Add a known problem

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -42,6 +42,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.7
-%define release 0base
+%define release 6
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -100,7 +100,19 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Sat Feb 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-6
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Chains.pm

@@ -262,6 +262,7 @@ our $chainseq;
 our $idiotcount;
 our $idiotcount1;
 our $warningcount;
+our $hashlimitset;
 
 our $global_variables;
 
@@ -373,6 +374,7 @@ sub initialize( $ ) {
     $idiotcount         = 0;
     $idiotcount1        = 0;
     $warningcount       = 0;
+    $hashlimitset       = 0;
     #
     # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
     #
@@ -633,7 +635,7 @@ sub add_jump( $$$;$$$ ) {
 	#
 	# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
 	#
-	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
+	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin. 
     }
 
     #
@@ -1596,7 +1598,7 @@ sub optimize_ruleset() {
 			    #
 			    # Not so easy -- the rule contains matches
 			    #
-			    if ( $chainref->{builtin} ) {
+			    if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain for
 				# now.
@@ -2026,20 +2028,36 @@ sub do_ratelimit( $$ ) {
 
 	my $limit = "-m hashlimit ";
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	my $units;
 
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall';
+	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
+	    $units = $5;
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
 	    $limit .= "--$match $3 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall';
+	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
+	    $units = $5;
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}
 
 	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+	if ( $units && $units ne 'sec' ) {
+	    my $expire = 60000; # 1 minute in milliseconds
+
+	    if ( $units ne 'min' ) {
+		$expire *= 60; #At least an hour
+		$expire *= 24 if $units eq 'day';
+	    }
+
+	    $limit .= "--hashlimit-htable-expire $expire ";
+	} 
+
+	$limit;
     } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	"-m limit --limit $1 --limit-burst $4 ";
     } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
@@ -3256,7 +3274,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 
 		    if ( $loglevel ne '' ) {
 			if ( $disposition ne 'LOG' ) {
-			    unless ( $logname ) {
+			    unless ( $logname || $target =~ /-j RETURN\b/ ) {
 				#
 				# Find/Create a chain that both logs and applies the target action
 				# and jump to the log chain if all of the rule's conditions are met
@@ -3270,7 +3288,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				log_rule_limit(
 					       $loglevel ,
 					       $chainref ,
-					       $logname ,
+					       $logname || $chain,
 					       $disposition ,
 					       '',
 					       $logtag,

Shorewall/Perl/Shorewall/Config.pm

@@ -337,7 +337,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.7",
+		    VERSION => "4.4.7.6",
 		    CAPVERSION => 40407 ,
 		  );
 
@@ -2394,7 +2394,9 @@ sub determine_capabilities() {
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
 	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
   
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
+    if ( $config{ LOAD_HELPERS_ONLY } ) {
+	$capabilities{FLOW_FILTER} = undef;
+    } else {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
 	# functions but it ensures that %detect_capability is initialized properly.
@@ -2468,6 +2470,7 @@ sub determine_capabilities() {
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
+	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
 
 
 	qt1( "$iptables -F $sillyname" );

Shorewall/Perl/Shorewall/Rules.pm

@@ -1182,6 +1182,17 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     # Generate Fixed part of the rule
     #
+    if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
+	#
+	# Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice
+	#
+	$rule = join( '', 
+		      do_proto($proto, $ports, $sports),
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) );
+    } else {
 	$rule = join( '', 
 		      do_proto($proto, $ports, $sports),
 		      do_ratelimit( $ratelimit, $basictarget ) ,
@@ -1189,6 +1200,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) );
+    }
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};

Shorewall/Perl/Shorewall/Tc.pm

@@ -132,7 +132,6 @@ our $devnum;
 our $sticky;
 our $ipp2p;
 
-
 #
 # TCClasses Table
 #
@@ -514,7 +513,7 @@ sub process_simple_device() {
 
     while ( ++$i <= 3 ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
     }
@@ -1198,6 +1197,9 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
+    my $sfq = $devnum;
+    my $sfqinhex;
+
     $devnum = $devnum > 10 ? 10 : 1;
 
     $fn = open_file 'tcclasses';
@@ -1334,7 +1336,10 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+	    $sfqinhex = in_hexp( ++$sfq);
+	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+	}
 	#
 	# add filters
 	#
@@ -1344,7 +1349,7 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#

Shorewall/changelog.txt

@@ -1,3 +1,37 @@
+Changes in Shorewall 4.4.7.6
+
+1)  Fix Debian init script exit status
+
+2)  Fix NFQUEUE(queue-num) in policy
+
+3)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
+
+Changes in Shorewall 4.4.7.5
+
+1)  Don't create a logging chain for rules with '-j RETURN'.
+
+2)  Avoid duplicate SFQ class numbers.
+
+3)  Fix low per-IP rate limits.
+
+Changes in Shorewall 4.4.7.4
+
+1)  Add $remote_fs to Required-start and Required-stop for Debian.
+
+Changes in Shorewall 4.4.7.3
+
+1)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=Yes
+
+Changes in Shorewall 4.4.7.2
+
+1)  Fix detection of "Old hashlimit match".
+
+2)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=No
+
+Changes in Shorewall 4.4.7.1
+
+1)  Don't apply rate limiting twice in NAT rules.
+
 Changes in Shorewall 4.4.7
 
 1)  Backport optimization changes from 4.5.

Shorewall/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -38,6 +38,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall/known_problems.txt

@@ -1 +1,101 @@
-There are no known problems in Shorewall 4.4.7.
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
+    Corrected in 4.4.7.1
+
+2)  Detection of the 'Old hashlimit match' capability was broken in
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    shorecap. This problem only affects users of older distributions
+    such as RHEL5 and derivatives.
+
+    Corrected in 4.4.7.2
+
+3)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+    Corrected in 4.4.7.2
+
+4)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+    Corrected in 4.4.7.3
+
+5)  A CONTINUE rule specifying a log level will cause the compiler to
+    generate an incorrect rule sequence. The packet will be logged but
+    the CONTINUE action will not occur.
+
+    To work around the problem break the rule into two rules; a logging
+    rule and a CONTINUE rule.
+
+    Corrected in 4.4.7.5.
+
+6)  If multiple entries are present in /etc/shorewall/tcdevices and
+    globally unique class numbers are not explicitly specified in
+    /etc/shorewall/tcclasses, then 'shorewall start' will fail with a
+    diagnostic such as:
+
+    Setting up Traffic Control...
+    RTNETLINK answers: File exists
+      ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
+             1500 limit 127 perturb 10" Failed
+    Processing /etc/shorewall/stop ...
+
+    Corrected in 4.4.7.5.
+
+7)  If a low per-IP rate limit (such as 1/hour) is specified, the
+    effective enforced rate is much higher (approximately 6/min). The
+    Shorewall compiler now configures the hashlimit table idle timeout
+    based on the rate units (min, hour, ...) so that the rate is more
+    accurately enforced.
+
+    Corrected in 4.4.7.5.
+
+    As part of this change, a unique hash table name is assigned to
+    each per-IP rate limiting rule that does not specify a table name
+    in the rule. The assigned names are of the form 'shorewallN' where
+    N is an integer. Previously, all such rules shared a single
+    'shorewall' table which lead to unexpected results.
+
+8)  All prior versions of Shorewall-perl mishandle per-IP rate limiting
+    in REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst
+    are 1/2 of the values given in the rule.
+
+    Corrected in 4.4.7.5.
+
+9)  If a queue-number is specified in an NFQUEUE policy (e.g.,
+    NFQUEUE(0)), invalid iptables-restore input is generated.
+
+    Corrected in 4.4.7.6.
+
+10) The Debian init scripts return exit status 0, even when the command
+    fails.
+
+    Corrected in 4.4.7.6.
+
+11) Previously, with optimization 4, users of ipsec on older releases
+    such as RHEL5 and CentOS, could encounter an error similar to this
+    one:
+
+    Running /sbin/iptables-restore...
+    iptables-restore v1.3.5: Unknown arg `out'
+    Error occurred at line: 93
+    Try `iptables-restore -h' or 'iptables-restore --help' for more
+        information.
+    	ERROR: iptables-restore Failed. Input is in
+               /var/lib/shorewall/.iptables-restore-input
+
+    Corrected in 4.4.7.6.
+
+12) If optimization 4 is enabled, the 'blacklst' chain may be optimized
+    away. If that occurs, then if the 'blacklist' file is subsequently
+    updated, the 'shorewall refresh' command will succeed but the
+    changes will not be included in the active ruleset.
+
+    Workaround: Use 'shorewall restart' to install the changes.
+
+    Will be corrected in 4.4.8.
+
+

Shorewall/lib.base

@@ -956,7 +956,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
     if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
     fi	
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.7
+Shorewall 4.4.7 Patch Release 6.
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -183,6 +183,101 @@ Shorewall 4.4.7
     unless you choose to replace your current shorewall.conf with the
     one from the release (not recommended).
 
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 6
+----------------------------------------------------------------------------
+
+1)  Previously, when a supported command failed, the Debian Shorewall
+    init script would still return a success (zero) exit status. It now
+    returns a failure status (1) when the command fails.
+
+2)  Previously, if a queue number was specified in an NFQUEUE policy
+    (e.g., NFQUEUE(0)), invalid iptables-restore input would be
+    generated.
+
+3)  Previously, with optimization 4, users of ipsec on older releases
+    such as RHEL5 and CentOS, could encounter an error similar to this
+    one:
+
+    Running /sbin/iptables-restore...
+    iptables-restore v1.3.5: Unknown arg `out'
+    Error occurred at line: 93
+    Try `iptables-restore -h' or 'iptables-restore --help' for more
+        information.
+    	ERROR: iptables-restore Failed. Input is in
+               /var/lib/shorewall/.iptables-restore-input
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 5
+----------------------------------------------------------------------------
+
+1)  A CONTINUE rule specifying a log level would cause the compiler to 
+    generate an incorrect rule sequence. The packet would be logged
+    but the CONTINUE action would not occur.
+
+2)  If multiple entries were present in /etc/shorewall/tcdevices and
+    globally unique class numbers were not explicitly specified in
+    /etc/shorewall/tcclasses, then 'shorewall start' would fail with a
+    diagnostic such as:
+
+    Setting up Traffic Control...
+    RTNETLINK answers: File exists
+      ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
+             1500 limit 127 perturb 10" Failed
+    Processing /etc/shorewall/stop ...
+
+3)  Previously, when a low per-IP rate limit (such as 1/hour) was
+    specified, the effective enforced rate was much higher
+    (approximately 6/min). The Shorewall compiler now configures the
+    hashlimit table idle timeout based on the rate units (min, hour,
+    ...) so that the rate is more accurately enforced.
+
+    As part of this change, a unique hashlimit table name is assigned
+    to each per-IP rate limiting rule that does not specify a table name
+    in the rule. The assigned names are of the form 'shorewallN' where
+    N is an integer. Previously, all such rules shared a single
+    'shorewall' table which lead to unexpected results.
+
+4)  All prior versions of Shorewall-perl mishandle per-IP rate limiting
+    ACCEPT+ rules. The effective rate and burst are 1/2 of the values
+    given in the rule. This problem has been corrected so that the
+    specified rate is now the effective rate.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 4
+----------------------------------------------------------------------------
+
+1)  The Debian init scripts are modified to include $remote_fs in the 
+    Required-start and Required-stop specifications.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 3
+----------------------------------------------------------------------------
+
+1)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=Yes, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of the 'Old hashlimit match' capability was broken in
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    shorecap.
+
+2)  On older distributions such as RHEL5 and derivatives, when
+    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
+    specified in /etc/shorewall/tcinterfaces.
+ 
+----------------------------------------------------------------------------
+       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 1
+----------------------------------------------------------------------------
+
+1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
+    the values given in the rule.
+
 ----------------------------------------------------------------------------
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.7
-%define release 0base
+%define release 6
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -107,7 +107,19 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Sat Feb 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-6
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall6-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -42,6 +42,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.7
-%define release 0base
+%define release 6
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -91,7 +91,19 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Sat Feb 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-6
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall6/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall6
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -38,6 +38,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.7
-%define release 0base
+%define release 6
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -96,7 +96,19 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+* Sat Feb 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-6
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-5
+* Mon Feb 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-4
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-3
+* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-2
+* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-1
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.7
+VERSION=4.4.7.6
 
 usage() # $1 = exit status
 {

docs/FAQ.xml

@@ -1203,33 +1203,34 @@ LOGBURST=""</programlisting>
         </literallayout>
 
         <para>I personally use <ulink
-        url="http://www.logwatch.org">Logwatch</ulink>. It emails me a report
-        each day from my various systems with each report summarizing the
-        logged activity on the corresponding system. I use the brief report
-        format; here's a sample:</para>
+        url="http://www.cert.uni-stuttgart.de.projects/fwlogwatch">fwlogwatch</ulink>.
+        It emails me a report each day from my various systems with each
+        report summarizing the logged activity on the corresponding system;
+        here's a sample:</para>
 
         <blockquote>
-          <programlisting> --------------------- iptables firewall Begin ------------------------ 
+          <programlisting>fwlogwatch summary
+Generated Monday March 01 12:05:04 PST 2010 by root.
+840 (and 166 older than 86400 seconds) of 1006 entries in 2 input files are packet logs, 178 have unique characteristics.
+First packet log entry: Feb 28 12:56:49, last: Mar 01 12:00:38.
+All entries were logged by the same host: "gateway".
+All entries have the same target: "-".
 
- Dropped 111 packets on interface eth0
-   From 58.20.162.142 - 5 packets to tcp(1080) 
-   From 62.163.19.50 - 1 packet to udp(6348) 
-   From 66.111.45.60 - 9 packets to tcp(192) 
-   From 69.31.82.50 - 18 packets to tcp(3128) 
-   From 72.232.183.102 - 2 packets to tcp(3128) 
-   From 82.96.96.3 - 6 packets to tcp(808,1080,1978,7600,65506) 
-   From 128.48.51.209 - 5 packets to tcp(143) 
-   From 164.77.223.150 - 12 packets to tcp(873) 
-   From 165.233.109.23 - 8 packets to tcp(22) 
-   From 202.99.172.175 - 4 packets to udp(2,4081) 
-   From 206.59.41.101 - 2 packets to tcp(5900) 
-   From 217.91.30.224 - 24 packets to tcp(873) 
-   From 218.87.47.114 - 6 packets to tcp(3128) 
-   From 220.110.219.234 - 4 packets to tcp(22) 
-   From 220.133.116.173 - 5 packets to tcp(3128) 
- 
- ---------------------- iptables firewall End -------------------------</programlisting>
+net-fw DROP  eth0 72 packets from 174.37.159.222 to 76.104.233.98
+net-fw DROP  eth2 30 packets from 66.249.65.20 to 206.124.146.176
+net-fw DROP  eth0 22 packets from 85.247.221.191 to 76.104.233.98
+net-dmz DROP  eth2 18 packets from 60.217.65.115 to 206.124.146.178
+net-fw DROP  eth2 18 packets from 60.217.65.115 to 206.124.146.180
+net-fw DROP  eth2 18 packets from 60.217.65.115 to 206.124.146.176
+net-fw DROP  eth2 18 packets from 60.217.65.115 to 206.124.146.179
+net-fw DROP  eth0 18 packets from 221.195.73.86 to 76.104.233.98
+net-dmz DROP  eth2 16 packets from 60.217.65.115 to 206.124.146.177
+net-fw DROP  eth0 16 packets from 24.30.147.199 to 76.104.233.98
+...</programlisting>
         </blockquote>
+
+        <para>Fwlogwatch contains a built-in web server that allows monitoring
+        recent activity in summary fashion.</para>
       </section>
 
       <section id="faq6b">

docs/configuration_file_basics.xml

@@ -1140,9 +1140,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     '!' to specify "All ports except these" (e.g., "!80,443").</para>
 
     <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
-    file may specify no more than 15 ports; port ranges appearing in a list
-    count as two ports each.</para>
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
   </section>
 
   <section id="MAC">
@@ -1186,6 +1186,32 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     </note>
   </section>
 
+  <section id="RateLimit">
+    <title>Rate Limiting (Rate and Burst)</title>
+
+    <para>Shorewall supports rate limiting in a number of ways. When
+    specifying a rate limit, both a <firstterm>rate</firstterm> and a
+    <firstterm>burst</firstterm> value are given.</para>
+
+    <para>Example from <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5): </para>
+
+    <simplelist>
+      <member>LOGRATE=10/minute</member>
+
+      <member>LOGBURST=5</member>
+    </simplelist>
+
+    <para> For each logging rule, the first time the rule is reached, the
+    packet will be logged; in fact, since the burst is 5, the first five
+    packets will be logged. After this, it will be 6 seconds (1 minute divided
+    by the rate of 10) before a message will be logged from the rule,
+    regardless of how many packets reach it. Also, every 6 seconds which
+    passes without matching a packet, one of the bursts will be regained; if
+    no packets hit the rule for 30 seconds, the burst will be fully recharged;
+    back where we started.</para>
+  </section>
+
   <section id="Logical">
     <title>Logical Interface Names</title>
 

manpages/shorewall-rules.xml

@@ -891,10 +891,10 @@
           respectively. The <replaceable>name</replaceable> may be chosen by
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
-          rule specifies the same name, the connections counts for the rules
-          are aggregated and the individual rates apply to the aggregated
-          count.</para>
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
+          assumed. Where more than one rule specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>
 
           <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
         </listitem>

manpages6/shorewall6-rules.xml

@@ -692,10 +692,10 @@
           respectively. The <replaceable>name</replaceable> may be chosen by
           the user and specifies a hash table to be used to count matching
           connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the rules
-          are aggregated and the individual rates apply to the aggregated
-          count.</para>
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
+          assumed. Where more than one POLICY specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>
         </listitem>
       </varlistentry>