diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 03f0bc9ee..40d8d654a 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
update_default( 'PAGER', $shorewallrc1{DEFAULT_PAGER} );
update_default( 'LOGFORMAT', 'Shorewall:%s:%s:' );
update_default( 'LOGLIMIT', '' );
+ update_default( 'AUTOMAKE', 'No' );
if ( $family == F_IPV4 ) {
update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 7499b692c..2744c2e7a 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
- my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ my ( $policy, $pactions );
+
+ if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+ ( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+ } else {
+ ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+ }
fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
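Review bot: The new NFQUEUE regex on the `if` line makes the colon separator optional (`(?::?(.*))`), so a malformed policy such as `NFQUEUE(1)REJECT` is silently parsed as policy `NFQUEUE(1)` with `REJECT` as its default action instead of being rejected. Requiring the colon whenever anything follows the closing parenthesis, and anchoring the end, keeps the parse strict: `if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::(.*))?$/ ) {` — a malformed value then falls through to the `split` path, where the unknown policy name is presumably caught by the later validation. That form also leaves `$pactions` undefined when no `:` is present, matching what `split( /:/, $originalpolicy, 2 )` produces, whereas the current regex yields an empty string for `$2`; whether any later `defined`/truth test on `$pactions` cares is not visible here, since process_a_policy1 continues outside the hunk.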
@@ -1604,8 +1610,8 @@ sub merge_levels ($$) {
return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
- my @supparts = split /:/, $superior;
- my @subparts = split /:/, $subordinate;
+ my @supparts = split_list2( $superior , 'Action' );
+ my @subparts = split_list2( $subordinate , 'Action' );
my $subparts = @subparts;
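Review bot: The switch from `split /:/` to `split_list2( ..., 'Action' )` on the two new lines is undocumented, so a reader of merge_levels cannot tell why the plain split was abandoned or what the `'Action'` argument is for. Judging from the NFQUEUE queue-range syntax touched elsewhere in this commit, the intent appears to be that a colon inside parentheses must not be treated as a level separator; if that is right, a comment such as `# parenthesis-aware split: a ':' inside NFQUEUE(x:y) is not a level separator` above the first new line would save the next maintainer a trip into split_list2's definition. If split_list2 also raises on unbalanced parentheses where `split` never did, that is a behaviour change worth a sentence here as well. The rest of merge_levels, including how `$subparts` is consumed, lies outside the hunk.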
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 98d600f32..d5cc8ee60 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -674,15 +674,15 @@
the keyword bypass can be
given. By default, if no userspace program is listening on an
NFQUEUE, then all packets that are to be queued are dropped.
- When this option is used, the NFQUEUE rule is silently
- bypassed instead. The packet will move on to the next rule.
- Also beginning in Shorewall 4.6.10, a second queue number
- (queuenumber2) may be specified.
- This specifies a range of queues to use. Packets are then
- balanced across the given queues. This is useful for multicore
- systems: start multiple instances of the userspace program on
- queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
- the same connection are put into the same nfqueue.
+ When this option is used, the NFQUEUE rule behaves like ACCEPT
+ instead. Also beginning in Shorewall 4.6.10, a second queue
+ number (queuenumber2) may be
+ specified. This specifies a range of queues to use. Packets
+ are then balanced across the given queues. This is useful for
+ multicore systems: start multiple instances of the userspace
+ program on queues x, x+1, .. x+n and use "x:x+n". Packets
+ belonging to the same connection are put into the same
+ nfqueue.
Beginning with Shorewall 5.1.0, queuenumber2 may be
followed by the letter 'c' to indicate that the CPU ID will be
diff --git a/docs/FTP.xml b/docs/FTP.xml
index d2c13d953..55b16eb1e 100644
--- a/docs/FTP.xml
+++ b/docs/FTP.xml
@@ -431,7 +431,7 @@ CT:helper:ftp loc - tcp 21/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DPORT
-DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }the
+DNAT net loc:192.168.1.2:21 tcp 12345 { helper=ftp }
That entry will accept ftp connections on port 12345 from the net
and forward them to host 192.168.1..2 and port 21 in the loc zone.