Don't apply HTB quantum to HFSC

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples6/three-interfaces/zones

@@ -15,6 +15,6 @@
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
-net	ipv4
-loc	ipv4
-dmz	ipv4
+net	ipv6
+loc	ipv6
+dmz	ipv6

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.19
-%define release 1
+%define release 4
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -119,6 +119,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Wed May 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-4
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3
+* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-1
 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.19
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -103,6 +103,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Wed May 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-4
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3
+* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-1
 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -244,6 +244,7 @@ our $mangle_table;
 our $filter_table;
 our $comment;
 our @comments;
+my  $export;
 
 #
 # Target Types
@@ -281,13 +282,14 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 # See initialize() below for additional comments on these variables
 #
 our $iprangematch;
-our $chainseq;
+our %chainseq;
 our $idiotcount;
 our $idiotcount1;
 our $warningcount;
 our $hashlimitset;
 our $global_variables;
 our $ipset_rules;
+
 #
 # Determines the commands for which a particular interface-oriented shell variable needs to be set
 #
@@ -388,8 +390,8 @@ our %builtin_target = ( ACCEPT      => 1,
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $$ ) {
-    ( $family, my $hard ) = @_;
+sub initialize( $$$ ) {
+    ( $family, my $hard, $export ) = @_;
 
     %chain_table = ( raw    => {},
 		     mangle => {},
@@ -406,9 +408,9 @@ sub initialize( $$ ) {
     $comment  = '';
     @comments = ();
     #
-    # Used to sequence chain names.
+    # Used to sequence chain names in each table.
     #
-    $chainseq = 0;
+    %chainseq = () if $hard;
     #
     # Used to suppress duplicate match specifications for old iptables binaries.
     #
@@ -747,10 +749,10 @@ sub insert_rule($$$) {
 sub delete_chain( $ ) {
     my $chainref = shift;
 
-    $chainref->{referenced} = 0;
-    $chainref->{blacklist}  = 0;
-    $chainref->{rules}      = [];
-    $chainref->{references} = {};
+    $chainref->{referenced}  = 0;
+    $chainref->{blacklist}   = 0;
+    $chainref->{rules}       = [];
+    $chainref->{references}  = {};
     trace( $chainref, 'X', undef, '' ) if $debug;
     progress_message "  Chain $chainref->{name} deleted";
 }
@@ -1197,14 +1199,14 @@ sub new_chain($$)
 
     assert( $chain_table{$table} && ! ( $chain_table{$table}{$chain} || $builtin_target{ $chain } ) );
 
-    my $chainref = { name         => $chain,
-		     rules        => [],
-		     table        => $table,
-		     loglevel     => '',
-		     log          => 1,
-		     cmdlevel     => 0,
-		     references   => {},
-		     blacklist    => 0 };
+    my $chainref = { name           => $chain,
+		     rules          => [],
+		     table          => $table,
+		     loglevel       => '',
+		     log            => 1,
+		     cmdlevel       => 0,
+		     references     => {},
+		     blacklist => 0 };
 
     trace( $chainref, 'N', undef, '' ) if $debug;
 
@@ -2093,13 +2095,13 @@ sub setup_zone_mss() {
     }
 }
 
-sub newexclusionchain() {
-    my $seq = $chainseq++;
+sub newexclusionchain( $ ) {
+    my $seq = $chainseq{$_[0]}++;
     "~excl${seq}";
 }
 
-sub newlogchain() {
-    my $seq = $chainseq++;
+sub newlogchain( $ ) {
+    my $seq = $chainseq{$_[0]}++;
     "~log${seq}";
 }
 
@@ -2116,7 +2118,7 @@ sub logchain( $$$$$$ ) {
     my $logchainref = $chainref->{logchains}{$key};
 
     unless ( $logchainref ) {
-	$logchainref = $chainref->{logchains}{$key} = new_chain $chainref->{table}, newlogchain;
+	$logchainref = $chainref->{logchains}{$key} = new_chain $chainref->{table}, newlogchain( $chainref->{table} ) ;
 	#
 	# Now add the log rule and target rule without matches to the log chain.
 	#
@@ -2136,7 +2138,7 @@ sub logchain( $$$$$$ ) {
 }
 
 sub newnonatchain() {
-    my $seq = $chainseq++;
+    my $seq = $chainseq{nat}++;
     "nonat${seq}";
 }
 
@@ -2168,7 +2170,9 @@ sub source_exclusion( $$ ) {
 
     return $target unless @$exclusions;
 
-    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
+    my $table = reftype $target ? $target->{table} : 'filter';
+
+    my $chainref = new_chain( $table , newexclusionchain( $table ) );
 
     add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
     add_jump( $chainref, $target, 1 );
@@ -2181,7 +2185,9 @@ sub dest_exclusion( $$ ) {
 
     return $target unless @$exclusions;
 
-    my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
+    my $table = reftype $target ? $target->{table} : 'filter';
+
+    my $chainref = new_chain( $table , newexclusionchain( $table ) );
 
     add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
     add_jump( $chainref, $target, 1 );
@@ -2819,6 +2825,10 @@ sub get_set_flags( $$ ) {
 
     $setname =~ s/^\+//;
 
+    unless ( $export || $> != 0 ) {
+	warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+    }
+
     fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
 
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
@@ -2870,7 +2880,7 @@ sub conditional_rule_end( $ ) {
     add_commands( $chainref , "fi\n" );
 }	
 
-sub mysplit( $ );
+sub mysplit( $;$ );
 
 #
 # Match a Source.
@@ -2901,7 +2911,7 @@ sub match_source_net( $;$\$ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1;
+	my @sets = mysplit $1, 1;
 
 	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
 
@@ -2951,7 +2961,7 @@ sub match_dest_net( $ ) {
 
     if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1;
+	my @sets = mysplit $1, 1;
 
 	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
 
@@ -3229,10 +3239,14 @@ sub addnatjump( $$$ ) {
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
-sub mysplit( $ ) {
-    my @input = split_list $_[0], 'host';
+sub mysplit( $;$ ) {
+    my ( $input, $loose ) = @_;
 
-    return @input unless $_[0] =~ /\[/;
+    my @input = split_list $input, 'host';
+
+    return @input unless $input =~ /\[/;
+
+    my $exclude = 0;
 
     my @result;
 
@@ -3245,7 +3259,14 @@ sub mysplit( $ ) {
 		$element .= ( ',' . shift @input );
 	    }
 
+	    unless ( $loose ) {
+		fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/;
+		$exclude ||= $element =~ /^!/ || $element =~ /\]!/;
+	    }
+
 	    fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
+	} else {
+	    $exclude ||= $element =~ /!/ unless $loose;
 	}
 
 	push @result, $element;
@@ -3340,7 +3361,7 @@ sub mark_firewall_not_started() {
     if ( $family == F_IPV4 ) {
 	emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
     } else {
-	emit ( 'qt1 $IPTABLES6 -L shorewall -n && qt1 $IPTABLES6 -F shorewall && qt1 $IPTABLES6 -X shorewall' );
+	emit ( 'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall' );
     }
 }
 
@@ -3961,7 +3982,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
 
 	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-	    my @iexcl = mysplit $iexcl;
+	    my @iexcl = mysplit $iexcl, 1;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
@@ -3979,7 +4000,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
 
 	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
-	    my @dexcl = mysplit $dexcl;
+	    my @dexcl = mysplit $dexcl, 1;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl";
 		$dexcl = '';
@@ -4043,7 +4064,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Create the Exclusion Chain
 	    #
-	    my $echain = newexclusionchain;
+	    my $echain = newexclusionchain( $table );
 
 	    my $echainref = new_chain $table, $echain;
 	    #
@@ -4661,13 +4682,21 @@ sub create_chainlist_reload($) {
 
     my $chains = $_[0];
 
-    my @chains = split_list $chains, 'chain';
+    my @chains;
 
-    unless ( @chains ) {
-	@chains = qw( blacklst ) if $filter_table->{blacklst};
-	push @chains, 'blackout' if $filter_table->{blackout};
-	push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-	$chains = join( ',', @chains ) if @chains;
+    unless ( $chains eq ':none:' ) {
+	if ( $chains eq ':refresh:' ) {
+	    $chains = '';
+	} else {
+	    @chains =  split_list $chains, 'chain';
+	}
+
+	unless ( @chains ) {
+	    @chains = qw( blacklst ) if $filter_table->{blacklst};
+	    push @chains, 'blackout' if $filter_table->{blackout};
+	    push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	    $chains = join( ',', @chains ) if @chains;
+	}
     }
 
     $mode = NULL_MODE;
@@ -4690,21 +4719,33 @@ sub create_chainlist_reload($) {
 
 	my %chains;
 
+	my %tables;
+
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 
 	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
 
-	    $chains{$table} = [] unless $chains{$table};
+	    $chains{$table} = {} unless $chains{$table};
 
 	    if ( $chain ) {
-		fatal_error "No $table chain found with name $chain" unless  $chain_table{$table}{$chain};
-		fatal_error "Built-in chains may not be refreshed" if $chain_table{table}{$chain}{builtin};
-		push @{$chains{$table}}, $chain;
-	    } else {
-		while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
-		    push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin};
+		my $chainref;
+		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
+		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
+		
+		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
+		    warning_message "The entire $table table will be refreshed" unless $tables{$table}++;
+		} else {
+		    $chains{$table}{$chain} = $chainref;
 		}
+	    } else {
+		$tables{$table} = 1;
+	    }
+	}
+
+	for $table ( keys %tables ) {
+	    while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
+		$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
 	    }
 	}
 
@@ -4713,14 +4754,14 @@ sub create_chainlist_reload($) {
 	enter_cat_mode;
 
 	for $table qw(raw nat mangle filter) {
-	    next unless $chains{$table};
+	    my $tableref=$chains{$table};
+
+	    next unless $tableref;
+
+	    @chains = sort keys %$tableref;
 
 	    emit_unindented "*$table";
 
-	    my $tableref=$chain_table{$table};
-
-	    @chains = sort @{$chains{$table}};
-
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		emit_unindented ":$chainref->{name} - [0:0]";

Shorewall/Perl/Shorewall/Compiler.pm

@@ -54,7 +54,7 @@ our $family;
 #
 sub initialize_package_globals() {
     Shorewall::Config::initialize($family);
-    Shorewall::Chains::initialize ($family, 1);
+    Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family);
     Shorewall::Nat::initialize;
     Shorewall::Providers::initialize($family);
@@ -817,7 +817,7 @@ sub compiler {
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
-	Shorewall::Chains::initialize( $family, 0 );
+	Shorewall::Chains::initialize( $family, 0 , $export );
 	initialize_chain_table;
 	#
 	#                           S T O P _ F I R E W A L L
@@ -881,7 +881,7 @@ sub compiler {
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
-	Shorewall::Chains::initialize( $family , 0 );
+	Shorewall::Chains::initialize( $family , 0 , $export );
 	initialize_chain_table;
 
 	if ( $debug ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -61,6 +61,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       disable_script
 		                       numeric_value
 		                       numeric_value1
+				       normalize_hex
 		                       hex_value
 		                       in_hex
 		                       in_hex2
@@ -411,7 +412,7 @@ sub initialize( $ ) {
 		    EXPORT     => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.19.1",
+		    VERSION    => "4.4.19.4",
 		    CAPVERSION => 40417 ,
 		  );
     #
@@ -819,6 +820,16 @@ sub hex_value( $ ) {
     use warnings;
 }
 
+#
+# Strip off superfluous leading zeros from a hex number
+#
+sub normalize_hex( $ ) {
+    my $val = lc shift;
+
+    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val;
+}
+
 #
 # Return the argument expressed in Hex
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -466,6 +466,7 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -1751,6 +1751,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 
 	fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
 	fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
+	fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
     }
 
     if ( $actiontype & NATONLY ) {
@@ -2013,6 +2014,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
+	    $origdest = ALLIP if  $origdest =~ /[+]/;
 	}
     } elsif ( $actiontype & NONAT ) {
 	#

Shorewall/Perl/Shorewall/Tc.pm

@@ -252,10 +252,23 @@ sub process_tc_rule( ) {
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
+	    fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 
 	    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
+		$originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );
 		fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
+		fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};
+
+		unless ( $tcclasses{$device}{hex_value $designator}{leaf} ) {
+		    warning_message "Non-leaf Class ($originalmark) - tcrule ignored";
+		    return;
+		}
+
+		if ( $dest eq '-' ) {
+		    $dest = $device;
+		} else {
+		    $dest = join( ':', $device, $dest ) unless $dest =~ /^[[:alpha:]]/;
+		}
 	    }
 
 	    $chain   = 'tcpost';
@@ -404,6 +417,8 @@ sub process_tc_rule( ) {
 	}
     }
 
+    fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) ); 
+
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
 				     do_proto( $proto, $ports, $sports) .
@@ -602,15 +617,16 @@ sub validate_tc_device( ) {
 	fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
 
 	if ( defined $number ) {
+	    $number = normalize_hex( $number );
 	    $devnumber = hex_value( $number );
-	    fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
+	    fatal_error "Invalid device NUMBER ($number)" unless defined $devnumber && $devnumber && $devnumber < 256;
 	    fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
 	    $devnum = $devnumber if $devnumber > $devnum;
 	} else {
 	    fatal_error "Missing interface NUMBER";
 	}
-    } else {
-	$devnumber = ++$devnum;
+    } elsif ( ( $devnumber = ++$devnum ) > 255 ) {
+	fatal_error "Attempting to assign a device number > 255";
     }
 
     $devnums[ $devnumber ] = $device;
@@ -745,7 +761,6 @@ sub dev_by_number( $ ) {
     }
 
     ( $dev , $devref );
-
 }
 
 sub validate_tc_class( ) {
@@ -761,7 +776,7 @@ sub validate_tc_class( ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
 	fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
 
-	if ( $device =~ /^(\d+|0x[\da-fA-F]+)$/ ) {
+	if ( $device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device} ) {
 	    ( $number , $classnumber ) = ( hex_value $device, hex_value $number );
 	    ( $device , $devref) = dev_by_number( $number );
 	} else {
@@ -777,7 +792,8 @@ sub validate_tc_class( ) {
 		$classnumber = hex_value $subnumber;
 	    }
 
-	    fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
+	    fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber && $classnumber < 0x8000;
+	    fatal_error "Reserved class number (1)" if $classnumber == 1;
 	    fatal_error "Duplicate interface:class number ($number:$classnumber}" if $tcclasses{$device}{$classnumber};
 	} else {
 	    fatal_error "Missing interface NUMBER";
@@ -824,9 +840,11 @@ sub validate_tc_class( ) {
 	# Nested Class
 	#
 	$parentref = $tcref->{$parentclass};
-	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
-	fatal_error "The class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
-	fatal_error "The class ($parentclass) specifies flow; it cannot serve as a parent"             if $parentref->{flow}; 
+	my $parentnum = in_hexp $parentclass;
+	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
+	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
+	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
+	fatal_error "The default class ($parentnum) may not have sub-classes"                        if $devref->{default} == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
 	$ratename = q(the parent class's RATE);
@@ -845,6 +863,7 @@ sub validate_tc_class( ) {
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
 	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
+	$parentclass ||= 1;
     } else {
 	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
     }
@@ -976,9 +995,15 @@ sub process_tc_filter() {
 
     my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
 
-    ( $device , my $devref ) = dev_by_number( $device );
+    my $devref;
 
-    my $devnum = $devref->{number};
+    if ( $device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device} ) {
+	( $device, $devref ) = dev_by_number( hex_value( $device ) );
+    } else {
+	( $device , $devref ) = dev_by_number( $device );
+    }
+
+    my $devnum = in_hexp $devref->{number};
 
     my $tcref = $tcclasses{$device};
 
@@ -993,6 +1018,13 @@ sub process_tc_filter() {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
+    unless ( $tcref->{leaf} ) {
+	warning_message "Filter specifying a non-leaf CLASS ($devnum:$class) ignored";
+	return;
+    }
+
+    my $have_rule = 0;
+
     if ( $devref->{physical} ne $lastdevice ) {
 	if ( $lastdevice ) {
 	    pop_indent;
@@ -1009,11 +1041,13 @@ sub process_tc_filter() {
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
 	$rule .= "\\\n   match $ip32 src $net/$mask";
+	$have_rule = 1;
     }
 
     if ( $dest ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $dest );
 	$rule .= "\\\n   match $ip32 dst $net/$mask";
+	$have_rule = 1;
     }
 
     if ( $tos ne '-' ) {
@@ -1032,6 +1066,7 @@ sub process_tc_filter() {
 	}
 
 	$rule .= "\\\n  match $ip32 tos $tosval $mask";
+	$have_rule = 1;
     }
 
     if ( $length ne '-' ) {
@@ -1039,6 +1074,7 @@ sub process_tc_filter() {
 	my $mask = $validlengths{$len};
 	fatal_error "Invalid LENGTH ($length)" unless $mask;
 	$rule .="\\\n   match u16 0x0000 $mask at $lo";
+	$have_rule = 1;
     }
 
     my $protonumber = 0;
@@ -1046,13 +1082,20 @@ sub process_tc_filter() {
     unless ( $proto eq '-' ) {
 	$protonumber = resolve_proto $proto;
 	fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
-	$rule .= "\\\n   match $ip32 protocol $protonumber 0xff" if $protonumber;
+	if ( $protonumber ) {
+	    $rule .= "\\\n   match $ip32 protocol $protonumber 0xff";
+	    $have_rule = 1;
+	}
     }
 
     if ( $portlist eq '-' && $sportlist eq '-' ) {
-	emit( "\nrun_tc $rule\\" ,
-	      "   flowid $devref->{number}:$class" ,
-	      '' );
+	if ( $have_rule ) {
+	    emit( "\nrun_tc $rule\\" ,
+		  "   flowid $devnum:$class" ,
+		  '' );
+	} else {
+	    warning_message "Degenerate tcfilter ignored";
+	}
     } else {
 	fatal_error "Ports may not be specified without a PROTO" unless $protonumber;
 	our $lastrule;
@@ -1113,7 +1156,7 @@ sub process_tc_filter() {
 
 		    emit( "\nrun_tc $rule\\" ,
 			  "   $rule1\\" ,
-			  "   flowid $devref->{number}:$class" );
+			  "   flowid $devnum:$class" );
 		}
 	    }
 	} else {
@@ -1131,7 +1174,7 @@ sub process_tc_filter() {
 		    $rule1   .= "\\\n   match icmp code $icmpcode 0xff" if defined $icmpcode;
 		    emit( "\nrun_tc ${rule}\\" ,
 			  "$rule1\\" ,
-			  "   flowid $devref->{number}:$class" );
+			  "   flowid $devnum:$class" );
 		} elsif ( $protonumber == IPv6_ICMP ) {
 		    fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
 		    fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-';
@@ -1142,7 +1185,7 @@ sub process_tc_filter() {
 		    $rule1   .= "\\\n   match icmp6 code $icmpcode 0xff" if defined $icmpcode;
 		    emit( "\nrun_tc ${rule}\\" ,
 			  "$rule1\\" ,
-			  "   flowid $devref->{number}:$class" );
+			  "   flowid $devnum:$class" );
 		} else {
 		    my @portlist = expand_port_range $protonumber , $portrange;
 
@@ -1162,7 +1205,7 @@ sub process_tc_filter() {
 			if ( $sportlist eq '-' ) {
 			    emit( "\nrun_tc ${rule}\\" ,
 				  "   $rule1\\" ,
-				  "   flowid $devref->{number}:$class" );
+				  "   flowid $devnum:$class" );
 			} else {
 			    for my $sportrange ( split_list $sportlist , 'port list' ) {
 				my @sportlist = expand_port_range $protonumber , $sportrange;
@@ -1183,7 +1226,7 @@ sub process_tc_filter() {
 				    emit( "\nrun_tc ${rule}\\",
 					  "   $rule1\\" ,
 					  "   $rule2\\" ,
-					  "   flowid $devref->{number}:$class" );
+					  "   flowid $devnum:$class" );
 				}
 			    }
 			}
@@ -1264,6 +1307,13 @@ sub process_tc_priority() {
 	return;
     }
 
+    fatal_error "Invalid tcpri entry" if ( $proto     eq '-' &&
+					   $ports     eq '-' &&
+					   $address   eq '-' &&
+					   $interface eq '-' &&
+					   $helper    eq '-' );
+
+
     my $val = numeric_value $band;
 
     fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1376,6 +1426,8 @@ sub setup_traffic_shaping() {
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
+	fatal_error "No default class defined for device $device" unless $devref->{default};
+
 	$device = physical_name $device;
 
 	my $dev = chain_base( $device );
@@ -1500,7 +1552,11 @@ sub setup_traffic_shaping() {
 
 	    if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
 		$sfqinhex = in_hexp( ++$sfq);
-		emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+		if ( $devref->{qdisc} eq 'htb' ) {
+		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+		} else {
+		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+		}
 	    }
 	    #
 	    # add filters
@@ -1513,7 +1569,7 @@ sub setup_traffic_shaping() {
 	    #
 	    # options
 	    #
-	    emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
+	    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
 
 	    for my $tospair ( @{$tcref->{tos}} ) {
 		my ( $tos, $mask ) = split q(/), $tospair;

Shorewall/Perl/compiler.pl

@@ -73,7 +73,7 @@ my $shorewall_dir = '';
 my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
-my $chains        = '';
+my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;

Shorewall/Perl/prog.header

@@ -509,10 +509,10 @@ undo_routing() {
 #
 save_default_route() {
     awk \
-    'BEGIN        {default=0;}; \
-     /^default /  {default=1; print; next}; \
-     /nexthop/    {if (default == 1 ) {print ; next} }; \
-                  { default=0; };'
+    'BEGIN        {defroute=0;};
+     /^default /  {deroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
 }
 
 #

Shorewall/Perl/prog.header6

@@ -497,10 +497,10 @@ undo_routing() {
 #
 save_default_route() {
     awk \
-    'BEGIN        {default=0;}; \
-     /^default /  {default=1; print; next}; \
-     /nexthop/    {if (default == 1 ) {print ; next} }; \
-                  { default=0; };'
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
 }
 
 #

Shorewall/changelog.txt

@@ -1,3 +1,36 @@
+Changes in Shorewall 4.4.19.4
+
+1)  Disallow degenerate entry in tcpri.
+
+2)  More fixes to LIBEXEC/TCPRI
+
+3)  Don't allow filters and tcrules to refer to non-leaf classes.
+
+4)  Issue warning on missing ipset.
+
+5)  Fix logging and exclusion vs 'refresh'.
+
+6)  Fix deletion of IPv6 'shorewall' chain.
+
+Changes in Shorewall 4.4.19.3
+
+1)  Eliminate issue with 'gawk'.
+
+2)  Ensure that a host route to the gateway exists in the main table.
+
+3)  Only allow USER/GROUP in the OUTPUT chain.
+
+4)  Restrict output interface in CLASSIFY TC rules.
+
+Changes in Shorewall 4.4.19.2
+
+1)  Restore the ability to have IPSET names in the ORIGINAL DEST column
+    of a DNAT or REDIRECT rule.
+
+2)  Correct several complex TC issues reported by Mr Dash4.
+
+3)  Detect double exclusion involving ipset expressions.
+
 Changes in Shorewall 4.4.19.1
 
 1)  Eliminate silly duplicate rule when stopped.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -20,3 +20,94 @@
 
     Corrected in Shorewall 4.4.19.1 
 
+4)  There are several known problems in Complex TC:
+
+    a) The following entry in /etc/shorewall/tcclasses
+
+       	A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack
+
+       produces this error:
+
+        ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses
+
+    b) Shorewall reserves class number 1 for the root class of the
+       queuing discipline. Definining class 1 in
+       /etc/shorewall/tcclasses results in a run-time error.
+
+    c) The compiler does not complain if a CLASSID specified in the MARK
+       column of tcrules refers to an IFB class. Such a rule is
+       nonsensical since packets are passed through the IFB before
+       they are passed through any marking rules.
+
+    d) Where there are more than 10 tcdevices, tcfilter entries can
+       generate invalid rules.
+
+    These problems are corrected in Shorewall 4.4.19.2.
+
+3)  Double exclusion involving ipset lists is not detected,
+    resulting in anomalous behavior.
+
+    Example:
+
+	ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]
+
+    Corrected in Shorewall 4.4.19.2.
+
+4)  The changes in 4.4.19.1 that corrected long-standing issues with
+    default route save/restore are incompatible with 'gawk'. When
+    'gawk' is installed (rather than 'mawk'), awk syntax errors having
+    to do with the symbol 'default' were issued.
+
+    Workaround: Install mawk
+
+    Corrected in Shorewall 4.4.19.3.
+
+5)  An entry in the USER/GROUP column in the rules and tcrules files
+    can cause run-time start/restart failures if the rule(s) being
+    added did not have the firewall as the source or and was not being
+    added to the POSTROUTING chain.
+
+    Workaround: Insure that all USER/GROUP matches are only specified
+    when the SOURCE is $FW (rules file) or is being added to the
+    POSTROUTING chain (:T designator in the tcrules file).
+
+    Corrected in Shorewall 4.4.19.3.
+
+6)  The compiler allow degenerate entries (only the BAND column
+    specified) in /etc/shorewall/tcpri. Such entries cause a run-time
+    failure during start/restart.
+
+    Corrected in Shorewall 4.4.19.4.
+
+7)  It is possible to specify tcfilters and tcrules that classify
+    traffic with the class-id of a non-leaf HFSC class. Such
+    classes are not capabable of handling packets.
+
+    If a non-leaf class is specified as the default class, then
+    a run-time start/restart failure occurs.
+
+    Corrected in Shorewall 4.4.19.4.
+
+8)  Shorewall does not check for the existance of ipsets mentioned in
+    the configuration, potentially resulting in a run-time
+    start/restart failure.
+
+    Corrected in Shorewall 4.4.19.4.
+
+9)  As currently implemented, the 'refresh' command can fail or
+    can result in a ruleset other than what was intended. If there
+    have been changes in the ruleset since it was originally
+    started/restarted/restored that added or deleted sequenced chains
+    (chains such as ~lognnn and ~exclnnn), the resulting ruleset can
+    jump to the wrong such chains or can fail to 'refresh'
+    successfully.
+
+    Workaround: Use 'restart' rather than 'refresh'
+
+    Corrected in Shorewall 4.4.19.4.
+
+10) 'shorewall6 refresh' issues a harmless 'ip6tables: Chain exists'
+    error message.
+
+    Corrected in Shorewall 4.4.19.4.
+

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 9 . 1
+                      S H O R E W A L L  4 . 4 . 1 9 . 4
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -13,6 +13,144 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
+4.4.19.4
+
+1)  Previously, the compiler would allow a degenerate entry (only the
+    BAND specified) in /etc/shorewall/tcpri. Such an entry now raises a
+    compilation error.
+
+2)  Previously, it was possible to specify tcfilters and tcrules that
+    classified traffic with the class-id of a non-leaf HFSC class. Such
+    classes are not capabable of handling packets.
+
+    Shorewall now generates a compile-time warning in this case and
+    ignores the entry.
+
+    If a non-leaf class is specified as the default class, then
+    Shorewall now generates a compile-time error since that
+    configuration allows no network traffic to flow.
+
+3)  Traditionally, Shorewall has not checked for the existance of
+    ipsets mentioned in the configuration, potentially resulting in a
+    run-time start/restart failure. Now, the compiler will issue a
+    WARNING if:
+
+    a) The compiler is being run by root.
+    b) The compilation isn't producing a script to run on a remote
+       system under a -lite product.
+    c) An ipset appearing in the configuration does not exist on the
+       local system.
+
+4)  As previously implemented, the 'refresh' command could fail or
+    could result in a ruleset other than what was intended. If there
+    had been changes in the ruleset since it was originally
+    started/restarted/restored that added or deleted sequenced chains
+    (chains such as ~lognnn and ~exclnnn), the resulting ruleset could
+    jump to the wrong such chains or could fail to 'refresh'
+    successfully.
+
+    This issue has been corrected as follows. When a 'refresh' is done
+    and individual chains are involved, then each table that contains
+    both sequenced chains and one of the chains being refreshed is
+    refreshed in its entirety.
+
+    For example, if 'shorwall refresh foo' is issued and the filter
+    table (which is the default) contains any sequenced chains, then
+    the entire table is reloaded. Note that this reload operation is
+    atomic so no packets are passed through an inconsistent
+    configuration.
+
+5)  When 'shorewall6 refresh' was run previously, a harmless
+    'ip6tables: Chain exists' message was generated.
+
+4.4.19.3
+
+1)  The changes in 4.4.19.1 that corrected long-standing issues with
+    default route save/restore were incompatible with 'gawk'. When
+    'gawk' was installed (rather than 'mawk'), awk syntax errors having
+    to do with the symbol 'default' were issued.
+
+    This incompatibility has been corrected.
+
+2)  Previously, an entry in the USER/GROUP column in the rules and
+    tcrules files could cause run-time start/restart failures if the
+    rule(s) being added did not have the firewall as the source (rules
+    file) and were not being added to the POSTROUTING chain (:T
+    designator in the tcrules file). This error is now caught by
+    the compiler.
+
+3)  Shorewall now insures that a route to a default gateway exists in
+    the main table before it attempts to add a default route through
+    that gateway in a provider table. This prevents start/restart
+    failures in the rare event that such a route does not exist.
+
+4)  CLASSIFY TC rules can apply to traffic exiting only the interface
+    associated with the class-id specified in the first column. In a
+    Multi-ISP configuration, a naive user might create this TC rule:
+
+        1:2     -       1.2.3.4
+
+    This will work fine when 1.2.3.4 can only be routed out of a single
+    interface. However, if we assume that eth0 is interface 1, then the
+    above rule only works for traffic leaving via eth0. 
+
+    Beginning with this release, the Shorewall compiler will interpret
+    the above rule as this one:
+
+        1.2     -       eth0:1.2.3.4
+
+4.4.19.2
+
+1)  In Shorewall-shell, there was the ability to specify IPSET names in
+    the ORIGINAL DEST column of DNAT and REDIRECT rules. That ability,
+    inadvertently dropped in Shorewall-perl, has been restored.
+
+    CAUTION: When an IPSET is used in this way, the server port is
+    opened from the SOURCE zone. 
+
+    Example:
+
+	DNAT	net	dmz:10.1.1.2	tcp	80	-	+foo
+
+    will implicitly add this rule
+
+	ACCEPT	net	dmz:10.1.1.2	tcp	80
+
+2)  Several problems with complex TC have been corrected:
+
+    a) The following entry in /etc/shorewall/tcclasses
+
+       	A:1 - 10*full/100:50ms 20*full/100 1 tcp-ack
+
+       produced this error:
+
+        ERROR: Unknown INTERFACE (A) : /etc/shorewall/tcclasses
+
+       This has been corrected.
+
+    b) Shorewall reserves class number 1 for the root class of the
+       queuing discipline. Definining class 1 in
+       /etc/shorewall/tcclasses was previoulsly escaping detection by
+       the compiler, resulting in a run-time error.
+
+    c) The compiler did not complain if a CLASSID specified in the MARK
+       column of tcrules referred to an IFB class. Such a rule would be
+       nonsensical since packets are passed through the IFB before
+       they are passed through any marking rules. Such a configuration
+       now results in a compilation error.
+
+    d) Where there are more than 10 tcdevices, tcfilter entries could
+       generate invalid rules.
+
+3)  Double exclusion involving ipset lists was previously not detected,
+    resulting in anomalous behavior.
+
+    Example:
+
+	ACCEPT:info $FW net:!10.1.0.7,10.1.0.9,+[!my-host[src]]]
+
+    Such cases now result in a compilation error.
+
 4.4.19.1
 
 1)  A duplicate ACCEPT rule in the INPUT chain has been eliminated when

Shorewall/shorewall

@@ -363,11 +363,12 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    if [ $g_perllib = share/shorewall ]; then
-	$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
-    else
-	PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
+    if [ $g_perllib != ${g_libexec}/shorewall ]; then
+	PERL5LIB=/usr/$g_perllib
+	export PERL5LIB
     fi
+    
+    $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
 }
 
 #
@@ -825,6 +826,8 @@ refresh_command() {
 	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
+    else
+	g_refreshchains=:refresh:
     fi
 
     shorewall_is_started || fatal_error "Shorewall is not running"
@@ -1469,7 +1472,7 @@ g_verbose_offset=0
 g_use_verbosity=
 g_debug=
 g_export=
-g_refreshchains=
+g_refreshchains=:none:
 
 #
 # Make sure that these variables are cleared

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.19
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -109,6 +109,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Wed May 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-4
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3
+* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-1
 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.19
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -94,6 +94,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Wed May 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-4
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3
+* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-1
 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6

@@ -300,11 +300,12 @@ compiler() {
 	PERL=/usr/bin/perl
     fi
 
-    if [ $g_perllib = share/shorewall ]; then
-	$command $PERL $debugflags $pc $options $@
-    else
-	$command PERL5LIB=$g_perllib $PERL $debugflags $pc $options $@
+    if [ $g_perllib != ${g_libexec}/shorewall ]; then
+	PERL5LIB=$g_perllib
+	export PERL5LIB
     fi
+    
+    $command $PERL $debugflags $pc $options $@
 }    
 
 #
@@ -756,6 +757,8 @@ refresh_command() {
 	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
+    else
+	g_refreshchains=:refresh:
     fi
 
     shorewall6_is_started || fatal_error "Shorewall6 is not running"
@@ -1377,6 +1380,7 @@ g_verbose_offset=0
 g_use_verbosity=
 g_debug=
 g_export=
+g_refreshchains=:none:
 
 g_noroutes=
 g_purge=

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.19
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,6 +98,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Wed May 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-4
+* Sat May 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-3
+* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.19-2
 * Wed Apr 13 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.19-1
 * Sat Apr 09 2011 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.19.1
+VERSION=4.4.19.4
 
 usage() # $1 = exit status
 {

docs/starting_and_stopping_shorewall.xml

@@ -652,9 +652,10 @@
 
             <entry>firewall stop</entry>
 
-            <entry>Only traffic to/from hosts listed in /etc/shorewall/hosts
-            is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes
-            in /etc/shorewall/shorewall.conf then in addition, all existing
+            <entry>Only traffic to/from hosts listed in
+            /etc/shorewall/routestopped is passed to/from/through the
+            firewall. If ADMINISABSENTMINDED=Yes in
+            /etc/shorewall/shorewall.conf then in addition, all existing
             connections are retained and all connection requests from the
             firewall are accepted.</entry>
           </row>

docs/three-interface.xml

@@ -258,7 +258,7 @@ dmz     ipv4</programlisting>Zone names are defined in
     <filename>/etc/shorewall/zones</filename>.</para>
 
     <para>Note that Shorewall recognizes the firewall system as its own zone.
-    When the /etc/shorewall/zones file is processed, he name of the firewall
+    When the /etc/shorewall/zones file is processed, the name of the firewall
     zone is stored in the shell variable <firstterm>$FW</firstterm> which may
     be used throughout the Shorewall configuration to refer to the firewall
     zone.</para>

manpages/shorewall-blacklist.xml

@@ -38,7 +38,10 @@
         <listitem>
           <para>Host address, network address, MAC address, IP address range
           (if your kernel and iptables contain iprange match support) or ipset
-          name prefaced by "+" (if your kernel supports ipset match).</para>
+          name prefaced by "+" (if your kernel supports ipset match).
+          Exclusion (<ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) is
+          supported.</para>
 
           <para>MAC addresses must be prefixed with "~" and use "-" as a
           separator.</para>

manpages/shorewall-tcclasses.xml

@@ -134,7 +134,8 @@
           classify option is not given, you may still specify a
           <emphasis>class</emphasis> or you may have Shorewall generate a
           class number from the MARK value. Interface numbers and class
-          numbers are always assumed to be specified in hex.</para>
+          numbers are always assumed to be specified in hex and class number 1
+          is reserved as the root class of the queuing discipline.</para>
 
           <para>You may NOT specify wildcards here, e.g. if you have multiple
           ppp interfaces, you need to put them all in here!</para>
@@ -500,12 +501,13 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tcinterfaces.xml

@@ -126,7 +126,12 @@
           <para>Optional. If given specifies whether the interface is
           <emphasis role="bold">external</emphasis> (facing toward the
           Internet) or <emphasis role="bold">internal</emphasis> (facing
-          toward a local network) and enables SFQ flow classification.</para>
+          toward a local network) and enables SFQ flow classification.
+          <emphasis role="bold">external</emphasis> causes the traffic
+          generated by each unique source IP address to be treated as a single
+          flow. <emphasis role="bold">internal</emphasis> causes the traffic
+          generated by each unique destination IP address to be treated as a
+          single flow. </para>
 
           <note>
             <para>Simple traffic shaping is only useful on interfaces where
@@ -203,12 +208,13 @@
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tcrules.xml

@@ -80,18 +80,19 @@
               marks (see below).</para>
 
               <para>May optionally be followed by <emphasis
+              role="bold">:P</emphasis>, <emphasis
+              role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
+              <emphasis role="bold">:I</emphasis> where<emphasis role="bold">
+              :P</emphasis> indicates that marking should occur in the
+              PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
+              that marking should occur in the FORWARD chain, <emphasis
+              role="bold">:I </emphasis>indicates that marking should occur in
+              the INPUT chain (added in Shorewall 4.4.13), and <emphasis
+              role="bold">:T</emphasis> indicates that marking should occur in
+              the POSTROUTING chain. If neither <emphasis
               role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              or <emphasis role="bold">:T</emphasis> where<emphasis
-              role="bold"> :P</emphasis> indicates that marking should occur
-              in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
-              indicates that marking should occur in the FORWARD chain, :I
-              indicates that marking should occur in the INPUT chain (added in
-              Shorewall 4.4.13), and <emphasis role="bold">:T</emphasis>
-              indicates that marking should occur in the POSTROUTING chain. If
-              neither <emphasis role="bold">:P</emphasis>, <emphasis
-              role="bold">:F</emphasis> nor <emphasis
-              role="bold">:T</emphasis> follow the mark value then the chain
-              is determined as follows:</para>
+              nor <emphasis role="bold">:T</emphasis> follow the mark value
+              then the chain is determined as follows:</para>
 
               <para>- If the SOURCE is <emphasis
               role="bold">$FW</emphasis>[<emphasis
@@ -106,13 +107,17 @@
               MARK_IN_FORWARD_CHAIN in <ulink
               url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
+              <para>Please note that <emphasis role="bold">:I</emphasis> is
+              included for completeness and affects neither traffic shaping
+              nor policy routing.</para>
+
               <para>If your kernel and iptables include CONNMARK support then
               you can also mark the connection rather than the packet.</para>
 
               <para>The mark value may be optionally followed by "/" and a
               mask value (used to determine those bits of the connection mark
               to actually be set). The mark and optional mask are then
-              followed by one of:+</para>
+              followed by one of:</para>
 
               <variablelist>
                 <varlistentry>
@@ -147,6 +152,16 @@
                     <para>Mark the connecdtion in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                  <term>CI</term>
+
+                  <listitem>
+                    <para>Mark the connection in the INPUT chain. This option
+                    is included for completeness and has no applicability to
+                    traffic shaping or policy routing.</para>
+                  </listitem>
+                </varlistentry>
               </variablelist>
 
               <para><emphasis role="bold">Special considerations for If
@@ -432,6 +447,11 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               packets originating on the firewall. May not be used with a
               chain qualifier (:P, :F, etc.) in the MARK column.</para>
             </listitem>
+
+            <listitem>
+              <para><replaceable>address-or-range</replaceable> may include
+              ipsets.</para>
+            </listitem>
           </orderedlist>
 
           <para>MAC addresses must be prefixed with "~" and use "-" as a
@@ -474,6 +494,11 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               itself or qualified by an address list. This causes marking to
               occur in the INPUT chain.</para>
             </listitem>
+
+            <listitem>
+              <para><replaceable>address-or-range</replaceable> may include
+              ipsets.</para>
+            </listitem>
           </orderedlist>
 
           <para>You may exclude certain hosts from the set already defined
@@ -598,7 +623,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TEST</emphasis> - [<emphasis
+        <term><emphasis role="bold">TEST</emphasis> (Optional) - [<emphasis
         role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
         role="bold">:C</emphasis>]</term>
 
@@ -665,7 +690,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TOS</emphasis> -
+        <term><emphasis role="bold">TOS</emphasis> (Optional) -
         <emphasis>tos</emphasis></term>
 
         <listitem>
@@ -681,7 +706,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CONNBYTES</emphasis> -
+        <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
         [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
         role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
         role="bold">B</emphasis>}[:{<emphasis
@@ -728,7 +753,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HELPER -
+        <term><emphasis role="bold">HELPER (Optional) -
         </emphasis><emphasis>helper</emphasis></term>
 
         <listitem>
@@ -805,10 +830,10 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
     shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>

manpages6/shorewall6-blacklist.xml

@@ -38,8 +38,10 @@
         <listitem>
           <para>Host address, network address, MAC address, IP address range
           (if your kernel and ip6tables contain iprange match support) or
-          ipset name prefaced by "+" (if your kernel supports ipset
-          match).</para>
+          ipset name prefaced by "+" (if your kernel supports ipset match).
+          Exclusion (<ulink
+          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)) is
+          supported.</para>
 
           <para>MAC addresses must be prefixed with "~" and use "-" as a
           separator.</para>

manpages6/shorewall6-tcclasses.xml

@@ -117,7 +117,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">INTERFACE</emphasis> -
-        <emphasis>interface</emphasis>[:<emphasis>class</emphasis>]</term>
+        <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>
 
         <listitem>
           <para>Name of <emphasis>interface</emphasis>. Each interface may be
@@ -141,7 +141,8 @@
           file.</para>
 
           <para>Normally, all classes defined here are sub-classes of a root
-          class that is implicitly defined from the entry in <ulink
+          class (class number 1) that is implicitly defined from the entry in
+          <ulink
           url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5). You
           can establish a class hierarchy by specifying a
           <emphasis>parent</emphasis> class -- the number of a class that you
@@ -454,8 +455,8 @@
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
     shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
     shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-tcinterfaces.xml

@@ -126,7 +126,12 @@
           <para>Optional. If given specifies whether the interface is
           <emphasis role="bold">external</emphasis> (facing toward the
           Internet) or <emphasis role="bold">internal</emphasis> (facing
-          toward a local network) and enables SFQ flow classification.</para>
+          toward a local network) and enables SFQ flow classification.
+          <emphasis role="bold">external</emphasis> causes the traffic
+          generated by each unique source IP address to be treated as a single
+          flow. <emphasis role="bold">internal</emphasis> causes the traffic
+          generated by each unique destination IP address to be treated as a
+          single flow. </para>
 
           <note>
             <para>Simple traffic shaping is only useful on interfaces where

manpages6/shorewall6-tcrules.xml

@@ -103,6 +103,10 @@
               MARK_IN_FORWARD_CHAIN in <ulink
               url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
 
+              <para>Please note that <emphasis role="bold">:I</emphasis> is
+              included for completeness and affects neither traffic shaping
+              nor policy routing.</para>
+
               <para>If your kernel and ip6tables include CONNMARK support then
               you can also mark the connection rather than the packet.</para>
 
@@ -144,6 +148,16 @@
                     <para>Mark the connection in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
+
+                <varlistentry>
+                  <term>CI</term>
+
+                  <listitem>
+                    <para>Mark the connection in the INPUT chain. This option
+                    is included for completeness and has no applicability to
+                    traffic shaping or policy routing.</para>
+                  </listitem>
+                </varlistentry>
               </variablelist>
 
               <para><emphasis role="bold">Special considerations for If
@@ -292,11 +306,12 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           names, IP addresses, MAC addresses and/or subnets for packets being
           routed through a common path. List elements may also consist of an
           interface name followed by ":" and an address (e.g.,
-          eth1:&lt;2002:ce7c:92b4::/48&gt;). For example, all packets for
-          connections masqueraded to eth0 from other interfaces can be matched
-          in a single rule with several alternative SOURCE criteria. However,
-          a connection whose packets gets to eth0 in a different way, e.g.,
-          direct from the firewall itself, needs a different rule.</para>
+          eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. For example, all
+          packets for connections masqueraded to eth0 from other interfaces
+          can be matched in a single rule with several alternative SOURCE
+          criteria. However, a connection whose packets gets to eth0 in a
+          different way, e.g., direct from the firewall itself, needs a
+          different rule.</para>
 
           <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
           own separate rule for packets originating on the firewall. In such a
@@ -330,8 +345,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           addresses and/or subnets. If your kernel and ip6tables include
           iprange match support, IP address ranges are also allowed. List
           elements may also consist of an interface name followed by ":" and
-          an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
-          <emphasis role="bold">MARK</emphasis> column specificies a
+          an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. If
+          the <emphasis role="bold">MARK</emphasis> column specificies a
           classification of the form
           <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
           column may also contain an interface name.</para>
@@ -452,7 +467,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TEST</emphasis> - [<emphasis
+        <term><emphasis role="bold">TEST</emphasis>(Optional) - [<emphasis
         role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
         role="bold">:C</emphasis>]</term>
 
@@ -519,7 +534,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TOS</emphasis> -
+        <term><emphasis role="bold">TOS</emphasis> (Optional) -
         <emphasis>tos</emphasis></term>
 
         <listitem>
@@ -535,7 +550,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CONNBYTES</emphasis> -
+        <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
         [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
         role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
         role="bold">B</emphasis>}[:{<emphasis
@@ -582,7 +597,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HELPER -
+        <term><emphasis role="bold">HELPER (Optional) -
         </emphasis><emphasis>helper</emphasis></term>
 
         <listitem>