Another fix for reference counting.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.21
+VERSION=xxx #The Build script inserts the actual version.
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.21
-%define release 0base
+%define release 2
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -119,8 +119,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
+* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-2
+* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-1
+* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0base
+* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC3
+* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC2
 * Thu Jun 23 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0RC1
 * Sun Jun 19 2011 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.21
+VERSION=xxx  #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.21
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.21
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -103,8 +103,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
+* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-2
+* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-1
+* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0base
+* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC3
+* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC2
 * Thu Jun 23 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0RC1
 * Sun Jun 19 2011 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.21
+VERSION=xxx  #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.21';
+our $VERSION = '4.4_21';
 
 #
 # Per-IP accounting tables. Each entry contains the associated network.

Shorewall/Perl/Shorewall/Chains.pm

@@ -587,6 +587,8 @@ sub handle_port_list( $$$$$$ );
 sub handle_port_list( $$$$$$ ) {
     my ($chainref, $rule, $dport, $first, $ports, $rest) = @_;
 
+    our $splitcount;
+
     if ( port_count( $ports ) > 15 ) {
 	#
 	# More than 15 ports specified
@@ -621,12 +623,14 @@ sub handle_port_list( $$$$$$ ) {
 		handle_port_list( $chainref, $newrule, 0, $1, $2, $3 );
 	    } else {
 		push_rule ( $chainref, $newrule );
+		$splitcount++;
 	    }
 	}
     } elsif ( $dport && $rule =~  /^(.* --sports\s+)([^ ]+)(.*)$/ ) {
 	handle_port_list( $chainref, $rule, 0, $1, $2, $3 );
     } else {
 	push_rule ( $chainref, $rule );
+	$splitcount++;
     }
 }
 
@@ -636,7 +640,8 @@ sub handle_port_list( $$$$$$ ) {
 sub handle_icmptype_list( $$$$ ) {
     my ($chainref, $first, $types, $rest) = @_;
     my @ports = split ',', $types;
-    push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ) while @ports;
+    our $splitcount;
+    push_rule ( $chainref, join ( '', $first, shift @ports, $rest ) ), $splitcount++ while @ports;
 }
 
 #
@@ -647,6 +652,8 @@ sub handle_icmptype_list( $$$$ ) {
 sub add_rule($$;$) {
     my ($chainref, $rule, $expandports) = @_;
 
+    our $splitcount;
+
     assert( ! reftype $rule );
 
     $iprangematch = 0;
@@ -678,15 +685,24 @@ sub add_rule($$;$) {
 		handle_icmptype_list( $chainref, $first, $types, $rest );
 	    } else {
 		push_rule( $chainref, $rule );
+		$splitcount++;
 	    }
 	} else {
 	    push_rule ( $chainref, $rule );
+	    $splitcount++;
 	}
     } else {
 	push_rule( $chainref, $rule );
     }
 }
 
+sub add_counted_rule($$) {
+    my ( $chainref, $rule ) = @_;
+    our $splitcount = 0;
+    add_rule( $chainref, $rule, 1 );
+    return $splitcount;
+}
+
 #
 # Make the first chain a referent of the second
 #
@@ -1339,6 +1355,13 @@ sub add_jump( $$$;$$$ ) {
     }
 }
 
+sub add_counted_jump( $$$ ) {
+    my ( $chainref, $to, $rule ) = @_;
+    our $splitcount = 0;
+    add_jump( $chainref, $to, 0, $rule, 1 );
+    return $splitcount - 1;
+}
+
 #
 # Delete jumps previously added via add_jump. If the target chain is empty, reset its
 # referenced flag
@@ -3364,7 +3387,7 @@ sub log_rule_limit( $$$$$$$$ ) {
 	    $prefix = "-j $level --nflog-prefix \"$prefix\" ";
 	} elsif ( $level =~ '^LOGMARK' ) {
 	    $prefix = join( '', substr( $prefix, 0, 12 ) , ':' ) if length $prefix > 13;
-	    $prefix = "-j LOGMARK --log-level $level --log-prefix \"$prefix\" ";
+	    $prefix = "-j $level --log-prefix \"$prefix\" ";
 	} else {
 	    $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
 	}
@@ -3864,6 +3887,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     my $table = $chainref->{table};
     my $jump  = $target ? '-j ' . $target : '';
     my $mac;
+    my $rulecount = 0;
 
     our @ends = ();
     #
@@ -3910,7 +3934,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     #
     # Isolate Source Interface, if any
     #
-    if ( $source ) {
+    if ( supplied $source ) {
 	if ( $source eq '-' ) {
 	    $source = '';
 	} elsif ( $family == F_IPV4 ) {
@@ -3924,7 +3948,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$iiface = $source;
 	    }
-	} elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ ) {
+	} elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
 	    $iiface = $1;
 	    $inets  = $2;
 	} elsif ( $source =~ /:/ ) {
@@ -3945,7 +3969,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     #
     # Verify Interface, if any
     #
-    if ( $iiface ) {
+    if ( supplied $iiface ) {
 	fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
 
 	if ( $restriction & POSTROUTE_RESTRICT ) {
@@ -3981,7 +4005,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     #
     # Isolate Destination Interface, if any
     #
-    if ( $dest ) {
+    if ( supplied $dest ) {
 	if ( $dest eq '-' ) {
 	    $dest = '';
 	} elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
@@ -4023,7 +4047,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$diface = $dest;
 	    }
-	} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/) {
+	} elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
 	} elsif ( $dest =~ /:/ ) {
@@ -4032,7 +4056,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$dnets = $dest;
 	    }
-	} elsif ( $dest =~ /^(?:\+|&|\..*\.)/ ) {
+	} elsif ( $dest =~ /(?:\+|&|\..*\.)/ ) {
 	    $dnets = $dest;
 	} else {
 	    $diface = $dest;
@@ -4044,7 +4068,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     #
     # Verify Destination Interface, if any
     #
-    if ( $diface ) {
+    if ( supplied $diface ) {
 	fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
 
 	if ( $restriction & PREROUTE_RESTRICT ) {
@@ -4246,8 +4270,8 @@ sub expand_rule( $$$$$$$$$$;$ )
 		    my $source_match = match_source_net( $inet, $restriction, $mac ) if have_capability( 'KLUDGEFREE' );
 
 		    for my $dnet ( mysplit $dnets ) {
-			$source_match = match_source_net( $inet, $restriction, $mac ) unless have_capability( 'KLUDGEFREE' );
-			add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
+			$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
+			$rulecount += add_counted_jump( $chainref, $echainref, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ) );
 		    }
 
 		    conditional_rule_end( $chainref ) if $cond;
@@ -4255,6 +4279,11 @@ sub expand_rule( $$$$$$$$$$;$ )
 
 		conditional_rule_end( $chainref ) if $cond;
 	    }
+
+	    while ( $rulecount-- > 0 ) {
+		add_reference $chainref, $echainref;
+	    }
+		
 	    #
 	    # Generate RETURNs for each exclusion
 	    #
@@ -4290,7 +4319,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Generate Final Rule
 	    #
-	    add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
+	    $rulecount = add_counted_rule( $fromref = $echainref, $exceptionrule . $jump ) unless $disposition eq 'LOG';
 
 	    $done = 1;
 	}
@@ -4323,7 +4352,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 			#
 			# No logging -- add the target rule with matches to the rule chain
 			#
-			add_rule( $fromref = $chainref, $matches . $jump , 1 );
+			$rulecount = add_counted_rule( $fromref = $chainref, $matches . $jump );
 		    } elsif ( $disposition eq 'LOG' || $disposition eq 'COUNT' ) {
 			#
 			# The log rule must be added with matches to the rule chain
@@ -4349,7 +4378,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				       'add',
 				       $matches );
 			
-			add_rule( $fromref = $chainref, $matches . $jump, 1 );
+			$rulecount = add_counted_rule( $fromref = $chainref, $matches . $jump );
 		    } else {
 			#
 			# Find/Create a chain that both logs and applies the target action
@@ -4380,9 +4409,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 	my $targetref = $chain_table{$table}{$target};
 	if ( $targetref ) {
 	    $targetref->{referenced} = 1;
+	    
+	    for ( my $i = 0; $i < $rulecount; $i++ ) {
 		add_reference $fromref, $targetref;
 	    }
 	}
+    }
 
     while ( @ends ) {
 	decr_cmd_level $chainref;

Shorewall/Perl/Shorewall/Config.pm

@@ -242,6 +242,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
 		 OLD_IPSET_MATCH => 'Old Ipset Match',
+		 IPSET_V5        => 'Version 5 IPSETs',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -2131,10 +2132,21 @@ sub validate_level( $ ) {
 	    return $rawlevel;
 	}
 
-	if ( $level eq 'LOGMARK' ) {
+	if ( $level =~ /^LOGMARK --/ ) {
+	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
+	    return $rawlevel;
+	}
+
+	if ( $level =~ /LOGMARK[(](.*)[)]$/ ) {
+	    my $sublevel = $1;
+	    
+	    $sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
+
+	    level_error( $level ) unless defined $sublevel  =~ /^[0-7]$/; 
+	    
 	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
 	    require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
-	    return 'LOGMARK';
+	    return "LOGMARK --log-level $sublevel";
 	}
 
 	level_error( $rawlevel );

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -536,6 +536,7 @@ sub valid_6address( $ ) {
     }
 
     return 0 if @address > $max;
+    return 0 unless $address =~ /^[a-f:\d]+$/;
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1222,7 +1222,7 @@ sub add_interface_jumps {
 		    unless get_interface_option( $interface, 'port' );
 	    }
 	} else {
-	    add_rule ( $filter_table->{FORWAR}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
+	    add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
 	    add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
 	    add_jump( $filter_table->{INPUT}   , $inputref ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;

Shorewall/Perl/Shorewall/Nat.pm

@@ -163,8 +163,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
+		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
+		$addresses =~ s/:random$//     and $randomize  = ' --random ';
 
 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -1163,7 +1163,7 @@ sub dropBcast( $$$$ ) {
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '' );
 	    }
 	}
 	
@@ -1180,13 +1180,13 @@ sub dropBcast( $$$$ ) {
 	add_jump $chainref, $target, 0, "-d \$address ";
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
-
-	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
     }
 
     if ( $family == F_IPV4 ) {
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
     } else {
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
 	add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
     }
 }
@@ -1199,11 +1199,14 @@ sub allowBcast( $$$$ ) {
     if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    if ( $family == F_IPV4 ) {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'ACCECT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    } else {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'ACCEPT', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' );
+	    }
 	}
 
 	add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
-	add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
     } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
@@ -1216,14 +1219,14 @@ sub allowBcast( $$$$ ) {
 	add_rule $chainref, "-d \$address -j $target";
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
+    }
 
     if ( $family == F_IPV4 ) {
 	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
     } else {
 	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST, ' ' );
-	}
+	add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST . ' ' );
     }
 }
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -205,7 +205,15 @@ sub process_tc_rule( ) {
 
     my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
 
-    fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
+    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
+
+    if ( $remainder ) { 
+	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
+	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
+	} else {
+	    fatal_error "Invalid MARK ($originalmark)";
+	}
+    }
 
     my $chain  = $globals{MARKING_CHAIN};
     my $target = 'MARK --set-mark';
@@ -376,6 +384,10 @@ sub process_tc_rule( ) {
 			$target .= " --on-port $port";
 
 			if ( supplied $ip ) {
+			    if ( $family == F_IPV6 ) {
+				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+			    }
+
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}

Shorewall/Perl/Shorewall/Zones.pm

@@ -1725,26 +1725,28 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-
-	    if ( $hosts =~ /^\+/ ) {
-		$zoneref->{options}{complex} = 1;
-		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
-	    }
-
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/ || $hosts =~ /^([\w.@%-]+\+?):(dynamic)\s*$/   ) {
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
-	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
     } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts" 
     }
 
+    if ( $hosts =~ /^!?\+/ ) {
+	$zoneref->{options}{complex} = 1;
+	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+    }
+
     if ( $type == BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
 	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};

Shorewall/action.Drop

@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is 
 # 'audit'.
 #
-BEGIN PERL
+BEGIN PERL;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {
 
 1;
 
-END PERL
+END PERL;
 
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 

Shorewall/action.Reject

@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is 
 # 'audit'.
 #
-BEGIN PERL
+BEGIN PERL;
 use Shorewall::Config;
 
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {
 
 1;
 
-END PERL
+END PERL;
 
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 

Shorewall/changelog.txt

@@ -1,5 +1,35 @@
+Changes in Shorewall 4.4.21.2
+
+1)  Correct reference accounting when long port lists are split.
+
+Changes in Shorewall 4.4.21.1
+
+1)  Update release documents.
+
+2)  Add IPSET_V5 to %capdesc.
+
+3)  Correct addition of orphan chain FORWAR.
+
+4)  Fix -j SNAT --to-address ... --persistent
+
+5)  Fix LOGMARK.
+
 Changes in Shorewall 4.4.21 Final
 
+1)  Update release documents.
+
+2)  Correct handling of IPv6 address in TPROXY.
+
+Changes in Shorewall 4.4.21 RC 3
+
+1) Make shorewall[6].conf quoting consistent with 'update'.
+
+2) Implement parameterized default actions in IPv6
+
+3) Use local config in load and reload
+
+Changes in Shorewall 4.4.21 RC 2
+
 1) Correct code generated by TPROXY.
 
 2) Make 'fallback' and 'balance' mutually exclusive.

Shorewall/configfiles/shorewall.conf

@@ -51,7 +51,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
 
 IPTABLES=
 
@@ -61,7 +61,7 @@ IPSET=
 
 MODULESDIR=
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 
 PERL=/usr/bin/perl
 
@@ -77,11 +77,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.21
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1,2 +1,38 @@
 1)  On systems running Upstart, shorewall-init cannot reliably secure
     the firewall before interfaces are brought up.
+
+2)  A harmless 'unitialized variable' diagnostic is issued by the 
+    compiler when it is displaying the capabilities.
+
+    Corrected in Shorewall 4.4.21.
+
+3)  As the result of a typo, an orphan filter chain named FORWAR can
+    be created under rare circumstances. This chain is deleted by
+    OPTIMIZE level 4.
+
+    Corrected in Shorewall 4.4.21.
+
+4)  The SNAT options --persistent and --randomize (/etc/shorewall/masq)
+    generate invalid iptables input.
+
+    Corrected in Shorewall 4.4.21.
+
+5)  The LOGMARK log level was generated invalid iptables  input making
+    it unusable.
+
+    Corrected in Shorewall 4.4.21.
+
+6)  Under rare conditions, long port lists (>15 ports) can result in
+    the following failure when optimization level 4 is enabled.
+
+       Use of uninitialized value in numeric gt (>) 
+       at /usr/share/shorewall/Shorewall/Chains.pm line 1264.
+
+       ERROR: Internal error in
+       Shorewall::Chains::decrement_reference_count at
+       /usr/share/shorewall/Shorewall/Chains.pm line 1264
+
+
+
+
+

Shorewall/modules.ipset

@@ -13,6 +13,7 @@
 #  copy.
 #
 ###############################################################################
+loadmodule xt_set
 loadmodule ip_set
 loadmodule ip_set_iphash
 loadmodule ip_set_ipmap

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 2 1
+                    S H O R E W A L L  4 . 4 . 2 1 . 1
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -13,6 +13,37 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
+4.4.21.1
+
+1)  A harmless Perl runtime "uninitialized variable" diagnostic has
+    been eliminated from the compiler. The diagnostic was issued while
+    displaying the capabilities.
+
+2)  As the result of a typo, an orphan filter chain named FORWAR could
+    be created under rare circumstances. This chain was deleted by
+    OPTIMIZE level 4.
+
+3)  The SNAT options --persistent and --randomize now work properly
+    (/etc/shorewall/masq).
+
+4)  The LOGMARK log level was previously generated invalid iptables 
+    input making it unusable. That has been corrected.
+
+    The syntax for LOGMARK is now:
+
+    	LOGMARK(<priority>) 
+
+    where <priority> is a syslog priority (1-7 or debug, info, notice,
+    etc.).
+
+    Example rule:
+
+    	    #ACTION		SOURCE	DEST	PROTO	DEST
+	    #						PORT(S)
+	    LOG:LOGMARK(info)	lan	dmz	udp	1234
+
+4.4.21 Final
+
 1)  All problems corrections included in Shorewall 4.4.20.1 - 4.4.20.3
     (see below).
 
@@ -42,6 +73,42 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     have always been mutually exclusive but the compiler previously
     didn't enforce that restriction. Now it does.
 
+5)  The Shorewall and Shorewall6 'load' and 'reload' commands
+    previously used the setting of RSH_COMMAND and RCP_COMMAND from
+    /etc/shorewall/shorewall.conf (/etc/shorewall6/shorewall6.conf).
+
+    These commands now use the .conf file in the current working
+    directory.
+
+6)  The ipset modules are now automatically loaded by Shorewall6 when
+    LOAD_HELPERS_ONLY=No is specified in shorewall6.conf. Additionally,
+    there is now a /usr/share/shorewall6/modules.ipset file that lists
+    all of the required modules.
+
+7)  TPROXY was previously not described in shorewall-tcrules(5) or
+    shorewall6-tcrules(5). These descriptions have been added.
+
+    In addition, Shorewall6 now correctly handles the third TPROXY
+    parameter (<ip address>). Previously, the following error was
+    generated:
+
+	ERROR: Invalid MARK (TPROXY(10,3128,::1)) :
+    	       /etc/shorewall6/tcrules (line 4)
+
+8)  With LOAD_HELPERS_ONLY=Yes, the compiler could use the deprectated
+    --set parameter to the ipset match when --match-set was
+    appropriate.
+
+9)  If 'shorewall clear' was executed when there was no
+    /var/lib/shorewall/firewall file, the following incorrect error
+    message was produced:
+
+    	    ERROR: Shorewall6 has never been started
+
+    The message now reads:
+
+    	    ERROR: Shorewall has never been started
+
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
@@ -65,7 +132,9 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
     Where <def1> is the default value for the first parameter, <def2>
     is the default value for the second parameter and so on. To specify
-    an empty default, use '-'.
+    an empty default, use '-'. Note that the corresponding parameter
+    variable ($n) will still expand to '-' but will be treated as empty
+    by the builtin actions such as dropInvalid.
 
     The DEFAULTS directive also determines the maximum number of
     parameters that an action may have. If more parameters are passed

Shorewall/shorewall

@@ -1278,12 +1278,17 @@ reload_command() # $* = original arguments less the command.
 	[ -f $capabilities ] || getcaps=Yes
     fi
 
-    if [ -n "$getcaps" ]; then
     if [ -f $directory/shorewall.conf ]; then
+	if [ -f $directory/params ]; then
+	    . $directory/params
+	fi
+
 	. $directory/shorewall.conf
+	
 	ensure_config_path
     fi
 
+    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
 	progress_message "Getting Capabilities on system $system..."

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.21
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -111,8 +111,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
+* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-2
+* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-1
+* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0base
+* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC3
+* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC2
 * Thu Jun 23 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0RC1
 * Sun Jun 19 2011 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.21
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.21
+VERSION=xxx #The build script will insert the actual version
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.21
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -94,8 +94,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
+* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-2
+* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-1
+* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0base
+* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC3
+* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC2
 * Thu Jun 23 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0RC1
 * Sun Jun 19 2011 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.21
+VERSION=xxx  #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

Shorewall6/action.AllowICMPs

@@ -8,33 +8,37 @@
 ###############################################################################
 #TARGET	SOURCE		DEST	PROTO		DEST
 #						PORT(S)	
+
+FORMAT 2
+DEFAULTS ACCEPT
+
 COMMENT Needed ICMP types (RFC4890)
 
-ACCEPT	-		-	ipv6-icmp	destination-unreachable
-ACCEPT	-		-	ipv6-icmp	packet-too-big
-ACCEPT	-		-	ipv6-icmp	time-exceeded
-ACCEPT	-	-		ipv6-icmp	parameter-problem
+$1	-		-	ipv6-icmp	destination-unreachable
+$1	-		-	ipv6-icmp	packet-too-big
+$1	-		-	ipv6-icmp	time-exceeded
+$1	-		-	ipv6-icmp	parameter-problem
 
 # The following should have a ttl of 255 and must be allowed to transit a bridge
-ACCEPT	-		-	ipv6-icmp	router-solicitation
-ACCEPT	-		-	ipv6-icmp	router-advertisement
-ACCEPT	-		-	ipv6-icmp	neighbour-solicitation
-ACCEPT	-		-	ipv6-icmp	neighbour-advertisement
-ACCEPT	-		-	ipv6-icmp	137	# Redirect
-ACCEPT	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
-ACCEPT	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+$1	-		-	ipv6-icmp	router-solicitation
+$1	-		-	ipv6-icmp	router-advertisement
+$1	-		-	ipv6-icmp	neighbour-solicitation
+$1	-		-	ipv6-icmp	neighbour-advertisement
+$1	-		-	ipv6-icmp	137	# Redirect
+$1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+$1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
 
 # The following should have a link local source address and must be allowed to transit a bridge
-ACCEPT	fe80::/10	-	ipv6-icmp	130	# Listener query
-ACCEPT	fe80::/10	-	ipv6-icmp	131	# Listener report
-ACCEPT	fe80::/10	-	ipv6-icmp	132	# Listener done
-ACCEPT	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+$1	fe80::/10	-	ipv6-icmp	130	# Listener query
+$1	fe80::/10	-	ipv6-icmp	131	# Listener report
+$1	fe80::/10	-	ipv6-icmp	132	# Listener done
+$1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
 
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
-ACCEPT	-		-	ipv6-icmp	148	# Certificate path solicitation
-ACCEPT	-		-	ipv6-icmp	149	# Certificate path advertisement
+$1	-		-	ipv6-icmp	148	# Certificate path solicitation
+$1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
-ACCEPT	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
-ACCEPT	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
-ACCEPT	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+$1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+$1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+$1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall6/action.Drop

@@ -15,38 +15,78 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth($2)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	ipv6-icmp
+AllowICMPs($4)	-	-	ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+dropBcast($1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid
+dropInvalid($1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
+SMB($3)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+dropNotSyn($1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)

Shorewall6/action.Reject

@@ -12,39 +12,79 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth($2)
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-AllowICMPs	-	-	ipv6-icmp
+AllowICMPs($4)	-	-	ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+dropBcast($1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid
+dropInvalid($1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
+SMB($3)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+dropNotSyn($1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)

Shorewall6/configfiles/shorewall6.conf

@@ -50,7 +50,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+CONFIG_PATH="/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall"
 
 IP6TABLES=
 
@@ -62,7 +62,7 @@ MODULESDIR=
 
 PERL=/usr/bin/perl
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 
 RESTOREFILE=restore
 
@@ -76,11 +76,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.21
+VERSION=xxx #The build script will insert the actual version
 
 usage() # $1 = exit status
 {

Shorewall6/lib.cli

@@ -1670,8 +1670,8 @@ determine_capabilities() {
 
 	if qt ipset -N $chain hash:ip family inet6; then
 	    IPSET_V5=Yes
-	    if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
+	    if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
+		qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
 	    elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT

Shorewall6/modules

@@ -26,6 +26,10 @@ INCLUDE modules.xtables
 #
 INCLUDE helpers
 #
+# Ipset
+#
+INCLUDE modules.ipset
+#
 # Traffic Shaping
 #
 INCLUDE modules.tc

Shorewall6/modules.ipset

@@ -0,0 +1,27 @@
+#
+# Shorewall version 4 - IP Set Modules File
+#
+# /usr/share/shorewall6/modules.ipset
+#
+#	This file loads the modules that may be needed by the firewall.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+#  If you need to modify this file, copy it to /etc/shorewall6 and modify the
+#  copy.
+#
+###############################################################################
+loadmodule xt_set
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_ipporthash
+loadmodule ip_set_iptree
+loadmodule ip_set_iptreemap
+loadmodule ip_set_macipmap
+loadmodule ip_set_nethash
+loadmodule ip_set_portmap
+loadmodule ipt_SET
+loadmodule ipt_set

Shorewall6/shorewall6

@@ -1279,12 +1279,17 @@ reload_command() # $* = original arguments less the command.
 	[ -f $capabilities ] || getcaps=Yes
     fi
 
-    if [ -n "$getcaps" ]; then
     if [ -f $directory/shorewall6.conf ]; then
+	if [ -f $directory/params ]; then
+	    . $directory/params
+	fi
+
 	. $directory/shorewall6.conf
+
 	ensure_config_path
     fi
 
+    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
 	progress_message "Getting Capabilities on system $system..."

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.21
-%define release 0base
+%define release 2
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -101,8 +101,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Wed Jun 29 2011 Tom Eastep tom@shorewall.net
+* Sat Jul 23 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-2
+* Mon Jul 11 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-1
+* Wed Jul 06 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0base
+* Mon Jul 04 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC3
+* Sun Jul 03 2011 Tom Eastep tom@shorewall.net
+- Updated to 4.4.21-0RC2
 * Thu Jun 23 2011 Tom Eastep tom@shorewall.net
 - Updated to 4.4.21-0RC1
 * Sun Jun 19 2011 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.21
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {

docs/Actions.xml

@@ -372,10 +372,7 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
 
       <para>Example: ACTION(REDIRECT,-,info)</para>
 
-      <para>In the above example, $2 would expand to nothing.</para>
-
-      <para>If you want to make '-' a parameter value, use '--' (e.g.,
-      ACTION(REDIRECT,--.info)).</para>
+      <para>In the above example, $2 would expand to '-'.</para>
 
       <para>Beginning with Shorewall 4.4.21, you can specify the default
       values of your FORMAT-2 actions:</para>

docs/Build.xml

@@ -130,6 +130,15 @@
       <para>The files from the web site that are maintained in HTML format.
       are kept in this directory.</para>
     </section>
+
+    <section>
+      <title>release</title>
+
+      <para>Added in Shorewall 4.4.22, this directory contains the files that
+      contain release-dependent information (change.txt, releasenotes.txt,
+      .spec files, etc). This is actually a symbolic link to ../release which
+      has it's own Git repository.</para>
+    </section>
   </section>
 
   <section>
@@ -156,7 +165,7 @@
     </section>
 
     <section>
-      <title>build44</title>
+      <title>build</title>
 
       <para>This is the script that builds Shorewall 4.4 packages from
       Git.</para>
@@ -270,8 +279,8 @@
       <para>The general form of the build command is:</para>
 
       <blockquote>
-        <para><command>build44</command> [ -<replaceable>options</replaceable>
-        ] <replaceable>release</replaceable> [ <replaceable>prior
+        <para><command>build</command> [ -<replaceable>options</replaceable> ]
+        <replaceable>release</replaceable> [ <replaceable>prior
         release</replaceable> ]</para>
       </blockquote>
 
@@ -383,28 +392,27 @@
       4.3.6:</para>
 
       <blockquote>
-        <para><command>build44 4.3.7 4.3.6</command></para>
+        <para><command>build 4.3.7 4.3.6</command></para>
       </blockquote>
 
       <para>Example 2 - Build Shorewall 4.2.7.1 Shorewall and generate patches
       against 4.2.7:</para>
 
       <blockquote>
-        <para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
+        <para><command>build -trc 4.3.7.1 4.3.7</command></para>
       </blockquote>
     </section>
 
     <section>
-      <title>upload44</title>
+      <title>upload</title>
 
       <para>This script is used to upload a release to www1.shorewall.net. The
-      command is run in the build directory for the major release of the
+      command is run in the build directory for the minor release of the
       product.</para>
 
       <blockquote>
-        <para><command>upload44</command> [
-        -<replaceable>products</replaceable> ]
-        <replaceable>release</replaceable></para>
+        <para><command>upload</command> [ -<replaceable>products</replaceable>
+        ] <replaceable>release</replaceable></para>
       </blockquote>
 
       <para>where</para>
@@ -474,13 +482,13 @@
       <para>Example 1 - Upload release 4.3.7:</para>
 
       <blockquote>
-        <para><command>upload44 4.3.7</command></para>
+        <para><command>upload 4.3.7</command></para>
       </blockquote>
 
       <para>Example 2 - Upload shorewall-4.3.7.3:</para>
 
       <blockquote>
-        <para><command>upload44 -c 4.3.7.3</command></para>
+        <para><command>upload -c 4.3.7.3</command></para>
       </blockquote>
     </section>
 

docs/FAQ.xml

@@ -341,6 +341,12 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
                 sniffer such as tcpdump or Wireshark to further diagnose the
                 problem.</para>
               </listitem>
+
+              <listitem>
+                <para>The traffic is entering your firewall on a different
+                interface (interfaces reversed in
+                <filename>/etc/shorewall/interfaces</filename>?).</para>
+              </listitem>
             </itemizedlist>
           </listitem>
 
@@ -2810,5 +2816,39 @@ EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
       If you simply want to allow all traffic between ports, then see <ulink
       url="SimpleBridge.html">http://www.shorewall.net/SimpleBridge.html</ulink>.</para>
     </section>
+
+    <section id="faq95">
+      <title>(FAQ 95) What is this $FW that I see in the configuration files
+      and documentation?</title>
+
+      <para><emphasis role="bold">Answer: FW</emphasis> is a <ulink
+      url="configuration_file_basics.htm#Variables">shell variable</ulink>
+      that expands to the name that you gave to the firewall zone in <ulink
+      url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5). The
+      default name for the firewall zone is <emphasis
+      role="bold">fw</emphasis>:</para>
+
+      <programlisting>#ZONE            TYPE             OPTIONS
+<emphasis role="bold">fw</emphasis>               firewall</programlisting>
+
+      <para>So, using the default or sample configurations, writing <emphasis
+      role="bold">$FW</emphasis> is the same as writing <emphasis
+      role="bold">fw</emphasis>. If you give the firewall zone a different
+      name, <emphasis role="bold">gate</emphasis> for example, then writing
+      <emphasis role="bold">$FW</emphasis> would be the same as writing
+      <emphasis role="bold">gate</emphasis>.</para>
+
+      <programlisting>#ZONE            TYPE             OPTIONS
+<emphasis role="bold">gate</emphasis>             firewall</programlisting>
+
+      <section id="faq95a">
+        <title>Why was that done?</title>
+
+        <para><emphasis role="bold">Answer:</emphasis> The firewall zone has
+        special semantics, so having a way to refer to it in a
+        configuration-independent way makes writing the documentation,
+        examples, macros, etc. easier.</para>
+      </section>
+    </section>
   </section>
 </article>

docs/FTP.xml

@@ -421,6 +421,15 @@ FTP(ACCEPT)   dmz        net</programlisting>
 
     <programlisting>Apr 28 23:55:09 gateway kernel: conntrack_ftp: partial PORT 715014972+1</programlisting>
 
+    <para>or this one:</para>
+
+    <programlisting>21:37:40 insert-master kernel: [832161.057782] <emphasis
+        role="bold">nf_ct_ftp: dropping 
+packet</emphasis> IN=eth4 OUT= MAC=00:0a:cd:1a:d1:95:00:22:6b:be:3c:41:08:00 
+SRC=66.199.187.46 DST=192.168.41.1 LEN=102 TOS=0x00 PREC=0x00 TTL=45 
+ID=30239 DF PROTO=TCP SPT=21 DPT=50892 SEQ=698644583 ACK=3438176321 
+WINDOW=46 RES=0x00 ACK PSH URGP=0 OPT (0101080A932DFE0231935CF7) MARK=0x1</programlisting>
+
     <para>I see this problem occasionally with the FTP server in my DMZ. My
     solution is to add the following rule:</para>
 

docs/configuration_file_basics.xml

@@ -1598,6 +1598,30 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     passes, one of the bursts will be regained; if no packets hit the rule for
     30 seconds, the burst will be fully recharged; back where we
     started.</para>
+
+    <note>
+      <para>The LOGRATE and LOGBURST options are deprecated in favor of
+      LOGLIMIT.</para>
+    </note>
+
+    <para>Shorewall also supports per-IP rate limiting. </para>
+
+    <para>Another example from <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+
+    <simplelist>
+      <member>LOGLIMIT="s:5/min:5"</member>
+    </simplelist>
+
+    <para>Here, the leading "s:" indicates that logging is to be limited by
+    source IP address ("d:" would indicate limiting by destination IP
+    address).</para>
+
+    <para>"s:" is followed by the rate (5 messages per minute) and the burst
+    (5).</para>
+
+    <para>The rate and limit arguments have the same meaning as in the example
+    above.</para>
   </section>
 
   <section id="Logical">

manpages/shorewall-tcrules.xml

@@ -43,26 +43,11 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">SAME</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>|<emphasis
-        role="bold">IPMARK</emphasis>[([(<emphasis
-        role="bold">src</emphasis>|<emphasis
-        role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis
-        role="bold">CT</emphasis>|I:CI}]</term>
+        <replaceable>mark</replaceable></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para>Where <replaceable>mark</replaceable> may assume one of the
+          following values.</para>
 
           <orderedlist numeration="arabic">
             <listitem>
@@ -397,6 +382,39 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               above so that all of your <replaceable>minor</replaceable>
               classes will have a value &gt; 256.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+
+              <para>There are three parameters to TPROXY - only the first
+              (mark) is required:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><replaceable>mark</replaceable> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>port</replaceable> - the port on which
+                  the proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>address</replaceable> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>

manpages/shorewall.conf.xml

@@ -72,7 +72,19 @@
     from <ulink
     url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
     and can be configured to log all Shorewall messages to their own log
-    file</para>
+    file.</para>
+
+    <para>Beginning with Shorewall 4.4.22, LOGMARK is also a valid level which
+    logs the packet's mark value along with the other usual information. The
+    syntax is:</para>
+
+    <simplelist>
+      <member><emphasis
+      role="bold">LOGMARK</emphasis><replaceable>(priority)</replaceable></member>
+    </simplelist>
+
+    <para>where <replaceable>priority</replaceable> is one of the levels
+    listed in the list above.</para>
 
     <para>The following options may be set in shorewall.conf.</para>
 

manpages6/shorewall6-tcrules.xml

@@ -43,22 +43,11 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        {<emphasis>value</emphasis>|<emphasis>major</emphasis><emphasis
-        role="bold">:</emphasis><emphasis>minor</emphasis>|<emphasis
-        role="bold">RESTORE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">SAVE</emphasis>[<emphasis
-        role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>|<emphasis
-        role="bold">COMMENT</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
-        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis
-        role="bold">CT</emphasis>|I|CI}]</term>
+        <replaceable>mark</replaceable></term>
 
         <listitem>
-          <para>May assume one of the following values.</para>
+          <para><replaceable>mark</replaceable> may assume one of the
+          following values.</para>
 
           <orderedlist numeration="arabic">
             <listitem>
@@ -290,6 +279,39 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               <para>To stop the comment from being attached to further rules,
               simply include COMMENT on a line by itself.</para>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+
+              <para>Transparently redirects a packet without altering the IP
+              header. Requires a local provider to be defined in <ulink
+              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+
+              <para>There are three parameters to TPROXY - only the first
+              (mark) is required:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><replaceable>mark</replaceable> - the MARK value
+                  corresponding to the local provider in <ulink
+                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>port</replaceable> - the port on which
+                  the proxy server is listening. If omitted, the original
+                  destination port.</para>
+                </listitem>
+
+                <listitem>
+                  <para><replaceable>address</replaceable> - a local (to the
+                  firewall) IP address on which the proxy server is listening.
+                  If omitted, the IP address of the interface on which the
+                  request arrives.</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>