Bring trunk up to date with branch/4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7668 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/Makefile

@@ -1,5 +1,5 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
-VARDIR=/var/lib/shorewall
+VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=.restore
 all: $(VARDIR)/${RESTOREFILE}

Shorewall-common/changelog.txt

@@ -1,3 +1,29 @@
+Changes in 4.0.6
+
+1)  Fix hyphenated service names in DNAT/REDIRECT rules.
+
+2)  Fix long dest ports list bug.
+
+3)  Fix many day-one bugs in REDIRECT port handling.
+
+4)  Add support for '--physdev-is-bridged'.
+
+5)  Add support for embedded shell and Perl scripts.
+
+6)  Add support for manual chains.
+
+7)  Don't require GATEWAY in tunnels file.
+
+8)  Fix HIGH_ROUTE_MARKS fsck-up.
+
+9)  Fix Makefiles for VARDIR
+
+10) Add -t option to hits command.
+
+11) Add DONT_LOAD option
+
+12) Add support for --random.
+
 Changes in 4.0.5
 
 1)  Delete 'detectnets' from Shorewall-perl

Shorewall-common/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {

Shorewall-common/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {

Shorewall-common/lib.base

@@ -35,7 +35,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40003
+SHOREWALL_CAPVERSION=40006
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -212,7 +212,7 @@ loadmodule() # $1 = module name, $2 - * arguments
     local modulefile
     local suffix
 
-    if ! list_search $modulename $MODULES ; then
+    if ! list_search $modulename $MODULES $DONT_LOAD ; then
 	shift
 
 	for suffix in $MODULE_SUFFIX ; do
@@ -983,6 +983,7 @@ determine_capabilities() {
     XMULTIPORT=
     POLICY_MATCH=
     PHYSDEV_MATCH=
+    PHYSDEV_BRIDGE=
     IPRANGE_MATCH=
     RECENT_MATCH=
     OWNER_MATCH=
@@ -1020,6 +1021,7 @@ determine_capabilities() {
 
     if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
 	PHYSDEV_MATCH=Yes
+	qt $IPTABLES -A fooX1234 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
 	if [ -z "${KLUDGEFREE}" ]; then
 	    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
 	fi
@@ -1112,6 +1114,7 @@ report_capabilities() {
 	report_capability "Packet Type Match" $USEPKTTYPE
 	report_capability "Policy Match" $POLICY_MATCH
 	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
 	report_capability "Packet length Match" $LENGTH_MATCH
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
@@ -1157,6 +1160,7 @@ report_capabilities1() {
     report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
+    report_capability1 PHYSDEV_BRIDGE
     report_capability1 LENGTH_MATCH
     report_capability1 IPRANGE_MATCH
     report_capability1 RECENT_MATCH

Shorewall-common/lib.cli

@@ -541,6 +541,9 @@ show_command() {
 		$IPTABLES -t $table -L $IPT_OPTIONS
 	    fi
 	    ;;
+	vardir)
+	    echo $VARDIR;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -916,17 +919,49 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 # 'hits' commmand executor
 #
 hits_command() {
+    local finished=0 today=
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			t*)
+			    today=$(date +'^%b %_d.*')
+			    option=${option#t}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -eq 0 ] || usage 1
+
     clear_term
     echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
     echo
 
     timeout=30
 
-    if [ $( $LOGREAD | grep -c 'IN=.* OUT=' ) -gt 0 ] ; then
+    if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
 	echo "   HITS IP	        DATE"
 	echo "   ---- --------------- ------"
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | \
+	$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
-	    while read count address month day; do
 	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
 	done
 
@@ -934,10 +969,9 @@ hits_command() {
 
 	echo "   HITS IP	        PORT"
 	echo "   ---- --------------- -----"
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
+	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
-						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | \
+						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
-						    while read count address port; do
 	    printf '%7d %-15s %d\n' $count $address $port
 	done
 
@@ -945,8 +979,7 @@ hits_command() {
 
 	echo "   HITS DATE"
 	echo "   ---- ------"
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | \
+	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
-	    while read count month day; do
 	    printf '%7d %3s %2d\n' $count $month $day
 	done
 
@@ -954,8 +987,7 @@ hits_command() {
 
 	echo "   HITS  PORT SERVICE(S)"
 	echo "   ---- ----- ----------"
-	$LOGREAD | grep 'IN=.* OUT=.*DPT' | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
+	$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
-	    while read count port ; do
 	    # List all services defined for the given port
 	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
 	    srv=$(echo $srv | sed 's/ /,/g')

Shorewall-common/lib.config

@@ -1746,6 +1746,7 @@ do_initialize() {
     EXPORTPARAMS=
     KEEP_TC_RULES=
     DELETE_THEN_ADD=
+    DONT_LOAD=
     #
     # Packet Disposition
     #
@@ -1830,6 +1831,7 @@ do_initialize() {
     # capabilities when module autoloading isn't enabled.
     #
     PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
+    [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 

Shorewall-common/macro.AllowICMPs

@@ -6,8 +6,8 @@
 #	This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Amanda

@@ -8,8 +8,8 @@
 #	files from those nodes.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,

Shorewall-common/macro.Auth

@@ -6,7 +6,7 @@
 #	This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	113
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.BitTorrent

@@ -6,8 +6,8 @@
 #	This macro handles BitTorrent traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:

Shorewall-common/macro.CVS

@@ -6,7 +6,7 @@
 #	This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	2401
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.DNS

@@ -6,8 +6,8 @@
 #	This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Distcc

@@ -6,7 +6,7 @@
 #	This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3632
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Drop

@@ -11,8 +11,8 @@
 #		Drop	net	all
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 #
 # Don't log 'auth' REJECT
 #

Shorewall-common/macro.DropDNSrep

@@ -6,7 +6,7 @@
 #	This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 DROP	-	-	udp	-	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.DropUPnP

@@ -6,7 +6,7 @@
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 DROP	-	-	udp	1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Edonkey

@@ -28,8 +28,8 @@
 #	applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.FTP

@@ -6,7 +6,7 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	21
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Finger

@@ -7,7 +7,7 @@
 #	your finger information to internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	79
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.GRE

@@ -6,8 +6,8 @@
 #	This macro (bi-directional) handles Generic Routing Encapsulation traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Gnutella

@@ -6,8 +6,8 @@
 #	This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.HTTP

@@ -6,7 +6,7 @@
 #	This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	80
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.HTTPS

@@ -6,7 +6,7 @@
 #	This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	443
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.ICQ

@@ -6,7 +6,7 @@
 #	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5190
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.IMAP

@@ -7,7 +7,7 @@
 #	see macro.IMAPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	143
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.IMAPS

@@ -7,7 +7,7 @@
 #	(not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	993
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.IPIP

@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.IPP

@@ -6,7 +6,7 @@
 #	This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.IPPserver

@@ -23,8 +23,8 @@
 #		IPPserver/ACCEPT $FW loc
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.IPsec

@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE

Shorewall-common/macro.IPsecah

@@ -7,8 +7,8 @@
 #       This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE

Shorewall-common/macro.IPsecnat

@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP

Shorewall-common/macro.JabberPlain

@@ -6,7 +6,7 @@
 #	This macro accepts Jabberd intercommunication traffic
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#TARGET	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5269
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.JabberSecure

@@ -6,7 +6,7 @@
 #	This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#TARGET	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5222
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Jabberd

@@ -6,7 +6,7 @@
 #	This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#TARGET	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5223
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Jetdirect

@@ -6,7 +6,7 @@
 #	This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	9100
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.L2TP

@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic (RFC 2661)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	1701	# L2TP
 PARAM	DEST	SOURCE	udp	1701	# L2TP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.LDAP

@@ -11,7 +11,7 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.LDAPS

@@ -11,7 +11,7 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	636
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.MySQL

@@ -6,7 +6,7 @@
 #	This macro handles connections to the MySQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3306
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.NNTP

@@ -7,7 +7,7 @@
 #	encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	119
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.NNTPS

@@ -7,7 +7,7 @@
 #	plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	563
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.NTP

@@ -7,7 +7,7 @@
 #	For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.NTPbrd

@@ -11,8 +11,8 @@
 #	Netfilter doesn't track connections for broadcast traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-		-		udp	123
 PARAM	-		-		udp	1024:	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.PCA

@@ -6,8 +6,8 @@
 #	This macro handles PCAnywere (tm)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	5632
 PARAM	-	-	tcp	5631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.POP3

@@ -7,7 +7,7 @@
 #	see macro.POP3S.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	110
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.POP3S

@@ -7,7 +7,7 @@
 #	see macro.POP3.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	995	# Secure POP3
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Ping

@@ -6,7 +6,7 @@
 #	This macro handles 'ping' requests.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	icmp	8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.PostgreSQL

@@ -6,7 +6,7 @@
 #	This macro handles connections to the PostgreSQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5432
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Printer

@@ -6,7 +6,7 @@
 #	This macro handles Line Printer protocol printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	515
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.RDP

@@ -6,7 +6,7 @@
 #	This macro handles Microsoft RDP (Remote Desktop) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Rdate

@@ -10,7 +10,7 @@
 #	use Time macro instead.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Reject

@@ -12,8 +12,8 @@
 #
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 #
 # Don't log 'auth' REJECT
 #

Shorewall-common/macro.Rsync

@@ -6,7 +6,7 @@
 #	This macro handles connections to the rsync server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	873
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SMB

@@ -10,8 +10,8 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137

Shorewall-common/macro.SMBBI

@@ -10,8 +10,8 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137

Shorewall-common/macro.SMBswat

@@ -7,7 +7,7 @@
 #	(SWAT).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	901
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SMTP

@@ -14,7 +14,7 @@
 #	the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	25
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SMTPS

@@ -11,7 +11,7 @@
 #	the POP3(S) or IMAP(S) macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	465
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SNMP

@@ -6,8 +6,8 @@
 #	This macro handles SNMP traffic (including traps).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	161:162
 PARAM	-	-	tcp	161
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SPAMD

@@ -6,7 +6,7 @@
 #	This macro handles Spam Assassin SPAMD traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	783
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SSH

@@ -6,7 +6,7 @@
 #	This macro handles secure shell (SSH) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	22
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SVN

@@ -7,7 +7,7 @@
 #
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3690
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.SixXS

@@ -6,7 +6,7 @@
 #	This macro handles SixXS -- An IPv6 Deployment and Tunnel Broken
 #
 ###############################################################################
-#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	RATE	USER/
+#ACTION		SOURCE		PROTO	DEST	SOURCE	RATE	USER/
 #						PORT	PORT(S)	LIMIT	GROUP
 PARAM		-		-	tcp	3874      # Used for retrieving the tunnel information (eg by AICCU)
 PARAM		-		-	udp	3740      # Used for signaling where the current IPv4 endpoint

Shorewall-common/macro.Submission

@@ -6,7 +6,7 @@
 #	This macro handles mail message submission traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	587
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Syslog

@@ -6,7 +6,7 @@
 #	This macro handles syslog UDP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.TFTP

@@ -8,7 +8,7 @@
 #	Internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	69
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Telnet

@@ -7,7 +7,7 @@
 #	internet, telnet is inappropriate; use SSH instead
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	23
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Telnets

@@ -7,7 +7,7 @@
 #	For traffic over the internet, SSH might be more practical.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	992
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Time

@@ -8,7 +8,7 @@
 #	you shouldn't be using this.  NTP is a superior alternative.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Trcrt

@@ -6,8 +6,8 @@
 #	This macro handles Traceroute (for up to 30 hops).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	33434:33524 # UDP Traceroute
 PARAM	-	-	icmp	8	    # ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.VNC

@@ -6,7 +6,7 @@
 #	This macro handles VNC traffic for VNC display's 0 - 9.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5900:5909
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.VNCL

@@ -7,7 +7,7 @@
 #	mode.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5500
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Web

@@ -8,8 +8,8 @@
 #	is recommended.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	80	# HTTP (plaintext)
 PARAM	-	-	tcp	443	# HTTPS (over SSL)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Webmin

@@ -6,7 +6,7 @@
 #	This macro handles Webmin traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	10000
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/macro.Whois

@@ -6,7 +6,7 @@
 #	This macro handles whois (nicname) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	43
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-common/shorewall

@@ -62,6 +62,7 @@
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
 #          shorewall show capabilities             Display iptables/kernel capabilities
+#          shorewall show vardir                   Display the VARDIR setting.
 #	   shorewall version			   Display the installed version id
 #	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
 #	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
@@ -1283,7 +1284,7 @@ usage() # $1 = exit status
     echo "   export [ -C {shell|perl} ] [ <directory1> ] [<user>@]<system>[:<directory2>]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -1298,7 +1299,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -C {shell|perl} ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"
@@ -1633,8 +1634,8 @@ case "$COMMAND" in
     hits)
 	get_config Yes No Yes
 	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] || usage 1
+	shift
-	hits_command
+	hits_command $@
 	;;
     version)
 	shift

Shorewall-common/shorewall-common.spec

@@ -1,5 +1,5 @@
 %define name shorewall-common
-%define version 4.0.5
+%define version 4.0.6
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -153,6 +153,9 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/macro.IPsec
 %attr(0644,root,root) /usr/share/shorewall/macro.IPsecah
 %attr(0644,root,root) /usr/share/shorewall/macro.IPsecnat
+%attr(0644,root,root) /usr/share/shorewall/macro.Jabberd
+%attr(0644,root,root) /usr/share/shorewall/macro.JabberPlain
+%attr(0644,root,root) /usr/share/shorewall/macro.JabberSecure
 %attr(0644,root,root) /usr/share/shorewall/macro.Jetdirect
 %attr(0644,root,root) /usr/share/shorewall/macro.L2TP
 %attr(0644,root,root) /usr/share/shorewall/macro.LDAP
@@ -240,6 +243,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 
 %changelog
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net

Shorewall-common/shorewall.conf

@@ -171,6 +171,8 @@ DELETE_THEN_ADD=Yes
 
 MULTICAST=No
 
+DONT_LOAD=
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-common/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {

Shorewall-lite/Makefile

@@ -1,12 +1,11 @@
 # Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=/var/lib/shorewall-lite
+VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
-include $(SHAREDIR)/configpath
 
 all: $(VARDIR)/${RESTOREFILE}
 
-$(VARDIR)/${RESTOREFILE}: $(LITEDIR)/firewall
+$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite

@@ -49,6 +49,7 @@
 #     shorewall-lite show tc			   Display traffic control info
 #     shorewall-lite show classifiers		   Display classifiers
 #     shorewall-lite show capabilities             Display iptables/kernel capabilities
+#     shorewall-lite show vardir                   Display VARDIR setting
 #     shorewall-lite version			   Display the installed version id
 #     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
 #						   messages.
@@ -356,7 +357,7 @@ usage() # $1 = exit status
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -368,7 +369,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|zones} ]"
+    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ]"
     echo "   stop"
     echo "   status"
@@ -597,8 +598,8 @@ case "$COMMAND" in
 	;;
     hits)
 	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] || usage 1
+	shift
-	hits_command
+	hits_command $@
 	;;
     version)
 	echo $version Lite

Shorewall-lite/shorewall-lite.spec

@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.0.5
+%define version 4.0.6
 %define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {

Shorewall-perl/Shorewall/Accounting.pm

@@ -25,17 +25,17 @@
 #
 package Shorewall::Accounting;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -174,19 +174,14 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 
 sub setup_accounting() {
 
-    my $first_entry = 1;
-
     my $fn = open_file 'accounting';
 
+    first_entry "$doing $fn...";
+
     while ( read_a_line ) {
 
 	my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	if ( $action eq 'COMMENT' ) {
 	    process_comment;
 	} else {

Shorewall-perl/Shorewall/Actions.pm

@@ -25,9 +25,9 @@
 #
 package Shorewall::Actions;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
@@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
 		  %macros
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.4;
+our $VERSION = 4.0.6;
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -400,7 +400,7 @@ sub process_macro1 ( $$ ) {
 	$targettype = 0 unless defined $targettype;
 
 	fatal_error "Invalid target ($mtarget)"
-	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ ) );
+	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
     }
 
     progress_message "   ..End Macro $macrofile";
@@ -418,7 +418,7 @@ sub process_action1 ( $$ ) {
     my $targettype = $targets{$target};
 
     if ( defined $targettype ) {
-	return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE |  NFQ ) );
+	return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE |  NFQ | CHAIN ) );
 
 	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
 
@@ -640,7 +640,7 @@ sub process_action3( $$$$$ ) {
 	    if ( $action2type & ACTION ) {
 		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
 	    } else {
-		fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ );
+		fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ | CHAIN );
 	    }
 	}
 

Shorewall-perl/Shorewall/Chains.pm

@@ -27,14 +27,28 @@
 package Shorewall::Chains;
 require Exporter;
 
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
-
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( STANDARD
+our @EXPORT = qw( 
+		  add_rule
+		  insert_rule
+		  new_chain
+		  new_manual_chain
+		  ensure_manual_chain
+		  log_rule_limit
+
+		  %chain_table
+		  $nat_table
+		  $mangle_table
+		  $filter_table
+		  );
+
+our %EXPORT_TAGS = ( 
+		    internal => [  qw( STANDARD
 				       NATRULE
 				       BUILTIN
 				       NONAT
@@ -44,6 +58,7 @@ our @EXPORT = qw( STANDARD
 				       MACRO
 				       LOGRULE
 				       NFQ
+				       CHAIN
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       INPUT_RESTRICT
@@ -51,15 +66,12 @@ our @EXPORT = qw( STANDARD
 				       POSTROUTE_RESTRICT
 				       ALL_RESTRICT
 				       
+				       add_command
+				       add_commands
 				       process_comment
 				       clear_comment
 				       incr_cmd_level
 				       decr_cmd_level
-		  add_command
-		  add_commands
-		  mark_referenced
-		  add_rule
-		  insert_rule
 				       chain_base 
 				       forward_chain
 				       input_chain
@@ -76,18 +88,19 @@ our @EXPORT = qw( STANDARD
 				       snat_chain
 				       ecn_chain
 				       first_chains
-		  new_chain
+				       mark_referenced
 				       ensure_chain
-		  ensure_filter_chain
 				       ensure_mangle_chain
 				       new_standard_chain
 				       new_builtin_chain
+				       ensure_filter_chain
 				       initialize_chain_table
 				       finish_section
 				       setup_zone_mss
 				       newexclusionchain
 				       clearrule
-		  validate_portrange
+				       validate_port
+				       proto_name
 				       do_proto
 				       mac_match
 				       verify_mark
@@ -105,7 +118,6 @@ our @EXPORT = qw( STANDARD
 				       match_orig_dest
 				       match_ipsec_in
 				       match_ipsec_out
-		  log_rule_limit
 				       log_rule
 				       expand_rule
 				       addnatjump
@@ -116,27 +128,26 @@ our @EXPORT = qw( STANDARD
 				       set_global_variables
 				       create_netfilter_load
 				       create_chainlist_reload
-
-		  %chain_table
-		  $nat_table
-		  $mangle_table
-		  $filter_table
 				       $section
 				       %sections
 				       %targets
+				     ) ],
 		   );
-our @EXPORT_OK = qw( initialize );
+
-our $VERSION = 4.0.5;
+Exporter::export_ok_tags('internal');
+
+our $VERSION = 4.0.6;
 
 #
 # Chain Table
 #
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
-#                                               is_policy    => 0|1
+#                                               is_policy    => undef|1 -- if 1, this is a policy chain
-#                                               is_optional  => 0|1
+#                                               is_optional  => undef|1 -- See below.
-#                                               referenced   => 0|1 -- If 1, will be written to the iptables-restore-input.
+#                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
-#                                               builtin      => 0|1 -- If 1, one of Netfilter's built-in chains.
+#                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
+#                                               manual       => undef|1 -- If 1, a manual chain.
 #                                               log          => <logging rule number for use when LOGRULENUMBERS>
 #                                               policy       => <policy>
 #                                               policychain  => <name of policy chain> -- self-reference if this is a policy chain
@@ -156,7 +167,7 @@ our $VERSION = 4.0.5;
 #                 }
 #
 #       'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are optional.
+#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with is_optional == 1.
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
@@ -186,6 +197,7 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       MACRO    => 128,            #A Macro
 	       LOGRULE  => 256,            #'LOG'
 	       NFQ      => 512,            #'NFQUEUE'
+	       CHAIN    => 1024,           #Manual Chain
 	   };
 
 our %targets;
@@ -423,6 +435,7 @@ sub add_rule($$;$)
 		    if ( ++$count == 15 ) {
 			if ( $separator eq ':' ) {
 			    unshift @ports, $port, ':';
+			    chop $newports;
 			    last;
 			} else {
 			    $newports .= $port;
@@ -676,6 +689,22 @@ sub new_standard_chain($) {
     $chainref;
 }
 
+sub new_manual_chain($) {
+    my $chain = $_[0];
+    fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
+    $targets{$chain} = CHAIN;
+    ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
+    $chainref->{referenced} = 1;
+    $chainref;
+}
+
+sub ensure_manual_chain($) {
+    my $chain = $_[0];
+    my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
+    fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual};
+    $chainref;
+}
+
 #
 # Add all builtin chains to the chain table
 #
@@ -869,25 +898,6 @@ sub validate_portpair( $$ ) {
 
 }
 
-sub validate_portrange( $$ ) {
-    my ($proto, $portpair) = @_;
-
-    if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair,  0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) {
-	fatal_error "Invalid port range ($portpair)";
-    }
-
-    my @ports = split /-/, $portpair, 2;
-
-    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
-
-    if ( @ports == 2 ) {
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-    }
-
-    join '-', @ports;
-
-}
-
 sub validate_port_list( $$ ) {
     my $result = '';
     my ( $proto, $list ) = @_;
@@ -1208,7 +1218,11 @@ sub match_dest_dev( $ ) {
     my $interface = shift;
     my $interfaceref =  find_interface( $interface );
     if ( $interfaceref && $interfaceref->{options}{port} ) {
+	if ( $capabilities{PHYSDEV_BRIDGE} ) {
+	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
+	} else {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
+	}
     } else {
 	"-o $interface ";
     }

Shorewall-perl/Shorewall/Compiler.pm

@@ -24,8 +24,8 @@
 
 package Shorewall::Compiler;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Policy;
 use Shorewall::Nat;
@@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 4.0.4;
+our $VERSION = 4.0.6;
 
 our $export;
 
@@ -133,6 +133,8 @@ sub generate_script_1() {
 
     propagateconfig;
 
+    my @dont_load = split /,/, $config{DONT_LOAD};
+
     emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
 	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
@@ -140,6 +142,7 @@ sub generate_script_1() {
 	   qq(VERSION="$globals{VERSION}") ,
 	   qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
+	   qq(DONT_LOAD="@dont_load") ,
 	   ''
 	   );
 
@@ -735,6 +738,10 @@ sub compiler( $$$$$ ) {
 	generate_script_1;
     }
 
+    #
+    # Allow user to load Perl modules
+    #
+    run_user_exit1 'compile';
     #
     # Process the zones file.
     #

Shorewall-perl/Shorewall/Config.pm

@@ -36,13 +36,23 @@ use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
+use Scalar::Util 'reftype';
 
 our @ISA = qw(Exporter);
 #
 # Imported variables should be treated as read-only by importers
 #
 our @EXPORT = qw(
-		 create_temp_object
+		 warning_message
+		 fatal_error
+		 progress_message
+		 progress_message2
+		 progress_message3
+                );
+
+our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
+
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_object 
 				       finalize_object
 				       emit
 				       emit_unindented
@@ -51,22 +61,18 @@ our @EXPORT = qw(
 				       set_timestamp
 				       set_verbose
 				       set_command
-		 progress_message
-		 progress_message2
-		 progress_message3
 				       push_indent
 				       pop_indent
 				       copy
 				       create_temp_aux_config
 				       finalize_aux_config
-		 warning_message
-		 fatal_error
 				       set_shorewall_dir
 				       set_debug
 				       find_file
 				       split_line
 				       split_line1
 				       split_line2
+				       first_entry
 				       open_file
 				       close_file
 				       push_open
@@ -91,10 +97,12 @@ our @EXPORT = qw(
 				       $currentline
 				       %config
 				       %globals
-		 %capabilities );
+				       %capabilities
+				     ) ] );	       
 
-our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
+Exporter::export_ok_tags('internal');
-our $VERSION = 4.0.5;
+
+our $VERSION = 4.0.6;
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -156,6 +164,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
+		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
@@ -197,6 +206,10 @@ our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
 our $currentfilename;         # File NAME
 our $currentlinenumber;       # Line number
+our $scriptfile;              # File Handle Reference to current temporary file being written by an in-line Perl script
+our $scriptfilename;          # Name of that file.
+our @tempfiles;               # Files that need unlinking at END
+our $first_entry;             # Message to output or function to call on first non-blank line of a file
 
 our $shorewall_dir;           # Shorewall Directory
 
@@ -230,8 +243,8 @@ sub initialize() {
 		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
-		    VERSION =>  '4.0.5',
+		    VERSION =>  '4.0.6',
-		    CAPVERSION => 40003 ,
+		    CAPVERSION => 40006 ,
 		  );
     #
     # From shorewall.conf file
@@ -324,6 +337,7 @@ sub initialize() {
 		KEEP_RT_TABLES => undef,
 		DELETE_THEN_ADD => undef,
 		MULTICAST => undef,
+		DONT_LOAD => '',
 		#
 		# Packet Disposition
 		#
@@ -344,6 +358,7 @@ sub initialize() {
 	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
+	       PHYSDEV_BRIDGE => undef,
 	       LENGTH_MATCH => undef,
 	       IPRANGE_MATCH => undef,
 	       RECENT_MATCH => undef,
@@ -385,6 +400,7 @@ sub initialize() {
     $currentfile = undef;     # File handle reference
     $currentfilename = '';    # File NAME
     $currentlinenumber = 0;   # Line number
+    $first_entry = 0;         # Message to output or function to call on first non-blank file entry
 
     $shorewall_dir = '';      #Shorewall Directory
 
@@ -403,11 +419,15 @@ sub warning_message
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
 
+    $| = 1;
+
     if ( $debug ) {
 	print STDERR longmess( "   WARNING: @_$currentlineinfo" );
     } else {
 	print STDERR "   WARNING: @_$currentlineinfo\n";
     }
+
+    $| = 0;
 }
 
 #
@@ -416,10 +436,17 @@ sub warning_message
 sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    $| = 1;
     confess "   ERROR: @_$currentlineinfo" if $debug;
     die "   ERROR: @_$currentlineinfo\n";
 }
 
+sub fatal_error1	{
+    $| = 1;
+    confess "   ERROR: @_" if $debug;
+    die "   ERROR: @_\n";
+}
+
 #
 # Write the arguments to the object file (if any) with the current indentation.
 #
@@ -793,14 +820,9 @@ sub open_file( $ ) {
 }
 
 #
-# This function is normally called below in read_a_line() when EOF is reached. Clients of the
+# Pop the include stack
-# module may also call the function to close the file before EOF
 #
-
+sub pop_include() {
-sub close_file() {
-    if ( $currentfile ) {
-	close $currentfile;
-
     my $arrayref = pop @includestack;
 
     if ( $arrayref ) {
@@ -809,6 +831,23 @@ sub close_file() {
 	$currentfile = undef;
     }
 }    
+
+#
+# This function is normally called below in read_a_line() when EOF is reached. Clients of the
+# module may also call the function to close the file before EOF
+#
+
+sub close_file() {
+    if ( $currentfile ) {
+	my $result = close $currentfile;
+
+	pop_include;
+	
+	fatal_error "SHELL Script failed" unless $result;
+
+	$first_entry = 0;
+
+    }
 }
 
 #
@@ -828,13 +867,143 @@ sub push_open( $ ) {
 
 sub pop_open() {
     @includestack = @{pop @openstack};
+    pop_include;
+}
 
-    my $arrayref = pop @includestack;
+sub shorewall {
+    unless ( $scriptfile ) {
+	fatal_error "shorewall() may not be called in this context" unless $currentfile;
 
-    if ( $arrayref ) {
+	$dir ||= '/tmp/';
-	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+
-    } else {
+	eval {
+	    ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
+	};
+
+	fatal_error "Unable to create temporary file in directory $dir" if $@;
+    }
+
+    print $scriptfile "@_\n";
+}
+
+#
+# We don't announce that we are checking/compiling a file until we determine that the file contains 
+# at least one non-blank, non-commentary line.
+#
+# The argument to this function may be either a scalar or a function reference. When the first
+# non-blank/non-commentary line is reached: 
+#
+# - if a function reference was passed to first_entry(), that function is called
+# - otherwise, the argument to first_entry() is passed to progress_message2().
+#
+# We do this processing in read_a_line() rather than in the higher-level routines because
+# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
+# until we get back to the caller of read_a_line(), we could issue error messages about parsing and 
+# running scripts in the file before we'd even indicated that we are processing it.
+#
+sub first_entry( $ ) {
+    $first_entry = $_[0];
+    my $reftype = reftype $first_entry;
+    if ( $reftype ) {
+	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
+    }
+}   
+
+sub embedded_shell( $ ) {
+    my $multiline = shift;
+
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
+    
+    if ( $multiline ) {
+	#
+	# Multi-line script
+	#
+	fatal_error "Invalid BEGIN SHELL directive" unless $currentline =~ /^\s*$/;
+	$command .= "\n";
+
+	my $last = 0;
+		    
+	while ( <$currentfile> ) {
+	    $currentlinenumber++;
+	    last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
+	    $command .= $_;
+	}
+	
+	fatal_error ( "Missing END SHELL" ) unless $last;
+	fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
+    }
+
+    $command .= q(');
+    
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
     $currentfile = undef;
+    open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
+    $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
+    $currentline = '';
+    $currentlinenumber = 0;
+}
+
+sub embedded_perl( $ ) {
+    my $multiline = shift;
+		
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );		
+
+    if ( $multiline ) {
+	#
+	# Multi-line script
+	#
+	fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/;
+	$command .= "\n";
+		    
+	my $last = 0;
+		    
+	while ( <$currentfile> ) {
+	    $currentlinenumber++;
+	    last if $last = s/^\s*END(\s+PERL)?\s*;?//;
+	    $command .= $_;
+	}
+	
+	fatal_error ( "Missing END PERL" ) unless $last;
+	fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
+    }
+    
+    unless (my $return = eval $command ) {
+	if ( $@ ) {
+	    #
+	    # Perl found the script offensive or the script itself died
+	    #
+	    $@ =~ s/, <\$currentfile> line \d+//g;
+	    fatal_error1 "$@";
+	}
+	
+	unless ( defined $return ) {
+	    fatal_error "Perl Script failed: $!" if $!; 
+	    fatal_error "Perl Script failed";
+	} 
+
+	fatal_error "Perl Script Returned False";
+    }
+    
+    if ( $scriptfile ) {
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+
+	close $scriptfile or fatal_error "Internal Error in embedded_perl()";
+	
+	$scriptfile = undef;
+	
+	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+	$currentfile = undef;
+	
+	open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
+
+	push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
+	
+	$scriptfilename = '';
+	
+	$currentfilename = "PERL\@$currentfilename:$linenumber";
+	$currentline = '';
+	$currentlinenumber = 0;
     }
 }
 
@@ -844,6 +1013,7 @@ sub pop_open() {
 #   - Ignore blank or comment-only lines.
 #   - Remove trailing comments.
 #   - Handle Line Continuation
+#   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from $ENV.
 #   - Handle INCLUDE <filename>
 #
@@ -871,7 +1041,22 @@ sub read_a_line() {
 	    # Ignore ( concatenated ) Blank Lines
 	    #
 	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
-
+	    #
+	    # Line not blank -- Handle any first-entry message/capabilities check
+	    #
+	    if ( $first_entry ) {
+		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
+		$first_entry = 0;
+	    }
+	    #
+	    # Must check for shell/perl before doing variable expansion
+	    #
+	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		embedded_shell( $1 );
+	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		embedded_perl( $1 );
+	    } else {
+		my $count = 0;
 		#
 		# Expand Shell Variables using %ENV
 		#
@@ -880,6 +1065,7 @@ sub read_a_line() {
 		    my $val = $ENV{$3};
 		    $val = '' unless defined $val;
 		    $currentline = join( '', $1 , $val , $4 );
+		    fatal_error "Variable Expansion Loop" if ++$count > 100;
 		}
 		
 		if ( $currentline =~ /^\s*INCLUDE\s/ ) {
@@ -887,7 +1073,7 @@ sub read_a_line() {
 		    my @line = split ' ', $currentline;
 		    
 		    fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+		    fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
 		    
 		    my $filename = find_file $line[1];
 		    
@@ -907,6 +1093,7 @@ sub read_a_line() {
 		    return 1;
 		}
 	    }
+	}
 
 	close_file;
     }
@@ -1085,6 +1272,10 @@ sub load_kernel_modules( ) {
     if ( $moduleloader && open_file 'modules' ) {
 	my %loadedmodules;
 
+	for ( split /,/, $config{DONT_LOAD} ) {
+	    $loadedmodules{$_} = 1;
+	}
+
 	progress_message "Loading Modules...";
 
 	open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
@@ -1156,6 +1347,7 @@ sub determine_capabilities( $ ) {
 
     if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
 	$capabilities{PHYSDEV_MATCH}  = 1;
+	$capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
 	unless ( $capabilities{KLUDGEFREE} ) {
 	    $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
 	}
@@ -1389,12 +1581,20 @@ sub get_configuration( $ ) {
 
     my $export = $_[0];
 
+    our ( $once, @originalinc );
+    
+    @originalinc = @INC unless $once++;
+
     ensure_config_path;
 
     process_shorewall_conf;
 
     ensure_config_path;
 
+    @INC = @originalinc;
+
+    unshift @INC, @config_path;
+
     default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
 
     default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz';
@@ -1641,10 +1841,17 @@ sub run_user_exit( $ ) {
     if ( -f $file ) {
 	progress_message "Processing $file...";
 
-	unless (my $return = eval `cat $file` ) {
+	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
+
+	unless (my $return = eval $command ) {
 	    fatal_error "Couldn't parse $file: $@" if $@;
-	    fatal_error "Couldn't do $file: $!"    unless defined $return;
+	    
-	    fatal_error "Couldn't run $file";
+	    unless ( defined $return ) {
+		fatal_error "Couldn't do $file: $!" if $!;    
+		fatal_error "Couldn't do $file";
+	    }    
+	    
+	    fatal_error "$file returned a false value";
 	}
     }
 }
@@ -1662,16 +1869,23 @@ sub run_user_exit1( $ ) {
 	if ( read_a_line ) {
 	    close_file;
 
-	    unless (my $return = eval `cat $file` ) {
+	    my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;
+
+	    unless (my $return = eval $command ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
-		fatal_error "Couldn't do $file: $!"    unless defined $return;
+
-		fatal_error "Couldn't run $file";
+		unless ( defined $return ) {
-	    }
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
 		}
 
+		fatal_error "$file returned a false value";
+	    }
+	} else {
 	    pop_open;
 	}
     }
+}
 
 sub run_user_exit2( $$ ) {
     my ($file, $chainref) = ( find_file $_[0], $_[1] );
@@ -1688,8 +1902,13 @@ sub run_user_exit2( $$ ) {
 
 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
-		fatal_error "Couldn't do $file: $!"    unless defined $return;
+
-		fatal_error "Couldn't run $file";
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
 	    }
 	}
 
@@ -1733,10 +1952,17 @@ sub generate_aux_config() {
 }
 
 END {
-    if ( $object ) {
+    #
-	close $object;
+    # Close files first in case we're running under Cygwin
-	unlink $tempfile;
+    #
-    }
+    close  $object         if $object;
+    close  $scriptfile     if $scriptfile;
+    #
+    # Unlink temporary files
+    #
+    unlink $tempfile       if $tempfile;
+    unlink $scriptfilename if $scriptfilename;
+    unlink $_ for @tempfiles; 
 }
 
 1;

Shorewall-perl/Shorewall/Nat.pm

@@ -25,10 +25,10 @@
 #
 package Shorewall::Nat;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 
 use strict;
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -188,17 +188,25 @@ sub setup_one_masq($$$$$$$)
 
     my $detectaddress = 0;
     my $exceptionrule = '';
+    my $randomize     = '';
     #
     # Parse the ADDRESSES column
     #
     if ( $addresses ne '-' ) {
+	if ( $addresses eq 'random' ) {
+	    $randomize = '--random ';
+	} else {
+	    $addresses =~ s/:random$// and $randomize = '--random ';
+
 	    if ( $addresses =~ /^SAME:nodst:/ ) {
+		fatal_error "':random' is not supported by the SAME target" if $randomize;
 		$target = '-j SAME --nodst ';
 		$addresses =~ s/.*://;
 		for my $addr ( split /,/, $addresses ) {
 		    $target .= "--to $addr ";
 		}
 	    } elsif ( $addresses =~ /^SAME:/ ) {
+		fatal_error "':random' is not supported by the SAME target" if $randomize;
 		$target = '-j SAME ';
 		$addresses =~ s/.*://;
 		for my $addr ( split /,/, $addresses ) {
@@ -231,6 +239,9 @@ sub setup_one_masq($$$$$$$)
 		
 		$target .= $addrlist;
 	    }
+	}
+
+	$target .= $randomize;
     } else {
 	$add_snat_aliases = 0;
     }
@@ -284,17 +295,11 @@ sub setup_one_masq($$$$$$$)
 #
 sub setup_masq()
 {
-    my $first_entry = 1;
-
     my $fn = open_file 'masq';
 
-    while ( read_a_line ) {
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
     
-	if ( $first_entry ) {
+    while ( read_a_line ) {
-	    progress_message2 "$doing $fn...";
-	    require_capability( 'NAT_ENABLED' , 'a non-empty masq file' , 's' );
-	    $first_entry = 0;
-	}
 
 	my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
 
@@ -395,17 +400,11 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    my $first_entry = 1;
-
     my $fn = open_file 'nat';
 
-    while ( read_a_line ) {
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
     
-	if ( $first_entry ) {
+    while ( read_a_line ) {
-	    progress_message2 "$doing $fn...";
-	    require_capability( 'NAT_ENABLED' , 'a non-empty nat file', 's' );
-	    $first_entry = 0;
-	}
 
 	my ( $external, $interface, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
 
@@ -425,17 +424,11 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    my $first_entry = 1;
-
     my $fn = open_file 'netmap';
 
-    while ( read_a_line ) {
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
 
-	if ( $first_entry ) {
+    while ( read_a_line ) {
-	    progress_message2 "$doing $fn...";
-	    require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' , 's' );
-	    $first_entry = 0;
-	}
 
 	my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
 

Shorewall-perl/Shorewall/Policy.pm

@@ -24,9 +24,9 @@
 #
 package Shorewall::Policy;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw( :DEFAULT :internal) ;
 use Shorewall::Actions;
 
 use strict;
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -207,15 +207,10 @@ sub validate_policy()
 
     my $fn = open_file 'policy';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 3, 5, 'policy file';
 
 	$loglevel  = '' if $loglevel  eq '-';

Shorewall-perl/Shorewall/Proc.pm

@@ -27,9 +27,8 @@
 #
 package Shorewall::Proc;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
 
 use strict;
 
@@ -42,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.0.1;
+our $VERSION = 4.0.6;
 
 #
 # ARP Filtering

Shorewall-perl/Shorewall/Providers.pm

@@ -25,17 +25,17 @@
 #
 package Shorewall::Providers;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces);
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 use constant { LOCAL_NUMBER   => 255,
 	       MAIN_NUMBER    => 254,
@@ -84,7 +84,6 @@ INIT {
 #
 sub setup_route_marking() {
     my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
-    my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
 
     require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
     require_capability( 'CONNMARK' ,       'the provider \'track\' option' , 's' );
@@ -96,7 +95,7 @@ sub setup_route_marking() {
 
     while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
 	add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	add_rule $chainref, " -i $interface -j MARK $mark_op $mark";
+	add_rule $chainref, " -i $interface -j MARK --set-mark $mark";
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -476,17 +475,12 @@ sub setup_providers() {
 
 	if ( $fn ) {
 
-	    my $first_entry = 0;
+	    first_entry "$doing $fn...";
 	    
 	    emit '';
 
 	    while ( read_a_line ) {
 
-		if ( $first_entry ) {
-		    progress_message2 "$doing $fn...";
-		    $first_entry = 0;
-		}
-
 		my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
 		add_an_rtrule( $source, $dest, $provider , $priority );

Shorewall-perl/Shorewall/Proxyarp.pm

@@ -23,7 +23,7 @@
 #
 package Shorewall::Proxyarp;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 
 use strict;
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.1;
+our $VERSION = 4.0.6;
 
 our @proxyarp;
 

Shorewall-perl/Shorewall/Rules.pm

@@ -24,10 +24,10 @@
 #
 package Shorewall::Rules;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Actions;
 use Shorewall::Policy;
 use Shorewall::Proc;
@@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
 		  dump_rule_chains
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 #
 # Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@@ -98,17 +98,14 @@ sub process_tos() {
 	
 	my ( $pretosref, $outtosref );
 
+	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$pretosref = ensure_chain 'mangle' , $chain;
-		$outtosref = ensure_chain 'mangle' , 'outtos';
-		$first_entry = 0;
-	    }
-
 	    my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
 
+	    $first_entry = 0;
+
 	    fatal_error "A value must be supplied in the TOS column" if $tos eq '-';
 	    
 	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
@@ -166,15 +163,10 @@ sub setup_ecn()
 
     if ( my $fn = open_file 'ecn' ) {
 
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
 
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -229,15 +221,10 @@ sub setup_rfc1918_filteration( $ ) {
 
     my $fn = open_file 'rfc1918';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file';
 
 	my $s_target;
@@ -298,6 +285,8 @@ sub setup_blacklist() {
 
 	    my $first_entry = 1;
 	    
+	    first_entry "$doing $fn...";
+
 	    while ( read_a_line ) {
 
 		if ( $first_entry ) {
@@ -307,7 +296,6 @@ sub setup_blacklist() {
 			last BLACKLIST;
 		    }
 
-		    progress_message2 "$doing $fn...";
 		    $first_entry = 0;
 		}
 
@@ -353,17 +341,12 @@ sub process_criticalhosts() {
 
     my $fn = open_file 'routestopped';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn for critical hosts...";
 
     while ( read_a_line ) {
 
 	my $routeback = 0;
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn for critical hosts...";
-	    $first_entry = 0;
-	}
-
 	my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -399,17 +382,12 @@ sub process_routestopped() {
 
     my $fn = open_file 'routestopped';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
 	my $routeback = 0;
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -724,15 +702,10 @@ sub setup_mac_lists( $ ) {
 
 	my $fn = open_file 'maclist';
 
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ( $disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
 
 	    if ( $disposition eq 'COMMENT' ) {
@@ -937,7 +910,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 
     if ( $actiontype == MACRO ) {
 	#
-	# Will call process_rule1() recursively for each rule in the macro body
+	# process_macro() will call process_rule1() recursively for each rule in the macro body
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 
@@ -975,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
     }
     #
-    # We can now dispense with the postfix characters
+    # We can now dispense with the postfix character
     #
     $action =~ s/[\+\-!]$//;
     #
@@ -992,7 +965,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
     #
     if ( $actiontype & REDIRECT ) {
 	if ( $dest eq '-' ) {
-	    $dest = firewall_zone;
+	    $dest = join( '', firewall_zone, '::' , $ports =~ /[:,]/ ? '' : $ports );
 	} else {
 	    $dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/;
 	}
@@ -1050,6 +1023,11 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	}
     }
 
+    #
+    # For compatibility with older Shorewall versions
+    #
+    $origdest = ALLIPv4 if $origdest eq 'all';
+
     #
     # Take care of chain
     #
@@ -1079,17 +1057,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
     #
     $chainref = ensure_filter_chain $chain, 1;
     #
-    # For compatibility with older Shorewall versions
-    #
-    $origdest = ALLIPv4 if $origdest eq 'all';
-    #
     # Generate Fixed part of the rule
     #
     $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
-	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
+	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "-m state --state $section "
     }
 
@@ -1098,23 +1072,42 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
     #
     if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
-	fatal_error "$target rules not allowed in the $section SECTION"  if $section ne 'NEW';
+	my $randomize = $dest =~ s/:random$// ? '--random ' : '';
+
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
 	# Isolate server port 
 	#
 	if ( $dest =~ /^(.*)(:(.+))$/ ) {
-	    $server = $1;
+	    #
-	    $serverport = validate_portrange $proto, $3;
+	    # Server IP and Port
+	    #
+	    $server = $1;      # May be empty
+	    $serverport = $3;  # Not Empty due to RE 
+	    if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
+		#
+		# Server Port Range
+		#
+		fatal_error "Invalid port range ($serverport)" unless $1 < $2;
+		my @ports = ( $1, $2 );
+		$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
+		( $ports = $serverport ) =~ tr/-/:/;
 	    } else {
+		$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
+	    }
+	} elsif ( $dest eq ':' ) {
+	    #
+	    # Rule with no server IP or port ( zone:: )
+	    #
+	    $server = $serverport = '';
+	} else {
+	    #
+	    # Simple server IP address (may be empty or "-")
+	    #
 	    $server = $dest;
 	    $serverport = '';
 	}
 
-	#
-	# After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below.
-	#
-	my $servport = $serverport ne '' ? $serverport : $ports;
 	#
 	# Generate the target
 	#
@@ -1122,7 +1115,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target = '-j REDIRECT --to-port ' . $servport;
+	    $target  = '-j REDIRECT ';
+	    $target .= "--to-port $serverport " if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIPv4;
 	    } elsif ( $origdest eq 'detect' ) {
@@ -1142,6 +1136,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    if ( $action eq 'SAME' ) {
 		fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
 		fatal_error 'SAME not allowed with SOURCE=$FW'       if $sourcezone eq firewall_zone;
+		fatal_error "':random' is not supported by the SAME target" if $randomize;
+		warning_message 'Netfilter support for SAME is being dropped in early 2008';
 		$target = '-j SAME ';
 		for my $serv ( split /,/, $server ) {
 		    $target .= "--to $serv ";
@@ -1165,6 +1161,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    }
 	}
 
+	$target .= $randomize;
+
 	#
 	# And generate the nat table rule(s)
 	#
@@ -1180,14 +1178,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 		      $serverport ? do_proto( $proto, '', '' ) : '' );
 	#
 	# After NAT:
-	#   - the destination port will be the server port
+	#   - the destination port will be the server port ($ports) -- we did that above
-	#   - the destination IP   will be the server IP
+	#   - the destination IP   will be the server IP   ($dest)
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
 	unless ( $actiontype & NATONLY ) {
-	    $servport =~ tr/-/:/ if $servport ne '-';
+	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
-	    $rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -1348,15 +1345,10 @@ sub process_rules() {
 
     my $fn = open_file 'rules';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file';
 
 	if ( $target eq 'COMMENT' ) {
@@ -1398,7 +1390,7 @@ sub process_rules() {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
 #
 sub generate_matrix() {
     #

Shorewall-perl/Shorewall/Tc.pm

@@ -29,9 +29,9 @@
 #
 package Shorewall::Tc;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Providers;
 
 use strict;
@@ -39,7 +39,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -269,8 +269,6 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 
 	    fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
 		if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS};
-
-	    $target =~ s/set-mark/or-mark/ if numeric_value( $cmd ) > 0xFF && ( $chain eq 'tcpre' || $chain eq 'tcout' );
 	}
     }
 
@@ -408,15 +406,10 @@ sub setup_traffic_shaping() {
     my $fn = open_file 'tcdevices';
 
     if ( $fn ) {
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ( $device, $inband, $outband ) = split_line 3, 3, 'tcdevices';
 
 	    fatal_error "Invalid tcdevices entry" if $outband eq '-';
@@ -427,15 +420,10 @@ sub setup_traffic_shaping() {
     $fn = open_file 'tcclasses';
 
     if ( $fn ) {
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
 
 	    validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
@@ -550,8 +538,6 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    my $first_entry = 1;
-
     if ( $capabilities{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
@@ -595,13 +581,9 @@ sub setup_tc() {
 
     if ( my $fn = open_file 'tcrules' ) {
 
-	while ( read_a_line ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
 
-	    if ( $first_entry ) {
+	while ( read_a_line ) {
-		progress_message2 "$doing $fn...";
-		require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's' );
-		$first_entry = 0;
-	    }
 
 	    my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file';