Correct release notes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.7
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,7 +100,17 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -262,6 +262,7 @@ our $chainseq;
 our $idiotcount;
 our $idiotcount1;
 our $warningcount;
+our $hashlimitset;
 
 our $global_variables;
 
@@ -373,6 +374,7 @@ sub initialize( $ ) {
     $idiotcount         = 0;
     $idiotcount1        = 0;
     $warningcount       = 0;
+    $hashlimitset       = 0;
     #
     # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
     #
@@ -2026,20 +2028,36 @@ sub do_ratelimit( $$ ) {
 
 	my $limit = "-m hashlimit ";
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	my $units;
 
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall';
+	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
+	    $units = $5;
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
 	    $limit .= "--$match $3 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall';
+	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
+	    $units = $5;
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}
 
 	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+	if ( $units && $units ne 'sec' ) {
+	    my $expire = 60000; # 1 minute in milliseconds
+
+	    if ( $units ne 'min' ) {
+		$expire *= 60; #At least an hour
+		$expire *= 24 if $units eq 'day';
+	    }
+
+	    $limit .= "--hashlimit-htable-expire $expire ";
+	} 
+
+	$limit;
     } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	"-m limit --limit $1 --limit-burst $4 ";
     } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
@@ -3256,7 +3274,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 
 		    if ( $loglevel ne '' ) {
 			if ( $disposition ne 'LOG' ) {
-			    unless ( $logname ) {
+			    unless ( $logname || $target =~ /-j RETURN\b/ ) {
 				#
 				# Find/Create a chain that both logs and applies the target action
 				# and jump to the log chain if all of the rule's conditions are met
@@ -3270,7 +3288,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				log_rule_limit(
 					       $loglevel ,
 					       $chainref ,
-					       $logname ,
+					       $logname || $chain,
 					       $disposition ,
 					       '',
 					       $logtag,

Shorewall/Perl/Shorewall/Config.pm

@@ -337,7 +337,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.7",
+		    VERSION => "4.4.7.5",
 		    CAPVERSION => 40407 ,
 		  );
 
@@ -2394,7 +2394,9 @@ sub determine_capabilities() {
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
 	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
   
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
+    if ( $config{ LOAD_HELPERS_ONLY } ) {
+	$capabilities{FLOW_FILTER} = undef;
+    } else {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
 	# functions but it ensures that %detect_capability is initialized properly.
@@ -2468,6 +2470,7 @@ sub determine_capabilities() {
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
+	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
 
 
 	qt1( "$iptables -F $sillyname" );

Shorewall/Perl/Shorewall/Rules.pm

@@ -1182,6 +1182,17 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     # Generate Fixed part of the rule
     #
+    if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
+	#
+	# Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice
+	#
+	$rule = join( '', 
+		      do_proto($proto, $ports, $sports),
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) );
+    } else {
 	$rule = join( '', 
 		      do_proto($proto, $ports, $sports),
 		      do_ratelimit( $ratelimit, $basictarget ) ,
@@ -1189,6 +1200,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) );
+    }
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};

Shorewall/Perl/Shorewall/Tc.pm

@@ -132,7 +132,6 @@ our $devnum;
 our $sticky;
 our $ipp2p;
 
-
 #
 # TCClasses Table
 #
@@ -514,7 +513,7 @@ sub process_simple_device() {
 
     while ( ++$i <= 3 ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
@@ -1198,6 +1197,9 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
+    my $sfq = $devnum;
+    my $sfqinhex;
+
     $devnum = $devnum > 10 ? 10 : 1;
 
     $fn = open_file 'tcclasses';
@@ -1334,7 +1336,10 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+	    $sfqinhex = in_hexp( ++$sfq);
+	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+	}
 	#
 	# add filters
 	#
@@ -1344,7 +1349,7 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#

Shorewall/changelog.txt

@@ -1,3 +1,29 @@
+Changes in Shorewall 4.4.7.5
+
+1)  Don't create a logging chain for rules with '-j RETURN'.
+
+2)  Avoid duplicate SFQ class numbers.
+
+3)  Fix low per-IP rate limits.
+
+Changes in Shorewall 4.4.7.4
+
+1)  Add $remote_fs to Required-start and Required-stop for Debian.
+
+Changes in Shorewall 4.4.7.3
+
+1)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=Yes
+
+Changes in Shorewall 4.4.7.2
+
+1)  Fix detection of "Old hashlimit match".
+
+2)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=No
+
+Changes in Shorewall 4.4.7.1
+
+1)  Don't apply rate limiting twice in NAT rules.
+
 Changes in Shorewall 4.4.7
 
 1)  Backport optimization changes from 4.5.

Shorewall/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,66 @@
-There are no known problems in Shorewall 4.4.7.
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+    Corrected in 4.4.7.1
+
+2)  Detection of the 'Old hashlimit match' capability was broken in
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    shorecap. This problem only affects users of older distributions
+    such as RHEL5 and derivatives.
+
+    Corrected in 4.4.7.2
+
+3)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+    Corrected in 4.4.7.2
+
+4)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+    Corrected in 4.4.7.3
+
+5)  A CONTINUE rule specifying a log level will cause the compiler to
+    generate an incorrect rule sequence. The packet will be logged but
+    the CONTINUE action will not occur.
+
+    To work around the problem break the rule into two rules; a logging
+    rule and a CONTINUE rule.
+
+    Corrected in 4.4.7.5.
+
+6)  If multiple entries are present in /etc/shorewall/tcdevices and
+    globally unique class numbers are not explicitly specified in
+    /etc/shorewall/tcclasses, then 'shorewall start' will fail with a
+    diagnostic such as:
+
+    Setting up Traffic Control...
+    RTNETLINK answers: File exists
+      ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
+             1500 limit 127 perturb 10" Failed
+    Processing /etc/shorewall/stop ...
+
+    Corrected in 4.4.7.5.
+
+7)  If a low per-IP rate limit (such as 1/hour) is specified, the
+    effective enforced rate is much higher (approximately 6/min). The
+    Shorewall compiler now configures the hashlimit table idle timeout
+    based on the rate units (min, hour, ...) so that the rate is more
+    accurately enforced.
+
+    Corrected in 4.4.7.5.
+
+    As part of this change, a unique hash table name is assigned to
+    each per-IP rate limiting rule that does not specify a table name
+    in the rule. The assigned names are of the form 'shorewallN' where
+    N is an integer. Previously, all such rules shared a single
+    'shorewall' table which lead to unexpected results.
+
+8)  All prior versions of Shorewall-perl mishandle per-IP rate limiting
+    in REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst
+    are 1/2 of the values given in the rule.
+
+    Corrected in 4.4.7.5.

Shorewall/lib.base

@@ -956,7 +956,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
     fi	
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.7
+Shorewall 4.4.7 Patch Release 5.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -183,6 +183,77 @@ Shorewall 4.4.7
     unless you choose to replace your current shorewall.conf with the
     one from the release (not recommended).
 
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 5
+----------------------------------------------------------------------------
+
+1)  A CONTINUE rule specifying a log level would cause the compiler to 
+    generate an incorrect rule sequence. The packet would be logged
+    but the CONTINUE action would not occur.
+
+2)  If multiple entries were present in /etc/shorewall/tcdevices and
+    globally unique class numbers were not explicitly specified in
+    /etc/shorewall/tcclasses, then 'shorewall start' would fail with a
+    diagnostic such as:
+
+    Setting up Traffic Control...
+    RTNETLINK answers: File exists
+      ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
+             1500 limit 127 perturb 10" Failed
+    Processing /etc/shorewall/stop ...
+
+3)  Previously, when a low per-IP rate limit (such as 1/hour) was
+    specified, the effective enforced rate was much higher
+    (approximately 6/min). The Shorewall compiler now configures the
+    hashlimit table idle timeout based on the rate units (min, hour,
+    ...) so that the rate is more accurately enforced.
+
+    As part of this change, a unique hashlimit table name is assigned
+    to each per-IP rate limiting rule that does not specify a table name
+    in the rule. The assigned names are of the form 'shorewallN' where
+    N is an integer. Previously, all such rules shared a single
+    'shorewall' table which lead to unexpected results.
+
+4)  All prior versions of Shorewall-perl mishandle per-IP rate limiting
+    ACCEPT+ rules. The effective rate and burst are 1/2 of the values
+    given in the rule. This problem has been corrected so that the
+    specified rate is now the effective rate.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 4
+----------------------------------------------------------------------------
+
+1)  The Debian init scripts are modified to include $remote_fs in the 
+    Required-start and Required-stop specifications.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 3
+----------------------------------------------------------------------------
+
+1)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of the 'Old hashlimit match' capability was broken in
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    shorecap.
+
+2)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+ 
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 1
+----------------------------------------------------------------------------
+
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
 ----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.7
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -107,7 +107,17 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall6-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.7
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,7 +91,17 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall6/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall6
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.7
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -96,7 +96,17 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.5
 
 usage() # $1 = exit status
 {

docs/configuration_file_basics.xml

@@ -1140,9 +1140,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     '!' to specify "All ports except these" (e.g., "!80,443").</para>
 
     <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
-    file may specify no more than 15 ports; port ranges appearing in a list
-    count as two ports each.</para>
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
   </section>
 
   <section id="MAC">
@@ -1186,6 +1186,32 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     </note>
   </section>
 
+  <section id="RateLimit">
+    <title>Rate Limiting (Rate and Burst)</title>
+
+    <para>Shorewall supports rate limiting in a number of ways. When
+    specifying a rate limit, both a <firstterm>rate</firstterm> and a
+    <firstterm>burst</firstterm> value are given.</para>
+
+    <para>Example from <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5): </para>
+
+    <simplelist>
+      <member>LOGRATE=10/minute</member>
+
+      <member>LOGBURST=5</member>
+    </simplelist>
+
+    <para> For each logging rule, the first time the rule is reached, the
+    packet will be logged; in fact, since the burst is 5, the first five
+    packets will be logged. After this, it will be 6 seconds (1 minute divided
+    by the rate of 10) before a message will be logged from the rule,
+    regardless of how many packets reach it. Also, every 6 seconds which
+    passes without matching a packet, one of the bursts will be regained; if
+    no packets hit the rule for 30 seconds, the burst will be fully recharged;
+    back where we started.</para>
+  </section>
+
   <section id="Logical">
     <title>Logical Interface Names</title>
 

manpages/shorewall-rules.xml

@@ -891,10 +891,10 @@
           respectively. The <replaceable>name</replaceable> may be chosen by
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
-          rule specifies the same name, the connections counts for the rules
-          are aggregated and the individual rates apply to the aggregated
-          count.</para>
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
+          assumed. Where more than one rule specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>
 
           <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
         </listitem>

manpages6/shorewall6-rules.xml

@@ -692,10 +692,10 @@
           respectively. The <replaceable>name</replaceable> may be chosen by
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the rules
-          are aggregated and the individual rates apply to the aggregated
-          count.</para>
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
+          assumed. Where more than one POLICY specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>
         </listitem>
       </varlistentry>