              '',    #Limit
-              '' ,   #Log tag
-              'add'
-              '-p tcp ';         </programlisting>
-
-      <para>Here is an example of an actual initdone script used with
-      Shorewall 3.4:<programlisting>run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
-run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
-run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
-</programlisting></para>
-
-      <para>Here is the corresponding script used with Shorewall
-      4.4:<programlisting>use Shorewall::Chains;
-
-insert_rule $mangle_table-&gt;{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
-insert_rule $filter_table-&gt;{INPUT},      1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
-insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
-
-1;</programlisting></para>
-
-      <para>The initdone script is unique because the $chainref variable is
-      not set before the script is called. The above script illustrates how
-      the $mangle_table, $filter_table, and $nat_table references can be used
-      to add or insert rules in arbitrary chains.</para>
-    </section>
-
-    <section id="ipsets">
-      <title>Ipsets</title>
-
-      <para>Shorewall 4.4 insists that ipset names begin with a letter and be
-      composed of alphanumeric characters and underscores (_). When used in a
-      Shorewall configuration file, the name must be preceded by a plus sign
-      (+) as with the shell-based compiler.</para>
-
-      <para>Shorewall 4.4 is out of the ipset load/reload business with the
-      exception of ipsets used for dynamic zones. With scripts generated by
-      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
-      there is no opportunity for Shorewall to load/reload your ipsets since
-      that cannot be done while there are any current rules using
-      ipsets.</para>
-
-      <para>So:</para>
-
-      <orderedlist numeration="upperroman">
-        <listitem>
-          <para>Your ipsets must be loaded before Shorewall starts. You are
-          free to try to do that with the following code in
-          <filename>/etc/shorewall/init (it works for me; your mileage may
-          vary)</filename>:</para>
-
-          <programlisting>if [ "$COMMAND" = start ]; then
-    ipset -U :all: :all:
-    ipset -U :all: :default:
-    ipset -F
-    ipset -X
-    ipset -R &lt; /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The file <filename>/etc/shorewall/ipsets</filename> will
-          normally be produced using the <command>ipset -S</command> command.
-          I have this in my<filename> /etc/shorewall/stop</filename>
-          file:</para>
-
-          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
-    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
-    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
-fi</programlisting>
-
-          <para>The above extension scripts will work most of the time but
-          will fail in a <command>shorewall stop</command> -
-          <command>shorewall start</command> sequence if you use ipsets in
-          your routestopped file (see <link
-          linkend="routestopped">below</link>).</para>
-        </listitem>
-
-        <listitem>
-          <para>Your ipsets may not be reloaded until Shorewall is stopped or
-          cleared.</para>
-        </listitem>
-
-        <listitem>
-          <para>If you specify ipsets in your routestopped file then Shorewall
-          must be cleared in order to reload your ipsets.</para>
-        </listitem>
-      </orderedlist>
-    </section>
-  </section>
-
-  <section id="Additional">
-    <title>Additional Sources of Information</title>
-
-    <para>The following articles provide additional information.</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><ulink url="Shorewall-perl.html#Incompatibilities">Shorewall
-        Perl Incompatibilities</ulink></para>
-      </listitem>
-
-      <listitem>
-        <para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
-      </listitem>
-    </itemizedlist>
-  </section>
-</article>

docs/Macros.xml

@@ -248,7 +248,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
       </varlistentry>
     </variablelist>
 
-    <para>One additional restriction should be noted: macros that are invoked
+    <para>One remaining restriction should be noted: macros that are invoked
     from actions cannot themselves invoke other actions.</para>
   </section>
 
@@ -554,151 +554,6 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
           2.6.14).</member>
         </simplelist>
       </listitem>
-
-      <listitem>
-        <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
-        packet or connection mark. The rule will match only if the test
-        returns true. Must be empty or '-' if the macro is to be used within
-        an action.</para>
-
-        <programlisting>     [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
-
-        <variablelist>
-          <varlistentry>
-            <term>!</term>
-
-            <listitem>
-              <para>Inverts the test (not equal)</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><replaceable>value</replaceable></term>
-
-            <listitem>
-              <para>Value of the packet or connection mark.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term><replaceable>mask</replaceable></term>
-
-            <listitem>
-              <para>A mask to be applied to the mark before testing.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>:C</term>
-
-            <listitem>
-              <para>Designates a connection mark. If omitted, the # packet
-              mark's value is tested.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-      </listitem>
-
-      <listitem>
-        <para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
-        the macro is to be used within an action.</para>
-
-        <programlisting>     [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
-
-        <para>May be used to limit the number of simultaneous connections from
-        each individual host to limit connections. Requires connlimit match in
-        your kernel and iptables. While the limit is only checked on rules
-        specifying CONNLIMIT, the number of current connections is calculated
-        over all current connections from the SOURCE host. By default, the
-        <replaceable>limit</replaceable> is applied to each host but can be
-        made to apply to networks of hosts by specifying a
-        <replaceable>mask</replaceable>. The mask specifies the width of a
-        VLSM mask to be applied to the source address; the number of current
-        connections is then taken over all hosts in the subnet
-        <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
-        When ! is specified, the rule matches when the number of connection
-        exceeds the limit. </para>
-      </listitem>
-
-      <listitem>
-        <para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
-        macro is to be used within an action.</para>
-
-        <programlisting>     &lt;timeelement&gt;[&amp;...]</programlisting>
-
-        <para><replaceable>timeelement</replaceable> may be:</para>
-
-        <variablelist>
-          <varlistentry>
-            <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-            <listitem>
-              <para>Defines the starting time of day.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
-
-            <listitem>
-              <para>Defines the ending time of day.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>utc</term>
-
-            <listitem>
-              <para>Times are expressed in Greenwich Mean Time.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>localtz</term>
-
-            <listitem>
-              <para>Times are expressed in Local Civil Time (default).</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>weekdays=ddd[,ddd]...</term>
-
-            <listitem>
-              <para>where <replaceable>ddd</replaceable> is one of
-              <option>Mon</option>, <option>Tue</option>,
-              <option>Wed</option>, <option>Thu</option>,
-              <option>Fri</option>, <option>Sat</option> or
-              <option>Sun</option></para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>monthdays=dd[,dd],...</term>
-
-            <listitem>
-              <para>where <replaceable>dd</replaceable> is an ordinal day of
-              the month</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-            <listitem>
-              <para>Defines the starting date and time.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
-
-            <listitem>
-              <para>Defines the ending date and time.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-      </listitem>
     </itemizedlist>
 
     <para>Omitted column entries should be entered using a dash ("-:).</para>

docs/MultiISP.xml

@@ -235,22 +235,9 @@
 
               <listitem>
                 <para>Use mark values &gt; 255 for provider marks in this
-                column.</para>
-
-                <itemizedlist>
-                  <listitem>
-                    <para>These mark values must be a multiple of 256 in the
-                    range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
-                    low-order 8 bits being zero); or</para>
-                  </listitem>
-
-                  <listitem>
-                    <para>Set WIDE_TC_MARKS=Yes in <ulink
-                    url="manpages/shorewall.conf.html">shorewall.conf
-                    </ulink>(5) and use mark values in the range 0x10000 -
-                    0xFF0000 with the low-order 16 bits being zero.</para>
-                  </listitem>
-                </itemizedlist>
+                column. These mark values must be a multiple of 256 in the
+                range 256-65280 (hex equivalent 0x100 - 0xFF00 with the
+                low-order 8 bits being zero).</para>
               </listitem>
             </itemizedlist>
 
@@ -278,10 +265,10 @@
 
           <listitem>
             <para>The name of the interface to the provider. Where multiple
-            providers share the same interface, you must follow the name of
-            the interface by a colon (":") and the IP address assigned by this
-            provider (e.g., eth0:206.124.146.176). See <link
-            linkend="Shared">below</link> for additional
+            providers share the same interface (which is not recommended), you
+            must follow the name of the interface by a colon (":") and the IP
+            address assigned by this provider (e.g., eth0:206.124.146.176).
+            See <link linkend="Shared">below</link> for additional
             considerations.</para>
 
             <para>The interface must have been previously defined in <ulink
@@ -423,21 +410,11 @@
                 <term>loose</term>
 
                 <listitem>
-                  <para>Do not generate routing rules that force traffic whose
+                  <para>Do not include routing rules that force traffic whose
                   source IP is an address of the INTERFACE to be routed to
                   this provider. Useful for defining providers that are to be
                   used only when the appropriate packet mark is
                   applied.</para>
-
-                  <para>Shorewall makes no attempt to consolidate the routing
-                  rules added when <emphasis role="bold">loose</emphasis> is
-                  not specified. So, if you have multiple IP addresses on a
-                  provider interface, you may be able to replace the rules
-                  that Shorewall generates with one or two rules in
-                  <filename>/etc/shorewall/route_rules</filename>. In that
-                  case, you can specify <emphasis role="bold">loose</emphasis>
-                  to suppress Shorewall's rule generation. See the <link
-                  linkend="Complete">example</link> below.</para>
                 </listitem>
               </varlistentry>
 
@@ -641,9 +618,8 @@
 
         <listitem>
           <para>Once routing determines where the packet is to go, the
-          firewall (Shorewall) determines if the packet is allowed to go there
-          and controls rewriting of the SOURCE IP address
-          (SNAT/MASQUERADE).</para>
+          firewall (Shorewall) determines if the packet is allowed to go
+          there.</para>
         </listitem>
       </orderedlist>
 
@@ -679,7 +655,7 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
       internal subnetwork.</para>
 
       <para>If you have multiple IP addresses on one of your interfaces, you
-      can use a similar technique -- simplY exclude the smallest network that
+      can use a similar technique -- simple exclude the smallest network that
       contains all of those addresses from being masqueraded.</para>
 
       <warning>
@@ -1464,7 +1440,7 @@ defaults {
   warn_email=teastep@shorewall.net
   check_arp=0
   sourceip=
-  ttl=0
+  ttl=64
 }
 
 include /etc/lsm/shorewall.conf</programlisting>

docs/OPENVPN.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article id="OPENVPN">
-  <!--Id$-->
+  <!--$Id$-->
 
   <articleinfo>
     <title>OpenVPN Tunnels and Bridges</title>
@@ -420,7 +420,7 @@ verb 3</programlisting>
     <orderedlist>
       <listitem>
         <para>Include the <emphasis role="bold">client-to-client</emphasis>
-        directive in the server's OpenVPN configuration; or</para>
+        directive in the server's OpenVPN configuration; and</para>
       </listitem>
 
       <listitem>
@@ -429,6 +429,11 @@ verb 3</programlisting>
         url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>.</para>
       </listitem>
     </orderedlist>
+
+    <para>If you want to selectively allow communication between the clients,
+    then see <ulink
+    url="http://marc.zonzon.free.fr/public_html/home.php?section=WRTMemo&amp;subsec=vpnwithshorewall">this
+    article</ulink> by Marc Zonzon</para>
   </section>
 
   <section>

docs/Shorewall-perl.xml

@@ -143,7 +143,7 @@
           </itemizedlist>
         </listitem>
 
-        <listitem id="Extensions">
+        <listitem>
           <para>With the shell-based compiler, extension scripts were copied
           into the compiled script and executed at run-time. In many cases,
           this approach doesn't work with Shorewall Perl because (almost) the
@@ -153,79 +153,67 @@
           extension scripts from earlier versions will no longer work.</para>
 
           <para>The following table summarizes when the various extension
-          scripts are run:</para>
+          scripts are run:<informaltable align="left" frame="none">
+              <tgroup cols="3">
+                <tbody>
+                  <row>
+                    <entry><emphasis role="bold">Compile-time (Must be written
+                    in Perl)</emphasis></entry>
 
-          <informaltable align="left" frame="none">
-            <tgroup cols="3">
-              <tbody>
-                <row>
-                  <entry><emphasis role="bold">Compile-time (Must be written
-                  in Perl)</emphasis></entry>
+                    <entry><emphasis role="bold">Run-time</emphasis></entry>
 
-                  <entry><emphasis role="bold">Run-time</emphasis></entry>
+                    <entry><emphasis role="bold">Eliminated</emphasis></entry>
+                  </row>
 
-                  <entry><emphasis role="bold">Eliminated</emphasis></entry>
-                </row>
+                  <row>
+                    <entry>initdone</entry>
 
-                <row>
-                  <entry>initdone</entry>
+                    <entry>clear</entry>
 
-                  <entry>clear</entry>
+                    <entry>continue</entry>
+                  </row>
 
-                  <entry>continue</entry>
-                </row>
+                  <row>
+                    <entry>maclog</entry>
 
-                <row>
-                  <entry>maclog</entry>
+                    <entry>start</entry>
+                  </row>
 
-                  <entry>init</entry>
+                  <row>
+                    <entry>Per-chain (including those associated with
+                    actions)</entry>
 
-                  <entry></entry>
-                </row>
+                    <entry>started</entry>
 
-                <row>
-                  <entry>Per-chain (including those associated with
-                  actions)</entry>
+                    <entry></entry>
+                  </row>
 
-                  <entry>start</entry>
+                  <row>
+                    <entry></entry>
 
-                  <entry></entry>
-                </row>
+                    <entry>stop</entry>
 
-                <row>
-                  <entry></entry>
+                    <entry></entry>
+                  </row>
 
-                  <entry>started</entry>
+                  <row>
+                    <entry></entry>
 
-                  <entry></entry>
-                </row>
+                    <entry>stopped</entry>
 
-                <row>
-                  <entry></entry>
+                    <entry></entry>
+                  </row>
 
-                  <entry>stop</entry>
+                  <row>
+                    <entry></entry>
 
-                  <entry></entry>
-                </row>
+                    <entry>tcclear</entry>
 
-                <row>
-                  <entry></entry>
-
-                  <entry>stopped</entry>
-
-                  <entry></entry>
-                </row>
-
-                <row>
-                  <entry></entry>
-
-                  <entry>tcclear</entry>
-
-                  <entry></entry>
-                </row>
-              </tbody>
-            </tgroup>
-          </informaltable>
+                    <entry></entry>
+                  </row>
+                </tbody>
+              </tgroup>
+            </informaltable></para>
 
           <para>Compile-time extension scripts are executed using the Perl
           'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
@@ -355,7 +343,7 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
           the tos file released with Shorewall 1.4 and earlier.</para>
         </listitem>
 
-        <listitem id="SAVE_IPSETS">
+        <listitem>
           <para>Shorewall-perl insists that ipset names begin with a letter
           and be composed of alphanumeric characters and underscores (_). When
           used in a Shorewall configuration file, the name must be preceded by
@@ -559,8 +547,7 @@ DNAT-              net                192.168.1.3      tcp          21</programl
           starts/restarts</para>
 
           <para>To avoid this warning, replace interface names by the
-          corresponding network() in CIDR format (e.g.,
-          192.168.144.0/24).</para>
+          corresponding network addresses (e.g., 192.168.144.0/24).</para>
         </listitem>
       </orderedlist>
     </section>

docs/SimpleBridge.xml

@@ -93,12 +93,6 @@
     bridge-specific changes are restricted to the
     <filename>/etc/shorewall/interfaces</filename> file.</para>
 
-    <note>
-      <para>Older configurations that specify an interface name in the SOURCE
-      column of <filename>/etc/shorewall/masq</filename> will also need to
-      change that file.</para>
-    </note>
-
     <para>This example illustrates the bridging of two Ethernet devices but
     the types of the devices really isn't important. What is shown here would
     apply equally to bridging an Ethernet device to an <ulink
@@ -144,11 +138,5 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
 net            eth0            detect         ...
 loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
           role="bold">routeback,bridge</emphasis>,...</programlisting></para>
-
-    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
-    unchanged:</para>
-
-    <programlisting>#INTERFACE     SOURCE          ADDRESS
-eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
   </section>
 </article>

docs/configuration_file_basics.xml

@@ -216,7 +216,7 @@
 
         <listitem>
           <para><filename>/usr/share/shorewall/modules</filename> - directs
-          the firewall to load kernel modules.</para>
+          the firewall to load kernel modules. </para>
         </listitem>
 
         <listitem>
@@ -432,79 +432,6 @@ ACCEPT      net:\
     </example>
   </section>
 
-  <section id="SOURCE-DEST">
-    <title>Specifying SOURCE and DEST</title>
-
-    <para>Entries in Shorewall configuration files often deal with the source
-    (SOURCE) and destination (DEST) of connections and Shorewall implements a
-    uniform way for specifying them.</para>
-
-    <para>A SOURCE or DEST consists of one to three parts separated by colons
-    (":"):</para>
-
-    <orderedlist>
-      <listitem>
-        <para>ZONE — The name of a zone declared in
-        <filename>/etc/shorewall/zones</filename> or
-        <filename>/etc/shorewall6/zones</filename>. This part is only
-        available in the rules file (<filename>/etc/shorewall/rules</filename>
-        and <filename>/etc/shorewall6/rules</filename>).</para>
-      </listitem>
-
-      <listitem>
-        <para>INTERFACE — The name of an interface that matches an entry in
-        <filename>/etc/shorewall/interfaces</filename>
-        (<filename>/etc/shorewall6/interfaces</filename>).</para>
-      </listitem>
-
-      <listitem>
-        <para>ADDRESS LIST — A list of one or more addresses (host or network)
-        or address ranges, separated by commas. In an IPv6 configuration, this
-        list must be includes in angled brackets ("&lt;...&gt;"). The list may
-        have <link linkend="Exclusion">exclusion</link>.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>Examples.</para>
-
-    <orderedlist>
-      <listitem>
-        <para>All hosts in the <emphasis role="bold">net</emphasis> zone —
-        <emphasis role="bold">net</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>Subnet 192.168.1.0/29 in the <emphasis
-        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:192.168.1.0/29</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>All hosts in the net zone connecting through <filename
-        class="devicefile">ppp0</filename> — <emphasis
-        role="bold">net:ppp0</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>All hosts interfaced by <filename
-        class="devicefile">eth3</filename> — <emphasis
-        role="bold">eth3</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>Subnet 10.0.1.0/24 interfacing through <filename><filename
-        class="devicefile">eth2</filename></filename> — <emphasis
-        role="bold">eth2:10.0.1.0/24</emphasis></para>
-      </listitem>
-
-      <listitem>
-        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
-        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
-      </listitem>
-    </orderedlist>
-  </section>
-
   <section id="INCLUDE">
     <title>INCLUDE Directive</title>