Merge branch '4.4.8' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.8

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {
@@ -329,34 +329,37 @@ if [ -z "$PREFIX" ]; then
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$PREFIX" -a -n "$first_install" ]; then
-    if [ -n "$DEBIAN" ]; then
-	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-	ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	echo "Shorewall Lite will start automatically at boot"
-	touch /var/log/shorewall-init.log
-    else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-	    if insserv /etc/init.d/shorewall-lite ; then
-		echo "Shorewall Lite will start automatically at boot"
-	    else
+if [ -z "$PREFIX" ]; then
+    touch /var/log/shorewall-lite-init.log
+
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	    echo "Shorewall Lite will start automatically at boot"
+	else
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+		if chkconfig --add shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-lite
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/rc-update ]; then
+		if rc-update add shorewall-lite default; then
+		    echo "Shorewall Lite will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
-	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	    if chkconfig --add shorewall-lite ; then
-		echo "Shorewall Lite will start automatically in run levels as follows:"
-		chkconfig --list shorewall-lite
-	    else
-		cant_autostart
-	    fi
-	elif [ -x /sbin/rc-update ]; then
-	    if rc-update add shorewall-lite default; then
-		echo "Shorewall Lite will start automatically at boot"
-	    else
-		cant_autostart
-	    fi
-	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-	    cant_autostart
 	fi
     fi
 fi

Shorewall-lite/logrotate

@@ -1,4 +1,4 @@
-/var/log/shorewall-init.log {
+/var/log/shorewall-lite-init.log {
   missingok
   notifempty
   create 0600 root root

Shorewall-lite/shorewall-lite.conf

@@ -4,12 +4,11 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall-lite
-#
-#  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#  For information about the settings in this file, type
+#  "man shorewall-lite.conf"
 #
+#  Manpage also online at
+#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.8
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -101,6 +101,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Apr 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-4
+* Mon Apr 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-3
+* Wed Apr 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-2
+* Thu Mar 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -674,22 +674,34 @@ sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
 
     if ( $chain1->{referenced} ) {
-	my $name  = $chain1->{name};
-	my $rules = $chain2->{rules};
-	my $count = @{$chain1->{rules}};
+	my $name1    = $chain1->{name};
+	my $name2    = $chain2->{name};
+	my $rules    = $chain2->{rules};
+	my $count    = @{$chain1->{rules}};
+	my $tableref = $chain_table{$chain1->{table}}; 
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
-	$name =~ s/\+/\\+/;
+	$name1 =~ s/\+/\\+/;
 
-	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @{$chain1->{rules}};
+	for ( @{$chain1->{rules}} ) {
+	    if ( s/\-([AI]) $name1 /-$1 $name2 / ) {
+		if ( / -[jg] ([^\s]+)\b/ ) {
+		    my $toref =  $tableref->{$1};
+		    if ( $toref && ! $toref->{builtin} ) {
+			delete $toref->{references}{$name1} unless --$toref->{references}{$name1} > 0;
+			$toref->{references}{$name2}++;
+		    }
+		}
+	    }
+	}	    
 
-	splice @{$rules}, 0, 0, @{$chain1->{rules}};
+	unshift @{$rules}, @{$chain1->{rules}};
 	#
 	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 	# This hack avoids that.
 	#
-	shift @{$rules} if @{$rules} > 1 && $rules->[0] eq $rules->[1];
+	shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
 
 	$chain2->{referenced} = 1;
 	$chain1->{referenced} = 0;
@@ -1322,7 +1334,7 @@ sub optimize_chain( $ ) {
 
 	pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT\b/;
 
-	if ( @${rules} ) {
+	if ( @${rules} || $chainref->{dont_delete} ) {
 	    add_rule $chainref, '-j ACCEPT';
 	    progress_message "  $count ACCEPT rules deleted from policy chain $chainref->{name}" if $count;
 	} else {
@@ -1374,6 +1386,9 @@ sub replace_references( $$ ) {
     my ( $chainref, $target ) = @_;
     my $table    = $chainref->{table};
     my $count    = 0;
+    my $name     = $chainref->{name};
+
+    $name =~ s/\+/\\+/;
 
     if ( defined $chain_table{$table}{$target}  && ! $chain_table{$table}{$target}{builtin} ) {
 	#
@@ -1381,7 +1396,12 @@ sub replace_references( $$ ) {
 	#
 	for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
 	    if ( $fromref->{referenced} ) {
-		defined && s/ -([jg]) $chainref->{name}(\b)/ -$1 ${target}$2/ && $count++ for @{$fromref->{rules}};
+		for ( @{$fromref->{rules}} ) {
+		    if ( defined && s/ -([jg]) $name(\b)/ -$1 ${target}$2/ ) {
+			add_reference( $fromref, $chain_table{$table}{$target} );
+			$count++;
+		    }
+		}
 	    }
 	}
     } else {
@@ -1390,7 +1410,7 @@ sub replace_references( $$ ) {
 	#
 	for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
 	    if ( $fromref->{referenced} ) {
-		defined && s/ -[jg] $chainref->{name}(\b)/ -j ${target}$1/ && $count++ for @{$fromref->{rules}};
+		defined && s/ -[jg] $name(\b)/ -j ${target}$1/ && $count++ for @{$fromref->{rules}};
 	    }
 	}
     }
@@ -1408,6 +1428,9 @@ sub replace_references1( $$$ ) {
     my ( $chainref, $target, $matches ) = @_;
     my $table    = $chainref->{table};
     my $count    = 0;
+    my $name     = $chainref->{name};
+
+    $name =~ s/\+/\\+/;
     #
     # Note: If $matches is non-empty, then it begins with white space
     #
@@ -1417,13 +1440,18 @@ sub replace_references1( $$$ ) {
 	#
 	for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
 	    if ( $fromref->{referenced} ) {
+		my $fromname = $fromref->{name};
+		
+		$fromname =~ s/\+/\\+/;
+		
 		for ( @{$fromref->{rules}} ) {
-		    if ( defined && /^-A $fromref->{name} .*-[jg] $chainref->{name}\b/ ) {
+		    if ( defined && /^-A $fromname .*-[jg] $name\b/ ) {
 			#
 			# Prevent multiple '-p' matches
 			#
 			s/ -p [^ ]+ / /	if / -p / && $matches =~ / -p /;
-			s/\s+-([jg]) $chainref->{name}(\b)/$matches -$1 ${target}$2/;
+			s/\s+-([jg]) $name(\b)/$matches -$1 ${target}$2/;
+			add_reference( $fromref, $chain_table{$table}{$target} );
 			$count++;
 		    }
 		}
@@ -1435,13 +1463,17 @@ sub replace_references1( $$$ ) {
 	#
 	for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
 	    if ( $fromref->{referenced} ) {
+		my $fromname = $fromref->{name};
+		
+		$fromname =~ s/\+/\\+/;
+		
 		for ( @{$fromref->{rules}} ) {
-		    if ( defined && /^-A $fromref->{name} .*-[jg] $chainref->{name}\b/ ) {
+		    if ( defined && /^-A $fromname .*-[jg] $name\b/ ) {
 			#
 			# Prevent multiple '-p' matches
 			#
 			s/ -p [^ ]+ / /	if / -p / && $matches =~ / -p /;
-			s/\s+-[jg] $chainref->{name}(\b)/$matches -j ${target}$1/;
+			s/\s+-[jg] $name(\b)/$matches -j ${target}$1/;
 			$count++;
 		    }
 		}
@@ -1569,7 +1601,11 @@ sub optimize_ruleset() {
 			#
 			# Chain has a single non-nil rule which is in $firstrule
 			#
-			if ( $firstrule =~ /^-A $chainref->{name} -[jg] (.*)$/ ) {
+			my $name = $chainref->{name};
+
+			$name =~ s/\+/\\+/;
+
+			if ( $firstrule =~ /^-A $name -[jg] (.*)$/ ) {
 			    #
 			    # Easy case -- the rule is a simple jump
 			    #
@@ -1596,7 +1632,7 @@ sub optimize_ruleset() {
 				replace_references $chainref, $1;
 				$progress = 1;
 			    }
-			} elsif ( $firstrule =~ /-A $chainref->{name}( +.+) -[jg] (.*)$/ ) {
+			} elsif ( $firstrule =~ /-A $name( +.+) -[jg] (.*)$/ ) {
 			    #
 			    # Not so easy -- the rule contains matches
 			    #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -823,7 +823,7 @@ sub compiler {
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} > 0 && $config{OPTIMIZE} & 6 ) {
+	if ( $config{OPTIMIZE} & 6 ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains

Shorewall/Perl/Shorewall/Config.pm

@@ -338,7 +338,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.8",
+		    VERSION => "4.4.8.4",
 		    CAPVERSION => 40408 ,
 		  );
 
@@ -3050,7 +3050,8 @@ sub get_configuration( $ ) {
 #
 sub propagateconfig() {
     for my $option ( @propagateconfig ) {
-	my $value = $config{$option} || '';
+	my $value = $config{$option};
+	$value = '' unless defined $value;
 	emit "$option=\"$value\"";
     }
 }

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -118,6 +118,7 @@ sub setup_proxy_arp() {
 		}
 
 		$interface = get_physical $interface;
+		$external  = get_physical $external;
 
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};

Shorewall/Perl/Shorewall/Rules.pm

@@ -223,9 +223,12 @@ sub setup_blacklist() {
     my $chainref;
     my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
     my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
-
+    #
+    # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
+    # for 'refresh' to work properly.
+    #
     if ( @$hosts ) {
-	$chainref = new_standard_chain 'blacklst';
+	$chainref = dont_delete new_standard_chain 'blacklst';
 
 	if ( defined $level && $level ne '' ) {
 	    my $logchainref = new_standard_chain 'blacklog';

Shorewall/Perl/Shorewall/Tc.pm

@@ -1374,7 +1374,7 @@ sub setup_tc() {
 		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
 		#
 		for my $interface ( @routemarked_interfaces ) {
-		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
 		}
 	    }
 	}

Shorewall/Perl/Shorewall/Zones.pm

@@ -76,7 +76,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';
 
 #
 # IPSEC Option types
@@ -926,7 +926,7 @@ sub process_interface( $ ) {
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $options{routeback} = 1;
+	    $hostoptions{routeback} = $options{routeback} = 1;
 	}
 
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};

Shorewall/Perl/prog.footer

@@ -71,11 +71,11 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSITY=$(($VERBOSITY + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSITY=$(($VERBOSITY - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
@@ -260,7 +260,7 @@ case "$COMMAND" in
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHORWEALL_VERSION Status at $(hostname) - $(date)"
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
 	if shorewall_is_started; then
 	    echo "$g_product is running"

Shorewall/Perl/prog.footer6

@@ -71,11 +71,11 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSITY=$(($VERBOSITY + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSITY=$(($VERBOSITY - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)

Shorewall/changelog.txt

@@ -1,3 +1,34 @@
+Changes in Shorewall 4.4.8.4
+
+1)  Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
+
+2)  Set IP before sourcing the params file.
+
+Changes in Shorewall 4.4.8.3
+
+1)  Make wildcard interfaces play well with optimize 4.
+
+2)  Fix another add_rule() that should have been an add_jump().
+
+3)  Fix install scripts.
+
+Changes in Shorewall 4.4.8.2
+
+1)  Fix OPTIMIZE 4 bug.
+
+2)  Rationalize startup logs.
+
+3)  Do proper accounting in move_rules().
+
+Changes in Shorewall 4.4.8.1
+
+1)  Correct handling of a logical interface name in the EXTERNAL column
+    of proxyarp.
+
+2)  Fix find_first_interface_address() error reporting.
+
+3)  Fix propagation of zero-valued config variables.
+
 Changes in Shorewall 4.4.8
 
 1)  Correct handling of RATE LIMIT on NAT rules.
@@ -35,6 +66,8 @@ Changes in Shorewall 4.4.8
 
 17) Issue warnings when 'blacklist' but no blacklist file entries.
 
+18) Don't optimize 'blacklst'.
+
 Changes in Shorewall 4.4.7
 
 1)  Backport optimization changes from 4.5.

Shorewall/configfiles/shorewall.conf

@@ -1,19 +1,10 @@
 ###############################################################################
-#  /etc/shorewall/shorewall.conf Version 4 - Change the following variables to
-#  match your setup
 #
-#  This program is under GPL
-#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall
-#
-#  (c) 1999,2000,2001,2002,2003,2004,2005,
-#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Additional information is available at 
-#  http://www.shorewall.net/Documentation.htm#Conf
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {
@@ -264,6 +264,7 @@ fi
 run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
 
 perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
+perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall-lite-init.log|;' ${PREFIX}/usr/share/shorewall/configfiles/shorewall.conf
 
 if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
    run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${PREFIX}/etc/shorewall/shorewall.conf
@@ -272,7 +273,7 @@ if [ ! -f ${PREFIX}/etc/shorewall/shorewall.conf ]; then
        #
        # Make a Debian-like shorewall.conf
        #
-       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${PREFIX}/etc/shorewall.conf
+       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${PREFIX}/etc/shorewall/shorewall.conf
    fi
 
    echo "Config file installed as ${PREFIX}/etc/shorewall/shorewall.conf"

Shorewall/known_problems.txt

@@ -1 +1,84 @@
-There are no known problems in Shorewall 4.4.8
+Known problems in Shorewall 4.4.8
+
+1)  Logical interface names in the EXTERNAL column of
+    /etc/shorewall/proxyarp were previously not mapped to their
+    corresponding physical interface names. This could cause 'start' or
+    'restart' to fail.
+
+    Corrected in Shorewall 4.4.8.1
+
+2)  If find_first_interface_address() cannot determine the address of
+    the passed interface, the following message is issued and the
+    process continues:
+
+    	    /usr/share/shorewall/lib.common: line 438:
+                startup_error: command not found
+
+    Corrected in Shorewall 4.4.8.1
+
+3)  If LOG_VERBOSITY=0 in shorewall.conf, then when the compiled script
+    is executed, messages such as the following will be issued:
+
+       /var/lib/shorewall6/.restart: line 65: [: -gt: unary operator
+                                              expected
+
+    Corrected in Shorewall 4.4.8.1
+
+4)  With optimize 4, if an unnecessary NONAT rule is included in
+    /etc/shorewall/rules, 'shorewall start' and/or 'shorewall restart'
+    can fail with invalid iptables-restore input.
+
+    Corrected in Shorewall 4.4.8.2
+
+5)  The -lite products are inconsistent in how they referred to their
+    startup log. Some references included '-lite' where some did
+    not. This was particularly bad in the case of the Shorewall-lite
+    logrotate file which duplicated the name used by the Shorewall
+    package. This inconsistency could cause logrotate to fail if both
+    packages were installed.
+
+    Corrected in Shorewall 4.4.8.2
+
+6)  Wildcard interface names (those ending in '+') can result in
+    iptables-restore failure with optimize 4.
+
+    Corrected in Shorewall 4.4.8.3
+
+7)  Invalid iptables-restore input involving the 'tcpre'
+    mangle chain is possible with optimize 4.
+
+    Corrected in Shorewall 4.4.8.3
+
+8)  A couple of fixes to the 4.4.8.2 change for startup log naming are
+    included. The main symptom occurred on Debian systems where perl
+    reported that /etc/shorewall.conf did not exist.
+
+    Corrected in Shorewall 4.4.8.3
+
+9)  If OPTIMIZE 2 and there are no OUTPUT rules and the only effective
+    output policy is $FW->all ACCEPT, then the OUTPUT chain is empty
+    and no packets can be sent.
+
+    Corrected in Shorewall 4.4.8.4
+
+10) If find_first_interface_address() is called in the params file, a
+    startup error occurs.
+
+    Workaround 1:
+
+    Surround the code that calls find_first_interface_address() with:
+
+    if [ -n "$IP" ]; then
+    
+	<code that calls find_first_interface_address()>
+
+    fi
+
+    Workaround 2:
+
+    At the top of /etc/shorewall/params, place this line:
+
+    [ -n "${IP:=$(which ip)" ]
+
+    Corrected in Shorewall 4.4.8.4
+

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                       S H O R E W A L L  4 . 4 . 8
+                      S H O R E W A L L  4 . 4 . 8 . 4
 ----------------------------------------------------------------------------
 
 I.    RELEASE 4.4 HIGHLIGHTS
@@ -217,6 +217,62 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
+4.4.8.4
+
+1)  If OPTIMIZE 2 and there were no OUTPUT rules and the only effective
+    output policy was $FW->all ACCEPT, then the OUTPUT chain was empty
+    and no packets could be sent.
+
+2)  If find_first_interface_address() was called in the params file, a
+    fatal error occured on start/restart.
+
+4.4.8.3
+
+1)  A problem with optimize 4 and wildcard interface names (those
+    ending in '+' has been corrected. The most likely symptom of this
+    problem would be iptables-restore failure.
+
+2)  A second problem with optimize 4 has been corrected. This one
+    manifested as invalid iptables-restore input involving the 'tcpre'
+    mangle chain.
+
+3)  A couple of fixes to the 4.4.8.2 change for startup log naming are
+    included. The main symptom occurred on Debian systems where perl
+    reported that /etc/shorewall.conf did not exist.
+
+4.4.8.2
+
+1)  With optimize 4, if an unnecessary NONAT rule was included in
+    /etc/shorewall/rules, 'shorewall start' and/or 'shorewall restart'
+    could fail with invalid iptables-restore input.
+
+2)  The -lite products previously were inconsistent in how they
+    referred to their startup log. Some references included '-lite'
+    where some did not. This was particularly bad in the case of the
+    Shorewall-lite logrotate file which duplicated the name used by the
+    Shorewall package. This inconsistency could cause logrotate to
+    fail if both packages were installed.
+
+4.4.8.1
+
+1)  Logical interface names in the EXTERNAL column of
+    /etc/shorewall/proxyarp were previously not mapped to their
+    corresponding physical interface names. This could cause 'start' or
+    'restart' to fail.
+
+2)  If find_first_interface_address() cannot determine the address of
+    the passed interface, the following message is issued and the
+    process continues:
+
+    	    /usr/share/shorewall/lib.common: line 438:
+                startup_error: command not found
+
+3)  If LOG_VERBOSITY=0 in shorewall.conf, then when the compiled script
+    was executed, messages such as the following would be issued:
+
+       /var/lib/shorewall6/.restart: line 65: [: -gt: unary operator
+                                              expected
+4.4.8
 
 1)  A CONTINUE rule specifying a log level would cause the compiler to 
     generate an incorrect rule sequence. The packet would be logged
@@ -281,6 +337,16 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
     	ERROR: iptables-restore Failed. Input is in
                /var/lib/shorewall/.iptables-restore-input
 
+11) Previously, with optimization 4, the 'blacklst' chain could be
+    optimized away. If the blacklist file was then changed and a
+    'shorewall refresh' executed, those new changes would not be included
+    in the active ruleset.
+
+12) In 4.4.7, it was documented that setting the 'bridge' option in an
+    interfaces file entry also set 'routeback'. That feature was
+    incomplete with the result that 'routeback' still needed to be
+    specified.
+
 ----------------------------------------------------------------------------
            I V. K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------

Shorewall/shorewall

@@ -39,6 +39,8 @@ get_config() {
     ensure_config_path
 
     if [ "$1" = Yes ]; then
+	[ -n "${IP:=ip}" ]
+
 	params=$(find_file params)
 
 	if [ -f $params ]; then
@@ -300,15 +302,20 @@ get_config() {
     esac
 }
 
+#
+# Fatal error
+#
+startup_error() {
+    echo "   ERROR: $@" >&2
+    kill $$
+    exit 1
+}
+
 #
 # Run the compiler
 #
 compiler() {
-    startup_error() {
-	echo "   ERROR: $@" >&2
-	exit 1
-    }
-    
+   
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
 	    startup_error "Ordinary users may not compile the /etc/shorewall configuration"

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.8
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,6 +108,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
+* Fri Apr 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-4
+* Mon Apr 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-3
+* Wed Apr 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-2
+* Thu Mar 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {
@@ -327,34 +327,37 @@ if [ -z "$PREFIX" ]; then
     ln -s ${DEST}/${INIT} /usr/share/shorewall6-lite/init
 fi
 
-if [ -z "$PREFIX" -a -n "$first_install" ]; then
-    if [ -n "$DEBIAN" ]; then
-	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-	ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	echo "Shorewall6 Lite will start automatically at boot"
-	touch /var/log/shorewall-init.log
-    else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-	    if insserv /etc/init.d/shorewall6-lite ; then
-		echo "Shorewall6 Lite will start automatically at boot"
-	    else
+if [ -z "$PREFIX" ]; then
+    touch /var/log/shorewall6-lite-init.log
+
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
+	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+	    echo "Shorewall6 Lite will start automatically at boot"
+	else
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall6-lite ; then
+		    echo "Shorewall6 Lite will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+		if chkconfig --add shorewall6-lite ; then
+		    echo "Shorewall6 Lite will start automatically in run levels as follows:"
+		    chkconfig --list shorewall6-lite
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/rc-update ]; then
+		if rc-update add shorewall6-lite default; then
+		    echo "Shorewall6 Lite will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
-	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	    if chkconfig --add shorewall6-lite ; then
-		echo "Shorewall6 Lite will start automatically in run levels as follows:"
-		chkconfig --list shorewall6-lite
-	    else
-		cant_autostart
-	    fi
-	elif [ -x /sbin/rc-update ]; then
-	    if rc-update add shorewall6-lite default; then
-		echo "Shorewall6 Lite will start automatically at boot"
-	    else
-		cant_autostart
-	    fi
-	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-	    cant_autostart
 	fi
     fi
 fi

Shorewall6-lite/logrotate

@@ -1,4 +1,4 @@
-/var/log/shorewall6-init.log {
+/var/log/shorewall6-lite-init.log {
   missingok
   notifempty
   create 0600 root root

Shorewall6-lite/shorewall6-lite.conf

@@ -1,15 +1,14 @@
 ###############################################################################
-#  /etc/shorewall6-lite/shorewall-lite.conf Version 4 - Change the following 
+#  /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following 
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall-lite
-#
-#  (c) 2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
+#  For information about the settings in this file, type
+#  "man shorewall6-lite.conf"
 #
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6-lite.conf.html.
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.8
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -92,6 +92,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Apr 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-4
+* Mon Apr 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-3
+* Wed Apr 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-2
+* Thu Mar 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {
@@ -256,10 +256,19 @@ fi
 #
 run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
 if [ ! -f ${PREFIX}/etc/shorewall6/shorewall6.conf ]; then
    run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/etc/shorewall6/shorewall6.conf
+
+   if [ -n "$DEBIAN" ] && mywhich perl; then
+       #
+       # Make a Debian-like shorewall6.conf
+       #
+       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${PREFIX}/etc/shorewall6/shorewall6.conf
+   fi
+
    echo "Config file installed as ${PREFIX}/etc/shorewall6/shorewall6.conf"
 fi
 

Shorewall6/shorewall6

@@ -39,6 +39,8 @@ get_config() {
     ensure_config_path
 
     if [ "$1" = Yes ]; then
+	[ -n "${IP:=ip}" ]
+
 	params=$(find_file params)
 
 	if [ -f $params ]; then
@@ -226,17 +228,21 @@ get_config() {
     esac
 }
 
+#
+# Issue an error message and die
+#
+startup_error() {
+    echo "   ERROR: $@" >&2
+    kill $$
+    exit 1
+}
+    
 #
 # Run the appropriate compiler
 #
 compiler() {
     pc=${PERLSHAREDIR}/compiler.pl
 
-    startup_error() {
-	echo "   ERROR: $@" >&2
-	exit 1
-    }
-    
     local command
     command=$1
 

Shorewall6/shorewall6.conf

@@ -1,19 +1,11 @@
 ###############################################################################
-#  /etc/shorewalls/shorewall6.conf Version 4 - Change the following variables to
-#  match your setup
 #
-#  This program is under GPL
-#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall
-#
-#  (c) 1999,2000,2001,2002,2003,2004,2005,
-#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
-#  Additional information is available at 
-#  http://www.shorewall.net/Documentation.htm#Conf
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.8
-%define release 0base
+%define release 4
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -97,6 +97,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Fri Apr 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-4
+* Mon Apr 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-3
+* Wed Apr 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-2
+* Thu Mar 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.8
+VERSION=4.4.8.4
 
 usage() # $1 = exit status
 {

docs/FTP.xml

@@ -413,6 +413,10 @@ FTP(DNAT)    net       loc:192.168.1.5</programlisting>
 #                                                 PORT(S)    PORT(S)     DESTINATION
 FTP(ACCEPT)   dmz        net</programlisting>
       </example></para>
+  </section>
+
+  <section>
+    <title id="Issues">Issues</title>
 
     <para>Note that the FTP connection tracking in the kernel cannot handle
     cases where a PORT command (or PASV reply) is broken across two packets or

docs/MultiISP.xml

@@ -1522,7 +1522,7 @@ EOF
    # Since LSM assumes that interfaces start in the 'up' state, remove any
    # existing status files that might have an interface in the down state
    #
-   rm -f /etc/shorewall/*.status
+   rm -f /var/lib/shorewall/*.status
    #
    # Run LSM -- by default, it forks into the background
    #

docs/SplitDNS.xml

@@ -86,6 +86,46 @@
 
 127.0.0.1       localhost
 
+<emphasis role="bold">172.20.0.1      openvpn.shorewall.net   openvpn
+172.20.0.2      vpn02.shorewall.net     vpn02
+172.20.0.3      vpn03.shorewall.net     vpn03
+172.20.0.4      vpn04.shorewall.net     vpn04
+172.20.0.5      vpn05.shorewall.net     vpn05
+172.20.0.6      vpn06.shorewall.net     vpn06
+172.20.0.7      vpn07.shorewall.net     vpn07
+172.20.0.8      vpn08.shorewall.net     vpn08
+172.20.0.9      vpn09.shorewall.net     vpn09
+172.20.0.10     vpn10.shorewall.net     vpn10
+172.20.0.11     vpn11.shorewall.net     vpn11
+172.20.0.12     vpn12.shorewall.net     vpn12
+172.20.0.13     vpn13.shorewall.net     vpn13
+172.20.0.14     vpn14.shorewall.net     vpn14
+172.20.0.15     vpn15.shorewall.net     vpn15
+172.20.0.16     vpn16.shorewall.net     vpn16
+
+172.20.1.1      linksys.shorewall.net   linksys
+172.20.1.100    hp8500.shorewall.net    hp8500
+172.20.1.102    ursa.shorewall.net      ursa
+172.20.1.105    tarry.shorewall.net     tarry
+172.20.1.107    teastep.shorewall.net   teastep
+172.20.1.109    hpmini.shorewall.net    hpmini
+
+172.20.1.130    lanursa.shorewall.net   lanursa
+172.20.1.131    wookie.shorewall.net    wookie
+172.20.1.132    tipper.shorewall.net    tipper
+172.20.1.133    nasty.shorewall.net     nasty
+172.20.1.134    ursadog.shorewall.net   ursadog
+172.20.1.135    opensuse.shorewall.net  opensuse
+172.20.1.136    centos.shorewall.net    centos
+172.20.1.137    fedora.shorewall.net    fedora
+172.20.1.138    debian.shorewall.net    debian
+172.20.1.139    archlinux.shorewall.net archlinux
+172.20.1.140    foobar.shorewall.net    foobar
+172.20.1.141    deblap.shorewall.net    deblap
+172.20.1.254    firewall.shorewall.net  firewall
+
+206.124.146.254 blarg.shorewall.net     blarg
+</emphasis>
 # special IPv6 addresses
 ::1             localhost ipv6-localhost ipv6-loopback
 
@@ -95,24 +135,18 @@ ff00::0         ipv6-mcastprefix
 ff02::1         ipv6-allnodes
 ff02::2         ipv6-allrouters
 ff02::3         ipv6-allhosts
-127.0.0.2       ursa.shorewall.net ursa
-<emphasis role="bold">172.20.1.1      linksys.shorewall.net     linksys
-192.168.0.1     opensuse.shorewall.net    opensuse
-192.168.0.2     debian.shorewall.net      debian
-192.168.0.3     ubuntu.shorewall.net      ubuntu
-192.168.0.4     fedora.shoreawll.net      fedora
-192.168.0.5     opensuse11.shorewall.net  opensuse11
-192.168.0.6     centos.shorewall.net      centos
-192.168.0.7     debian32.shorewall.net    debian32
-192.168.0.8     fedora9.shorewall.net     fedora9</emphasis>
-206.124.146.254 blarg.shorewall.net       blarg
+
+<emphasis role="bold">2002:ce7c:92b4::1       gateway6.shorewall.net  gateway6
+2002:ce7c:92b4:1::2     mail6.shorewall.net     mail6
+2002:ce7c:92b4:1::2     lists6.shorewall.net    lists6
+2002:ce7c:92b4:2::2     server6.shorewall.net   server6</emphasis>
+
 </programlisting></para>
       </listitem>
 
       <listitem>
-        <para>Configure your local network hosts to use the firewall/router as
-        their DNS server. If your local hosts are configured using DHCP, that
-        is a simple one-line change to the DHCP configuration.</para>
+        <para> If your local hosts are configured using DHCP, that is a simple
+        one-line change to the DHCP configuration.</para>
       </listitem>
     </orderedlist>
 
@@ -128,8 +162,45 @@ ff02::3         ipv6-allhosts
 linksys.shorewall.net has address 206.124.146.180
 gateway:~ # </programlisting></para>
 
-    <para>From ubuntu (192.168.0.3):<programlisting>teastep@ubuntu:~$ host linksys
+    <para>From Tipper (192.168.1.132):<programlisting>teastep@tipper:~$ host linksys
 linksys.shorewall.net has address 172.20.1.1
-teastep@ubuntu:~$ </programlisting></para>
+teastep@tipper:~$ </programlisting></para>
+
+    <para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
+    exerpts from the corresponding /etc/dnsmasq.conf:</para>
+
+    <programlisting>interface=eth1
+
+dhcp-range=172.20.1.210,172.20.1.219,24h
+
+dhcp-host=00:11:85:89:da:9b,172.20.1.220
+
+dhcp-host=00:1A:73:DB:8C:35,172.20.1.102
+dhcp-host=00:25:B3:9F:5B:FD,172.20.1.100
+dhcp-host=00:1F:E1:07:53:CA,172.20.1.105
+dhcp-host=00:1F:29:7B:04:04,172.20.1.107
+dhcp-host=00:24:2b:59:96:e2,172.20.1.109
+
+dhcp-host=00:1B:24:CB:2B:CC,172.20.1.130
+dhcp-host=00:21:5a:22:ac:e0,172.20.1.131
+dhcp-host=08:00:27:B1:46:a9,172.20.1.132
+dhcp-host=08:00:27:31:45:83,172.20.1.133
+dhcp-host=08:00:27:28:64:50,172.20.1.134
+dhcp-host=08:00:27:4b:38:88,172.20.1.135
+dhcp-host=08:00:27:f6:4d:65,172.20.1.136
+dhcp-host=08:00:27:dc:cd:94,172.20.1.137
+dhcp-host=08:00:27:0f:d3:8f,172.20.1.138
+dhcp-host=08:00:27:42:9c:01,172.20.1.139
+dhcp-host=08:00:27:5a:6c:d8,172.20.1.140
+dhcp-host=08:00:27:da:96:78,172.20.1.141
+
+dhcp-option=19,0           # option ip-forwarding off
+dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+dhcp-option=46,8           # netbios node type
+dhcp-option=47             # empty netbios scope.
+
+dhcp-option=option:domain-search,shorewall.net
+</programlisting>
   </section>
-</article>
+</article>

manpages/shorewall.conf.xml

@@ -935,7 +935,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           logged packets. Please see iptables(8) for a description of the
           behavior of these parameters (the iptables option --limit is set by
           LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur. If you supply one of
+          these, then you should also supply the other.</para>
 
           <para>Example:</para>
 
@@ -1222,6 +1223,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                   <para>action chains (user-defined)</para>
                 </listitem>
 
+                <listitem>
+                  <para>'blacklst' chain</para>
+                </listitem>
+
                 <listitem>
                   <para>dynamic</para>
                 </listitem>

manpages6/shorewall6.conf.xml

@@ -812,7 +812,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
           logged packets. Please see ip6tables(8) for a description of the
           behavior of these parameters (the ip6tables option --limit is set by
           LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur. If you supply one of
+          these, then you should also supply the other.</para>
 
           <para>Example:</para>
 
@@ -1010,6 +1011,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                   <para>action chains (user-defined)</para>
                 </listitem>
 
+                <listitem>
+                  <para>'blacklst' chain</para>
+                </listitem>
+
                 <listitem>
                   <para>dynamic</para>
                 </listitem>