Add $remote_fs to Required-start and Required-stop for Debian

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.7
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,7 +100,15 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Config.pm

@@ -337,7 +337,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.7",
+		    VERSION => "4.4.7.4",
 		    CAPVERSION => 40407 ,
 		  );
 
@@ -2394,7 +2394,9 @@ sub determine_capabilities() {
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
 	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
   
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
+    if ( $config{ LOAD_HELPERS_ONLY } ) {
+	$capabilities{FLOW_FILTER} = undef;
+    } else {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
 	# functions but it ensures that %detect_capability is initialized properly.
@@ -2468,6 +2470,7 @@ sub determine_capabilities() {
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
+	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
 
 
 	qt1( "$iptables -F $sillyname" );

Shorewall/Perl/Shorewall/Rules.pm

@@ -1182,13 +1182,25 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     # Generate Fixed part of the rule
     #
-    $rule = join( '', 
-		  do_proto($proto, $ports, $sports),
-		  do_ratelimit( $ratelimit, $basictarget ) ,
-		  do_user( $user ) ,
-		  do_test( $mark , $globals{TC_MASK} ) ,
-		  do_connlimit( $connlimit ),
-		  do_time( $time ) );
+    if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
+	#
+	# Don't apply rate limiting twice
+	#
+	$rule = join( '', 
+		      do_proto($proto, $ports, $sports),
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) );
+    } else {
+	$rule = join( '', 
+		      do_proto($proto, $ports, $sports),
+		      do_ratelimit( $ratelimit, $basictarget ) ,
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) );
+    }
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};

Shorewall/changelog.txt

@@ -1,3 +1,21 @@
+Changes in Shorewall 4.4.7.4
+
+1)  Add $remote_fs to Required-start and Required-stop for Debian.
+
+Changes in Shorewall 4.4.7.3
+
+1)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=Yes
+
+Changes in Shorewall 4.4.7.2
+
+1)  Fix detection of "Old hashlimit match".
+
+2)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=No
+
+Changes in Shorewall 4.4.7.1
+
+1)  Don't apply rate limiting twice in NAT rules.
+
 Changes in Shorewall 4.4.7
 
 1)  Backport optimization changes from 4.5.

Shorewall/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,24 @@
-There are no known problems in Shorewall 4.4.7.
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+    Corrected in 4.4.7.1
+
+2)  Detection of the 'Old hashlimit match' capability was broken in
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    shorecap. This problem only affects users of older distributions
+    such as RHEL5 and derivatives.
+
+    Corrected in 4.4.7.2
+
+3)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+    Corrected in 4.4.7.2
+
+4)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+    Corrected in 4.4.7.3

Shorewall/lib.base

@@ -956,7 +956,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
     fi	
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.7
+Shorewall 4.4.7 Patch Release 4.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -184,7 +184,41 @@ Shorewall 4.4.7
     one from the release (not recommended).
 
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 4
+----------------------------------------------------------------------------
+1)  The Debian init scripts are modified to include $remote_fs in the 
+    Required-start and Required-stop specifications.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 3
+----------------------------------------------------------------------------
+
+1)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of the 'Old hashlimit match' capability was broken in
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    shorecap.
+
+2)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+ 
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 1
+----------------------------------------------------------------------------
+
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------
 
 1)  The tcinterfaces and tcpri files are now installed by the

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.7
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -107,7 +107,15 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall6-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.7
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,7 +91,15 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall6/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall6
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.7
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -96,7 +96,15 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.4
 
 usage() # $1 = exit status
 {

docs/configuration_file_basics.xml

@@ -1140,9 +1140,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     '!' to specify "All ports except these" (e.g., "!80,443").</para>
 
     <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
-    file may specify no more than 15 ports; port ranges appearing in a list
-    count as two ports each.</para>
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
   </section>
 
   <section id="MAC">
@@ -1186,6 +1186,32 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     </note>
   </section>
 
+  <section id="RateLimit">
+    <title>Rate Limiting (Rate and Burst)</title>
+
+    <para>Shorewall supports rate limiting in a number of ways. When
+    specifying a rate limit, both a <firstterm>rate</firstterm> and a
+    <firstterm>burst</firstterm> value are given.</para>
+
+    <para>Example from <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5): </para>
+
+    <simplelist>
+      <member>LOGRATE=10/minute</member>
+
+      <member>LOGBURST=5</member>
+    </simplelist>
+
+    <para> For each logging rule, the first time the rule is reached, the
+    packet will be logged; in fact, since the burst is 5, the first five
+    packets will be logged. After this, it will be 6 seconds (1 minute divided
+    by the rate of 10) before a message will be logged from the rule,
+    regardless of how many packets reach it. Also, every 6 seconds which
+    passes without matching a packet, one of the bursts will be regained; if
+    no packets hit the rule for 30 seconds, the burst will be fully recharged;
+    back where we started.</para>
+  </section>
+
   <section id="Logical">
     <title>Logical Interface Names</title>