Document fix for IPSET_MATCH detection.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/shorewall.conf

@@ -29,8 +29,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -39,8 +37,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -134,8 +130,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=

Samples/one-interface/shorewall.conf

@@ -40,8 +40,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -50,8 +48,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -145,8 +141,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples/three-interfaces/shorewall.conf

@@ -38,8 +38,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -48,8 +46,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -143,8 +139,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples/two-interfaces/shorewall.conf

@@ -41,8 +41,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -51,8 +49,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -146,8 +142,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples6/Universal/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=

Samples6/one-interface/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=No
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples6/three-interfaces/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples6/two-interfaces/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=No
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.20
-%define release 1
+%define release 4
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -119,6 +119,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-4
+* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-3
+* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-2
 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.20-1
 * Tue May 31 2011 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.20
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -103,6 +103,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-4
+* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-3
+* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-2
 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.20-1
 * Tue May 31 2011 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -1026,6 +1026,10 @@ sub use_forward_chain($$) {
 
     return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
     #
+    # Use it if we already have jumps to it
+    #
+    return 1 if keys %{$chainref->{references}};
+    #
     # We must use the interfaces's chain if the interface is associated with multiple zones
     #
     return 1 if ( keys %{interface_zones $interface} ) > 1;
@@ -1592,24 +1596,24 @@ sub initialize_chain_table($) {
 		    'DEL'             => STANDARD + SET,
 		   );
 
-	for my $chain qw(OUTPUT PREROUTING) {
+	for my $chain ( qw(OUTPUT PREROUTING) ) {
 	    new_builtin_chain 'raw', $chain, 'ACCEPT';
 	}
 
-	for my $chain qw(INPUT OUTPUT FORWARD) {
+	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
 
-	for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
+	for my $chain ( qw(PREROUTING POSTROUTING OUTPUT) ) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
-	for my $chain qw(PREROUTING INPUT OUTPUT ) {
+	for my $chain ( qw(PREROUTING INPUT OUTPUT ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    for my $chain qw( FORWARD POSTROUTING ) {
+	    for my $chain ( qw( FORWARD POSTROUTING ) ) {
 		new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	    }
 	}
@@ -1635,19 +1639,19 @@ sub initialize_chain_table($) {
 		    'DEL'             => STANDARD + SET,
 		   );
 
-	for my $chain qw(OUTPUT PREROUTING) {
+	for my $chain ( qw(OUTPUT PREROUTING) ) {
 	    new_builtin_chain 'raw', $chain, 'ACCEPT';
 	}
 
-	for my $chain qw(INPUT OUTPUT FORWARD) {
+	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
 
-	for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
+	for my $chain ( qw(PREROUTING POSTROUTING OUTPUT) ) {
 	    new_builtin_chain 'nat', $chain, 'ACCEPT';
 	}
 
-	for my $chain qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) {
+	for my $chain ( qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) ) {
 	    new_builtin_chain 'mangle', $chain, 'ACCEPT';
 	}
     }
@@ -1662,7 +1666,7 @@ sub initialize_chain_table($) {
 	    $builtin_target{AUDIT} = 1;
 	}
 
-	dont_move   new_standard_chain 'reject';
+	dont_move new_standard_chain 'reject';
     }
 }
 
@@ -2884,6 +2888,8 @@ sub get_set_flags( $$ ) {
     my ( $setname, $option ) = @_;
     my $options = $option;
 
+    require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
+
     $ipset_rules++;
 
     $setname =~ s/^!//; # Caller has already taken care of leading !
@@ -2982,7 +2988,6 @@ sub match_source_net( $;$\$ ) {
     }
 
     if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
-	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
     }
 
@@ -3032,7 +3037,6 @@ sub match_dest_net( $ ) {
     }
 
     if ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
-	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	return join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
     }
 
@@ -4830,7 +4834,7 @@ sub create_chainlist_reload($) {
 
 	enter_cat_mode;
 
-	for $table qw(raw nat mangle filter) {
+	for $table ( qw(raw nat mangle filter) ) {
 	    my $tableref=$chains{$table};
 
 	    next unless $tableref;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -108,7 +108,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
 
-    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -116,7 +116,7 @@ EOF
 	emit '}';
     }
 
-    for my $exit qw/isusable findgw/ {
+    for my $exit ( qw/isusable findgw/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';

Shorewall/Perl/Shorewall/Config.pm

@@ -420,7 +420,7 @@ sub initialize( $ ) {
 		    EXPORT     => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.20.1",
+		    VERSION    => "4.4.20.4",
 		    CAPVERSION => 40417 ,
 		  );
     #
@@ -3474,7 +3474,7 @@ sub get_configuration( $ ) {
     fatal_error 'IPSECFILE=ipsec is not supported by Shorewall ' . $globals{VERSION} if $config{IPSECFILE} eq 'ipsec';
     fatal_error "Invalid IPSECFILE value ($config{IPSECFILE}"                    unless $config{IPSECFILE} eq 'zones';
 
-    for my $default qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 
@@ -3679,7 +3679,7 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
 	conditionally_add_option $option;
     }
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -477,6 +477,7 @@ sub add_common_rules() {
     my $interface;
     my $chainref;
     my $target;
+    my $target1;
     my $rule;
     my $list;
     my $chain;
@@ -496,15 +497,14 @@ sub add_common_rules() {
 
     setup_mss;
 
-    if ( $config{FASTACCEPT} ) {
-	add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
-    }
+    add_rule( $filter_table->{OUTPUT} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) if ( $config{FASTACCEPT} );
 
     my $policy   = $config{SFILTER_DISPOSITION};
     $level       = $config{SFILTER_LOG_LEVEL};
     my $audit    = $policy =~ s/^A_//;
+    my $ipsec    = have_ipsec ? '-m policy --pol none --dir in '  : '';
 
-    if ( $level || $audit ) {
+    if ( $level || $audit || $ipsec ) {
 	$chainref = new_standard_chain 'sfilter';
 
 	log_rule $level , $chainref , $policy , '' if $level ne '';
@@ -514,10 +514,26 @@ sub add_common_rules() {
 	add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
 	
 	$target = 'sfilter';
+
+	if ( $ipsec ) {
+	    $chainref = new_standard_chain 'sfilter1';
+
+	    add_rule ( $chainref, '-m policy --pol ipsec --dir out -j RETURN' );
+
+	    log_rule $level , $chainref , $policy , '' if $level ne '';
+	
+	    add_rule( $chainref, '-j AUDIT --type ' . lc $policy ) if $audit;
+	
+	    add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
+	
+	    $target1 = 'sfilter1';
+	}
     } elsif ( ( $target = $policy ) eq 'REJECT' ) {
 	$target = 'reject';
     }
 
+    $target1 = $target unless $target1;
+
     for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
 
@@ -530,21 +546,34 @@ sub add_common_rules() {
 	    $chainref = $filter_table->{forward_chain $interface};
 	
 	    if ( @filters ) {
-		add_jump( $chainref , $target, 1, match_source_net( $_ ) ), $chainref->{filtered}++ for @filters;
+		add_jump( $chainref  , $target1, ! $ipsec, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
-		add_jump( $chainref , $target, 1, match_dest_dev( $interface ) ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
+		add_jump( $chainref , $target1, ! $ipsec, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++
+		    unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+';
 	    }
-	
-	    add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
+
+	    add_rule( $chainref,  "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
 	    add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
 
+	    $chainref = $filter_table->{input_chain $interface};
+	
+	    if ( @filters ) {
+		add_jump( $chainref  , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
+	    }
+	
+	    add_rule( $chainref,  "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
+	    add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
 	}
     }
 
     #
-    # Delete 'sfilter' chain unless there are referenced to it
+    # Delete 'sfilter' chains unless there are referenced to them
     #
-    $chainref->{referenced} = 0 unless keys %{($chainref = $filter_table->{sfilter})->{references}};
+    for ( qw/sfilter sfilter1/ ) {
+	if ( $chainref = $filter_table->{$_} ) {
+	    $chainref->{referenced} = 0 unless keys %{$chainref->{references}};
+	}
+    }
 
     run_user_exit1 'initdone';
 
@@ -1796,7 +1825,7 @@ sub generate_matrix() {
     }
 
     if ( $config{LOGALLNEW} ) {
-	for my $table qw/mangle nat filter/ {
+	for my $table ( qw/mangle nat filter/ ) {
 	    for my $chain ( @{$builtins{$table}} ) {
 		log_rule_limit
 		    $config{LOGALLNEW} ,

Shorewall/Perl/Shorewall/Rules.pm

@@ -460,7 +460,7 @@ sub process_policies()
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};
 	next if $action eq 'none';
 	my $actiontype = $targets{$action};

Shorewall/Perl/Shorewall/Tc.pm

@@ -1309,6 +1309,13 @@ sub process_tc_priority() {
 	return;
     }
 
+    fatal_error "Invalid tcpri entry" if ( $proto     eq '-' &&
+					   $ports     eq '-' &&
+					   $address   eq '-' &&
+					   $interface eq '-' &&
+					   $helper    eq '-' );
+
+
     my $val = numeric_value $band;
 
     fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1402,7 +1409,7 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
-    my $sfq = $devnum;
+    my $sfq = 0;
     my $sfqinhex;
 
     $devnum = $devnum > 10 ? 10 : 1;
@@ -1546,7 +1553,9 @@ sub setup_traffic_shaping() {
 	    }
 
 	    if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-		$sfqinhex = in_hexp( ++$sfq);
+		1 while $devnums[++$sfq];
+
+		$sfqinhex = in_hexp( $sfq);
 		if ( $devref->{qdisc} eq 'htb' ) {
 		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
 		} else {

Shorewall/Perl/Shorewall/Zones.pm

@@ -745,6 +745,8 @@ sub add_group_to_zone($$$$$)
 			     hosts   => \@newnetworks,
 			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
+
+    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
 }
 
 #
@@ -1059,10 +1061,7 @@ sub process_interface( $$ ) {
 		    #
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
-		    warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
-
 		    $filterref = [ split_list $value, 'address' ];
-		    
 		    validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
@@ -1835,6 +1834,8 @@ sub validate_hosts_file()
 
     $have_ipsec = $ipsec || haveipseczones;
 
+    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
+
 }
 
 #

Shorewall/changelog.txt

@@ -1,3 +1,27 @@
+Changes in Shorewall 4.4.20.4
+
+1)  Have AUTOMAKE follow CONFIG_PATH
+
+2)  Be sure to detect IPSET_MATCH before OLD_IPSET_MATCH.
+
+Changes in Shorewall 4.4.20.3
+
+1)  Remove deprecated options from the .conf files.
+
+2)  Exempt wildcard interfaces from sfilter.
+
+Changes in Shorewall 4.4.20.2
+
+1)  Reject degenerate tcpri entries.
+
+2)  Correct tc defect.
+
+3)  Apply sfilters to INPUT traffic.
+
+4)  Exclude ipsec traffic from sfilter.
+
+5)  Fix an interesting defect.
+
 Changes in Shorewall 4.4.20.1
 
 1)  Corrected FSF address.

Shorewall/configfiles/masq

@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-###############################################################################
+#############################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/shorewall.conf

@@ -29,14 +29,10 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 LOGLIMIT=
@@ -134,8 +130,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1,4 +1,70 @@
 1)  On systems running Upstart, shorewall-init cannot reliably secure
     the firewall before interfaces are brought up.
 
-   
+2)  The 4.4.20 Shorewall6 installer always installs the 'plain'
+    (unannotated) version of shorewall6.conf, regardless of the '-p'
+    option.
+
+    Corrected in 4.4.20.1
+
+3)  Fixed item 1 from 4.4.19.4 was inadvertently omitted from
+    4.4.20.
+
+    Corrected in 4.4.20.2
+
+2)  A defect introduced in 4.4.20 can cause the following failure at
+    start/restart:
+
+	ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
+                        sfq quantum 12498 limit 127 perturb 10" failed
+
+    The error occurs when explicit interface numbers are assigned in
+    /etc/shorewall/tcdevices and the default HTB queuing discipline is
+    used.
+
+    Corrected in 4.4.20.2
+
+3)  The 'sfilter' interface option introduced in 4.4.20 is not applied
+    to traffic addressed to the firewall itself.
+
+    Corrected in 4.4.20.2
+
+4)  IPSEC traffic is incorrectly included in the rules generated by
+    sfiltering.
+
+    Corrected in 4.4.20.2
+
+5)  Shorewall 4.4.20 can, under some circumstances, fail during
+    iptables-restore with a message such as the following:
+
+    iptables-restore v1.4.10: Couldn't load target
+    `dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object
+    file: No such file or directory
+
+    Error occurred at line: 113
+    Try `iptables-restore -h' or 'iptables-restore --help' for more
+    information.
+
+    ERROR: iptables-restore Failed. Input is in
+    	   /var/lib/shorewall/.iptables-restore-input
+
+    Corrected in 4.4.20.2
+
+6)  The following extraneous warning message may be ignored:
+
+    	WARNING: sfilter is ineffective with FASTACCEPT=Yes
+
+    Corrected in 4.4.20.2
+
+7)  A simple configuration like the 'Universal' sample that includes a
+    single wildcard interface ('+' in the INTERFACE column) produces a
+    ruleset that blocks all incoming packets.
+
+    Workaround: Add the 'routeback' option to the entry in
+    /etc/shorewall/interfaces.
+
+    Corrected in 4.4.20.3
+ 
+8)  AUTOMAKE only searches /etc/shorewall[6] for files newer than the
+    current compiled script (/var/lib/shorewall[6]/firewall) and not
+    the entire CONFIG_PATH.

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                   S H O R E W A L L  4 . 4 . 20 . 1
+                   S H O R E W A L L  4 . 4 . 20 . 3
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -12,6 +12,64 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
+4.4.20.4
+
+1)  Previously, AUTOMAKE only searched /etc/shorewall[6] for files
+    newer than the current compiled script
+    (/var/lib/shorewall[6]/firewall). Now it searches the entire
+    CONFIG_PATH for such files.
+
+2)  With LOAD_HELPERS_ONLY=Yes, the compiler could use the deprectated
+    --set parameter to the ipset match when --match-set was
+    appropriate. 
+
+4.4.20.3
+
+1)  Deprecated options have been removed from the .conf files. 
+    They remain in the man pages.
+
+2)  A simple configuration like the 'Universal' sample that includes a
+    single wildcard interface ('+' in the INTERFACE column) produces a
+    ruleset that blocks all incoming packets.
+
+    As part of correcting this defect, which was introduced in
+    4.4.20.2, one or more superfluous rules (which could never match)
+    have been eliminated from most configurations.
+
+4.4.20.2
+
+1)  Problem Corrected #1 from 4.4.19.4 was inadvertently omitted from
+    4.4.20. It is now included.
+
+2)  A defect introduced in 4.4.20 could cause the following failure at
+    start/restart:
+
+	ERROR: Command "tc qdisc add dev eth0 parent 1:11 handle 1:
+                        sfq quantum 12498 limit 127 perturb 10" failed
+
+3)  The 'sfilter' interface option introduced in 4.4.20 was only
+    applied to forwarded traffic. Now it is also applied to traffic
+    addressed to the firewall itself.
+
+4)  IPSEC traffic is now (correctly) excluded from sfilter.
+
+5)  Shorewall 4.4.20 could, under some circumstances, fail during
+    iptables-restore with a message such as the following:
+
+    iptables-restore v1.4.10: Couldn't load target
+    `dsl0_fwd':/usr/lib/xtables/libipt_dsl0_fwd.so: cannot open shared object
+    file: No such file or directory
+
+    Error occurred at line: 113
+    Try `iptables-restore -h' or 'iptables-restore --help' for more
+    information.
+
+    ERROR: iptables-restore Failed. Input is in
+    	   /var/lib/shorewall/.iptables-restore-input
+
+6)  The following incorrect warning message has been eliminated:
+
+    	WARNING: sfilter is ineffective with FASTACCEPT=Yes
 
 4.4.20.1
 

Shorewall/shorewall

@@ -330,7 +330,24 @@ startup_error() {
 # Determine if there are config files newer than the passed object
 #
 uptodate() {
-    [ -f $1 ] && [ -z "$(find ${CONFDIR} -newer $1)" ]
+    [ -f $1 ] || return 1
+
+    local dir
+    local ifs
+
+    ifs="$IFS"
+    IFS=':'
+
+    for dir in $CONFIG_PATH; do
+	if [ -n "$(find ${dir} -newer $1)" ]; then
+	    IFS="$ifs"
+	    return 1;
+	fi
+    done
+
+    IFS="$ifs"
+
+    return 0
 }
 
 #

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.20
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -111,6 +111,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
+* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-4
+* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-3
+* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-2
 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.20-1
 * Tue May 31 2011 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.20
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -94,6 +94,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-4
+* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-3
+* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-2
 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.20-1
 * Tue May 31 2011 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall6/configfiles/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=Yes

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6

@@ -330,7 +330,24 @@ startup_error() {
 # Determine if there are config files newer than the passed object
 #
 uptodate() {
-    [ -f $1 ] && [ -z "$(find ${CONFDIR} -newer $1)" ]
+    [ -f $1 ] || return 1
+
+    local dir
+    local ifs
+
+    ifs="$IFS"
+    IFS=':'
+
+    for dir in $CONFIG_PATH; do
+	if [ -n "$(find ${dir} -newer $1)" ]; then
+	    IFS="$ifs"
+	    return 1;
+	fi
+    done
+
+    IFS="$ifs"
+
+    return 0
 }
 
 #

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.20
-%define release 1
+%define release 4
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -101,6 +101,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Wed Jun 15 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-4
+* Sun Jun 12 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-3
+* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.20-2
 * Mon Jun 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.20-1
 * Tue May 31 2011 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=4.4.20.4
 
 usage() # $1 = exit status
 {

manpages/shorewall-interfaces.xml

@@ -312,18 +312,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>filter=(<emphasis>net</emphasis>[,...])</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.20. This option should be used on
-                bridges or other interfaces with the
-                <option>routeback</option> option. On these interfaces, it
-                should list those local networks that are not routed out of
-                the bridge or interface.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis
               role="bold">logmartians[={0|1}]</emphasis></term>
@@ -564,6 +552,49 @@ loc     eth2            -</programlisting>
                 <para>This option can also be enabled globally in the <ulink
                 url="shorewall.conf.html">shorewall.conf</ulink>(5)
                 file.</para>
+
+                <note>
+                  <para>There are certain cases where
+                  <option>routefilter</option> cannot be used on an
+                  interface:</para>
+
+                  <itemizedlist>
+                    <listitem>
+                      <para>If USE_DEFAULT_RT=Yes in <ulink
+                      url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+                      the interface is listed in <ulink
+                      url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+                    </listitem>
+
+                    <listitem>
+                      <para>If there is an entry for the interface in <ulink
+                      url="shorewall-providers.html">shorewall-providers</ulink>(5)
+                      that doesn't specify the <option>balance</option>
+                      option.</para>
+                    </listitem>
+
+                    <listitem>
+                      <para>If IPSEC is used to allow a road-warrior to have a
+                      local address, then any interface through which the
+                      road-warrior might connect cannot specify
+                      <option>routefilter</option>.</para>
+                    </listitem>
+                  </itemizedlist>
+                </note>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.20. This option provides an
+                anti-spoofing alternative to <option>routefilter</option> on
+                interfaces where that option cannot be used, but where the
+                <option>routeback</option> option is required (on a bridge,
+                for example). On these interfaces, <option>sfilter</option>
+                should list those local networks that are connected to the
+                firewall through other interfaces.</para>
               </listitem>
             </varlistentry>
 

manpages/shorewall-providers.xml

@@ -166,7 +166,7 @@
 
                 <para>Beginning with Shorewall 4.4.3, <option>track</option>
                 defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink url="shorwewall.conf.html">shorewall.conf</ulink> (5).
+                <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
                 If you set TRACK_PROVIDERS=Yes and want to override that
                 setting for an individual provider, then specify
                 <option>notrack</option> (see below).</para>
@@ -340,12 +340,13 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tcdevices.xml

@@ -137,7 +137,7 @@
           qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
           non-empty.</para>
 
-          <para>The optional burst option was added in Shorewall 4.4.13. The
+          <para>The optional burst option was added in Shorewall 4.4.18. The
           default <replaceable>burst</replaceable> is 10kb. A larger
           <replaceable>burst</replaceable> can help make the
           <replaceable>bandwidth</replaceable> more accurate; often for fast

manpages/shorewall.conf.xml

@@ -576,10 +576,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
       <varlistentry>
         <term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}
-        (Deprecated beginning with Shorewall 4.4.17)</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
+          <para>Deprecated in Shorewall 4.4.17.</para>
+
           <para>Beginning with Shorewall 4.4.17, the variables set in the
           'params' file at compile time are available at run time with
           EXPORTPARAMS=No. As a consequence, beginning with that version the
@@ -965,10 +966,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
             <important>
               <para>To help insure that all packets in the NEW state are
-              logged, rate limiting (LOGBURST and LOGRATE) should be disabled
-              when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
-              cause high CPU and disk utilization and you may not be able to
-              control your firewall after you enable this option.</para>
+              logged, rate limiting (LOGLIMIT or deprecated options LOGBURST
+              and LOGRATE) should be disabled when using LOGALLNEW. Use
+              LOGALLNEW at your own risk; it may cause high CPU and disk
+              utilization and you may not be able to control your firewall
+              after you enable this option.</para>
             </important>
 
             <para></para>
@@ -1054,7 +1056,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
 
         <listitem>
-          <para></para>
+          <para>Deprecated in Shorewall 4.4.12.</para>
         </listitem>
       </varlistentry>
 

manpages6/shorewall6-interfaces.xml

@@ -204,18 +204,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>filter=(<emphasis>net</emphasis>[,...])</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.20. This option should be used on
-                bridges or other interfaces with the
-                <option>routeback</option> option. On these interfaces, it
-                should list those local networks that are not routed out of
-                the bridge or interface.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
 
@@ -349,6 +337,23 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.20. At this writing (spring
+                2011), Linux does not support reverse path filtering (RFC3704)
+                for IPv6. In its absence, <option>sfilter</option> may be used
+                as an anti-spoofing measure.</para>
+
+                <para>This option should be used on bridges or other
+                interfaces with the <option>routeback</option> option. On
+                these interfaces, <option>sfilter</option> should list those
+                local networks that are connected to the firewall through
+                other interfaces.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">tcpflags</emphasis></term>
 

manpages6/shorewall6-tcdevices.xml

@@ -138,7 +138,7 @@
           qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
           non-empty.</para>
 
-          <para>The optional burst option was added in Shorewall6 4.4.13. The
+          <para>The optional burst option was added in Shorewall6 4.4.18. The
           default <replaceable>burst</replaceable> is 10kb. A larger
           <replaceable>burst</replaceable> can help make the
           <replaceable>bandwidth</replaceable> more accurate; often for fast

manpages6/shorewall6.conf.xml

@@ -499,10 +499,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
       <varlistentry>
         <term><emphasis role="bold">EXPORTPARAMS=</emphasis>{<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}
-        (Deprecated beginning with Shorewall 4.4.17)</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
+          <para>Deprecated beginning with Shorewall 4.4.17.</para>
+
           <para>Beginning with Shorewall 4.4.17, the variables set in the
           'params' file at compile time are available at run time with
           EXPORTPARAMS=No. As a consequence, beginning with that version the
@@ -842,10 +843,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
             <important>
               <para>To help insure that all packets in the NEW state are
-              logged, rate limiting (LOGBURST and LOGRATE) should be disabled
-              when using LOGALLNEW. Use LOGALLNEW at your own risk; it may
-              cause high CPU and disk utilization and you may not be able to
-              control your firewall after you enable this option.</para>
+              logged, rate limiting (LOGLIMIT or deprecated options LOGBURST
+              and LOGRATE) should be disabled when using LOGALLNEW. Use
+              LOGALLNEW at your own risk; it may cause high CPU and disk
+              utilization and you may not be able to control your firewall
+              after you enable this option.</para>
             </important>
 
             <para></para>
@@ -930,7 +932,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">LOGBURST=</emphasis>[<emphasis>burst</emphasis>]</term>
 
         <listitem>
-          <para></para>
+          <para>Deprecated in Shorewall 4.4.12.</para>
         </listitem>
       </varlistentry>
 
@@ -942,7 +944,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
         <listitem>
           <para>As of Shorewall 4.4.12, these parameters are
-          deprecated.</para>
+          Deprecated.</para>
 
           <para>These parameters set the match rate and initial burst size for
           logged packets. Please see ip6tables(8) for a description of the