Merge branch '4.4.22'

Shorewall/Perl/Shorewall/Chains.pm

@@ -4786,7 +4786,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 
     if ( $origdest ) {
 	if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
-	    $origdest = '';
+	    $onets = $oexcl = '';
 	} elsif ( $origdest =~ /^detect:(.*)$/ ) {
 	    #
 	    # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@@ -4816,7 +4816,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 		$rule .= "-m conntrack --ctorigdst $variable ";
 	    }
 
-	    $origdest = '';
+	    $onets = $oexcl = '';
 	} else {
 	    fatal_error "Invalid ORIGINAL DEST" if  $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -152,7 +152,10 @@ sub setup_ecn()
 
     if ( my $fn = open_file 'ecn' ) {
 
-	first_entry "$doing $fn...";
+	first_entry( sub { progress_message2 "$doing $fn...";
+			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
+		       } );
 
 	while ( read_a_line ) {
 
@@ -178,7 +181,7 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
 
-		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
+		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
 		add_ijump $mangle_table->{OUTPUT},       j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
 	    }
 

docs/PortKnocking.xml

@@ -108,7 +108,7 @@ if ( $level ) {
                     '',
                     $tag,
                     'add',
-                    '-p tcp --dport ! 22 ' );
+                    '-p tcp ! --dport 22 ' );
 }
 
 add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );