Michael Rash (508):
      New repository initialized by cvs2svn.
      Initial revision
      added the installer
      began code to parse snort rules, added parse_rule_hdr()
      began parsing rule options
      made several hashes to contain snort vs. iptable filter and log
         options
      added %sopt_log
      added some better comments
      better logging format
      better reporting format
      added the fwsnort.conf config file
      removed INTERNAL_NET and EXTERNAL_NET
      added install for Net::IPv4Addr
      Added readconf(), moved commands into fwsnort.conf
      changed to INTERNAL_INTF
      added validateconf() and get_intf_net()
      reinstated interface command line args
      started interpreting the signature source and destination
      added LICENSE
      added VERSION
      better interface validation (including NUM_INTERFACES)
      added NUM_INTERFACES and HTTP vars
      added dump_conf()
      - Added several variables that exist in snort signatures such as
         SMTP_SERVERS, SHELLCODE_PORTS, etc.
         - The ____SERVERS variables default to the internal interface on
         the firewall (similar to the snort defaults of "$HOME_NET").
      minor semicolon fix
      removed variable expansion
      -Added a "Snort Rule Options" section to the comment area at the
         beginning of the script.
         -Began completely reworking add_ipt_rule().
         -Removed variable expansion in lines of fwsnort.conf.
         -Added build_port_arr().
      replaced the four snort options hash with a single hash
      added regex and ipt_opt keys to the snort_opt hash
      added iptables_opts hash to map snort opts to iptables opts
      added install routine for Tie::IxHash
      removed commas in log-prefix output
      added comments to iptables rule output, removed Tie::IxHash call
      -Handle "A+" vs "A" tcp flags.
         -Fixed regex greediness for snort rule fields.
         -Removed "log_only" section of %snort_opts (these fields have been
         put into the "unsupported" section).
      fixed regex match for ipopts
      added add_ipt_chains() and jump_chain()
      started making use of logr()
      added archive()
      -Reworked /etc/fwsnort directory structure (simplified it).
         -Added ipt_ruleset_hdr().
         -Added ip key to %intf_net.
      removed Tie::IxHash
      updated to include version in snort rules directory
      standardized on ipt_blah() function names
      logfile formatting changes
      added code for snort_sid command line option
      added version print
      -Added "sameip" to supported options.
         -Reinstated the %fwsnort_chains hash and added
         build_fwsnort_chains().
         -Split up ipt_build_rule() into ipt_build(), ipt_build_rule(), and
         ipt_build_opts().
         -Removed dependency on NUM_INTERFACES.
      interim commit for source and destination handling
      cleaned up calls to ipt_build_rule()
      finished handling of INPUT chains
      removed NUM_INTERFACES
      updated ipt_jump_chains()
      first stab at handling FORWARD chain rules
      fixed EXTERNAL_NET reference
      fixed ipopts
      interim commit that adds ipt_allow_traffic()
      added verbose mode, wrapped FORWARD chain code with interface
         conditionals
      fixed directional issue in FORWARD chain
      interim commit that adds ipt_allow_traffic()
      separated defined test on DMZ_INTF
      added install routine for IPTables::Parse
      counts for applicable iptables rules works
      fixed echo statements, better verbose mode
      updated usage(), added --no-ipt-log option
      updated logfile path
      added usage() text, added license
      added ipt_test()
      Added the fwsnort.8 man page
      updated all --fw options to --ipt options
      added INSTALL file
      added install_manpage()
      better Copying statement for snort rules files
      added hex-string patch file
      added preliminary README
      added hex-string patch file
      added help for --hex-string
      Added --hex-string patch discussion section
      more docs updates
      added echo command
      added DESCRIPTION section
      added check for NULL chars in hex content, added sids to logfile
      more docs updates
      added config section for iptables script
      added --hex-string discussion
      fixed null chars in --hex-strings within iptables directly
      updated to NULL string handling in parse_hex_string
      minor fixes
      updated to /etc/fwsnort/snort_rules
      handled backticks in content field
      updated to /etc/fwsnort/snort_rules
      bugfix for not handling identical external and internal interfaces
      minor comment fix in ipt_test()
      added defined check for INTERNAL_INTF
      bug fix for INTERNAL_INTF == EXTERNAL_INTF
      bug fix for internal == external interfaces
      updated to snort 2.0 rules
      updated to snort 2.0 rules, added flow, byte_test, byte_jump, etc
         keywords
      added overall totals
      allowed leading whitespace in snort rules
      bugfix for being too strict on rule filenames
      Initial revision
      updated to cipherdyne.org, removed version numbers from directories
         in perl modules
      minor install text change
      bugfix for number of args to logr()
      re-ordered options hashes
      comment testing
      added the CREDITS file
      added write_ipt_script() for iptables script statements
      added in psad in SEE ALSO section psad.8
      removed newlines from logr() and write_ipt_script() calls
      added ChangeLog
      added --no-ipt-jumps (Thomas Bullinger)
      added snort_opts.pl
      added VERSION file
      -Added installation prefix of /usr/lib/fwsnort for perl modules.
         -Added the ability to download latest snort rules from
         http://www.snort.org
         -Added check_commands().
      -Added --update-rules option to download latest rules from snort.org.
         -Properly handle icmp protocol now ("Undefined code" sigs are
         ignored, and icmp protocol rules are now no longer automatically
         included within fwsnort.sh).
         -Added REJECT tcp-reset support for tcp sessions that are to be
         blocked.
      added text on hex string patch being accepted by iptables maintainers
      more stuff for Thomas Bullinger
      more stuff for 0.2
      added 0.2 options
      added tar and wget commands
      added preserve_config() from psad
      updated to 0.2
      updated to snort-2.1 rules
      removed Data::Dumper
      added test for iptables ttl extension
      incremented to version 0.5
      added tar command path
      bugfix for dmz interface
      bugfix for existing downloaded_snort_rule directory
      -Made only a single call to write_ipt_script() to reduce disk
         accesses.
         -Bugfix for protocols that contain non-word chars (such as ">").
         -Added regex for ip addresses.
         -Removed "<-" direction parsing for rule header since snort does
         not even support this.
      bugfix for negated src/dst ports
      bugfix for negated dst port
      -Added check for multiple ip_proto fields.
         -Removed "ip" as a protocol that can be translated.
         -Truncate logfile at startup (it is really just a parsing log).
      added 0.6 stuff
      incremented version to 0.6
      minor help updates for ipt_script
      added Paul O., more stuff for Thomas B.
      bugfix for not getting the DMZ interface network
      bugfix for not adding dmz interface rules to INPUT chain
      updated to version 0.6.1
      updated to 0.6.1 stuff
      added --internal-net and --dmz-net
      version 0.6.2
      added icmp-port-unreachable for udp rejects, added --internal-net and
         --dmz-net options
      more verbose explanations
      added Ahmad Almulhem
      added 0.6.2 stuff
      minor bugfix for usage()
      split --ipt-block into --ipt-drop and --ipt-reject, added
         --add-deleted option
      added ignore functionality for both IPs and networks
      added IGNOREIP and IGNORENET
      replace --ipt-block with --ipt-reject and --ipt-drop
      added 0.6.3 stuff
      generic language support for ifconfig output
      Added TODO
      updated to new rules download link on www.snort.org
      added flowbits
      updated to standard logging prefixes [+], [-], and [*]
      updated to Snort-2.3 rules
      updated docs
      added --replace-string patches
      .
      incremented version to 0.6.4
      .
      - Updated to not attempt to download Snort rules from snort.org
         because the rules are no longer available for automatic downloads
         - Changed the install.pl script and the --update-rules mode for
         fwsnort to download the latest signature set from
         http://www.bleedingsnort.com/. (Snort.org is now offering
         pay-service around their rule sets).
         - Added signature test for the "flowbits" keyword.
      bleedingsnort vs. snort.org update
      added support for the pass and log actions in Snort rules, added
         general support for the ULOG target
      0.6.6
      - Added support for the "resp" keyword to allow it to drive the
         Netfilter argument to the REJECT target.
         - Added "pcre" to the unsupported list... this knocks the fwsnort
         translation rate down to about 50% for Snort-2.3 rules (pcre is
         heavily utilized).
         - Added "priority" and "rev" to comment lines.
      version 0.7.0
      update Copyright date
      -IP options bugfix to match the ipopts Snort option (several
         arguments are not supported by the ipv4options extension).
         -Added IP protocol support in the translation of the Snort rule
         header.
      started separating Snort rule header options and iptables mapping
         hash
      moved iptables options into snort_opts hash
      complete chain restructuring (see ChangeLog)
      minor path update
      removed interface variables for the fwsnort chain restructuring,
         fwsnort now supports Snort header variable resolution
      added --no-ipt-conntrack command line option, added check for
         Netfilter conntrack match
      added the ability to restrict Netfilter rules to specified
         interfaces, added ability to remove INPUT, OUTPUT, or FORWARD
         processing
      added exclusion for loopback traffic logged via the loopback
         interface
      updated to handle icmp type/code rules, added rule counter in
         fwsnort.sh script
      more 0.8.0 stuff
      bugfix for not excluding rules that contain ip_proto with a < or >
         char
      Added --snort-conf to read variables out of an existing snort.conf
         file, fixed up usage()
      added command line args output to fwsnort.sh
      made use of Netfilter length match to emulate dsize Snort option,
         added negation tests for source and destination IP addresses
      added average packet header length vars for Netfilter length match
         emulation of dsize option
      bugfix for negated networks
      bugfix for icmp-type order, bugfix for src/dst ports in non-tcp/udp
         protocol match
      length bugfix, non-tcp/udp protocol and port number bugfix
      0.8.0 stuff
      added list processing support for --include-types and --exclude-types
      added support for the Snort_inline replace option
      added test for --replace-string support
      .
      finished is_local() function, added --no-addresses option, started on
         --ipt-flush
      bugfix for missing space in src/dst iptables args
      bugfix for rules added counter, bugfix for inappropriate protocol
         mapping based on src/dst ports
      updated preservation code to remove interfaces from old configs
      Initial revision
      added linux-2.4.4_conntrack.patch
      .
      added conntrack patches
      added chain keywords
      -Added --ipt-list to list rules in fwsnort chains.
         -Finished --ipt-flush code.
         -Updated to use chain names from keywords defined in fwsnort.conf.
         -Update usage().
      added --no-exclude-lo, the default is now to exclude the loopback
         interface from fwsnort processing
      updated comment wording
      moved to patches/ directory
      added string_replace_kernel.patch
      bugfix for Rules added counter, added support for multiple sids in
         --snort-sids, added --exclude-sids option
      --snort-sids list support
      updated stdout output in --snort-sids mode
      bugfix for excluding the loopback interface
      updated to allow list of interfaces to restrict jump rules to
      .
      added patch to extend packet search length from 1024 to 2048 bytes
         (longer than Ethernet MTU
      l7 usage
      updated man page
      updated to add action to logging prefix if --ipt-drop or --ipt-reject
         is used
      DRP and REJ strings
      updated --ipt-apply argument to just execute fwsnort.sh
      minor bugfix to remove extra content-list hash entry
      minor sids->sid update
      moved --ipt-list and --ipt-flush handlers before archive()
      updated to 8 byte ICMP header
      added snortspoof.pl
      .
      updated version to 0.8.0
      updated to handle the string match extension in the 2.6.14 kernel
      0.8.1 stuff
      added uname command
      .
      0.8.1
      added hostname to fwsnort.sh doc section
      Initial revision
      rpm package
      .
      format fixes
      .
      updated to Snort-2.3.3 rules
      added IPTables::Parse module
      deprecated old IPTables module for IPTables::Parse module
      -Updated to use perl module installation strategy from fwknop to only
         install modules that don't already exist within the system perl
         module tree.
         -Added --Force-mod-regex and --force-mod-install command line
         arguments.
      added patch to fix a bug where repetitive strings could not be
         matched within payload data except at specific offsets
      updates for 0.8.2 release
      started on 0.8.2 stuff
      added code to detect whether a previously seen state rule applies to
         the current rule in the policy
      -Added --dumper mode to use Data::Dumper to print Snort rule hashes
         and corresponding matching Netfilter rules.  This is useful to
         help diagnose IPTables::Parse to see how fwsnort is doing w.r.t.
         matching Snort rules to Netfilter rules.
         -Added 'ack' Snort rule option to the unsupported options in
         fwsnort.  The --log-tcp-sequence iptables argument does log
         acknowledgment numbers however (psad can make use of them).
         -Re-worked how fwsnort parses Netfilter policies to use the new
         IPTables::Parse module (which returns an array of hash refs for
         each set of rules in a Netfilter chain).
         -Added code to see if state rules apply to current Netfilter rule.
         -Added support for OUTPUT chain.
      bumped version to 0.8.2
      minor bugfix for Dumper() function call in print() statement
      updated to same format as the psad CREDITS file
      updated to use Net::RawIP
      switched to require Net::RawIP so a normal user can check proper
         compilation, removed unnecessary msg var
      updated snort sig comment
      added GPL and standard header text
      added Id tag expansion
      Added cd_rpmbuilder script to make it easy to automatically build
         fwsnort RPM files
      minor opendir shift fix
      backdoor update for Matrix 2.0 sig
      minor opendir shift fix
      linux-2.6 and string matching note
      Added README.RPM file for automated cd_rpmbuilder
      updated TCP header length
      - Added ipt-file argument to allow an iptables policy to be read from
         a file.
         - Added --Dump-ipt and --Dump-snort to allow iptables and snort
         rules to be dumped to STDOUT.
         - Additional code cleanups to better handle chain names.
         - Added file revision
      updated to latest version from psad project
      minor doc updates
      bugfix to not print duplicate rules in --Dump-ipt and --Dump-snort
         modes
      added bleeding-all.rules
      more 0.8.2 stuff
      more 0.8.2 stuff
      0.8.2 release
      0.8.2 release date
      minor fixes for the buildroot and cwd path
      updated to 0.8.2 changes
      Added Revision tag expansion
      updated to force install of IPTables::Parse
      added comment match support for msg fields, added --ipt-rule-nums to
         include rule numbers within fwsnort logging prefixes
      updated to include iptables rule numbers by default (can be disabled
         with --no-ipt-rule-nums)
      updated to latest Bleeding Snort rules
      documentation updates for comment and rule num options
      minor comment update
      added --include-regex and --exclude-regex command line args
      save command line args
      updated to print the entire Snort rule as a comment in the fwsnort.sh
         script without having to use --verbose
      0.9.0 additions
      added generation timestamp to fwsnort.sh
      0.9.0 additions
      implemented true whitelist/blacklist functionality that is driven by
         the fwsnort.conf WHITELIST/BLACKLIST variables
      implemented true whitelist/blacklist functionality that is driven by
         the fwsnort.conf WHITELIST/BLACKLIST variables
      updated to latest Bleeding Snort rules
      added -F and -L command line options to emulate the iptables command
         line a bit
      0.9.0 additions
      minor comment fix
      Bugfix to ensure that traffic directed into the INPUT or coming from
         the OUTPUT chains is treated as going toward or originating from
         the HOME_NET.  After all the HOME_NET variable may contain an
         internal network but omit the IP assigned to an external interface
         on the firewall.
      Added "--log-ip-options" and "--log-tcp-options" to fwsnort LOG rules
         by default (in the generated fwsnort.sh script).  This can be
         disabled with --no-log-ip-opts and --no-log-tcp-opts arguments on
         the fwsnort command line.
      init scripts
      copyright date update to 2007
      bumped version
      moved the cd_rpmbuilder script into the packaging directory
      added FWSNORT_<chain>_JUMP variables to allow the admin to control
         where in the built-in INPUT, OUTPUT, and FORWARD chains the jump
         rules are added for the FWSNORT chains
      flowbits regex fix
      added string match offset bugfix
      updated to handle multiple content strings and fixed the minimum
         depth criteria
      Updated to handle negative string matches
      bugfix for content matches that contain an escaped semicolon
      update content strings like |00||00| to just |00 00|
      minor update to put rule number echo statement after original snort
         rule
      Added emulation for distance and within from previous content match
         (based on --from and --to and the length of the previous pattern)
      0.9.0 additions
      added fwsnort version to comment string
      fwsnort version in comment match
      minor update Iptables -> iptables
      bugfix to make sure the 'within' criteria is large enough
      bugfix to ensure the LOG target is built correctly if a comment block
         is too large
      version 0.9.0
      Added the SSH_PORTS variable
      update to latest bleeding snort signatures
      minor wording update
      added the DNS cache poisoning signature
      added support for reporting multiple unsupported options in the
         /var/log/fwsnort.log file
      doc updates
      0.9.0 release
      doc update, Netfilter -> iptables
      0.9.0 release date
      - Bug fix to remove any existing jump rules from the built-in INPUT,
         OUTPUT, and FORWARD chains before creating new jump rules.  This
         allows the fwsnort.sh script to be executed multiple times without
         creating a new jump rule into the fwsnort chains for each
         execution.
         - Added the -X command line argument to allow fwsnort to delete all
         of the fwsnort chains; this emulates the iptables command line
         argument of the same name.
      added copyright line
      major update to add the --QUEUE option to speed-up inline Snort
         implementations with in-kernel string matching
      version update to 1.0
      added URL to standard header
      updated to preserve userspace signatures in --QUEUE mode, updated
         snort_rules_mod/ dir to snort_rules_queue
      Added NFQUEUE target support
      Added support for NFQUEUE number with --queue-num
      updated to include full command line args for the snort_rules_queue/
         files in the preamble section
      Added sid field to iptables comment match
      added 'Finished' echo statement to the fwsnort.sh script
      comment match update
      updated to 1.0 release
      - Bugfix for iptables string match --from and --to values to skip
         past packet headers.  This is an approximation until a new
         --payload option can be added to the string match extension.  Also
         added an iptables test for the --payload option.
         - Added a single iptables rule testing API internally within
         fwsnort; this adds a measure of consistency and removes some
         duplicate code.
      man page updates to include --NFQUEUE and --QUEUE language
      added --queue-rules-dir option
      added --queue-num command line argument
      1.0 release date
      added Hank L.
      latest update from cipherdyne.org; bugfix for rpmbuild vs. wget path,
         updated to remove md5 sum files
      minor consolidation of push() calls
      Added the ability to automatically resolve command paths if any
         commands cannot be found at the locations specified in the
         fwsnort.conf file.
      TODO additions
      bugfix for ipt_rule_test() function name.
      bumped version to 1.0.1
      removed ChangeLog.svn file
      bugfix to ensure that header lengths are accounted for with payload
         offsets
      increased average TCP header length to 30 bytes to account for 10
         bytes of options on ACK packets
      version 1.0.2
      Added 1.0.2 release
      Added --include-regex and --exclude-regex options
      added --include-re-caseless and --exclude-re-caseless options to have
         --include-regex and --exclude-regex options match case
         insensitively
      started on 1.0.3 additions
      - Added the ability to interpret basic PCRE's that contain strings
         separated by ".*" or ".+" as multiple string matches.  The only
         difference between this strategy and the Snort implementation is
         that the ordering of the strings is not preserved, but most
         signature developers don't rely on this anyway.
         - Added asn1 keyword to unsupported list.
      major signature update from Bleeding Threats to include signatures
         for some of the latest malware and exploits
      fwsnort-1.0.3 additions
      minor comment updates
      fwsnort-1.0.3 release
      updated to latest (last?) Bleeding Threats signature set
      added LC_ALL='C' locale setting, added --Exclude-mod-regex
      version 0.5, applied zero protocol fix from Grant, updated to handle
         ULOG rules
      (Grant) updated to set sport and dport to 0:0 if protocol == all
      Added Grant
      (Grant) Suggested bugfix to allow negated networks to be specified
         within iptables allow rules or within the fwsnort.conf file.
      version 1.0.4-pre1
      updated with Grant's last name
      version 1.0.4
      minor usage update
      minor usage update
      minor contributor update
      Franck Joncourt - Submitted patch to fix double dash format in
         fwsnort man page.
      added deps/ directory
      minor update to include contributors
      added code to handle new deps/ directory
      moved IPTables-Parse and Net-IPv4Addr to the deps/ directory
      added fwsnort-nodeps.spec file, updated fwsnort.spec to handle deps/
         directory
      minor bugfix to include missed skip_module_install var
      update for Franck
      added dependencies discussion
      Updated to import perl modules from /usr/lib/fwsnort, but only if
         this path actually exists in the filesystem.  This is similar to
         the strategy implemented by psad.  A new variable FWSNORT_LIBS_DIR
         was added to the fwsnort.conf to support this.
      bumped version to 1.0.5-pre1
      chdir path bugfix
      removed bleeding-all.rules and added emerging-all.rules since Matt
         Jonkman has switched to Emerging Threats
      moved snort_rules directory into deps/, switched to Emerging Threats
         signature set
      added --snort-rdir patch from Franck
      added -nodeps patch from Franck
      updated to handle snort_rules/ directory move to deps/
      version to 1.0.5-pre2
      removed moddir, minor fwsnort URL fix
      minor fwsnort URL fix
      minor update to make sure to always return to the source directory
         when installing perl modules
      applied patch from Franck Joncourt to fix fwsnort man page to replace
         bleeding-all with emerging-all
      removed old 'use lib' call since fwsnort uses the 'require' strategy
         now
      Added support for multiple Snort rule directories as a
         comma-separated list for the argument to --snort-rdir.
      bugfix to exclude all directories except for the first in --update
         mode if multiple directories are given as a comma-separated list
      added bump_version.pl file
      bumped version to 1.0.5-pre3
      bugfix for IPTables::ChainMgr -> IPTables::Parse
      updated 1.0.5 release date, removed perl module path updating code
      moved 'threshold' to the unsupported list since there will be several
         signatures that use this feature to detect the Dan Kaminsky DNS
         attack
      bumped version to 1.0.5-pre4
      minor documentation fixes
      added download of Emerging Threats as a tarball (suggested by Franck
         Joncourt)
      Added support for nodeps RPM's
      updated release date
      version 1.0.5
      updated to correct tar.gz path in --no-deps mode
      minor update to include download directory in status output in
         --update mode
      bugfix in strict mode to use the fact that the threshold keyword is
         already unsupported (Franck Joncourt)
      content match fix for Emerging Threats Snort rule ID 2007975 (Franck
         Joncourt)
      wording updates for the fwsnort(8) man page from Justin B Rye and
         Franck Joncourt
      From: Franck Joncourt <franck.mail@dthconnex.com> Subject: [PATCH]
         fixes/content_length
      bumped version to 1.0.6-pre1
      - (Franck Joncourt) Updated fwsnort to use the "! <option> <arg>"
         syntax instead of the older "<option> ! <arg>" for the iptables
         command line.
      - Updated to the latest complete rule set from Emerging Threats (see
         http://www.emergingthreats.net/).
      updated to version 1.0.6-pre2
      updated to the latest rule set from Emerging Threats
      Bug fix to allow fwsnort to properly translate snort rules that have
         "content" fields with embedded escaped semicolons (e.g. "\;").
         This allows fwsnort to translate about 85 additional rules from
         the Emerging Threats rule set.
      updated version to 1.0.6-pre3
      - Bug fix to allow case insensitive matches to work properly with the
         --include-re-caseless and --exclude-re-caseless arguments.
         - Added the --snort-rfile argument so that a specific Snort rules
         file (or list of files separated by commas) is parsed.
      minor cleanup (href->hr, aref->ar)
      - Bug fix to move the 'rawbytes' keyword to the list of keywords that
         are ignored since iptables does a raw match anyway as it doesn't
         run any preprocessors in the Snort sense.
         - Added a small hack to choose the first port from a port list
         until the iptables 'multiport' match is supported.
         - Updated to consolidate spaces in hex matches in the fwsnort.sh
         script since the spaces are not part of patterns to be searched
         anyway.
      bumped version to fwsnort-1.0.6-pre4
      Added the 'BuildRequires: perl-ExtUtils-MakeMaker' statement
      version 1.0.6
      version 1.0.6
      merged: svn merge -r 500:504
         file:///home/mbr/svn/fwsnort_repos/fwsnort/branches/fwsnort-1.0.6
      updated to the latest Emerging Threats rule set
      updated to the latest Emerging Threats rule set
      - Added the --include-perl-triggers command line argument so that
         translated Snort rules can easily be tested.  This argument
         instructs fwsnort to include 'perl -e print ... ' commands as
         comments in the /etc/fwsnort/fwsnort.sh script, and these commands
         can be combined with netcat to send payloads across the wire that
         match Snort rules.
         - Minor documentation fixes.
      - Added the ability to build an fwsnort policy that utilizes
         ip6tables instead of iptables.  This allows fwsnort filtering and
         altering capabilities to apply to IPv6 traffic instead of just
         IPv4 traffic.  To enable ip6tables usage, use the "-6" or
         "--ip6tables" command line arguments.
      updated version to 1.1
      - Updated fwsnort to create logs in the /var/log/fwsnort/ directory
         instead of directly in the /var/log/ directory.  The path is
         controlled by a new variable 'LOG_FILE' in the
         /etc/fwsnort/fwsnort.conf file.
         - Added several variables in /etc/fwsnort/fwsnort.conf to control
         paths to everything from the config file to the snort rules path.
         Coupled with this is the ability to create variables within path
         components and fwsnort will expand them (e.g. 'CONF_DIR
         /etc/fwsnort; CONF_FILE $CONF_DIR/fwsnort.conf').
         - Added --Last-cmd arg so that it is easy to rebuild the fwsnort.sh
         script with the same command line args as the previous execution.
      bumped version to 1.1-pre2
      added Guillermo Gomez
      bumped version to 1.1-pre3
      added a -6 example to the EXAMPLES section
      bumped version to 1.1
      minor update Snort -> SNORT
      minor version fix (1.1)
      updated GPL license string to mention GPLv2
      Major update to begin moving to using the iptables-save format
         instead of the older strategy to always just execute iptables
         commands directly.
      - Updated the iptables capabilities testing routines to add and
         delete testing rules to/from the custom chain 'FWS_CAP_TEST'.
         This maintains a cleaner separation between fwsnort and any
         existing iptables policy even during the capabilities testing
         phase.
         - Added the --ipt-check-capabilities argument to have fwsnort test
         the capabilities of the local iptables firewall and exit.
      - Updated to automatically check for the maximum length string that
         the string match supports, and this is used to throw out any
         Snort rules with content matches longer than this length.
      moved to instantiate the fwsnort iptables-save policy via
         /etc/fwsnort/fwsnort.sh
      minor comments update
      bumped version to 1.5-pre1
      - Added the --rules-url argument so that the URL for updating the
         Emerging Threats rule set can be specified from the command line.
         The default is:
      bumped version to: 1.5-pre2
      updated to point to the correct Emerging Threats rule set, and added
         the --rules-url arg (similar to fwsnort)
      bug fix to make sure to add the 'COMMIT' and '# Completed ...' lines
         at the end of the generated fwsnort.save file
      updated to default to pulling Snort rules from the rules directory in
         --snort-rfile mode when running as root
      - Updated to the latest complete rule set from Emerging Threats (see
         http://www.emergingthreats.net/).
      bumped version to 1.5-pre3
      - Added the --string-match-alg argument to allow the string matching
         algorithm used by fwsnort to be specified from the command line.
         The default algorithm is 'bm' for 'Boyer-Moore', but 'kmp' may
         also be specified (short for the 'Knuth–Morris–Pratt' algorithm).
      bumped to version 1.5-pre4
      minor update to include the GPL version number (v2) suggested by
         Guillermo Gomez
      added the ability to build ip6tables policies in ip6tables-save
         format
      minor wording update to include ip6tables policies
      update to include information about the iptables-save format
      added UPGRADE section
      copyright date update
      bumped version to: 1.5-pre5
      minor date update
      bumped software version to 1.5
      wording fix for the fwsnort-1.5 ChangeLog
      Removed legacy $Id$ tags (for old svn repos)
      Removed old reference to $rev_num
      Bugfix for --log-prefix maximum lengths
      Bugfix for --ipt-list and --ipt-flush
      Added test for conntrack --ctstate
      Added the --Conntrack-state argument
      Bugfix for --ipt-apply to exec fwsnort.sh
      minor ChangeLog update
      Added newer Snort keywords to snort_opts.pl
      Added three Snort signature keywords
      minor man page wording update
      Added support for Snort keyword 'fast_pattern'
      Added 'fast_pattern' support + no patterns bug fix
      Merge branch 'master' of github.com:mrash/fwsnort
      Added content match ordering based on length
      minor comment wording update for TCP options
      Added 'detection_filter' to not supported list
      Fixed fast_pattern support for relative matches
      minor man page wording update
      Moved GetOpt() call to handle_cmd_line()
      Added the --no-fast-pattern-ordering argument
      Implemented tighter 'within' criteria
      Added --no-fast-pattern-order to --help output
      Added iptables 'multiport' match support
      Updated to the latest Emerging Threats Snort rules
      Added support for the Snort 'nocase' keyword
      Minor change to not write args in --help mode.
      Updated to allow non-root users to execute fwsnort.
      Ignore http_uri, http_method, and urilen
      Bugfix to support --NFQUEUE mode
      Added iptables capabilities test for NFQUEUE modes
      Minor man page wording update for NFQUEUE mode
      Added --queue-pre-match-max <num> argument
      Added support for rules updates from several URL's
      Renamed ChangeLog -> ChangeLog.old
      Bumped version from 1.5 to 1.6
      Added the ChangeLog file for 'git log' output.
      Added iptables capabilities test for COMMENT len

