Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure.pl

@@ -100,7 +100,7 @@ if ( defined $vendor ) {
     } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
     } else {

Shorewall-core/install.sh

@@ -187,7 +187,7 @@ INSTALLD='-D'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)

Shorewall-lite/install.sh

@@ -195,7 +195,7 @@ T='-T'
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;

Shorewall/Macros/macro.ILO

@@ -0,0 +1,23 @@
+#
+# Shorewall version 4 - ILO Macro
+#
+# /usr/share/shorewall/macro.ILO
+#
+#	This macro handles console redirection with HP ILO 2+,
+#	Use this macro to open access to your ILO interface from management
+#	workstations.
+#
+###############################################################################
+?FORMAT 2
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	3002		# Raw serial data
+PARAM	-	-	tcp	9300		# Shared Remote Console
+PARAM	-	-	tcp	17988		# Virtual Media
+PARAM	-	-	tcp	17990		# Console Replay
+HTTP
+HTTPS
+RDP
+SSH
+Telnet						# Remote Console/Telnet

Shorewall/Macros/macro.IPMI

@@ -3,7 +3,10 @@
 #
 # /usr/share/shorewall/macro.IPMI
 #
-#	This macro handles IPMI console redirection with Dell and Supermicro.
+#	This macro handles IPMI console redirection with Asus (AMI),
+#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+#	Use this macro to open access to your IPMI interface from management
+#	workstations.
 #
 ###############################################################################
 ?FORMAT 2
@@ -11,7 +14,13 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	tcp	5900,5901	# Remote Console
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
+PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
+SNMP
+SSH						# Serial over Lan
+Telnet

Shorewall/Perl/Shorewall/Chains.pm

@@ -6723,20 +6723,25 @@ sub interface_mac( $$ ) {
 #
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
-sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $logical , $table ) = @_;
+sub get_interface_mac( $$$$ ) {
+    my ( $ipaddr, $logical , $table, $mac ) = @_;
 
     my $interface = get_physical( $logical );
     my $variable = interface_mac( $interface , $table );
 
     $global_variables |= NOT_RESTORE;
-
-    if ( interface_is_optional $logical ) {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+    
+    if ( $mac ) {
+	$interfacemacs{$table} = qq($variable=$mac);
     } else {
-	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
+	if ( interface_is_optional $logical ) {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
+	} else {
+	    $interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
 [ -n "\$$variable" ] || startup_error "Unable to determine the MAC address of $ipaddr through interface \\"$interface\\""
 );
+
+       }
     }
 
     "\$$variable";

Shorewall/Perl/Shorewall/Providers.pm

@@ -258,7 +258,7 @@ sub copy_and_edit_table( $$$$$ ) {
     emit '';
 
     if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
     } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -442,10 +442,11 @@ sub process_a_provider( $ ) {
 
     fatal_error 'INTERFACE must be specified' if $interface eq '-';
 
-    ( $interface, my $address ) = split /:/, $interface;
+    ( $interface, my $address ) = split /:/, $interface, 2;
 
     my $shared = 0;
     my $noautosrc = 0;
+    my $mac = '';
 
     if ( defined $address ) {
 	validate_address $address, 0;
@@ -469,7 +470,17 @@ sub process_a_provider( $ ) {
 	$gateway = get_interface_gateway $interface;
 	$gatewaycase = 'detect';
     } elsif ( $gateway && $gateway ne '-' ) {
+	( $gateway, $mac ) = split_host_list( $gateway, 0 );
 	validate_address $gateway, 0;
+
+	if ( defined $mac ) {
+	    $mac =~ tr/-/:/;
+	    $mac =~ s/^~//;
+	    fatal_error "Invalid MAC address ($mac)" unless $mac =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	} else {
+	    $mac = '';
+	}
+
 	$gatewaycase = 'specified';
     } else {
 	$gatewaycase = 'none';
@@ -644,6 +655,7 @@ sub process_a_provider( $ ) {
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
 			   address     => $address ,
+			   mac         => $mac ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
@@ -720,6 +732,7 @@ sub add_a_provider( $$ ) {
     my $loose       = $providerref->{loose};
     my $duplicate   = $providerref->{duplicate};
     my $address     = $providerref->{address};
+    my $mac         = $providerref->{mac};
     my $local       = $providerref->{local};
     my $tproxy      = $providerref->{tproxy};
     my $load        = $providerref->{load};
@@ -733,7 +746,7 @@ sub add_a_provider( $$ ) {
     my $realm = '';
 
     if ( $shared ) {
-	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
+	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table, $mac );
 	$realm = "realm $number";
 	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } elsif ( $pseudo ) {

Shorewall/Perl/Shorewall/Tc.pm

@@ -423,7 +423,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 		my $dscp = numeric_value( $params );
-		$dscp = $dscpmap{$1} unless defined $dscp;
+		$dscp = $dscpmap{$params} unless defined $dscp;
 		fatal_error( "Invalid DSCP ($params)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 		$target = 'DSCP --set-dscp ' . in_hex( $dscp );
 	    },
@@ -562,7 +562,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	RESTORE    => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -591,7 +591,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	SAVE       => {
 	    defaultchain   => 0,
-	    allowedchains  => PREROUTING | FORWARD | POSTROUTING,
+	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
 	    minparams      => 0,
 	    maxparams      => 1,
 	    function       => sub () {
@@ -1076,7 +1076,7 @@ sub process_mangle_rule( ) {
 	                 1 );
 	$headers = '-';
     } else {
-	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
 	    split_line2( 'tcrules file',
 			 { mark => 0,
 			   action => 0,

Shorewall/Samples/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/shorewall.conf

@@ -2,7 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for one-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Masq file for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 3.4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
-# Copyright (C) 2006 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall/Samples/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/masq

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Masq file for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
+# Copyright (C) 2006-2014,2007 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -2,8 +2,7 @@
 #
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
-# Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/Samples/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall/install.sh

@@ -205,7 +205,7 @@ done
 
 if [ -z "$BUILD" ]; then
     case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -399,7 +399,7 @@ fi
 #
 # Create /etc/$PRODUCT and other directories
 #
-mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

Shorewall/manpages/shorewall-providers.xml

@@ -129,11 +129,15 @@
 
       <varlistentry>
         <term><emphasis role="bold">GATEWAY</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>|<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>mac</emphasis>]|<emphasis
         role="bold">detect</emphasis>}</term>
 
         <listitem>
-          <para>The IP address of the provider's gateway router.</para>
+          <para>The IP address of the provider's gateway router. Beginning
+          with Shorewall 4.6.2, you may also specify the MAC address of the
+          gateway when there are multiple providers serviced through the same
+          interface. When the MAC is not specified, Shorewall will detect the
+          MAC during firewall start or restart.</para>
 
           <para>You can enter "detect" here and Shorewall will attempt to
           detect the gateway automatically.</para>

Shorewall/manpages/shorewall.xml

@@ -1805,7 +1805,7 @@
           Shorewall-configured firewall.</para>
 
           <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional interface to be
+          and causes the status of each optional or provider interface to be
           displayed.</para>
         </listitem>
       </varlistentry>

Shorewall6/Samples6/one-interface/README.txt

@@ -3,7 +3,7 @@ For instructions on using this sample configuration, please see
 http://www.shorewall.net/standalone.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/one-interface/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Rules File for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/one-interface/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for one-interface IPv6 configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/three-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/three-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Interfaces File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 Version 4 - Sample Policy File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for three-interface configuration.
-# Copyright (C) 2006,2007,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
-# Copyright (C) 2012 by the Shorewall Team
+# Copyright (C) 2012-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/three-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Zones File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/README.txt

@@ -3,7 +3,7 @@ For instructions on using these sample configurations, please see
 http://www.shorewall.net/two-interface.htm
 
     Shorewall Samples
-    Copyright (C) 2006 by the following authors:
+    Copyright (C) 2006-2014 by the following authors:
 	Thomas M. Eastep
 	Paul D. Gear
 	Cristian Rodriguez

Shorewall6/Samples6/two-interfaces/interfaces

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Interfaces File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/policy

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4 - Sample Policy File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/rules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Rules File for two-interface configuration.
-# Copyright (C) 2006-2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/stoppedrules

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012 by the Shorewall Team
+# Copyright (C) 2012-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/Samples6/two-interfaces/zones

@@ -1,6 +1,6 @@
 #
 # Shorewall6 version 4.0 - Sample Zones File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Copyright (C) 2006-2014 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public

Shorewall6/manpages/shorewall6.xml

@@ -1641,7 +1641,7 @@
           Shorewall6-configured firewall.</para>
 
           <para>The <option>-i </option>option was added in Shorewall 4.6.2
-          and causes the status of each optional interface to be
+          and causes the status of each optional or provider interface to be
           displayed.</para>
         </listitem>
       </varlistentry>

docs/Events.xml

@@ -701,5 +701,87 @@ ResetEvent(SSH,DROP:info)        </programlisting>
 #                                                         PORT(S)
 Knock                 net            $FW       tcp        22,1599-1601          </programlisting>
     </section>
+
+    <section id="Stateful">
+      <title>Stateful Port Knocking (knock with a sequence of ports)</title>
+
+      <para>Gerhard Wiesinger has contributed a Perl module that allows you to
+      define portknocking sequences. Download <ulink
+      url="pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm">the
+      module</ulink> and copy it into your site_perl directory.</para>
+
+      <para>Using Gerhard's module, a port-knocking rule is defined via a
+      '?PERL' statement. This example opens the SSH port from net-&gt;fw using
+      the knock sequence 52245, 15623, 19845:</para>
+
+      <programlisting>?BEGIN PERL
+use KnockEnhanced;
+KnockEnhanced 'net', '$FW', {name =&gt; 'SSH1', log_level =&gt; 3, proto =&gt; 'tcp', target =&gt; 'ssh', knocker =&gt; [52245,15623,19845]};
+?END PERL</programlisting>
+
+      <para>A few notes on the parameters:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>The first parameter is the rule SOURCE</para>
+        </listitem>
+
+        <listitem>
+          <para>The second parameter is the rule DEST</para>
+        </listitem>
+
+        <listitem>
+          <para>The third parameter is a Perl hash reference that defines the
+          remaining parameters. Each parameter is specified via
+          <replaceable>param</replaceable> =&gt;
+          <replaceable>value</replaceable>.</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><emphasis role="bold">proto</emphasis> is the protocol --
+              if not specified, the default is tcp</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">seconds</emphasis> is the timeout
+              between successive events -- default is 60 seconds.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">original_dest</emphasis> is the rule
+              ORIGINAL DEST</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">target</emphasis> is the port(s)
+              that you are trying to open. May either be a single name or
+              number, or it may be a list of names and/or numbers separated by
+              commas and enclosed in square brackets ("[...]").</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">name</emphasis> is a name used as
+              the base for event and chain names. If not supplied, the first
+              <emphasis role="bold">target</emphasis> is used, in which case
+              the first target must be a port name.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">log_level </emphasis>specifies
+              logging for the generated rules</para>
+            </listitem>
+          </itemizedlist>
+
+          <note>
+            <para>Port names and numbers may be optionally followed by a colon
+            (":") and a protocol name or number to override the specified
+            protocol.</para>
+          </note>
+        </listitem>
+      </itemizedlist>
+
+      <para>The module itself contains additional examples of its
+      usage.</para>
+    </section>
   </section>
 </article>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2013</year>
+      <year>2001-2014</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -2304,6 +2304,15 @@ gateway:~# </programlisting>
         </listitem>
       </orderedlist>
     </section>
+
+    <section id="faq103">
+      <title>(FAQ 103) Shorewall fails to start at boot but will start
+      immediately after</title>
+
+      <para>Answer: This is usually associated with SELinux. <ulink
+      url="https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html">Here</ulink>
+      is an example.</para>
+    </section>
   </section>
 
   <section id="MultiISP">

docs/MultiISP.xml

@@ -750,8 +750,10 @@ eth1             0.0.0.0/0            130.252.99.27</programlisting>
       <title>Martians</title>
 
       <para>One problem that often arises with Multi-ISP configuration is
-      'Martians'. If your Internet interfaces are configured with the
-      <emphasis role="bold">routefilter</emphasis> option in
+      'Martians'. If you set ROUTE_FILTER=Yes in
+      <filename>/etc/shorewall/shorewall.conf</filename> or if your Internet
+      interfaces are configured with the <emphasis
+      role="bold">routefilter</emphasis> option in
       <filename>/etc/shorewall/interfaces</filename> (remember that if you set
       that option, you should also select <emphasis
       role="bold">logmartians</emphasis>), then things may not work correctly
@@ -810,6 +812,18 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
 
       <para>Be sure the above rule is added before any other rules with
       <emphasis>net</emphasis> in the SOURCE column.</para>
+
+      <important>
+        <para>If you set ROUTE_FILTER=Yes in
+        <filename>/etc/shorewall/shorewall.conf</filename>, then setting
+        <emphasis role="bold">routefilter</emphasis>=0 in <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+        (5) will not disable route filtering on a given interface. You must
+        set ROUTE_FILTER=No in <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+        (5), then set the <emphasis role="bold">routefilter</emphasis> option
+        on those interfaces on which you want route filtering.</para>
+      </important>
     </section>
 
     <section id="Example1">

docs/traffic_shaping.xml

@@ -818,7 +818,7 @@ ppp0           6000kbit         500kbit</programlisting>
               SFQ. See tc-fq_codel (8) for additional information.</para>
 
               <para>See <ulink
-              url="manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>
+              url="manpages/shorewall-tcclasses.html">shorewall-tcclasses</ulink>
               (5) for a description of the allowable
               <replaceable>codloptions</replaceable>.</para>
             </listitem>