Document chain name length restriction fix

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.16
-%define release 0base
+%define release 1
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -119,6 +119,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-1
 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.16-0base
 * Thu Dec 30 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.16
-%define release 0base
+%define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,6 +102,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-1
 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.16-0base
 * Thu Dec 30 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -1257,6 +1257,7 @@ sub ensure_accounting_chain( $$ )
     if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
     } else {
+	fatal_error "Chain name ($chain) too long" if length $chain > 29;
 	$chainref = new_chain 'filter' , $chain;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
@@ -1344,6 +1345,7 @@ sub new_nat_chain($) {
 
 sub new_manual_chain($) {
     my $chain = $_[0];
+    fatal_error "Chain name ($chain) too long" if length $chain > 29;
     fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
     $targets{$chain} = CHAIN;
     ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
@@ -3509,7 +3511,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    $iiface = $1;
 	    $inets  = $2;
 	} elsif ( $source =~ /:/ ) {
-	    if ( $source =~ /^<(.+)>$/ || $source =~ /^<\[.+\]>$/ ) {
+	    if ( $source =~ /^<(.+)>$/ || $source =~ /^\[(.+)\]$/ ) {
 		$inets = $1;
 	    } else {
 		$inets = $source;

Shorewall/Perl/Shorewall/Config.pm

@@ -359,7 +359,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.16",
+		    VERSION => "4.4.16.1",
 		    CAPVERSION => 40415 ,
 		  );
 
@@ -2168,12 +2168,16 @@ sub load_kernel_modules( ) {
 	my $uname = `uname -r`;
 	fatal_error "The command 'uname -r' failed" unless $? == 0;
 	chomp $uname;
-	$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
+	$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
     }
 
-    my @moduledirectories = split /:/, $modulesdir;
+    my @moduledirectories; 
 
-    if ( $moduleloader && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    for ( split /:/, $modulesdir ) {
+	push @moduledirectories, $_ if -d $_;
+    }
+
+    if ( $moduleloader &&  @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -2206,7 +2210,7 @@ sub load_kernel_modules( ) {
 			    } else {
 				system( "modprobe $module $arguments" );
 			    }
-
+				    
 			    $loadedmodules{ $module } = 1;
 			}
 		    }
@@ -2952,7 +2956,7 @@ sub get_params() {
 		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^declare -x (.*?)="(.*)$/ ) {
-		    $params{$variable=$1}="${2}\n";
+		    $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
@@ -2976,7 +2980,7 @@ sub get_params() {
 		if ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^export (.*?)="(.*)$/ ) {
-		    $params{$variable=$1}="${2}\n";
+		    $params{$variable=$1} = $2 eq '"' ? '' : "${2}\n";
 		} elsif ( /^export (.*)\s+$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {

Shorewall/changelog.txt

@@ -1,3 +1,25 @@
+Changes in Shorewall 4.4.16.3
+
+1)  Fix silly bug in expand_rule().
+
+2)  Correct two defects in compiler module loading.
+
+3)  Ensure that manual and accounting chains aren't too long.
+
+Changes in Shorewall 4.4.16.2
+
+1)  Add sch_prio to modules file.
+
+Changes in Shorewall 4.4.16.1
+
+1)  Fix empty variable handling where /bin/sh is bash
+
+Changes in Shorewall 4.4.16 RC 1
+
+1) Fix logging for jump to nat chain.
+
+2) Minor code refactoring.
+
 Changes in Shorewall 4.4.16 Beta 8
 
 1)  Complete parameterized actions.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1,3 +1,47 @@
 1)  On systems running Upstart, shorewall-init cannot reliably secure
     the firewall before interfaces are brought up.
 
+2)  Beginning with 4.4.16, compilation will fail if an empty shell
+    variable was referenced in a config file on a system where /bin/sh
+    is the Bourne Again Shell (bash).
+
+    Corrected in 4.4.16.1.
+
+3)  Startup can fail on a system where module autoloading is not
+    available and where TC_ENABLED=Simple is specified in
+    shorewall.conf.
+
+    Workaround: 
+
+    If LOAD_HELPERS_ONLY=No,
+
+       a) Copy /usr/share/shorewall/modules to /etc/shorewall/
+       b) Add 'loadmodule sch_prio' to the copy
+
+    If LOAD_HELPERS_ONLY=Yes,
+
+       a) Copy /usr/share/shorewall/helpers to /etc/shorewall/
+       b) Add 'loadmodule sch_prio' to the copy
+
+4)  If the SOURCE column in /etc/shorewall6/rules contains an address
+    enclosed in [...], a spurious error is generated:
+
+    Example:
+
+      net:[::/0]
+
+      ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
+
+    Workaround:
+
+    Enclose the address in <...>.  In the example above, use
+    net:<::/0>.
+
+3)  Currently, Shorewall does not check the length of the names of
+    accounting chains and manual chains. This can result in 
+    errors when loading the resulting ruleset if a chain name is longer
+    than 29 characters.
+
+
+
+

Shorewall/modules

@@ -125,6 +125,7 @@ loadmodule sch_sfq
 loadmodule sch_ingress
 loadmodule sch_hfsc
 loadmodule sch_htb
+loadmodule sch_prio
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 6
+                    S H O R E W A L L  4 . 4 . 1 6 . 3
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -12,17 +12,50 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
+4.4.16.3
+
+1)  If the SOURCE column in /etc/shorewall6/rules contained [<address>],
+    a spurious error was generated:
+
+      ERROR: Invalid VLSM (0]) : /etc/shorewall6/rules (line 20)
+
+2)  Two compiler defects in module loading have been corrected:
+
+    a) Previously, the kernel/net/ipv6/netfilter/ directory was not
+       searched.
+       
+    b) A Perl diagnostic was issued when running on a monolithic kernel
+       when the modutils package was installed.
+
+3)  Previously, Shorewall did not check the length of the names of
+    accounting chains and manual chains. This could result in 
+    errors when loading the resulting ruleset. Now, the compiler issues
+    an error for chain names longer than 29 characters.
+
+4.4.16.2
+
+1)  Startup could previously fail on a system where module autoloading
+    was not available and where TC_ENABLED=Simple was specified in
+    shorewall.conf.
+
+4.4.16.1
+
+1)  Beginning with 4.4.16, compilation would fail if an empty shell
+    variable was referenced in a config file on a system where /bin/sh
+    is the Bourne Again Shell (bash).
+
+4.4.16
 
 1)  If the output of 'env' contained a multi-line value, then
     compilation failed with an Internal Error. The code has been
     changed so that the compiler now handles multi-line values
     correctly.
 
-2)  In 4.4.15, output to Standard Out (FD 2) generated by
+2)  In 4.4.15, output to Standard Out (FD 1) generated by
     /etc/shorewall/params (/etc/shorewall6/params) was redirected to
     /dev/null. It is now redirected to Standard Error (FD 2).
 
-3)  2)  If a params file did not appear in the CONFIG_PATH, compilation
+3)  If a params file did not appear in the CONFIG_PATH, compilation
     failed with the error:
 
     	   .: 31: Can't open /etc/shorewall6/params 

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.16
-%define release 0base
+%define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -109,6 +109,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-1
 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.16-0base
 * Thu Dec 30 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.16
-%define release 0base
+%define release 1
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,6 +93,8 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-1
 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.16-0base
 * Thu Dec 30 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.16
-%define release 0base
+%define release 1
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,6 +98,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.16-1
 * Mon Jan 03 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.16-0base
 * Thu Dec 30 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.16
+VERSION=4.4.16.1
 
 usage() # $1 = exit status
 {

docs/FAQ.xml

@@ -2196,7 +2196,7 @@ gateway:~#
 </programlisting>
       </blockquote>
 
-      <para>then it means that somehing outside of Shorewall has deleted the
+      <para>then it means that something outside of Shorewall has deleted the
       chain. This usually means that you were running another firewall package
       before you installed Shorewall and that other package has replaced
       Shorewall's Netfilter configuration with its own. You must remove (or at

docs/Shorewall-4.xml

@@ -103,7 +103,7 @@
     that current users of the shell-based compiler migrate before upgrading to
     4.4 so that both compilers are available during the migration.</para>
 
-    <para>Shorewall 4.4 contains four packages:</para>
+    <para>Shorewall 4.4 contains five packages:</para>
 
     <itemizedlist>
       <listitem>
@@ -126,6 +126,23 @@
         equivalent of Shorewall Lite. Can run scripts generated by Shoreall on
         another system.</para>
       </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">Shorewall-init</emphasis> - An add-on
+        package for any of the other packages which can:</para>
+
+        <orderedlist>
+          <listitem>
+            <para>Secure the firewall(s) prior to bringing up the interfaces
+            (does not work with systems running Upstart)</para>
+          </listitem>
+
+          <listitem>
+            <para>React to ifup/ifdown events and restart the firewall(s) if
+            needed</para>
+          </listitem>
+        </orderedlist>
+      </listitem>
     </itemizedlist>
   </section>
 

docs/standalone.xml

@@ -161,7 +161,7 @@
         Shorewall documentation directory is, you can find the samples using
         this command:</para>
 
-        <programlisting>~# rpm -ql shorewall-common | fgrep one-interface
+        <programlisting>~# rpm -ql shorewall | fgrep one-interface
 /usr/share/doc/packages/shorewall/Samples/one-interface
 /usr/share/doc/packages/shorewall/Samples/one-interface/interfaces
 /usr/share/doc/packages/shorewall/Samples/one-interface/policy
@@ -186,7 +186,7 @@
       <listitem>
         <para>If you installed using a Shorewall 4.x .deb, the samples are in
         <filename
-        class="directory">/usr/share/doc/shorewall-common/examples/one-interface</filename>..
+        class="directory">/usr/share/doc/shorewall/examples/one-interface</filename>..
         You do not need the shorewall-doc package to have access to the
         samples.</para>
       </listitem>
@@ -201,7 +201,7 @@
       class="directory">/etc/shorewall</filename> directory is empty. This is
       intentional. The released configuration file skeletons may be found on
       your system in the directory <filename
-      class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
+      class="directory">/usr/share/doc/shorewall/default-config</filename>.
       Simply copy the files you need from that directory to <filename
       class="directory">/etc/shorewall</filename> and modify the
       copies.</para>

docs/two-interface.xml

@@ -160,7 +160,7 @@
         class="directory">/etc/shorewall</filename> directory is empty. This
         is intentional. The released configuration file skeletons may be found
         on your system in the directory <filename
-        class="directory">/usr/share/doc/shorewall-common/default-config</filename>.
+        class="directory">/usr/share/doc/shorewall/default-config</filename>.
         Simply copy the files you need from that directory to <filename
         class="directory">/etc/shorewall</filename> and modify the
         copies.</para>
@@ -179,7 +179,7 @@
             documentation directory is, you can find the samples using this
             command:</para>
 
-            <programlisting>~# rpm -ql shorewall-common | fgrep two-interfaces
+            <programlisting>~# rpm -ql shorewall | fgrep two-interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/interfaces
 /usr/share/doc/packages/shorewall/Samples/two-interfaces/masq