Delete temporary nat chain used in capabilities detection.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.5
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,6 +100,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Config.pm

@@ -243,6 +243,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
+		 KERNELVERSION   => 'Kernel Version',
 	       );
 #
 # Directories to search for configuration files
@@ -327,8 +328,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.5",
-		    CAPVERSION => 40402 ,
+		    VERSION => "4.4.5.5",
+		    CAPVERSION => 40406 ,
 		  );
 
     #
@@ -620,6 +621,7 @@ sub initialize( $ ) {
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
+	       KERNELVERSION => undef,
 	       );
     #
     # Directories to search for configuration files
@@ -1844,8 +1846,8 @@ sub check_trivalue( $$ ) {
 sub report_capability( $ ) {
     my $cap = $_[0];
     print "   $capdesc{$cap}: ";
-    if ( $cap eq 'CAPVERSION' ) {
-	my $version = $capabilities{CAPVERSION};
+    if ( $cap eq 'CAPVERSION' || $cap eq 'KERNELVERSION') {
+	my $version = $capabilities{$cap};
 	printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 );
     } else {
 	print $capabilities{$cap} ? "Available\n" : "Not Available\n";
@@ -1947,6 +1949,19 @@ sub qt1( $ ) {
     $? == 0;
 }
 
+#
+# Get the current kernel version
+#
+sub determine_kernelversion() {
+    my $kernelversion=`uname -r`;
+
+    if ( $kernelversion =~ /^(\d+)\.(\d+).(\d+)/ ) {
+	$capabilities{KERNELVERSION} = sprintf "%d%02d%02d", $1 , $2 , $3;
+    } else {
+	fatal_error "Inrecognized Kernel Version Format ($kernelversion)";
+    }
+}
+
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
@@ -1962,8 +1977,8 @@ sub determine_capabilities( $ ) {
     if ( $capabilities{NAT_ENABLED} ) {
 	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
 	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
 	}
     }
 
@@ -2106,6 +2121,8 @@ sub determine_capabilities( $ ) {
     qt1( "$iptables -X $sillyname1" );
 
     $capabilities{CAPVERSION} = $globals{CAPVERSION};
+
+    determine_kernelversion;
 }
 
 #
@@ -2221,6 +2238,11 @@ sub read_capabilities() {
     } else {
 	warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
     }
+
+    unless ( $capabilities{KERNELVERSION} ) {
+	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
+	$capabilities{KERNELVERSION} = 20630;
+    }
 }
 
 #
@@ -2328,7 +2350,28 @@ sub get_configuration( $ ) {
     }
 
     check_trivalue ( 'IP_FORWARDING', 'on' );
-    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
+    
+    my $val;
+
+    if ( $capabilities{KERNELVERSION} < 20631 ) {
+	check_trivalue ( 'ROUTE_FILTER',  '' );
+    } else {
+	$val = $config{ROUTE_FILTER};
+	if ( defined $val ) {
+	    if ( $val =~ /\d+/ ) {
+		fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
+	    } else {
+		check_trivalue( 'ROUTE_FILTER', '' );
+	    }
+	} else {
+	    check_trivalue( 'ROUTE_FILTER' , '' );
+	}
+    }
+
+    if ( $family == F_IPV6 ) {
+	$val = $config{ROUTE_FILTER};	
+	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" unless $val eq 'off' || $val eq '';
+    }
 
     if ( $family == F_IPV4 ) {
 	check_trivalue ( 'LOG_MARTIANS',  'on' );
@@ -2416,8 +2459,6 @@ sub get_configuration( $ ) {
     default_yes_no 'WIDE_TC_MARKS'              , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
 
-    my $val;
-
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/Proc.pm

@@ -96,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
+    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
+	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	if ( $config{ROUTE_FILTER} ne '' ) {
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -128,14 +130,14 @@ sub setup_route_filtering() {
 	    emit   "fi\n";
 	}
 
-	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	if ( $capabilities{KERNELVERSION} < 20631 ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+	} elsif ( $val ne '' ) {
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	}
 
+	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
 	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
     }
 }

Shorewall/Perl/Shorewall/Rules.pm

@@ -2007,7 +2007,7 @@ sub generate_matrix() {
 			my $match_source_dev = '';
 			my $forwardchainref = $filter_table->{forward_chain $interface};
 
-			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+			if ( use_forward_chain( $interface ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
 			    #
 			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
 			    #

Shorewall/Perl/Shorewall/Zones.pm

@@ -178,6 +178,10 @@ use constant { SIMPLE_IF_OPTION   => 1,
 
 our %validinterfaceoptions;
 
+our %defaultinterfaceoptions = ( routefilter => 1 );
+
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
+
 our %validhostoptions;
 
 #
@@ -217,7 +221,7 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => BINARY_IF_OPTION ,
+				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
@@ -248,7 +252,7 @@ sub initialize( $ ) {
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => NUMERIC_IF_OPTION,
+				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
@@ -665,7 +669,7 @@ sub add_group_to_zone($$$$$)
 
     fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
 
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -850,9 +854,10 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
+		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {

Shorewall/changelog.txt

@@ -1,3 +1,23 @@
+Changes in Shorewall 4.4.5.5
+
+1)  Prevent jump to non-existant chain.
+
+Changes in Shorewall 4.4.5.4
+
+1)  Fix breakage in Shorewall6 'forward' interface option.
+
+Changes in Shorewall 4.4.5.3
+
+1)  Yet another fix for the ^%$& ROUTE_FILTER mess.
+
+Changes in Shorewall 4.4.5.2
+
+1)  Allow KERNELVERSION in capabilities file.
+
+Changes in Shorewall 4.4.5.1
+
+1)  Handle rp_filter and kernel's 2.6.31 and later.
+
 Changes in Shorewall 4.4.5
 
 1)  Fix 15-port limit removal change.

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,53 @@
-There are no known problems in Shorewall version 4.4.5
+1)  In kernel 2.6.31, the handling of the rp_filter interface option was
+    changed incompatibly. Previously, the effective value was determined
+    by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
+    the setting of net.ipv4.config.all.rp_filter.
+
+    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
+    those two values. 
+
+    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
+    there are any interfaces specifying 'routefilter', specifying
+    'routefilter' on any interface has the effect of setting the option
+    on all interfaces.
+
+    A workaround for this problem is included in Shorewall 4.4.5.1.
+
+2)  When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
+    following warning messages were issued.
+
+       WARNING: Unknown capability (KERNELVERSION) 
+         ignored : /etc/shorewall2/capabilities (line 49)
+       WARNING: Your capabilities file does not contain a Kernel Version --
+         using 2.6.30
+
+    This defect was corrected in 4.4.5.2.
+
+3)  'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
+    error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
+    was broken.
+
+    This was fixed in 4.4.5.3.
+
+4)  With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
+    will result in the following warnings during compilation:
+
+       WARNING: Your capabilities file is out of date -- it does not
+          contain all of the capabilities defined by Shorewall6 version
+          4.4.5.3
+
+       WARNING: Your capabilities file does not contain a Kernel
+          Version -- using 2.6.30
+
+    Corrected in 4.4.5.4.
+
+5)  The change in Shorewall 4.4.5.1 broke the 'forward' interface
+    option in Shorewall6.
+
+    Corrected in 4.4.5.4.
+
+6)  Under circumstances, the Netfilter ruleset generated by Shorewall
+    can include jumps to non-existent chains. This problem was
+    apparently introduced between 4.4.0 and 4.4.5.
+
+    Corrected in 4.4.5.5.

Shorewall/lib.base

@@ -30,7 +30,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40406
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -965,6 +965,7 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -1087,6 +1088,7 @@ report_capabilities1() {
     report_capability1 PERSISTENT_SNAT
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION
 }
 
 # Function to truncate a string -- It uses 'cut -b -<n>'

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.5
+Shorewall 4.4.5 Patch Release 5.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -169,6 +169,98 @@ Shorewall 4.4.5
     now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
     then it may have no additional members in /etc/shorewall/hosts.
 
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 5
+----------------------------------------------------------------------------
+
+1)  Under rare circumstances, the Netfilter ruleset generated by
+    Shorewall could include jumps to non-exitent chains.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 4
+----------------------------------------------------------------------------
+
+1)  With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
+    will result in the following warnings during compilation:
+
+       WARNING: Your capabilities file is out of date -- it does not
+          contain all of the capabilities defined by Shorewall6 version
+          4.4.5.3
+
+       WARNING: Your capabilities file does not contain a Kernel
+          Version -- using 2.6.30
+
+2)  The change in Shoreawll 4.4.5.1 broke the 'forward' interface
+    option in Shorewall6.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 3
+----------------------------------------------------------------------------
+
+1)  'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
+    error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
+    was broken.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 2
+----------------------------------------------------------------------------
+
+1)  When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
+    following warning messages were issued.
+
+       WARNING: Unknown capability (KERNELVERSION) 
+         ignored : /etc/shorewall2/capabilities (line 49)
+       WARNING: Your capabilities file does not contain a Kernel Version --
+         using 2.6.30
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 1
+----------------------------------------------------------------------------
+
+1)  In kernel 2.6.31, the handling of the rp_filter interface option was
+    changed incompatibly. Previously, the effective value was determined
+    by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
+    the setting of net.ipv4.config.all.rp_filter.
+
+    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
+    those two values. 
+
+    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
+    there are any interfaces specifying 'routefilter', specifying
+    'routefilter' on any interface has the effect of setting the option
+    on all interfaces.
+
+    To allow Shorewall to handle this issue, a number of changes were
+    necessary:
+
+    a)  There is no way to safely determine if a kernel supports the
+        new semantics or the old so the Shorewall compiler uses the
+        kernel version reported by uname.
+
+    b)  This means that the kernel version is now recorded in
+        the capabilities file. So if you use capabilities files, you
+        need to regenerate the files with Shorewall[-lite] 4.4.5.1.
+
+    c)  If the capabilities file does not contain a kernel version,
+        the compiler assumes version 2.6.30 (the old rp_filter
+        behavior).
+
+    d)  The ROUTE_FILTER option in shorewall.conf now accepts the
+    	following values:
+
+	0 or No  - Shorewall sets net.ipv4.config.all.rp_filter to 0.
+	1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
+	2        - Shorewall sets net.ipv4.config.all.rp_filter to 2.
+	Keep	 - Shorewall does not change the setting of
+	           net.ipv4.config.all.rp_filter if the kernel version
+		   is 2.6.31 or later.
+        
+	The default remains Keep.
+
+    e)  The 'routefilter' interface option can have values 0,1 or 2. If
+    	'routefilter' is specified without a value, the value 1 is
+    	assumed. 
+
 ----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.5
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -106,6 +106,18 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Mon Dec 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-3
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.5
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,6 +91,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40402
+SHOREWALL_CAPVERSION=40406
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -872,6 +872,7 @@ determine_capabilities() {
     qt $IP6TABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -988,6 +989,7 @@ report_capabilities1() {
     report_capability1 LOG_TARGET
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION    
 }
 
 detect_gateway() # $1 = interface

Shorewall6/lib.cli

@@ -696,8 +696,8 @@ dump_command() {
 
     show_routing
 
-    heading "ARP"
-    arp -na
+    heading "Neighbors"
+    ip -6 neigh ls
 
     if qt mywhich lsmod; then
 	heading "Modules"

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.5
-%define release 0base
+%define release 5
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -95,6 +95,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
 * Fri Nov 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.5
+VERSION=4.4.5.5
 
 usage() # $1 = exit status
 {

manpages/shorewall-interfaces.xml

@@ -499,7 +499,7 @@ loc     eth2            -</programlisting>
 
             <varlistentry>
               <term><emphasis
-              role="bold">routefilter[={0|1}]</emphasis></term>
+              role="bold">routefilter[={0|1|2}]</emphasis></term>
 
               <listitem>
                 <para>Turn on kernel route filtering for this interface
@@ -510,7 +510,10 @@ loc     eth2            -</programlisting>
                 changes; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
-                <para></para>
+                <para>The value 2 is only available with Shorewall 4.4.5.1 and
+                later when the kernel version is 2.6.31 or later. It specifies
+                a <firstterm>loose</firstterm> form of reverse path
+                filtering.</para>
 
                 <note>
                   <para>This option does not work with a wild-card

manpages/shorewall.conf.xml

@@ -1291,24 +1291,28 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
 
       <varlistentry>
         <term><emphasis role="bold">ROUTE_FILTER=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis
-        role="bold">No</emphasis>|Keep]</term>
+        role="bold">Yes</emphasis>|1|<emphasis
+        role="bold">No|0</emphasis>|2|Keep]</term>
 
         <listitem>
           <para>If this parameter is given the value <emphasis
           role="bold">Yes</emphasis> or <emphasis role="bold">yes</emphasis>
-          then route filtering (anti-spoofing) is enabled on all network
+          or 1 then route filtering (anti-spoofing) is enabled on all network
           interfaces which are brought up while Shorewall is in the started
           state. The default value is <emphasis
-          role="bold">no</emphasis>.</para>
+          role="bold">Keep</emphasis>.</para>
 
           <para>The value <emphasis role="bold">Keep</emphasis> causes
           Shorewall to ignore the option. If the option is set to <emphasis
-          role="bold">Yes</emphasis>, then route filtering occurs on all
+          role="bold">Yes</emphasis> or 1, then route filtering occurs on all
           interfaces. If the option is set to <emphasis
           role="bold">No</emphasis>, then route filtering is disabled on all
           interfaces except those specified in <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
+
+          <para>The value 2 is only available with Shorewall 4.4.5.1 and later
+          running on kernel 2.6.31 or later. It specifies a looser form of
+          reverse path filtering than the value Yes (1).</para>
         </listitem>
       </varlistentry>
 

manpages6/shorewall6-interfaces.xml

@@ -133,6 +133,16 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">forward</emphasis>[={0|1}]</term>
+
+              <listitem>
+                <para>Sets the /proc/sys/net/ipv6/conf/interface/forwarding
+                option to the specified value. If no value is supplied, then 1
+                is assumed.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis
               role="bold">mss</emphasis>=<emphasis>number</emphasis></term>
@@ -178,7 +188,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>physical=<emphasis
+              <term><emphasis role="bold">physical</emphasis>=<emphasis
               role="bold"><emphasis>name</emphasis></emphasis></term>
 
               <listitem>
@@ -220,7 +230,7 @@ loc     eth2            -</programlisting>
                 <para>If this option is not specified for an interface, then
                 source-routed packets will not be accepted from that interface
                 (sets
-                /proc/sys/net/ipv6/conf/<emphasis></emphasis>/accept_source_route
+                /proc/sys/net/ipv6/conf/<emphasis>interface</emphasis>/accept_source_route
                 to 1). Only set this option if you know what you are doing.
                 This might represent a security risk and is not usually
                 needed.</para>
@@ -251,7 +261,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>proxyndp[={0|1}]</term>
+              <term><emphasis role="bold">proxyndp</emphasis>[={0|1}]</term>
 
               <listitem>
                 <para>Sets