Correct pi-rho's patch to not deal with the loopback interface

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -98,7 +98,7 @@ if [ -z "$vendor" ]; then
 	eval $(cat /etc/os-release | grep ^ID=)
 
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
 	    debian|ubuntu)

Shorewall-core/configure.pl

@@ -64,7 +64,7 @@ unless ( defined $vendor ) {
 
 	$id =~ s/ID=//;
 	
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';

Shorewall-core/install.sh

@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall-core/lib.cli

@@ -252,7 +252,15 @@ show_classifiers() {
 
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
+	    tc filter show dev $device
+	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+		if [ -n "$class" ]; then
+		    echo
+		    echo Node $class
+		    tc filter show dev $device parent $class
+		fi
+	    done
 	    echo
 	fi
     }

Shorewall-init/install.sh

@@ -191,7 +191,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID=)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian|ubuntu)

Shorewall-lite/install.sh

@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/Macros/macro.AMQP

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672

Shorewall/Macros/macro.IPMI

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Dell and Supermicro.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS

Shorewall/Macros/macro.MongoDB

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - MongoDB Macro
+#
+# /usr/share/shorewall/macro.MongoDB
+#
+#	This macro handles MongoDB Daemon/Router traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	27017

Shorewall/Macros/macro.Redis

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Redis Macro
+#
+# /usr/share/shorewall/macro.Redis
+#
+#	This macro handles Redis traffic.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	6379

Shorewall/Macros/macro.Sieve

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Sieve Macro
+#
+# /usr/share/shorewall/macro.Sieve
+#
+#	This macro handles sieve aka ManageSieve protocol.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	4190

Shorewall/Perl/Shorewall/Compiler.pm

@@ -730,7 +730,7 @@ sub compiler {
     #
     # Do all of the zone-independent stuff (mostly /proc)
     #
-    add_common_rules( $convert );
+    add_common_rules( $convert, $tcrules );
     #
     # More /proc
     #
@@ -819,7 +819,7 @@ sub compiler {
     #
     # Setup Nat
     #
-    setup_nat if $family == F_IPV4;
+    setup_nat;
     #
     # Setup NETMAP
     #

Shorewall/Perl/Shorewall/Misc.pm

@@ -775,8 +775,8 @@ sub process_stoppedrules() {
 
 sub setup_mss();
 
-sub add_common_rules ( $ ) {
-    my $upgrade = shift;
+sub add_common_rules ( $$ ) {
+    my ( $upgrade_blacklist, $upgrade_tcrules ) = @_;
     my $interface;
     my $chainref;
     my $target;
@@ -929,8 +929,8 @@ sub add_common_rules ( $ ) {
 	    
     run_user_exit1 'initdone';
 
-    if ( $upgrade ) {
-	exit 0 unless convert_blacklist;
+    if ( $upgrade_blacklist ) {
+	exit 0 unless convert_blacklist || $upgrade_tcrules;
     } else {
 	setup_blacklist;
     }

Shorewall/configfiles/blrules

@@ -6,7 +6,7 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###################################################################################################################################################################################################
-#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+################################################################################################################################################################################################
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS		SWITCH
 #									PORT	PORT(S)		DEST		LIMIT		GROUP
 

Shorewall/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/clear
 #
-#	Add commands below that you want to be executed after Shorewall
-#       has processed the 'clear' command.
+# Add commands below that you want to be executed after Shorewall has
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/findgw

@@ -3,12 +3,12 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
-#    gateway through an interface in /etc/shorewall/providers that has GATEWAY
-#    specified as 'detect'.
+# The code in this file is executed when Shorewall is trying to detect the
+# gateway through an interface in /etc/shorewall/providers that has GATEWAY
+# specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
-#    it is; the name of the interface is in $1.
+# The function should echo the IP address of the gateway if it knows what
+# it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# Use this file to declare shell functions to be called in the other
+# run-time extension scripts. The file will be copied into the generated
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/mangle

@@ -9,7 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)
-

Shorewall/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refresh
 #
-#	Add commands below that you want to be executed before Shorewall
-#       has processed the 'refresh' command.
+# Add commands below that you want to be executed before Shorewall
+# has processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall
-#       has processed the 'refresh' command.
+# Add commands below that you want to be executed after Shorewall has
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
-#       'show connections.
+# Replace the 'cat' command below to filter the output of
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/shorewall.conf

@@ -12,13 +12,13 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
 
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 
 BLACKLIST_LOG_LEVEL=
@@ -100,7 +100,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -271,8 +271,8 @@ MASK_BITS=
 ZONE_BITS=0
 
 ################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
+#			     L E G A C Y  O P T I O N
+#		       D O  N O T  D E L E T E	O R  A L T E R
 ################################################################################
 
 IPSECFILE=zones

Shorewall/configfiles/tcclasses

@@ -7,4 +7,4 @@
 #
 ###############################################################################
 #INTERFACE:CLASS	MARK	RATE:		CEIL	PRIORITY	OPTIONS
-#                               DMAX:UMAX
+#				DMAX:UMAX

Shorewall/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall
-#       clears the traffic shaping configuration.
+# Add commands below that you want to be executed before Shorewall clears
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall/install.sh

@@ -216,7 +216,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)

Shorewall/manpages/shorewall-masq.xml

@@ -143,7 +143,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term>(Formerly called SUBNET) -
+        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
+        -
         {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>
 

Shorewall/manpages/shorewall-nat.xml

@@ -136,6 +136,80 @@
     </variablelist>
   </refsect1>
 
+  <refsect1>
+    <title>RESTRICTIONS</title>
+
+    <para>DNAT rules always preempt one-to-one NAT rules. This has subtile
+    consequences when there are sub-zones on an
+    <replaceable>interface</replaceable>. Consider the following:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4
+loc     ipv4
+smc:net ipv4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians</programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+smc     eth0:10.1.10.0/24</programlisting>
+
+    <para><filename>/etc/shorewall/nat</filename>:</para>
+
+    <programlisting>#EXTERNAL       INTERFACE       INTERNAL        ALL             LOCAL
+#                                               INTERFACES
+10.1.10.100     eth0            172.20.1.100
+</programlisting>
+
+    <para>Note that the EXTERNAL address is in the <emphasis
+    role="bold">smc</emphasis> zone.</para>
+
+    <para><filename>/etc/shorewall/rules</filename>:</para>
+
+    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS     SWITCH           HELPER
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+?SECTION ALL
+?SECTION ESTABLISHED
+?SECTION RELATED
+?SECTION INVALID
+?SECTION UNTRACKED
+?SECTION NEW
+...
+DNAT            net             loc:172.20.1.4  tcp     80</programlisting>
+
+    <para>For the one-to-one NAT to work correctly in this configuration, one
+    of two approaches can be taken:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Define a CONTINUE policy with <emphasis
+        role="bold">smc</emphasis> as the SOURCE zone (preferred):</para>
+
+        <programlisting>#SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
+<emphasis role="bold">smc		$FW		CONTINUE</emphasis>
+loc		net		ACCEPT
+net		all		DROP		info
+# THE FOLLOWING POLICY MUST BE LAST
+all		all		REJECT		info
+</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>Set IMPLICIT_CONTINUE=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+      </listitem>
+    </orderedlist>
+  </refsect1>
+
   <refsect1>
     <title>FILES</title>
 

Shorewall6/configfiles/actions

@@ -7,7 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
 ########################################################################################
 #ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
 #                               v        a comment describing the action)

Shorewall6/configfiles/blrules

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME	HEADERS	SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Shorewall6/configfiles/clear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/clear
 #
-#	Add commands below that you want to be executed after Shorewall6
-#       has processed the 'clear' command.
+# Add commands below that you want to be executed after Shorewall6 has
+# processed the 'clear' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/lib.private

@@ -3,9 +3,9 @@
 #
 # /etc/shorewall6/lib.private
 #
-#	Use this file to declare shell functions to be called in the other
-#	run-time extension scripts. The file will be copied into the generated
-#       firewall script.
+# Use this file to declare shell functions to be called in the other
+# run-time extension scripts. The file will be copied into the generated
+# firewall script.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/mangle

@@ -1,7 +1,7 @@
 #
 # Shorewall6 version 4 - Mangle File
 #
-# For information about entries in this file, type "man shorewall6-mangle
+# For information about entries in this file, type "man shorewall6-mangle"
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-###########################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
+############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	HEADERS	PROBABILITY	DSCP
 #							PORT(S)	PORT(S)

Shorewall6/configfiles/refresh

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refresh
 #
-#	Add commands below that you want to be executed before Shorewall6
-#       has processed the 'refresh' command.
+# Add commands below that you want to be executed before Shorewall6 has
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/refreshed

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/refreshed
 #
-#	Add commands below that you want to be executed after Shorewall6
-#       has processed the 'refresh' command.
+# Add commands below that you want to be executed after Shorewall6 has
+# processed the 'refresh' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/scfilter

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall/scfilter
 #
-#	Replace the 'cat' command below to filter the output of
-#       'show connections.
+# Replace the 'cat' command below to filter the output of
+# 'show connections'.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/shorewall6.conf

@@ -13,7 +13,7 @@
 STARTUP_ENABLED=No
 
 ###############################################################################
-#		              V E R B O S I T Y
+#			     V E R B O S I T Y
 ###############################################################################
 
 VERBOSITY=1
@@ -97,7 +97,7 @@ QUEUE_DEFAULT=none
 REJECT_DEFAULT=Reject
 
 ###############################################################################
-#                        R S H / R C P  C O M M A N D S
+#			 R S H / R C P	C O M M A N D S
 ###############################################################################
 
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

Shorewall6/configfiles/tcclear

@@ -3,8 +3,8 @@
 #
 # /etc/shorewall6/tcclear
 #
-#	Add commands below that you want to be executed before Shorewall6
-#       clears the traffic shaping configuration.
+# Add commands below that you want to be executed before Shorewall6 clears
+# the traffic shaping configuration.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/tcfilters

@@ -6,5 +6,5 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ########################################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE	TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)

Shorewall6/manpages/shorewall6-masq.xml

@@ -530,7 +530,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 8:</term>
+        <term>Example 2:</term>
 
         <listitem>
           <para>Your sit1 interface has two public IP addresses:

docs/FAQ.xml

@@ -746,6 +746,12 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
           DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
           time that you get a new IP address.</para>
 
+          <note>
+            <para>If your local interface is a bridge, see <link
+            linkend="faq2e">FAQ 2e</link> for additional configuration
+            steps.</para>
+          </note>
+
           <note>
             <para>For optional interfaces, use the function <emphasis
             role="bold">find_first_interface_address_if_any()</emphasis>
@@ -915,6 +921,59 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         INTERFACES column of each entry in <ulink
         url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
       </section>
+
+      <section id="faq2e">
+        <title>(FAQ 2e) I have the situation in FAQ 2 but my local interface
+        is a bridge and the solution in FAQ 2 doesn't work</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: Assume that the bridge
+        is br0 and that eth2 is the bridge port that connects to the LAN
+        containing 192.168.1.5</para>
+
+        <para>In addition to the steps in FAQ 2 (replacing eth1 with br0), you
+        also need to:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Set the <firstterm>hairpin</firstterm> option on
+            eth2.</para>
+
+            <programlisting>brctl hairpin br0 eth2 on</programlisting>
+
+            <para>On Debian and derivitives, you can place that command in
+            /etc/network/interfaces as a post-up command:</para>
+
+            <programlisting>auto br0
+iface br0 inet static
+        bridge_ports    eth2
+        bridge_fd       0
+        bridge_maxwait  0
+        address         192.168.1.1
+        netmask         255.255.255.0
+        <emphasis role="bold">post-up /sbin/brctl hairpin br0 eth2 on</emphasis></programlisting>
+          </listitem>
+
+          <listitem>
+            <para>Install ebtables if it is not already installed.</para>
+          </listitem>
+
+          <listitem>
+            <para>Be sure that all traffic going out of eth2 has the correct
+            MAC address.</para>
+
+            <programlisting>ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source <emphasis>br0-MAC-address</emphasis> </programlisting>
+
+            <para>where br0-MAC-address is the MAC address of br0.</para>
+
+            <para>Here's a working example of /etc/shorewall/start that
+            executes the above command.</para>
+
+            <programlisting>if [ $(ebtables -t nat -L POSTROUTING | wc -l) -lt 4 ]; then
+   <emphasis role="bold">ebtables -t nat -A POSTROUTING -o eth2 -j snat --to-source 0:19:21:d0:61:65</emphasis>
+fi</programlisting>
+          </listitem>
+        </orderedlist>
+      </section>
     </section>
   </section>
 
@@ -940,6 +999,12 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
         to implement blacklisting by destination IP address.</para>
       </note>
+
+      <note>
+        <para>Beginning with Shorewall 4.4.26, you can use <ulink
+        url="manpages/shorewall-blrules.html">/etc/shorewall/blrules</ulink>
+        to implement arbitrary blacklist rules.</para>
+      </note>
     </section>
 
     <section id="faq84">

docs/IPSEC.xml

@@ -200,12 +200,12 @@ vpn          eth0:192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System A</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!10.0.0.0/8      192.168.1.0/24</programlisting>
 
       <para>/etc/shorewall/masq - System B</para>
 
-      <programlisting>#INTERFACE            SUBNET                ADDRESS
+      <programlisting>#INTERFACE            SOURCE                ADDRESS
 eth0:!192.168.1.0/24  10.0.0.0/8</programlisting>
     </blockquote>
 
@@ -425,8 +425,8 @@ ipsec       net        0.0.0.0/0       vpn1,vpn2,vpn3</programlisting>
     Shorewall will issue warnings to that effect. These warnings may be safely
     ignored. FreeS/Wan may now be configured to have three different Road
     Warrior connections with the choice of connection being based on X-509
-    certificates or some other means. Each of these connections will utilize
-    a different updown script that adds the remote station to the appropriate
+    certificates or some other means. Each of these connections will utilize a
+    different updown script that adds the remote station to the appropriate
     zone when the connection comes up and that deletes the remote station when
     the connection comes down. For example, when 134.28.54.2 connects for the
     vpn2 zone the <quote>up</quote> part of the script will issue the

docs/Shorewall-4.xml

@@ -147,16 +147,16 @@
   </section>
 
   <section>
-    <title>Shorewall 4.5</title>
+    <title>Shorewall 4.5/4.6</title>
 
-    <para>Shorewall 4.5 adds an additional <emphasis
+    <para>Shorewall 4.5 added an additional <emphasis
     role="bold">Shorewall-core</emphasis> package. This package contains the
     core Shorewall shell libraries that are required by the other
     packages.</para>
   </section>
 
   <section id="Prereqs">
-    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5
+    <title>Prerequisites for using the Shorewall Version 4.2/4.4/4.5/4.6
     Perl-based Compiler</title>
 
     <itemizedlist>

docs/XenMyWay-Routed.xml

@@ -624,7 +624,7 @@ $EXT_IF:192.168.99.1    192.168.98.1    192.168.1.98
 
 COMMENT Masquerade Local Network
 
-$EXT_IF                 $INT_IF 206.124.146.179
+$EXT_IF                 192.168.1.0/24  206.124.146.179
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/proxyarp</filename>:</para>

docs/support.xml

@@ -42,7 +42,7 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink> is 4.5.</para>
+        url="ReleaseModel.html">major release</ulink>s are 4.5 and 4.6.</para>
 
         <note>
           <para>Shorewall versions earlier than 4.5.0 are no longer supported;
@@ -60,7 +60,7 @@
 
       <listitem>
         <para>The <ulink url="FAQ.htm">FAQ</ulink> has solutions to more than
-        90 common problems.</para>
+        100 common problems.</para>
       </listitem>
 
       <listitem>