Shorewall 4.2.10 Patch release 1

----------------------------------------------------------------------------
               R E L E A S E  4 . 2  H I G H L I G H T S
----------------------------------------------------------------------------
1) Support is included for multiple internet providers through the same
   ethernet interface.

2) Support for NFLOG has been added.

3) Enhanced operational logging.

4) The tarball installers now work under Cygwin.

5) Shorewall-perl now supports IFB devices which allow traffic shaping of
   incoming traffic.

6) Shorewall-perl supports definition of u32 traffic classification
   filters.

7) Support for IPv6 is available beginning with Shorewall 4.2.4.

   Minimun system requirements for IPv6 support:

   - Kernel 2.6.24 or later.
   - iptables 1.4.0 or later with 1.4.1 or later strongly recommended.
   - Perl 5.10 if you wish to use DNS names in your IPv6 config files. 
     In that case you will also have to install Perl Socket6 support.

Problems corrected in Shorewall-perl 4.2.10.1

1)  Users that set TC_ENABLED=Internal and have entries in
    /etc/shorewall/tcdevices and /etc/shorewall/tcclasses may experience
    startup error such as the following:

    ERROR: Command "tc qdisc add dev eth1 root handle 1: htb default 12 r2q 20.8" Failed

Problems corrected in Shorewall 4.2.10

1)  A 'large quantum' warning log message during restart has been
    eliminated. The log message occurred when an interface with a large
    OUT-BANDWIDTH was defined in /etc/shorewall/tcdevices.

2)  When a REJECT rule included a log entry, the disposition in the log
    message was incorrectly shown as 'reject' rather than 'REJECT'.

3)  When 'forward' was specified on one or more interfaces in
    /etc/shorewall6/interfaces, the progress message "Compiling
    Interface forwarding..." was issued multiple times. Now, only one
    instance of the message is generated.

4)  A typing error in the IPv6 two-interface sample shorewall6.conf
    file has been corrected. This error prevented the compiler from
    being able to find macros in /usr/share/shorewall/.

Known Problems Remaining:

1)  When exclusion is used in an entry in /etc/shorewall/hosts, then
    Shorewall-shell produces an invalid iptables rule if any of the 
    following OPTIONS are also specified in the entry:    

        blacklist
	maclist
	norfc1918
	tcpflags

2)  Shorewall-shell generates inversion rules which produce
    warnings with iptables 1.4.3.  

    Example:

        iptables -A  lan2fw  -p 6  --dport 999  -s ! 192.168.20.1  -j ACCEPT

    with iptables 1.4.3.1 the following information message is produced:

    Using intrapositioned negation (`--option ! this`) is deprecated in
    favor of extrapositioned (`! --option this`).

    We don't intend to fix this. It's time to migrate to Shorewall-perl
    anyway.

New Features in Shorewall 4.2.10

1)  Shorewall's suppport for dynamic gateways on interfaces managed by
    dhclient works on OpenSuSE systems but not on some other
    distributions.

    In order to generalize support for learning the gateway for dynamic
    interfaces, a new 'findgw' extension script (user exit) has been
    added.

    The exit will be invoked in a function that has a single argument:

        $1 = <name of an interface>

    If the function can determine the gateway for the passed interface,
    it should write the gateway to standard out. Here is a sample
    /etc/shorewall/findgw that works with dhclient (dhcp3) in Debian
    Lenny:

    if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
       grep 'option routers' /var/lib/dhcp3/dhclient.${1}.leases |\
          tail -n 1 |\
          while read j1 j2 gateway; do\
              echo $gateway | sed 's/;//';\
          done
    fi

    The same code works on Ubuntu Jaunty if you replace the first '.'
    with '-' and replace '.leases' with '.lease' (don't you just love
    the consistency between distributions?).

    That code also works on CentOS if you replace 'dhcp3' by
    'dhclient'.

    'findgw' files that have been customized for various distributions
    may be found at
    http://www.shorewall.net/pub/shorewall/contrib/findgw.

Migration Issues.

1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
    mark values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Packet marking rules for traffic shaping of packets
    originating on the firewall must be coded in the POSTROUTING chain.

2)  Previously, Shorewall did not range-check the value of the
    VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2:

    a) A VERBOSITY setting outside the range -1 through 2 is rejected.
    b) After the -v and -q options are applied, the resulting value is
       adjusted to fall within the range -1 through 2.

3)  Specifying a destination zone in a NAT-only rule now generates a
    warning and the destination zone is ignored. NAT-only rules are:

             NONAT
             REDIRECT-
             DNAT-

4)  The default value for LOG_MARTIANS has been changed. Previously,
    the defaults were:

        Shorewall-perl - 'Off'
        Shorewall-shell - 'No'

    The new default values are:

        Shorewall-perl - 'On'
        Shorewall-shell - 'Yes'.

    Shorewall-perl users may:

    a) Accept the new default -- martians will be logged from all
       interfaces with route filtering except those with log_martians=0
       in /etc/shorewall/interfaces.

    b) Explicitly set LOG_MARTIANS=Off to maintain compatibility with
       prior versions of Shorewall.

    Shorewall-shell users may:

    a) Accept the new default -- martians will be logged from all
       interfaces with the route filtering enabled.

    b) Explicitly set LOG_MARTIONS=No to maintain compatibility with 
       prior versions of Shorewall.

5)  The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
    been changed from Yes to No. If you are a Debian or Ubuntu user and
    you select replacement of shorewall.conf during upgrade to
    Shorewall 4.2, you will want to change IMPLICIT_CONTINUE back to
    'Yes' if you have nested zones that rely on IMPLICIT_CONTINUE=Yes
    for proper operation.

6)  The 'norfc1918' option is deprecated. Use explicit rules instead.
    Note that there is a new 'Rfc1918' macro that acts on addresses
    reserved by RFC 1918.

7)  DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl. Use
    ipset-based zones instead.

8)  The generated firewall script produced by Shorewall-perl can now
    detect the GATEWAY of an interface configured with dhclient.

New Features in Shorewall 4.2

1)  Shorewall 4.2 contains support for multiple Internet providers
    through a single ethernet interface. Configuring two providers
    through a single interface differs from two providers through two
    interfaces in several ways.

    a) Only ethernet (or ethernet-like) interfaces can be used. For
       inbound traffic, the MAC addresses of the gateway routers is used
       to determine which provider a packet was received through. Note
       that only routed traffic can be categorized using this technique.

    b) You must specify the address on the interface that corresponds to
       a particular provider in the INTERFACE column by following the
       interface name with a colon (":") and the address.
 
    c) Entries in /etc/shorewall/masq must be qualified by the provider
       name (or number).

    d) This feature requires Realm Match support in your kernel and
       iptables. If you use a capabilities file, you need to regenerate
       the file with Shorewall 4.2 or Shorewall-lite 4.2.
 
    e) You must add route_rules entries for networks that are accessed
       through a particular provider.

    f) If you have additional IP addresses through either provider,
       you must add route_rules to direct traffic FROM each of those
       addresses through the appropriate provider.

    g) You must add MARK rules for any traffic that you know originates
       from a particular provider.

     Example:

     Providers Blarg (1) and Avvanta (2) are both connected to
     eth0. The firewall's IP address with Blarg is 206.124.146.176/24
     (gateway 206.124.146.254) and the IP address from Avvanta is
     130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
     address (206.124.146.177) from Blarg.

     /etc/shorewall/providers:

       #PROVIDER   NUMBER  MARK    DUPLICATE INTERFACE            GATEWAY
       Blarg       1       1       main      eth0:206.124.146.176 206.124.146.254 ...
       Avvanta     2       2       main      eth0:130.252.144.8   130.252.144.254 ...

     /etc/shorewall/masq:

       #INTERFACE          SOURCE          ADDRESS
       eth0(Blarg)         130.252.144.8   206.124.146.176
       eth0(Avvanta)       206.124.146.176 130.252.144.8
       eth0(Blarg)         eth1            206.124.146.176
       eth0(Avvanta)       eth1            130.252.144.8

     /etc/shorewall/route_rules:

        #SOURCE            DEST                    PROVIDER        PRIORITY
        -                  206.124.146.0/24        Blarg           1000
        -                  130.252.144.0/24        Avvanta         1000
        206.124.146.177    -                       Blarg           26000

     /etc/shorewall/tcrules

        #MARK/CLASSIFY  SOURCE                       DEST
        1                eth0:206.124.146.0/24  0.0.0.0/0
        2                eth0:130.242.144.0/24  0.0.0.0/0

2)  You may now include the name of a table (nat, mangle or filter) in
    a 'shorewall refresh' command by following the table name with a
    colon (e.g., mangle:). This causes all non-builtin chains in the
    table to be reloaded.

    Example:

        shorewall refresh nat:

3)  When no chain name is given to the 'shorewall refresh' command, the
    mangle table is refreshed along with the blacklist chain (if
    any). This allows you to modify /etc/shorewall/tcrules and install
    the changes using 'shorewall refresh'.

4)  Support for the NFLOG log target has been added. NFLOG is a
    successor to ULOG. In addition, both ULOG and NFLOG may be followed
    by a list of up to three numbers in parentheses.

    The first number specifies the netlink group (1-32). If omitted
    (e.g., NFLOG(,0,10)) then a value of 1 is assumed.

    The second number specifies the maximum number of bytes to copy. If
    omitted, 0 (no limit) is assumed.

    The third number specifies the number of log messages that should
    be buffered in the kernel before they are sent to user space. The
    default is 1.

    Examples:

    /etc/shorewall/shorewall.conf:

        MACLIST_LOG_LEVEL=NFLOG(1,0,1)

    /etc/shorewall/rules:

        ACCEPT:NFLOG(1,0,1) vpn fw tcp ssh,time,631,8080

5)  Shorewall-perl 4.2 implements an alternative syntax for macro
    parameters and for the NFQUEUE queue number. Rather than following
    the macro name (or NFQUEUE) with a slash ("/") and the parameter,
    the parameter may be enclosed in parentheses.

    Examples -- each pair shown below are equivalent:

    DNS/ACCEPT          DNS(ACCEPT)
    NFQUEUE/3           NFQUEUE(3)
    
    The old syntax will still be accepted but will cease to be documented
    in some future Shorewall release.

6)  Shorewall 4.2 contains enhanced operational logging capabilities
    through a set of related enhancements to Shorewall-common and
    Shorewall-perl. The enhancements are not supported by
    Shorewall-shell nor are they supported by Shorewall-lite except
    when the script is compiled using Shorewall-perl.

    a)  The STARTUP_LOG option in /etc/shorewall/shorewall.conf gives
        the name of the Shorewall operational log. The log will be
        created if it does not exist.

    b)  The LOG_VERBOSITY option in /etc/shorewall/shorewall.conf gives
        the verbosity at which logging will occur. It uses the same
        value range as VERBOSITY:

        -1    Do not log
        0     Almost quiet
        1     Only major steps
        2     Verbose

    c)  An absolute VERBOSITY may be specified on the command line
        using the -v option followed by -1,0,1 or 2.

        Example:

                shorewall -v2 check

    d)  The /etc/init.d/shorewall script supplied with the
        shorewall.net packages sets '-v0' as the default. This may be
        overridden with the OPTIONS setting in /etc/defaults/shorewall or
        /etc/sysconfig/shorewall.

    Logging occurs on both Shorewall-perl and the generated script when
    the following commands are issued:

        start
        restart
        refresh

    Messages in the log are always timestamped.

    This change implemented two new options to the Shorewall-perl
    compiler (/usr/share/shorewall-perl/compiler.pl).

        --log=<logfile>
        --log_verbosity={-1|0-2}

    The --log option is ignored when --log_verbosity is not supplied or
    is supplied with value -1.

    To avoid a proliferation of parameters to
    Shorewall::Compiler::compile(), that function has been changed to
    use named parameters. Parameter names are:

         object          Object file. If omitted or '', the
                         configuration is syntax checked. 
         directory       Directory. If omitted or '', configuration
                         files are located using
                         CONFIG_PATH. Otherwise, the directory named by
                         this parameter is searched first.
         verbosity       Verbosity; range -1 to 2
         timestamp       0|1 -- timestamp messages.
         debug           0|1 -- include stack trace in warning/error
                         messages. 
         export          0|1 -- compile for export.
         chains          List of chains to be reloaded by 'refresh'.
         log             File to log compiler messages to.
         log_verbosity   Log Verbosity; range -1 to 2.

    Those parameters that are supplied must have defined values.

    Defaults are:

             object         '' ('check' command)
             directory      ''
             verbosity      1
             timestamp      0
             debug          0
             export         0
             chains         ''
             log            ''
             log_verbosity  -1
             

    Example:

    use lib '/usr/share/shorewall-perl/';
    use Shorewall::Compiler;

    compiler( object        => '/root/firewall', 
              log           => '/root/compile.log',
              log_verbosity => 2 );

7)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
    mark values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Packet marking rules for traffic shaping of packets
    originating on the firewall must be coded in the POSTROUTING chain.

8)  Previously, Shorewall did not range-check the value of the
    VERBOSITY option in shorewall.conf. Beginning with Shorewall 4.2:

    a) A VERBOSITY setting outside the range -1 through 2 is rejected.
    b) After the -v and -q options are applied, the resulting value is
       adjusted to fall within the range -1 through 2.

9)  The tcdevices file has been extended to include an OPTIONS
    column. Currently only a single option is defined.

    classify   When specified, you must use explicit CLASSIFY tcrules
               to classify traffic by class. Shorewall will not create
               any CLASSIFY rules to classify traffic by mark value.

    See http://www.shorewall.net/traffic_shaping.htm for further
    information.

10) COMMENT lines are now supported in macro bodies by Shorewall-perl
    and are ignored by the Shorewall-shell compiler.

    COMMENT lines in macros work slightly differently from COMMENT
    lines in other files. COMMENT lines in macros are ignored if
    COMMENT support is not available or if there was a COMMENT in use
    when the top-level macro was invoked. This allows the
    following:

        /etc/shorewall/macro.SSH:

            #ACTION SOURCE  PROTO   DEST    SOURCE  RATE    USER/
            #                       PORT(S) PORT(S) LIMIT   GROUP
            COMMENT My SSH Macro
            PARAM   -       -       tcp     22

        /etc/shorewall/rules:

            COMMENT Allow SSH from home
            SSH/ALLOW     net:$MYIP        $FW
            COMMENT
   
        The comment line in macro.SSH will not override the 
        COMMENT line in the rules file and the generated rule will show

                /* Allow SSH from home */

        when displayed through the Shorewall show and dump commands.

    If a macro is invoked and there is no current comment, then the
    name of the macro automatically becomes the current comment. This
    makes macros self-commenting.   

11) If the program named in SHOREWALL_SHELL doesn't exist or is not
    executable, Shorewall and Shorewall-lite now both fall back to
    /bin/sh after issuing a warning message. Previously, both
    terminated with a fatal error.

12) Shorewall-perl now generates fatal error conditions if there are
    no IPv4 zones defined or there are no interfaces defined.

13) Shorewall now unconditionally uses tc filter rules to classify
    traffic by MARK value. Previously, Shorewall used the CLASSIFY
    target in the POSTROUTING chain if it was available.

14) The Shorewall installers (install.sh) now work on Windows
    under Cygwin. By default, they install under the user id and group
    of the person doing the install. This can be overridden by
    specifying OWNER and GROUP explicitly.

    Example:

        OWNER=foo GROUP=bar ./install.sh

    To install Shorewall-perl under Cygwin:

    $ tar -zxf shorewall-perl-4.x.y.tar.bz2
    $ tar -zxf shorewall-common-4.x.y.tar.bz2
    $ cd shorewall-perl-4.x.y
    $ ./install.sh
    $ cd ../shorewall-common-4.x.y
    $ ./install.sh
    
    The 'shorewall' program is installed in /bin/ (a.k.a, /usr/bin/).

15) When installing on Cygwin, /etc/shorewall is no longer fully
    populated. Rather, only the shorewall.conf and params files are
    installed. As always, the full configuration file set is installed
    in /usr/share/shorewall/configfiles.

16) Specifying a destination zone in a NAT-only rule now generates a
    warning and the destination zone is ignored. NAT-only rules are:

             NONAT
             REDIRECT-
             DNAT-

17)  The /etc/shorewall/masq and /etc/shorewall/nat file now accept a
    comma-separated list of interface names where before only a single
    interface name could be listed (Shorewall-perl only).

    This feature is not for beginners. It iterates over the
    list of interfaces, substituting each interface in place of the
    list and processing the resulting entry according to the semantics
    of earlier Shorewall versions. If you don't know where to use this,
    don't try.

    Example 1:

    /etc/shorewall/masq:

    #INTERFACE              SOURCE          ADDRESS
    eth0,eth1               eth2            1.2.3.4

    equivalent to:

    #INTERFACE              SOURCE          ADDRESS
    eth0                    eth2            1.2.3.4
    eth1                    eth2            1.2.3.4

    Example 2:

    /etc/shorewall/masq:

    #INTERFACE                       SOURCE      ADDRESS
    eth0,eth1::192.168.1.0/24        eth2        1.2.3.4

    equivalent to:

    #INTERFACE              SOURCE          ADDRESS
    eth0::192.168.1.0/24    eth2            1.2.3.4
    eth1::192.168.1.0/24    eth2            1.2.3.4

    Example 3:

    /etc/shorewall/nat:

    #EXTERNAL        INTERFACE       INTERNAL
    206.124.146.178  eth0,wlan0      192.168.1.3

    equivalent to:

    #EXTERNAL        INTERFACE       INTERNAL
    206.124.146.178  eth0            192.168.1.3
    206.124.146.178  wlan0           192.168.1.3

18) Previously, the INTERFACE name used in the masq, nat and netmap
    files had to exactly match the name of an interface from the
    interfaces file. Beginning with Shorewall-perl 4.1.4, the
    interface may loosely match a wildcard entry in the interfaces
    file.

    Example:

    /etc/shorewall/interfaces:

        vpn        tun+        

    /etc/shorewall/masq:

        tun1        192.168.4.0/24

19) Previously, Shorewall classified non-firewall zones as either
    'simple' or 'complex'. Attributes of a zone which made it 'complex'
    included:

    - The zone was of type 'ipsec' or 'ipsec4' or it had a hosts
      entry with the 'ipsec' options.
    - The zone had OPTIONS, IN OPTIONS or OUT OPTIONS
    - The zone had more than one network on a given interface
    - The zone had a hosts file entry with an exclusion.
    - The zone had a hosts file entry specifying an ipset.

    The handling of 'simple' and 'complex' zones was different.

    -  complex zones had their own 'forward' chain (named
       '<zone>_frwd').
    -  complex zones with exclusions had their own 'input' and
       'output' chains.

    Beginning with Shorewall-perl 4.2, all non-firewall zones will be
    treated as 'complex'. This will have the effect of one additional
    filter chain per zone but in most cases, the average number of
    filter rules traversed by a connection request will be reduced.

20) The need for interface-specific chains (such as eth0_in, eth4_fwd,
    etc.) in the filter table has been drastically reduced. This has
    the effect of reducing the average number of rules that each packet
    must traverse.

21) The default value for LOG_MARTIANS is now 'Yes' ('On' in
    Shorewall-perl). Previously, the default value was 'No' ('Off' in
    Shorewall-perl). The shorewall.conf file has also been 
    updated to specify a value of 'Yes' (which is interpreted as 'On'
    by Shorewall-perl).

22) Shorewall-perl now generates an error when a MAC address appears in
    a traffic shaping rule in the OUTPUT or POSTROUTING chains.

23) Macros are now self-commenting under control of a new AUTO_COMMENT
    option in shorewall.conf. When this option is set, if there is not
    a current comment when a macro is invoked, the behavior under
    Shorewall-perl is as if the first line of the macro file was
    "COMMENT <macro name>".

    So, if you have this rule:

            SSH/ACCEPT  loc         fw

    then the generated netfilter rule will include "/* SSH */" when
    viewed with 'iptables -L' or 'shorewall show loc2fw' or 'shorewall
    dump'.

    The AUTO_COMMENT option has a default value of 'Yes' and is only
    available under Shorewall-perl. The option is ignored by
    Shorewall-shell.

24) The default value for the IMPLICIT_CONTINUE option has been changed
    to 'No'.

25) Shorewall-perl now supports an 'l2tp' tunnel type. It opens UDP
    port 1701 in both directions and assumes that the source port will
    also be 1701. Some implementations (particularly OS X) use a
    different source port. In that case, you should use
    'generic:udp:1701' rather than 'l2tp'.

26) The /etc/shorewall/tcdevices and /etc/shorewall/tcclasses files
    have undergone some changes, especially when the 'classify' option
    has been specified.

    Normally Shorewall assigns interface numbers sequentially to
    devices listed in /etc/shorewall/tcdevices. Beginning with
    Shorewall 4.1.6, you can explicitly specify inteface numbers by
    prefixing the interface name with the interface number and a colon:

    Example:

     #INTERFACE    IN-BANDWITH     OUT-BANDWIDTH        OPTIONS
     1:eth0        1300kbit        384kbit              classify
     2:eth1        5600kbit        1000kbit        

     In /etc/shorewall/tcclasses:

     a) You can specify the INTERFACE using either the interface name
        or interface number.

     b) classes associated with devices which have the 'classify'
        option _must_ specify a class number by following the interface
        name/number with a colon (":") and the class number. The same
        class number may be used for classes defined on different
        interfaces but a class number may not be the same as any
        interface number.

    A class number may be specified when 'classify' has not been
    specified for the associated device. When a class number has not
    been given, the default class number remains the mark value
    prefixed by "1".

27) Shorewall now supports Intermediate Functional Block (IFB) devices.
    These devices allow shaping of incoming traffic.

    The 'ifb' module is available in the kernels included with today's
    distributions. You must load the module manually:

    If your distribution has modprobe:

       modprobe ifb [ numifbs=<number> ]

    Otherwise:

       insmod <path to net driver modules>/ifb.ko [ numifbs=<number> ]

    By default, the module automatically creates two IFB devices (ifb0
    and ifb1). To create only one, specify 'numifbs=1'.

    Example:

        ursa:~ # modprobe ifb numifbs=1
        ursa:~ # ip link ls
        1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
                link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
                link/ether cc:2b:cb:24:1b:00 brd ff:ff:ff:ff:ff:ff
        3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
                link/ether 00:1a:73:db:8c:35 brd ff:ff:ff:ff:ff:ff
        4: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
               link/ether 26:99:d8:7d:32:26 brd ff:ff:ff:ff:ff:ff
        ursa:~ # 

    After you have created the IFB(s), you must bring it(them) up:

            ip link set dev ifb0 up

    You can place all of this in /etc/shorewall/init as follows:

            modprobe ifb numifbs=1
        ip link set dev ifb0 up

    The /etc/shorewall/tcdevices file has been extended to include an
    additional REDIRECTED DEVICES column. To convert your configuration
    to use an IFB:

    a) Look at your current /etc/shorewall/tcdevices file. Suppose you
       have:

        #INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH  OPTIONS
        eth0        1300kbit      384kbit        -

        Change it as follows:

        #INTERFACE  IN-BANDWIDTH  OUT-BANDWIDTH  OPTIONS  REDIRECTED
        #                                                 DEVICES
        eth0        -             384kkbit       -
        ifb0        -             1300kbit       -        eth0

       Note that the old IN-BANDWIDTH for eth0 has become the
       OUT-BANDWIDTH for ifb0 and that neither device has an
       IN-BANDWIDTH in the new configuration.

       Finally note that eth0 has been specified as a REDIRECTED device
       for the IFB.

    b) There are no Netfilter hooks between the real device (eth0) and
       the IFB (ifb0). So tcrules cannot be used to specify shaping of
       traffic leaving the IFB. To allow that traffic to be classified,
       a new /etc/shorewall/tcfilters file has been added.

       /etc/shorewall/tcfilters can be used for classifying traffic on
       any interface. When using entries in that file, it is important
       to realize that those entries act on packets as they appear 'on
       the wire'. That means that on output, SNAT/MASQUERADE has been
       applied and on input (output to an IFB), DNAT has not yet been
       applied.

       Columns in the file are:

       INTERFACE:CLASS

                The interface name or number followed by a colon (":")
                and the class number.

       SOURCE
                Source IP address. May be a host or network address.
                Specify "-" if any SOURCE address should match.

       DEST
                Destination IP address. May be a host or network
                address. Specify "-" if any DEST address should match.

       PROTO
                Protocol Name/Number. Specify "-" if any PROTO should
                match.

       DEST PORT(S)
                A comma-separated list of destination ports. May only
                be given if the PROTO is tcp, udp, icmp or
                sctp. Port ranges may be used, except when the PROTO is
                icmp. Specify "-" if any PORT should match.

       SOURCE PORT(S)
                A comma-separated list of source port. May only be
                given if the PROTO is tcp, udp or sctp. Port ranges
                may be used unless the protocol is icmp. Specify "-" if
                any PORT should match.

    Entries in /etc/shorewall/tcfilters generate U32 tc filters which
    may be displayed using the "shorewall show filters" ("shorewall-lite
    show filters") command. Note: The 'show filters' command is an
    alias for the existing 'show classifiers' command.

    Note that /etc/shorewall/tcfilters provides a usable alternative to
    HIGH_ROUTE_MARKS=Yes. You can use marks to select between providers
    and use entries in /etc/shorewall/tcfilters (or CLASSIFY tcrules)
    for traffic shaping.

28) If an interface fails when using balanced multi-ISP routing, the
    default route is lost. If there are remaining working interfaces
    with dynamic gateway addresses, Shorewall will be unable to
    determine those gateways.

    Beginning with Shorewall (Shorewall-lite) 4.1.7, the 'init' script
    may participate in gateway detection by setting variables with
    pre-determined names as follows:

         <gw>_GATEWAY

    where <gw> is the interface name:

          - in upper case
          - with any characters not allowed in shell variable names
            replaced by '_'.

    Example (from OpenWRT): 

          Interface:           eth0.1
          Variable:            ETH0_1_GATEWAY
          /etc/shorewall/init: 

              ETH0_1_GATEWAY=$(uci get /var/state/network.wan0.gateway)

29) A new CONNBYTES column has been added to the tcrules file. The
    column defines a byte or packet range that the connection must fall
    within in order for the rule to match. The contents are:

             [!]<min>:[<max>[:{O|R|B}[:{B|P|A}]]]

    !     matches if the the packet/byte count is not within the range 
          defined by <min> and <max>.

    <min> is an integer which defines the beginning of the byte/packet
          range.

    <max> is an integer which defines the end of the byte/packet range. 
          If omitted, only the beginning of the range is checked.

    The first letter gives the direction which the range refers to:

    O    - The original direction of the connection.
    R    - The opposite direction from the original connection.
    B    - The total of both directions.

    If omitted, 'B' is assumed.

    The second letter determins what the range refers to.

    B    - Bytes
    P    - Packets
    A    - Average packet size.

    If omitted, 'B' is assumed.

    Examples:

        1000000:          - Connection has transferred a total of
                            at least 1,000,000 bytes.

        1000000::R        - Connection has transferred at least
                            1,000,000 bytes in the direction opposite
                            of the original direction (typical of a
                            large download).

        1000000::O:P      - Connection has sent at least 1,000,000
                            packets in the direction of the original
                            connection.

30) A new MANGLE_ENABLED option is added to shorewall.conf. The default
    setting is 'Yes' which causes Shorewall to assume responsibility for
    the Netfilter mangle table.

    When MANGLE_ENABLED is set to 'No', Shorewall assumes no
    responsibility for that table. In this setting:

    a) Shorewall doesn't alter the mangle table.
    b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be
       set to 'No'.
    c) The tcrules file is ignored.
    d) The providers file must be empty.
    e) All entries in tcdevices must specify the 'classify' option and
       traffic classification may only occur using the tcfilters file.

    This allows for another application running on your firewall to
    take over the mangle table and use it for it's own purposes.

31) Shorewall-perl now supports an ORIGINAL DEST column in macro files.
    The column must be left empty if the macro is to be used in the
    body of an action.

    The new column is placed between the SOURCE PORT(S) and RATE LIMIT
    columns. So that Shorewall-perl can determine which column layout
    each macro has, a new FORMAT directive is added:

             FORMAT {1|2}

    The default is FORMAT 1 which is the old format. FORMAT 2 specifies
    that the macro is in the new format.

32) Shorewall-perl implements a new Rfc1918 macro that deals with
    RFC 1918 addresses. This macro should be used in place of 
    the 'norfc1918' interface option which is deprecated.

    The macro body is:

    #ACTION             SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
    #                                                   PORT(S) PORT(S) DEST            LIMIT   GROUP
    FORMAT 2
    PARAM               SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
                                        DEST    -       -       -       -               -       -
    PARAM               SOURCE          DEST    -       -       -       10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

    The 'norfc1918' option on the interface associated with zone 'z'
    and with RFC1018_STRICT=Yes is equivalent to:

        Rfc1918(DROP)      z    all

33) A better way to perform RFC 1918 filtration is to null-route the
    address ranges reserved by RFC 1918. You can do that by setting the
    new NULL_ROUTE_RFC1918 option to 'Yes' in shorewall.conf.

    It is highly recommended that you also set ROUTE_FILTER=Yes to get
    Martian messages. These will help diagnose problems where you need
    to be able to access hosts with RFC 1918 addresses that are outside
    of your local networks. Sometimes, these can be subtle such as the
    case where your ISP is using RFC 1918 addresses on their DHCP
    servers.

    NULL_ROUTE_RFC1918 defaults to 'No' and is only supported by
    Shorewall-perl; Shorewall-shell ignores the option.

34) There is now a macro.SANE which supports network-attached
    scanners. Shorewall now automatically loads the sane connection
    tracking helper module.

    Thanks for this feature go to Tuomo Soini.

35) Previously, when IP_FORWARDING=Yes in shorewall.conf, Shorewall
    would enable ip forwarding before instantiating the rules. This
    could lead to incorrect connection tracking entries being created
    between the time that forwarding was enabled and when the nat table
    rules were instantiated.

    Beginning with Shorewall 4.0.11 and 4.1.7, enabling of forwarding
    is deferred until after the rules are in place.

36) When using Shorewall-perl, the CEIL and RATE columns must now
    contain arithmetic expressions consisting of:
    
    a) Numeric digits (Hex numbers not allowed).
    b) Parentheses.
    c) The arithmetic operators +-* and /.
    d) The word 'full'.

37) The installers (install.sh) now auto-detect a Cygwin environment
    and install under the current user's ID if OWNER and GROUP are not
    given.

38) The 'start' and 'restart' commands now support a '-p' (purge)
    option which cause all entries to be removed from the Netfilter
    conntrack table. In order to use this option, the 'conntrack'
    utility must be installed on your system. Although it is generally
    not installed by default, Most distributions have this utility in
    their repositories. 

39) A 'save' extension script is added. The script is run after
    iptables-save has completed successfully.

    The 'load' and 'reload' commands copy the save script (if any) to
    /etc/shorewall-lite/ on the remove firewall system. The 'export'
    command copies the file to the same directory as the 'firewall' and
    'firewall.conf' scripts.

    I have the following commands in my 'save' script:

     [ -s /root/ipsets.save ] && cp -a /root/ipsets.save /root/ipsets.save.backup
     ipset -S > /root/ipsets.save

    These commands complement my 'init' script:

     qt modprobe ifb numifbs=1
     qt ip link set dev ifb0 up

     if [ "$COMMAND" = start ]; then
         ipset -U :all: :all:
            ipset -U :all: :default:
            ipset -F
            ipset -X
            ipset -R < /root/ipsets.save
     fi

    Those two scripts allow me to save and restore the contents of my
    ipsets automatically under Shorewall-perl/Shorewall-lite (my
    routestopped file does not use ipsets).

40) A HELPER column is included in the tcrules file. The value in this
    column names one of the Netfilter protocol 'helper' module sets
    (ftp, sip, amanda, etc).

    See http://www.shorewall.net/traffic_shaping.htm for an example.

41) DYNAMIC_ZONES=Yes is no longer supported by Shorewall-perl.

42) Farkas Levante has contributed a macro.Mail macro that covers SMTP,
    SMTPS and submission.

43) Beginning with Shorewall 4.0.0, the -f option was no longer the
    default for '/etc/init.d/shorewall start'. Beginning with 4.0.13
    and 4.2.0-Beta3, this is also true for Shoreawall-lite.

44) A new USE_DEFAULT_RT option has been added to shorewall.conf. When
    set to 'Yes', it causes the Shorewall multi-ISP feature to create
    a different set of routing rules which are resilient to changes in
    the main routing table. Such changes can occur for a number of
    reasons,  VPNs going up and down being an example.

    The idea is to send packets through the main table prior to
    applying any of the Shorewall-generated routing rules. So changes
    to the main table will affect the routing of packets by default. 

    When USE_DEFAULT_RT=Yes:

    a) Both the DUPLICATE and the COPY columns in the providers file
       must remain empty (or contain "-").

    b) The default route is added to the the 'default' table rather
       than to the main table.

    c) 'balance' is assumed unless 'loose' is specified.

    d) Packets are sent through the main routing table by a rule with
       priority 999. In /etc/shorewall/routing_rules, the range 1-998
       may be used for inserting rules that bypass the main table.

    e) All provider gateways must be specified explicitly in the
       GATEWAY column. 'detect' may not be specified.

    f) You should disable all default route management outside of 
       Shorewall. If a default route is added to the main table while
       Shorewall is started, then all policy routing will stop working
       (except for those routing rules in the priority range 1-998).

45) The 'shorewall restart' command now supports an -f option. When
    this option is specified, no compilation occurs; rather, the script
    which last started or restarted Shorewall is used. 

46) A macro supporting RNDC (BIND remote management protocol) traffic
    has been added.  It can be used as any other macro (e.g., RNDC/ACCEPT)
    in the rules file.

47) If 'NONAT' is specified in the ADDRESS column of an entry in 
    /etc/shorewall/masq, then traffic matching that entry is not
    passed to the entries that follow.

New Features added in Shorewall 4.2.1

1)  With the recent renewed interest in DOS attacks, it seems
    appropriate to have connection limiting support in Shorewall. To
    that end, a CONNLIMIT column has been added to both the policy and
    rules files.

    The content of these columns is of the format

    	[!] <limit>[:<mask>]

    where

	<limit> is the limit on simultaneous TCP connections.

	<mask>  specifies the size of the network to which
		the limit applies and is specified as a
		CIDR mask length. The default value for
		<mask> is 32 which means that each remote
		IP address can have <limit> TCP connections
		active at once.

 	!	Not allowed in the policy file. In the rules file, it
		causes connections to match when the number of
		current connections exceeds <limit>.

    When specified in the policy file, the limit is enforced on all
    connections that are subject to the given policy (just like
    LIMIT:BURST). The limit is checked on new connections before the
    connection is passed through the rules in the NEW section of the
    rules file.

    It is important to note that while the limit is only checked for
    those destinations specified in the DEST column, the number of
    current connections is calculated over all destinations and not
    just the destination specified in the DEST column.

    Use of this feature requires the connlimit match capability in your
    kernel and iptables. If you use a capabilities file when compiling
    your Shorewall configuration(s), then you need to regenerate the
    file using Shorewall or Shorewall-lite 4.2.1.

2)  Shorewall now supports time/date restrictions on entries in the 
    rules file via a new TIME column.

    The contents of this column is a series of one or more "time
    elements" separated by apersands ("&"). Possible time elements are:

    utc       	Times are expressed in Greenwich Mean Time.
    localtz 	Times are expressed in local civil time (default)
    timestart=hh:mm[:ss]
    timestop=hh:mm[:ss]   Start and stop time of day for rule
    weekdays=ddd[,ddd]... where ddd is Mon,Tue,Wed,Thu,Fri,Sat or
    			  Sun
    monthdays=dd[,dd]...  where dd is an ordinal day of the month.
    datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
    datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
			  where	      yyyy = Year
                               	first mm   = Month
                                      dd   = Day
                                      hh   = Hour
                                  2nd mm   = Minute
                                      ss   = Second

    Examples:

    1)	utc&timestart=10:00&timestop=12:00

	Between 10am and 12 noon each day, GMT

    2)  datestart=2008-11-01T12:00

        Beginning November 1, 2008 at noon LCT.

    Use of this feature requires the time match capability in your
    kernel and iptables. If you use a capabilities file when compiling
    your Shorewall configuration(s), then you need to regenerate the
    file using Shorewall or Shorewall-lite 4.2.1.

3)  If your kernel and iptables support "-m conntrack --ctorigdstport"
    then Shorewall will utilize that capability to ensure that when you
    do port mapping (change the destination port but not the
    destination IP address), the final destination port is not opened
    as a side effect.

    Example:

    DNAT net loc:206.124.146.177:22 tcp 2222 - 206.124.146.177

    That rule maps port 2222 -> 22 but without this new feature, it
    also opens port 22 directly.

    To use this feature, you must be running Shorewall-perl and the
    output of 'shorewall show capabilities' must show:

       Extended Connection Tracking Match Support: Available

New Featurs in Shorewall 4.2.2

1)  A macro supporting JAP (anonymization protocol) has been added.
    It can be used as any other macro (e.g., JAP/ACCEPT) in the rules
    file.

2)  A macro supporting DAAP (Digital Audio Access Protocol) has been added.
    It can be used as any other macro (e.g., DAAP/ACCEPT) in the rules
    file.

3)  A macro supporting DCC (Distributed Checksum Clearinghouse) has been
    added.  It can be used as any other macro (e.g., DCCP/ACCEPT) in the
    rules file.

4)  A macro supporting GNUnet (secure peer-to-peer networking) has been
    added.  It can be used as any other macro (e.g., GNUnet/ACCEPT) in the
    rules file.

5)  In 4.2.1, a single capability ("Extended conntrack match support")
    was used both to control the use of --ctorigport and to trigger use
    of the new syntax for inversion of --ctorigdst (e.g., "!
    --ctorigdst ..."). In 4.2.2, these are controlled by two separate
    capabilities. If you use a capabilities file when compiling your
    configuration, be sure to generate a new one after installing
    4.2.2.

Problems corrected in Shorewall 4.2.1

1)  A description of the CONNBYTES column has been added to
    shorewall-tcrules(5).

2)  Previously, Shorewall-perl would accept zero as the <max> value in
    the CONNBYTES column of tcrules even when the <min> field was
    non-zero. A value of zero for <max> was equivalent to omitting
    <max>.

3)  iptables 1.4.1 discontinued support of syntax generated by
    shorewall in some cases. Shorewall now detects when the new syntax
    is required and uses it instead.

4)  The Shorewall-perl implementation of the LENGTH column in
    /etc/shorewall/tcrules was incomplete with the result that 
    all LENGTH rules matched. Thanks to Lennart Sorensen for the patch.

5)  The 'export' command no longer fails with the error:

    /sbin/shorewall: 1413: Syntax error: "(" unexpected (expecting "fi")

Problems corrected in Shorewall 4.2.2

1)  Shorewall-perl now insures that each line copied from a
    configuration file or user exit is terminated with a newline
    character.

2) When ipranges were used to define zones, Shorewall-perl could
   generate invalid iptables-restore input if 'Repeat Match' was not
   available. Repeat Match is not a true match -- it rather is a
   feature of recent iptables releases that allows a match to be
   repeated within a rule.

3)  With Shorewall-perl, if a destination port list had exactly 16
    ports, where a port-range counts as two ports, then Shorewall-perl
    would fail to split the rule into multiple rules and an
    iptables-restore error would result.

4)  The change to Shorewall-perl in 4.2.1 that promised iptables 1.4.1
    compatibility contained a typo that prevented it from working
    correctly.

5)  If a no-NAT rule (DNAT-, ACCEPT+, NONAT) included a destination IP
    address and no zone name in the DEST column, Shorewall-perl would
    reject the rule. If a zone name was specified, Shorewall-perl 
    would issue a Warning message.     

Problems corrected in Shorewall 4.2.3

1)  Previously, Shorewall would allow compilation for export of a
    script named 'shorewall' with the unfortunate side effect that
    the 'shorewall.conf' file was overwritten. Scripts named
    'shorewall' now cause a fatal error to be raised.

2)  Previously, Shorewall-perl attempted to do Shell variable
    substitution on the first line in /etc/shorewall/compile.

3)  Following the Netfilter tradition, the IPP2P maintainer has made an
    incompatible syntax change (the --ipp2p option has been
    removed). Shorewall has always used "-m ipp2p --ipp2p" when
    detecting the presence of IPP2P support.

    Shorewall-common and Shorewall-perl have been modified to use 
    "-m ipp2p --edk" instead.

4)  When Extended Conntrack Match support was available, Shorewall-perl
    would create invalid iptables-restore input for certain DNAT rules.

5)  An optimization in all Shorewall-perl 4.2 versions could  cause
    undesirable side effects. The optimization deleted the
    <interface>_in and <interface>_fwd chains and moved their rules
    to the appropriate rules chain (a <zone>2<xxx> chain).

    This worked badly in cases where a zone was associated with more
    than one interface. Rules could be duplicated or, worse, a rule
    that was intended for only input from one of the interfaces would
    be applied to input from all of the zone's interfaces.
    
    This problem has been corrected so that an interface-related
    chains is only deleted if:

    a) the chain has no rules in it; or
    b) the interface is associated with only one zone and that zone is
       associated with only that interface in which case it is safe to
       move the rules.

Other changes in Shorewall 4.2.3

1)  Except with the -e option is specified, the Shorewall-perl compiler
    now verifies user/group names appearing in the USER/GROUP column of
    the rules file.

2)  The output of 'shorewall dump' now includes the output from
    'netstat -tunap'.

3)  Shorewall-perl now accepts '+' as an interface name in
    /etc/shorewall/interfaces. That name matches any interface and is
    useful for defining a zone that will match any interface that might
    be added after Shorewall is started.

    A couple of words of caution are in order. 

    a) Because '+' matches any interface name, Shorewall cannot
       verify interface names appearing in other files when '+' is
       defined in /etc/shorewall/interfaces.

    b) The zone assigned to '+' must be the last one defined in
       /etc/shorewall/zones.

4)  Shorewall-perl now uses the iptables --goto parameter in obvious
    cases.

5)  The 'reset' command now allows you to reset the packet and byte
    counter on individual chains:

    	    shorewall reset chain1 chain2 ...
	    shorewall-lite reset chain1 chain2 ...

Problems Corrected in 4.2.4

1)  Previously, when exclusion was used in an entry in
    /etc/shorewall/hosts, Shorewall-perl ignored the exclusion when
    generating rules for the following OPTIONS in that entry:
 
        blacklist
	maclist
	norfc1918
	tcpflags

2)  Shorewall-perl previously promoted all exclusion in the
    /etc/shorewall/hosts file to the zone level. That meant that
    all traffic to/from the zone passed through exclusion rules 
    rather than only the traffic matching a hosts records that
    specified exclusion.

    Example /etc/shorewall/hosts:

    	    z	eth0:192.168.4.0/24
	    z	eth1:10.0.0.0/24!10.0.0.99

        Traffic entering eth0 from network 192.168.4.0/24 would still
        be checked for '!10.0.0.99'.

    This has been corrected.

Other changes in 4.2.4

1)  Support for IPv6 was added -- see above.

Problems corrected in 4.2.5

1)  If exclusion is used to define a zone in /etc/shorewall/hosts and
    that zone is used as the SOURCE zone in a DNAT or REDIRECT rule,
    then Shorewall-perl can generate invalid iptables-restore input.

2)  A bug in the Perl Cwd module (see
    http://rt.cpan.org/Public/Bug/Display.html?id=13851) causes the
    Shorewall-perl compiler to fail if it doesn't have at least read
    access to its current working directory. 4.2.5 contains a
    workaround.

3)  If 'critical' was specified on an entry in
    /etc/shorewall6/routestopped, Shorewall6 (Shorewall-perl) would
    generate an error. 

4)  In certain cases where exclusion occurred in /etc/shorewall/hosts,
    Shorewall-perl would generate incorrect iptables-restore input.

5)  In certain cases where exclusion occurred in /etc/shorewall/hosts,
    Shorewall-perl would generate invalid iptables-restore input.

6)  The 'shorewall6 refresh' command runs iptables_restore rather than
    ip6tables_restore.

7)  The commands 'shorewall6 save-start', 'shorewall6-save-restart' and
    'shorewall6 restore' were previously broken.

8)  The Debian init script was checking $startup in
    /etc/default/shorewall rather than in /etc/default/shorweall6

9)  The Archlinux init scripts for Shorewall6 and Shorewall6 Lite were
    unconverted Shorewall scripts.

10) When 'detect' is used in the GATEWAY column of
    /etc/shorewall/providers, Shorewall-perl now ensures that the
    gateway was successfully detected. If the gateway cannot be
    detected, action is taken depending on whether the provider is
    'optional' or not. If the provider is optional, it's configuration
    is skipped; if the provider is not optional, the current operation
    is aborted.

11) The command 'shorewall6 debug start' would previously fail with

    	ERROR: Command "/sbin/ip6tables -t nat -F" Failed

12) Both ipv4 and ipv6 compiled programs attempt to run the tcclear 
    script itself at run time rather than running the copy of the
    file in the compiled script. This usually isn't noticable unless
    you are running Shorewall Lite or Shorewall6 Lite in which case,
    the script doesn't get run (since it is on the administrative
    system and not the firewall system).

13) If your iptables/kernel included "Extended Connection Tracking
    Match support" (see the output of "shorewall show capabilities"),
    then a REDIRECT rule that specified a port list or range would
    cause Shorewall-perl to create invalid iptables-restore input:

    Running /usr/sbin/iptables-restore...
    iptables-restore v1.4.2-rc1: conntrack: Bad value for
       "--ctorigdstport" option: "1025:65535"
       Error occurred at line: 191
       Try `iptables-restore -h' or 'iptables-restore --help' for more information.
      ERROR: iptables-restore Failed. Input is in
         /var/lib/shorewall/.iptables-restore-input

New Feature in Shorewall 4.2.5

1)  A new 'fallback' option is added in
    /etc/shorewall/providers. The option works similar to 'balance'
    except that the default route is added in the default routing table
    (253) rather than in the main table (254).

    The option can be used by itself or followed by =<number> (e.g,
    fallback=2).

    When the option is used by itself, a separate (not balanced)
    default route is added with a metric equal to the provider's NUMBER.

    When the option is used with a number, a balanced route is added
    with the weight set to the specified number.

    'fallback' is ignored if USE_DEFAULT_RT=Yes in shorewall.conf and
    is only available with Shorewall-perl.

    'fallback' is useful in situations where:

    - You want all traffic to be sent via one primary provider unless
      there is a compelling reason to use a different provider

    - If the primary provider is down, then you want to balance the
      outgoing traffic among a set of other providers or to a
      ordered list of providers.

    In this case:

    - Do not specify 'balance' on any of the providers.
    - Disable route filtering ('ROUTE_FILTER=No' in shorewall.conf).
    - Specify 'fallback' on those providers that you want to use if 
      the primary is down.
    - Only the primary provider should have a default route in the main
      routing table.

    See http://www.shorewall.net/MultiISP.html#Complete for an example
    of this option's use.

2)  Shorewall-perl now transparently handles the xtables-addon version
    of ipp2p. Shorewall detects whether the installed ipp2p is from
    patch-o-matic-ng or from xtables-addon and proceeds accordingly.

    If the patch-o-matic-ng version is installed:

    a) If no DEST PORT is supplied, the default is "--ipp2p".
    b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
       iptables-restore as "--ipp2p".

    If the xtables-addons version is installed:

    a) If no DEST PORT is supplied, the default is "--edk --gnu --dc
       --kazaa".
    b) If "ipp2p" is supplied as the DEST PORT, it will be passed to
       iptables-restore as "--edk --gnu --dc --kazaa". 

    Shorewall-perl now also accepts a comma-separated list of options
    (e.g., "edk,gnu,dc,kazaa).

    Additionally, Shorewall now looks for modules in /lib/modules/$(uname
    -r)/extra and in /lib/modules/$(uname -r)/extra/ipset

    This change introduced a new capability ("Old IPP2P Match Syntax")
    so if you use a capabilities file, be sure to re-generate the
    file(s) after you have installed 4.2.5.

3)  There is now a macro.Git, which opens git-daemon's port (9418/tcp).

4)  There is also a macro.IRC which open's the Internet Relay Chat port
    (6667/tcp).

Problems corrected in 4.2.6

1)  The CONFIG_PATH in the two- and three-interface Shorewall6 sample
    configurations was incorrect with the result that this error
    occurred on 'shorewall6 check' or 'shorewall6 start'.

   	   ERROR: No IP zones defined

2)  Setting TCP_FLAGS_DISPOSITION=REJECT caused both Shorewall-shell
    and Shorewall-perl to create invalid iptables commands. This has
    been corrected but we still strongly recommend against that
    setting; TCP_FLAGS_DISPOSITION=DROP is preferred.

3)  Shorewall-perl was generating code that checked for state match
    before kernel modules were loaded. This caused start/restart to
    fail on systems without kernel module loading. 

4)  The Shorewall6 and Shorewall6-lite Makefiles were incorrect.

5)  If a service name is used in a port-mapping rule (a DNAT or
    REDIRECT rule that changes the destination port), and if the
    kernel and iptables include Extended Connection Match support, then
    invalid iptables-restore input is produced by Shorewall-perl.

6)  If iptables 1.4.1 or later was installed, Shorewall-perl generated
    incorrect iptables-restore input if exclusion was used in the
    ORIGINAL DEST field of a DNAT or REDIRECT rule.

7)  On kernels earlier than 2.6.20, the 'shorewall show connections'
    command fails.

New Features in Shorewall 4.2.6

1)  A BitTorrent32 macro has been added. This macro matches the
    extended TCP port range used by BitTorrent 3.2 and later.

2)  A new COUNT action has been added to Shorewall-perl. This action
    creates an iptables (ip6tables) rule with no target. Connections
    matching such a rule are simply counted and the packet is passed on
    to the next rule.

    Shorewall-shell ignores COUNT in actions and macros, thus allowing
    the standard actions (action.Drop and action.Reject) to have a
    COUNT rule as their first entry.

3)  A new RESTORE_DEFAULT_ROUTE option has been added to
    shorewall.conf. It is used to determine whether to restore the
    default route saved when there are 'balance' providers defined but
    all of them are down.

    The default is RESTORE_DEFAULT_ROUTE=Yes which preserves the
    pre-4.2.6 behavior. 

    RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
    default route in the main table (USE_DEFAULT_RT=No) or in the
    default table (USE_DEFAULT_RT=Yes) when there are no balance
    providers available. In that case, RESTORE_DEFAULT_ROUTE=No
    will cause any default route in the relevant table to be deleted.

4)  IPv4 firewall scripts produced by Shorewall-perl now use dhcpcd's
    database when trying to detect the gateway for an interface
    ("detect" in the GATEAWAY column in /etc/shorewall/interfaces).

    As part of this change, it is now permitted to specify 'detect'
    when USE_DEFAULT_RT=Yes; in that case, the script will only detect
    gateways for point-to-point devices and for devices configured by
    dhcpcd.

5)  Shorewall-perl now supports port inversion. A port number or list
    of port numbers may be preceded by '!" which will cause the rule to
    match all ports EXCEPT those listed:

    Example: To blacklist 206.124.146.176 for all tcp ports except 80:

    	     ADDRESS/SUBNET	  PROTO		  PORT(S)
   	     206.124.146.177	  tcp		  !80

6)  Shorewall-perl now supports protocol inversion. A protocol name or
    number may be preceded by '!' to specify all protocols except the
    one following '!'.

    Example: To blacklist 206.124.146.176 for all protocols except 
             UDP:

    	     ADDRESS/SUBNET	  PROTO		  PORT(S)
   	     206.124.146.177	  !udp

    Note that ports may not be specified when protocol inversion
    is used.

7)  When using Shorewall-perl, neither the 'start' nor 'started'
    extension script is run during processing of the 'restore'
    command. To allow extension of that command, we have added a
    'restored' extension script that runs at the successful completion
    of 'restore'. This script is only available with Shorewall-perl.

    With Shorewall-shell, both scripts are run during 'restore' but in
    that case, the run_iptables() function does nothing. So any
    run_iptables() calls in the 'start' script are effectively ignored.

8)  Shorewall-perl now correctly handles 'here documents' quoting
    (<<EOF .... EOF) in run-time extension scripts.

Problems corrected in 4.2.7

1)  Previously, the 'start' command set the permission flags on
    /var/lib/shorewall*/state so that it could be read by
    non-root users while the 'stop' command set the permissions such
    that the file could not be read by those users.

    Beginning with 4.2.7, both commands will secure the file for
    root-only access. If you want the file to be world-readable, then
    add 

    	chmod 744 <file name>

    To your /etc/shorewall/started, /etc/shorewall/stopped and
    /etc/shorewall/restored files.

2)  The 'shorewall6 dump' command now correctly displays the installed
    version of Shorewall-perl. It also displays the IPv6 neighbor table
    contents rather than the ARP table contents.

3)  Under some circumstances, interface options like nosmurfs and
    tcpflags would not be applied to forwarded traffic when using
    Shorewall-perl.

4)  The following rule was badly mis-handled:

       DNAT-	loc	net:1.2.3.4:2525	tcp	25

    The result:

     WARNING: Destination zone (1.2.3.4) ignored : /etc/shorewall/rules (line 459)
     Can't call method "inet_htoa" without a package or object reference at
       /usr/share/shorewall-perl/Shorewall/IPAddrs.pm line 150,
      <$currentfile> line 459.

5)  Previously, OPTIONS were not allowed with a bridge port in
    /etc/shorewall/interfaces. That oversight has been corrected and
    now the following OPTIONS are allowed:

    	blacklist
	maclist
	norfc1918
	nosmurfs
	routeback
	tcpflags

6)  Tuomo Soini provided a workaround patch for a problem seen in some
    kernel's (see FAQ 82) that caused 'shorewall start' to fail when
    USE_DEFAULT_RT=Yes .

New Features in Shorewall 4.2.7

1)  Prior to Shorewall version 3.0.0, rules generated by
    /etc/shorewall/tunnels were traversed before those generated by
    /etc/shorewall/rules. When SECTIONs were added to the rules file in
    3.0.0, traversal of the tunnel rules was deferred until after those
    generated by the NEW section of the rules file. 

    Beginning with Shorewall-perl 4.2.7, the tunnel rules are back
    where they started -- right before the first rule generated by the
    NEW section of /etc/shorewall/rules.

2)  To allow bypassing of connection tracking for certain traffic,
    /etc/shorewall/notrack and /etc/shorewall6/notrack files have been
    added.

    Columns in the file are:

        SOURCE - <zone>[:<interface>][:<address list>]

    	DEST - [<address list>]

    	PROTO - <protocol name or number>

    	DEST PORT(S) - <port number list>

    	SOURCE PORT(S) - <port number list>

    	USER/GROUP - [<user>][:<group>]

            May only be specified if the SOURCE <zone> is $FW.

    Traffic that matches all given criteria will not be subject to
    connection tracking. For such traffic, your policies and/or rules
    must deal with ALL of the packets involved, in both the original
    and the opposite directions. All untracked traffic is passed
    through the relevant rules in the NEW section of the rules
    file. Untracked encapsulated tunnel traffic can be handled by
    entries in /etc/shorewall/tunnels just like tracked traffic
    is. Because every packet of an untracked connection must pass
    through the NEW section rules, it is suggested that rules that deal
    with untracked traffic should appear at the top of the file.

    Example:

    /etc/shorewall/tunnels:

	#TYPE	ZONE	GATEWAY
	6to4	net

    /etc/shorewall/notrack

	#SOURCE		 DEST		PROTO	DEST	SOURCE	USER/
	#               			PORT(S)	PORT(S)	GROUP
	net:!192.88.99.1 -		41

    Given that 192.88.99.1 is an anycast address, many hosts can
    respond to outward traffic to that address. The entry in
    /etc/shorewall/tunnels allows protocol 41 net<->fw. The entry in
    /etc/shorewall/notrack prevents the inbound traffic from creating
    additional useless conntrack entries.

    As part of this change, the 'show' command is enhanced to support a 
    'show raw' command that is an alias for 'show -t raw'. The raw
    table is where NOTRACK rules are created. The dump command is also
    enhanced to display the contents of the raw table.

3)  Shorewall-perl supports three additional columns in the
    /etc/shorewall/routestopped file:

    PROTO          -- Protocol name or number

    DEST PORT(S)   -- comma-separated list of service names and/or port
                      numbers
 
    SOURCE PORT(S) -- comma-separated list of service names and/or port
                      numbers.

    These columns are only meaningful when the "-f" option to
    'shorewall stop' is used.

    As part of this change, the "-f" option to the 'stop' and 'clear'
    commands is now the default when FAST_STOP=Yes in shorewall.conf.
    To override this default, use the "-s" option:

	shorewall stop -s

    Note that if you have entries with one or more of the new columns,
    the -s option will result in warning messages.

    	gateway:~ # shorewall stop -s
	Stopping Shorewall...
   	  WARNING: Unknown routestopped option ignored: notrack
   	  WARNING: Unknown routestopped option ignored: 41
   	  WARNING: Unknown routestopped option ignored: notrack
   	  WARNING: Unknown routestopped option ignored: 41
	done.
	gateway:~ #

4)  Shorewall-perl now handles SOURCE PORT lists of more than 15
    entries by breaking the containing rule into multiple rules.

Problems Corrected in Shorewall 4.2.8

1)  The 'start -f' command would previously skip the compilation step
    unconditionally when the 'make' utility was not installed. Now, the
    compilation step is run unconditionally in this case.

2)  When ADD_IP_ALIASES=Yes in shorewall.conf, entries in
    /etc/shorewall/nat produce this failure at compile time when
    using Shorewall-perl:

    ERROR: Internal Error in emit : /etc/shorewall/nat (line 12)

3)  When LOG_MARTIANS=Yes with Shorewall-perl, setting logmartians=0 in
    an entry in /etc/shorewall/interface failed to suppress martian
    logging on the interface.

4)  Shorewall-perl now generates rules with inversion that are
    compatible with iptables 1.4.3.

5) When a network address was specified in the SOURCE or DEST column of
   /etc/shorewall/tcfilters, Shorewall-perl was generating an incorrect
   netmask.

New Features in 4.2.8

1)  The /usr/share/shorewall/modules and /usr/share/shorewall6/modules
    files have been updated for iptables 1.4.3/kernel 2.6.29.

Problems corrected in Shorewall 4.2.9

1)  The Shorweall-perl 4.2.8 compiler did not rename the output script
    file with the result that:

     a) Shorewall would not start for the first time after
        installation.
     b) Configuration changes were apparently ignored.

2)   Placing a broadcast address in the BROADCAST column of
    /etc/shorewall/interfaces caused Shorewall-perl to generate an
    error:

	ERROR: Invalid BROADCAST address : /etc/shorewall/interfaces\
		 (line 225)

3)  When Shorewall could not determine the MAC address of of a gateway
    router where multiple providers are configured through the same
    interface, invalid iptables-restore input was generated. This
    resulted in an error message similar to the following:

        iptables-restore v1.3.5: Bad mac address `-j'

4)  Shorewall-perl was not processing the tcrules file when
    TC_ENABLED=No.

5)  When 'all' appeared in the SOURCE column of a DNAT rule, no rule to
    redirect output from the firewall itself was generated.
    
6)  The 'shorewall iprange' command failed to produce a minimal list of
    networks.

New Features in Shorewall 4.2.9

1)  Shorewall6 has now been validated on Ubuntu Hardy running kernel
    2.6.24. Shorewall6 is now supported on that kernel version.
