Merge branch 'bf-typo' into 'master'

Fix path to fail2ban/action.d

See merge request shorewall/code!17

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.6-base
+5.2.8-RC1

Shorewall-core/install.sh

@@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
 
 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+#
+# Install stop_service
+#
+if [ -n "${STOPSERVICEFILE}" ]; then
+    install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
+
+    echo
+    echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
+fi
 
 #
 # Install the libraries

Shorewall-core/lib.cli

@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc1() {
+show_one_classifier() {
+    local class
 
+    qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
+    tc filter show dev $1
+    tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+	if [ -n "$class" ]; then
+	    echo
+	    echo Node $class
+	    tc filter show dev $device parent $class
+	fi
+    done
+    echo
+}
+
+show_classifier1() {
+    local device
+    local qdisc
+
+    device=${1%@*}
+    qdisc=$(tc qdisc list dev $device)
+    if [ -n "$qdisc" ]; then
+	echo Device $device:
+	show_one_classifier $device
+    fi
+}
+
+show_tc1() {
     show_one_tc() {
 	local device
+	local qdisc
+	local ingress
+
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 
@@ -260,6 +289,7 @@ show_tc1() {
 	    echo
 	    tc -s -d class show dev $device
 	    echo
+	    show_one_classifier $device "$qdisc"
 	fi
     }
 
@@ -270,7 +300,6 @@ show_tc1() {
 	    show_one_tc ${interface%:}
 	done
     fi
-
 }
 
 show_tc() {
@@ -291,28 +320,8 @@ show_tc() {
 #
 show_classifiers() {
 
-    show_one_classifier() {
-	local device
-	device=${1%@*}
-	qdisc=$(tc qdisc list dev $device)
-
-	if [ -n "$qdisc" ]; then
-	    echo Device $device:
-	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc filter show dev $device
-	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
-		if [ -n "$class" ]; then
-		    echo
-		    echo Node $class
-		    tc filter show dev $device parent $class
-		fi
-	    done
-	    echo
-	fi
-    }
-
     ip -o link list | while read inx interface details; do
-	show_one_classifier ${interface%:}
+	show_classifier1 ${interface%:}
     done
 
 }
@@ -640,9 +649,9 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -6 -o route list table $table | grep -vF cache | sort_routes
+		ip -6 -o route list table $table 2>/dev/null | grep -vF cache | sort_routes
 	    else
-		ip -4 -o route list table $table | sort_routes
+		ip -4 -o route list table $table 2>/dev/null | sort_routes
 	    fi
 	done
 
@@ -993,30 +1002,11 @@ show_table() {
     $g_tool -t $table -L $g_ipt_options | $output_filter
 }
 
-show_nat() {
-    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t nat -L $g_ipt_options | $output_filter
-}
-
-show_raw() {
-    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t raw -L $g_ipt_options | $output_filter
-}
-
-show_mangle() {
-    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
-    echo
-    show_reset
-    $g_tool -t mangle -L $g_ipt_options | $output_filter
-}
-
 show_classifiers_command() {
     echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
     echo
+    echo "Warning: This command is deprecated in favor of the 'show tc' command"
+    echo
     show_classifiers
 }
 
@@ -1237,7 +1227,7 @@ show_command() {
     local finished
     finished=0
     local table
-    table=filter
+    table=
     local table_given
     table_given=
     local output_filter
@@ -1350,20 +1340,31 @@ show_command() {
 	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
-	nat)
+	filter|nat|raw|mangle)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_nat $g_pager
+
+	    if [ -n "$table_given" ]; then
+		if [ $table != $1 ] ; then
+		    fatal_error "\"$1\" is not allowed when \"-t $table\" is given"
+		fi
+	    else
+		table=$1
+	    fi
+
+	    eval show_table $g_pager
 	    ;;
-	raw)
+	tos)
 	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_raw $g_pager
-	    ;;
-	tos|mangle)
-	    only_root
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    eval show_mangle $g_pager
+
+	    if [ -z "$table_given" ] ; then
+		table=mangle
+	    else
+		[ "$table" = mangle ] || fatal_error "\"show tos\" is only valid in the mangle table"
+	    fi
+
+	    eval show_table $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
@@ -1590,15 +1591,20 @@ show_command() {
 		    return;
                 fi
 
-		[ -n "$table_given" ] || for chain in $*; do
-		    if ! qt $g_tool -t $table -L $chain $g_ipt_options; then
-			error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
-			exit 1
-		    fi
-					 done
+		if [ -z "$table_given" ]; then
+		    table=filter
+
+		    for chain in $*; do
+			if ! qt $g_tool -t $table -L $chain $g_ipt_options; then
+			    error_message "ERROR: Chain '$chain' is not recognized by $g_tool."
+			    exit 1
+			fi
+		    done
+		fi
 
 		eval show_chains $@ $g_pager
 	    else
+		[ -n "$table_given" ] || table=filter
 		eval show_table $g_pager
 	    fi
 	    ;;
@@ -1904,8 +1910,6 @@ do_dump_command() {
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
 	show_tc1
-	heading "TC Filters"
-	show_classifiers
 	fi
 }
 
@@ -3596,7 +3600,7 @@ status_command() {
 
     [ $# -eq 0 ] || missing_argument
 
-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
     [ -n "$interfaces" ] && show_interfaces
     exit $status
@@ -4010,9 +4014,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
     local config
     local lib
 
@@ -4161,7 +4171,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -4174,10 +4184,22 @@ get_config() {
     [ -f $lib ] && . $lib
 
 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
     local finished
     finished=0
 
@@ -4264,10 +4286,21 @@ start_command() {
     do_it
 }
 
+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
     local finished
     finished=0
     local rc
@@ -4336,6 +4369,17 @@ restart_command() {
     return $rc
 }
 
+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
     if [ -x $g_firewall ] ; then
 	run_it $g_firewall $@
@@ -4439,12 +4483,11 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] {classifiers|filters)"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
     echo "   [ show | list | ls ] event [ <event> ...]"
     echo "   [ show | list | ls ] events"
-    echo "   [ show | list | ls ] filters"
     echo "   [ show | list | ls ] ip"
 
     if [ $g_family -eq 4 ]; then
@@ -4705,7 +4748,7 @@ shorewall_cli() {
 	exit 1
     fi
 
-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
 
     COMMAND=$1
 
@@ -4795,7 +4838,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)

Shorewall-core/lib.common

@@ -639,7 +639,7 @@ find_first_interface_address_if_any() # $1 = interface
 #Determines if the passed interface is a loopback interface
 #
 loopback_interface() { #$1 = Interface name
-    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
+    [ "$1" = lo ] || $IP link show $1 2>/dev/null | fgrep -q LOOPBACK
 }
 
 #

Shorewall-core/manpages/shorewall.xml

@@ -981,7 +981,22 @@
               <td><command>shorewall -6</command> or <command>shorewall
               -6l</command></td>
             </tr>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall -l</command></td>
+            </tr>
           </table>
+
+          <para>Note that when Shorewall isn't installed, the 'shorewall'
+          command behaves like shorewall-lite. The same is not true with
+          respect to Shorewall6, "shorewall6" and 'shorewall6-lite". You can
+          make 'shorewall6' behave like 'shorewallt-lite' by adding the
+          following command to root's .profile file (or to .bashrc, if root's
+          shell is bash):</para>
+
+          <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
         </listitem>
       </varlistentry>
 
@@ -2458,8 +2473,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis>
-              [-<option>x</option>]</term>
+              <term><emphasis role="bold">[-<option>x</option>]
+              bl|blacklists</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -2527,7 +2542,9 @@
               <listitem>
                 <para>Displays information about the packet classifiers
                 defined on the system as a result of traffic shaping
-                configuration.</para>
+                configuration. Beginning with Shorewall 5.2.8, this command is
+                deprecated, as its output is included in the information
+                displayed by the 'show tc' command.</para>
               </listitem>
             </varlistentry>
 
@@ -2904,9 +2921,9 @@
           listed in <ulink
           url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
-          new traffic permitted through the firewall is from systems listed in
-          <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>, are taken
+          down. The only new traffic permitted through the firewall is from
+          systems listed in <ulink
           url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
         </listitem>

Shorewall-core/shorewallrc.debian.systemd

@@ -22,3 +22,4 @@ SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
+STOPSERVICEFILE=stop_service.debian	#Name of script to stop systemd service that honours `SAFESTOP`.

Shorewall-core/stop_service.debian

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+PRODUCT=$1
+
+. /etc/default/${PRODUCT}
+
+if [ "$SAFESTOP" = 1 ]; then
+  COMMAND=stop
+else
+  COMMAND=clear
+fi
+
+if [ "${PRODUCT}" = shorewall6 ]; then
+  EXEC="/sbin/shorewall -6"
+else
+  EXEC="/sbin/${PRODUCT}"
+fi
+
+exec ${EXEC} ${OPTIONS} ${COMMAND}

Shorewall-core/uninstall.sh

@@ -134,6 +134,7 @@ fi
 
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall
 
 #
 # Report Success

Shorewall-init/shorewall-init.service

@@ -12,7 +12,6 @@ Wants=network-pre.target
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 

Shorewall-init/shorewall-init.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
+Documentation=man:shorewall-init(8)
 Before=network.target
 
 [Service]

Shorewall-lite/init.debian.sh

@@ -13,8 +13,8 @@
 
 . /lib/lsb/init-functions
 
-SRWL='/sbin/shorewall -l'
-SRWL_OPTS="-tvv"
+SRWL=/sbin/shorewall
+SRWL_OPTS="-ltvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

Shorewall-lite/shorewall-lite.service

@@ -13,7 +13,6 @@ Conflicts=iptables.service firewalld.service
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 

Shorewall-lite/shorewall-lite.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
+Documentation=man:shorewall-lite(8)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
@@ -16,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall-lite
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/Actions/action.AllowICMPs

@@ -20,22 +20,23 @@ DEFAULTS ACCEPT
 
 # The following should have a ttl of 255 and must be allowed to transit a bridge
     @1	-		-	ipv6-icmp	router-solicitation
-    @1	-		-	ipv6-icmp	router-advertisement
     @1	-		-	ipv6-icmp	neighbour-solicitation
     @1	-		-	ipv6-icmp	neighbour-advertisement
-    @1	-		-	ipv6-icmp	137	# Redirect
     @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
     @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
 
-# The following should have a link local source address and must be allowed to transit a bridge
+# The following must have a link local source address and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	130	# Listener query
     @1	fe80::/10	-	ipv6-icmp	131	# Listener report
     @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	router-advertisement
+    @1	::		-	ipv6-icmp	143	# Listener report v2
     @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
 
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
-    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+    @1	::		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	fe80::/10	-	ipv6-icmp	148	# Certificate path solicitation
+    @1	fe80::/10	-	ipv6-icmp	149	# Certificate path advertisement
 
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement

Shorewall/Macros/macro.NFS

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd

Shorewall/Macros/macro.TorMetrics

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorMetrics
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9035	

Shorewall/Perl/Shorewall/Chains.pm

@@ -186,6 +186,9 @@ our %EXPORT_TAGS = (
 				       use_forward_chain
 				       input_chain
 				       input_option_chain
+				       nodbl_src_chain
+				       nodbl_dst_chain
+				       nodbl_classic_chain
 				       zone_input_chain
 				       use_interface_chain
 				       output_chain
@@ -696,7 +699,7 @@ use constant { UNIQUE      => 1,       # Simple header matches - only allowed on
 	       TARGET      => 2,       # Rule target or its options
 	       EXCLUSIVE   => 4,       # 'state' or 'conntrack --ctstate'
 	       MATCH       => 8,       # Currently means 'policy ...'
-	       CONTROL     => 16,      # Unsed internally by the compiler - does not contribute to the iptables rule
+	       CONTROL     => 16,      # Used internally by the compiler - does not contribute to the iptables rule
 	       COMPLEX     => 32,      # Currently means 'contrack --cstate'
 	       NFACCT      => 64,      # nfacct match
 	       EXPENSIVE   => 128,     # Has high match-processing cost in the kernel
@@ -1000,7 +1003,7 @@ sub validate_port_list( $$ ) {
 #
 # Example:
 #
-#       DB<3> @foo = Shorewall::IPAddrs::expand_port_range( 6, '110:' ); print "@foo\n"
+#       DB<3> @foo = Shorewall::Chains::expand_port_range( 6, '110:' ); print "@foo\n"
 #       006e fffe 0070 fff0 0080 ff80 0100 ff00 0200 fe00 0400 fc00 0800 f800 1000 f000 2000 e000 4000 c000 8000 8000
 #
 sub expand_port_range( $$ ) {
@@ -2438,6 +2441,30 @@ sub output_option_chain($) {
     ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
 }
 
+#
+# Blacklist Source Exclusion Chain for an interface
+#
+sub nodbl_src_chain($) {
+    my $interface = shift;
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_nobl';
+}
+
+#
+# Blacklist Destination Exclusion Chain for an interface
+#
+sub nodbl_dst_chain($) {
+    my $interface = shift;
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ndbl';
+}
+
+#
+# Blacklist Destination Exclusion Chain for an interface
+#
+sub nodbl_classic_chain($) {
+    my $interface = shift;
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ncbl';
+}
+
 #
 # Forward Option Chain for an interface
 #
@@ -7478,9 +7505,9 @@ sub have_address_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $$$ ) {
 
-    my ( $setall, $conditional ) = @_;
+    my ( $setall, $conditional, $call_generate_all_acasts ) = @_;
 
     if ( $conditional ) {
 	my ( $interface, @interfaces );
@@ -7513,16 +7540,17 @@ sub set_global_variables( $$ ) {
     }
 
     if ( $setall ) {
-	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	if ( $conditional ) {
+	    emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	    emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	}
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
-
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
 		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
-		emit 'ALL_ACASTS="$(get_all_acasts)"';
+		emit $call_generate_all_acasts;
 		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
@@ -8891,10 +8919,10 @@ sub ensure_ipsets( @ ) {
     my $set;
     my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
-    if ( $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET_NAME} ) {
 	shift;
 
-	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
+	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET_NAME}; then));
 
 	push_indent;
 
@@ -8902,12 +8930,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET_NAME}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET_NAME} hash:net family inet6 timeout 0${counters}) );
 	}
 
 	pop_indent;
@@ -9130,7 +9158,7 @@ sub create_load_ipsets() {
 	if ( $config{SAVE_IPSETS} || @{$globals{SAVED_IPSETS}} ) {
 	    emit( '    if [ -f ${VARDIR}/ipsets.save ]; then' );
 
-	    if ( my $set = $globals{DBL_IPSET} ) {
+	    if ( my $set = $globals{DBL_IPSET_NAME} ) {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',

Shorewall/Perl/Shorewall/Compiler.pm

@@ -276,12 +276,18 @@ sub generate_script_2() {
 
     emit "}\n"; # End of initialize()
 
+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);
 
     my $global_variables    = have_global_variables;
     my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -312,7 +318,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }
 
@@ -326,7 +332,7 @@ sub generate_script_2() {
 	}
 
 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -313,6 +313,16 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_ALL
+
+				       DBL_NONE
+				       DBL_SRC
+				       DBL_DST
+				       DBL_SRC_DST
+				       DBL_IPSET
+				       DBL_CLASSIC
+				       DBL_DISCONNECT
+				       DBL_LOG
+				       DBL_NOUPDATE
 				     ) , ] ,
 		   protocols => [ qw (
 				       TCP
@@ -822,6 +832,19 @@ our %filecache;
 our $compiletime;
 
 our $test;
+#
+# Dynamic blacklisting values
+#
+use constant { DBL_NONE       => 0,
+	       DBL_SRC        => 1,
+	       DBL_DST        => 2,
+	       DBL_SRC_DST    => 3,
+	       DBL_CLASSIC    => 4,
+	       DBL_IPSET      => 8,
+	       DBL_DISCONNECT => 16,
+	       DBL_LOG        => 32,
+	       DBL_NOUPDATE   => 64
+             };
 
 sub process_shorewallrc($$);
 sub add_variables( \% );
@@ -884,7 +907,7 @@ sub initialize($;$$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.7-Beta1',
+		    VERSION                 => '5.2.9-Beta1',
 		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -894,8 +917,11 @@ sub initialize($;$$$$) {
 		    RPFILTER_LOG_TAG        => '',
 		    INVALID_LOG_TAG         => '',
 		    UNTRACKED_LOG_TAG       => '',
-		    DBL_IPSET               => '',
+		    DBL                     => DBL_NONE,
+		    DBL_IPSET_NAME          => '',
 		    DBL_TIMEOUT             => 0,
+		    DBL_TAG                 => '',
+		    DBL_LEVEL               => '',
 		    POSTROUTING             => 'POSTROUTING',
 		  );
     #
@@ -1067,7 +1093,7 @@ sub initialize($;$$$$) {
 	);
 
     #
-    # Line numbers in shorewall6.conf where options are specified
+    # Line numbers in shorewall[6].conf where options are specified
     #
     %origin = ();
     #
@@ -1507,7 +1533,7 @@ sub qt1( $ ) {
 }
 
 #
-# Delete the test chains
+# Delete the test chains and IP sets
 #
 sub cleanup_iptables() {
     qt1( "$iptables $iptablesw -F $sillyname" );
@@ -1530,6 +1556,12 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
     }
 
+    my $ipset  = $config{IPSET} || 'ipset';
+    $ipset = which( $ipset ) unless $ipset =~ '/';
+    if ( $ipset && -x $ipset ) {
+	qt( "$ipset -X $sillyname" );
+    }
+
     $sillyname = $sillyname1 = '';
 }
 
@@ -1574,7 +1606,7 @@ sub cleanup() {
     unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
     unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
     #
-    # Delete temporary chains
+    # Delete temporary chains and IP sets
     #
     cleanup_iptables if $sillyname;
 }
@@ -5322,7 +5354,7 @@ sub determine_capabilities() {
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
 	unless
 	    qt1( "$iptables $iptablesw -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
-	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
+	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
 }
@@ -5683,6 +5715,11 @@ sub process_shorewall_conf( $$ ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
 	$globals{CONFIGDIR} =~ s/$product.conf//;
 
+	if ( $export ) {
+	    use Sys::Hostname;
+	    $globals{CONFIGDIR} = join( ':', hostname, $globals{CONFIGDIR} );
+	}
+
 	if ( -r _ ) {
 	    open_file $file;
 
@@ -5737,7 +5774,7 @@ sub process_shorewall_conf( $$ ) {
     # Now update the config file if asked
     #
     if ( $update ) {
-	update_config_file( $annotate ); 
+	update_config_file( $annotate );
 	#
 	# Config file update requires that the option values not have
 	# Shell variables expanded. We do that now.
@@ -5811,9 +5848,10 @@ sub get_capabilities($)
 	fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
     }
     #
-    # Determine if iptables supports the -w option
+    # Determine if iptables supports the -w option unless we already have
+    # existing capabilities
     #
-    $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+    $iptablesw = qt1( "$iptables -w -n -L INPUT") ? '-w' : '' unless $_[0];
 
     my $iptables_restore=$iptables . '-restore';
 
@@ -6707,26 +6745,38 @@ sub get_configuration( $$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
+	    my $setting = DBL_IPSET;
+
+	    $setting |= DBL_SRC;
+	    $setting |= DBL_CLASSIC unless ( $val =~ /^ipset-only/ );
+	    $setting |= DBL_DST     if     ( $val =~ /,(src-)?dst[,:]/ );
+
+	    my %simple_options = ( 'src-dst'    => DBL_SRC_DST,
+				   'disconnect' => DBL_DISCONNECT,
+				   'log'        => DBL_LOG,
+				   'noupdate'   => DBL_NOUPDATE,
+		);
 
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
 	    ( $key , my @options ) = split_list( $key, 'option' );
 
-	    my $options = '';
-
 	    for ( @options ) {
-		if ( $simple_options{$_} ) {
-		    $options = join( ',' , $options, $_ );
-		} elsif ( $_ =~ s/^timeout=(\d+)$// ) {
+		my $tmp;
+
+		if ( $_ =~ s/^timeout=(\d+)$// ) {
 		    $globals{DBL_TIMEOUT} = $1;
+		} elsif ( $tmp = $simple_options {$_} ) {
+		    $setting |= $tmp;
 		} else {
-		    fatal_error "Invalid ipset option ($_)";
+		    if ( $_ =~ /^timeout=(.+)/ ) {
+			fatal_error( "Invalid Timeout ($1)" )
+		    } else {
+			fatal_error "Invalid ipset option ($_)";
+		    }
 		}
 	    }
 
-	    $globals{DBL_OPTIONS} = $options;
-
 	    fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?$/ || defined $rest;
 
 	    if ( supplied( $set ) ) {
@@ -6735,7 +6785,7 @@ sub get_configuration( $$$ ) {
 		$set = 'SW_DBL' . $family;
 	    }
 
-	    add_ipset( $globals{DBL_IPSET} = $set );
+	    add_ipset( $globals{DBL_IPSET_NAME} = $set );
 	    
 	    $level = validate_level( $level );
 
@@ -6748,11 +6798,16 @@ sub get_configuration( $$$ ) {
 	    $variables{SW_DBL_IPSET}   = $set;
 	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
 
+	    $globals{DBL}       = $setting;
+	    $globals{DBL_LEVEL} = $level;
+	    $globals{DBL_TAG}   = $tag;
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
+	    $globals{DBL} = $config{DYNAMIC_BLACKLIST} ? DBL_CLASSIC : DBL_NONE;
 	}
     } else {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
+	$globals{DBL} = $config{DYNAMIC_BLACKLIST} ? DBL_CLASSIC : DBL_NONE;
     }
 
     add_variables( %variables );

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -149,14 +149,13 @@ sub validate_4address( $$ ) {
 
     unless ( valid_4address $addr ) {
 	fatal_error "Invalid IP Address ($addr)" unless $allow_name;
-	fatal_error "Unknown Host ($addr)" unless  @addrs = gethostbyname( $addr );
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
+	    family => Socket::AF_INET,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;
 
-	if ( defined wantarray ) {
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = ( inet_ntoa( $_ ) );
-	    }
-	}
+	@addrs = translate_addr_structs( @addr_structs );
     }
 
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@@ -164,14 +163,14 @@ sub validate_4address( $$ ) {
 
 sub resolve_4dnsname( $ ) {
     my $net = $_[0];
-    my @addrs;
 
-    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
+	family => Socket::AF_INET,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;
 
-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = ( inet_ntoa( $_ ) );
-    }
+    my @addrs = translate_addr_structs( @addr_structs );
 
     @addrs;
 } 
@@ -508,15 +507,13 @@ sub validate_6address( $$ ) {
 
     unless ( valid_6address $addr ) {
 	fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
-	require Socket6;
-	fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
+	    family => Socket::AF_INET6,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;
 
-	if ( defined wantarray ) {
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-	    }
-	}
+	@addrs = translate_addr_structs( @addr_structs );
     }
 
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@@ -524,15 +521,14 @@ sub validate_6address( $$ ) {
 
 sub resolve_6dnsname( $ ) {
     my $net = $_[0];
-    my @addrs;
     
-    require Socket6;
-    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
+	family => Socket::AF_INET6,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;
 
-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-    }
+    my @addrs = translate_addr_structs( @addr_structs );
 
     @addrs;
 }
@@ -661,6 +657,19 @@ sub validate_6host( $$ ) {
     }
 }
 
+sub translate_addr_structs {
+    my @addr_structs = @_;
+
+    my @addrs;
+    foreach my $addr_struct ( @addr_structs ) {
+	my ( $err, $ip_addr ) = Socket::getnameinfo( $addr_struct->{addr},
+	    Socket::NI_NUMERICHOST, Socket::NIx_NOSERV );
+        push @addrs, $ip_addr if $err == 0;
+    }
+
+    return @addrs;
+}
+
 my %ipv6_icmp_types = ( any                          => 'any',
 			'destination-unreachable'    => 1,
 			'no-route'                   => '1/0',

Shorewall/Perl/Shorewall/Misc.pm

@@ -733,9 +733,9 @@ sub add_common_rules ( $ ) {
     my $dbl_ipset;
     my $dbl_level;
     my $dbl_tag;
+    my $dbl_timeout;
     my $dbl_src_target;
     my $dbl_dst_target;
-    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -785,20 +785,25 @@ sub add_common_rules ( $ ) {
     #
     create_docker_rules if $config{DOCKER};
 
-    if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
-	( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
-
-	unless ( $dbl_type =~ /^ipset-only/ ) {
+    if ( my $dbl = $globals{DBL} ) {
+	if ( $dbl & DBL_CLASSIC ) {
+	    #
+	    # Classic chain-based backlisting
+	    #
 	    add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);
 	    add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
 	    $dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	    add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
 	}
 
-	if ( $dbl_ipset ) {
-	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_options    = $globals{DBL_OPTIONS};
-		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+	if ( $dbl & DBL_IPSET ) {
+	    #
+	    # ipset-based blacklisting - not mutually exclusive with the classic type
+	    #
+	    ( $dbl_ipset, $dbl_level, $dbl_tag , $dbl_timeout) = ( $globals{DBL_IPSET_NAME}, $globals{DBL_LEVEL}, $globals{DBL_TAG}, $globals{DBL_TIMEOUT} );
+
+	    if ( $dbl_timeout ) {
+		$dbl_src_target = ( ($dbl & DBL_SRC_DST) == DBL_SRC_DST ) ? 'dbl_src' : 'dbl_log';
 
 		my $chainref = new_standard_chain( $dbl_src_target );
 
@@ -811,7 +816,7 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $globals{DBL_TIMEOUT}", $origin{DYNAMIC_BLACKLIST} ) unless $dbl & DBL_NOUPDATE;;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
@@ -826,7 +831,7 @@ sub add_common_rules ( $ ) {
 				    'add',
 				    '',
 				    $origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		    add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset dst --exist --timeout $globals{DBL_TIMEOUT}", $origin{DYNAMIC_BLACKLIST} );
 		    add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		} else {
 		    $dbl_dst_target = $dbl_src_target;
@@ -856,12 +861,13 @@ sub add_common_rules ( $ ) {
 	add_ijump_extended( $filter_table->{OUTPUT} , j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )
     }
 
-    my $policy   = $config{SFILTER_DISPOSITION};
-    $level       = $config{SFILTER_LOG_LEVEL};
-    $tag         = $config{SFILTER_LOG_TAG};
-    my $audit    = $policy =~ s/^A_//;
-    my @ipsec    = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
-    my $origin   = $origin{SFILTER_DISPOSITION};
+    my $policy     = $config{SFILTER_DISPOSITION};
+    $level         = $config{SFILTER_LOG_LEVEL};
+    $tag           = $config{SFILTER_LOG_TAG};
+    my $audit      = $policy =~ s/^A_//;
+    my $have_ipsec = have_ipsec;
+    my @ipsec      = $have_ipsec ? ( policy => '--pol none --dir in' ) : ();
+    my $origin     = $origin{SFILTER_DISPOSITION};
 
     if ( $level || $audit ) {
 	#
@@ -919,7 +925,9 @@ sub add_common_rules ( $ ) {
 	#
 	$target1 = $target;
     }
-
+    #
+    # Interface-specific processing
+    #
     for $interface ( all_real_interfaces ) {
 	ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
 	    for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
@@ -927,6 +935,9 @@ sub add_common_rules ( $ ) {
 	my $interfaceref = find_interface $interface;
 
 	unless ( $interfaceref->{physical} eq loopback_interface ) {
+	    #
+	    # sfilter
+	    #
 	    unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
 
 		my @filters = @{$interfaceref->{filter}};
@@ -950,36 +961,180 @@ sub add_common_rules ( $ ) {
 		    add_ijump_extended( $chainref , g => $target, $origin, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		}
 	    }
+	    #
+	    # Dynamic Blacklisting
+	    #
+	    my ( $input_option_chainref,
+		 $forward_option_chainref,
+		 $output_option_chainref,
+		 $classic_target_chain,
+		)
+	    =
+		(  $filter_table->{input_option_chain($interface)},
+		   $filter_table->{forward_option_chain($interface)},
+		   $filter_table->{output_option_chain($interface)},
+		   $dynamicref,
+		);
 
-	    if ( $dbl_ipset && ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) ne '0:0' ) ) {
+	    if ( ( my $setting = get_interface_option( $interface, 'dbl' ) ) != DBL_NONE ) {
+		#
+		# Dynamic blacklisting
+		#
 
-		my ( $in, $out ) = split /:/, $setting;
+		#
+		# Generate a rule to match the DBL ipset - called when there is no exclusion
+		#
+		sub add_ipset_dbl_ijump( $$$@) {
+		    my ( $chainref, $target, $ipset_dir )  = ( shift, shift, shift );
 
-		if ( $in  == 1 ) {
-		    #
-		    # src
-		    #
-		    add_ijump_extended( $filter_table->{input_option_chain($interface)},   j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_src_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
-		} elsif ( $in == 2 ) {
-		    add_ijump_extended( $filter_table->{forward_option_chain($interface)}, j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    add_ijump_extended( $chainref, j => $target, $origin{DYNAMIC_BLACKLIST}, @_, "set --match-set" => $ipset_dir );
 		}
 
-		if ( $out == 2 ) {
+		#
+		# Add a simple exclusion rule - called when there is more than one excluded subnet. Excluded subnets cause the
+		# current chain to be exited. 
+		#
+		sub add_host_exclusion_ijump( $$$@ ) {
+		    my ( $chainref, $hostref, $src ) = ( shift, shift, shift );
+
+		    my $nets       = $hostref->{hosts};
+		    my $origin     = $hostref->{origin};
+
+		    for my $net ( @$nets ) {
+			if ( $src ) {
+			    add_ijump_extended( $chainref , j => 'RETURN', $origin, imatch_source_net( $net ), @_ )
+			} else {
+			    add_ijump_extended( $chainref , j => 'RETURN', $origin, imatch_dest_net( $net ),   @_ );
+			}
+		    }
+		}
+
+		#
+		# This one is called when there is a single excluded network. The generated rule tests against the DBL ipset
+		# unless the source or destination address matches the set
+		#
+		sub add_dbl_exclusion_ijump( $$$$@ ) {
+		    my ( $chainref, $dest, $hostref, $ipset, $src ) = ( shift, shift, shift, shift, shift );
+
+		    my $nets       = $hostref->{hosts};
+		    my $origin     = $hostref->{origin};
+
+		    for my $net ( @$nets ) {
+			if ( $src ) {
+			    add_ijump_extended( $chainref , j => $dest, $origin, imatch_source_net( "!$net" ), @_, "set --match-set" => "$ipset src" );
+			} else {
+			    add_ijump_extended( $chainref , j => $dest, $origin, imatch_dest_net( "!$net" ),   @_, "set --match-set" => "$ipset dst" );
+			}
+		    }
+		}
+
+		my @nodbl = @{$interfaceref->{nodbl}};
+
+		my @in_policy  = $have_ipsec ? ( policy => "--pol none --dir in" )  : ();
+		my @out_policy = $have_ipsec ? ( policy => "--pol none --dir out" ) : ();
+
+		if ( @nodbl ) {
 		    #
-		    # dst
+		    # We have blacklisting exclusions defined in the hosts file
 		    #
-		    add_ijump_extended( $filter_table->{output_option_chain($interface)},  j => $dbl_dst_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" );
+		    my $hostref = $nodbl[0];
+
+		    if ( @nodbl > 1 || @{$hostref->{hosts}} > 1 ) {
+			#
+			# Complex case - we need to create an intermediate chain
+			#
+			$chainref = new_standard_chain( nodbl_src_chain( $interface ));
+
+			for $hostref (@nodbl) {
+			    add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 1 );
+			}
+
+			add_ijump( $input_option_chainref,   j => $chainref->{name} , @in_policy );
+			add_ijump( $forward_option_chainref, j => $chainref->{name} , @in_policy );
+
+			$input_option_chainref = $forward_option_chainref = $chainref;
+
+			if ( $dbl_src_target ne $dbl_dst_target ) {
+			    $chainref = new_standard_chain( nodbl_dst_chain( $interface ));
+
+			    for $hostref (@nodbl) {
+				add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 0 );
+			    }
+
+			    add_ijump( $forward_option_chainref, j => $chainref->{name} , @out_policy );
+			    add_ijump( $output_option_chainref,  j => $chainref->{name},  @out_policy );
+
+			    $output_option_chainref = $chainref, 
+			}
+
+			@in_policy = @out_policy = ();
+
+		    } elsif ( $dbl_ipset ) {
+			#
+			# Easy case
+			#
+			if ( $setting & DBL_SRC ) {
+			    add_dbl_exclusion_ijump( $input_option_chainref,   $dbl_src_target, $hostref, $dbl_ipset, 1, @state , @in_policy );
+			    add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_src_target, $hostref, $dbl_ipset, 1, @state , @in_policy );
+			}
+
+			if ( $setting & DBL_DST ) {
+			    add_dbl_exclusion_ijump( $forward_option_chainref, $dbl_dst_target, $hostref, $dbl_ipset, 0, @state, @out_policy );
+			    add_dbl_exclusion_ijump( $output_option_chainref,  $dbl_dst_target, $hostref, $dbl_ipset, 0, @state, @out_policy );
+			}
+
+			$dbl_ipset = ''; # All ipset jumps have been added
+		    }
+
+		    if ( $setting & DBL_CLASSIC ) {
+			$chainref = new_standard_chain( nodbl_classic_chain( $interface ));
+
+			for my $hostref (@nodbl) {
+			    add_host_exclusion_ijump( $chainref, 'RETURN', $hostref, 1 );
+			}
+
+			add_ijump( $chainref, j => $dynamicref->{name} );
+
+			$classic_target_chain = $chainref;
+		    }
+
+		}
+
+		if ( $dbl_ipset ) {
+			if ( $setting & DBL_SRC) {
+			    #
+			    # src or src-dst
+			    #
+			    add_ipset_dbl_ijump( $input_option_chainref,   $dbl_src_target, "$dbl_ipset src", @state, @in_policy );
+			    add_ipset_dbl_ijump( $forward_option_chainref, $dbl_src_target, "$dbl_ipset src", @state, @in_policy);
+			}
+
+			if ( $setting & DBL_DST ) {
+			    #
+			    # src-dst
+			    #
+			    add_ipset_dbl_ijump( $forward_option_chainref, $dbl_dst_target, "$dbl_ipset dst", @state, @out_policy );
+			    add_ipset_dbl_ijump( $output_option_chainref,  $dbl_dst_target, "$dbl_ipset dst", @state, @out_policy );
+			}
+		    }
+
+		if ( $setting & DBL_CLASSIC ) {
+		    add_ijump_extended( $input_option_chainref,   j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state, @in_policy );
+		    add_ijump_extended( $forward_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state, @in_policy );
+		}
+
+	    } # Dynamic Blacklisting
+	    #
+	    # Finish FASTACCEPT
+	    #
+	    if ( $config{FASTACCEPT} ) {
+		for ( option_chains( $interface ) ) {
+		    add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '';
 		}
 	    }
-	    
-	    for ( option_chains( $interface ) ) {
-		add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref && ( get_interface_option( $interface, 'dbl' ) ne '0:0' );
-		add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT',    $origin{FASTACCEPT},        state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
-	    }
-	}
-    }
 
+	} #Not loopback interface
+    } # Interface Loop
     #
     # Delete 'sfilter' chains unless there are referenced to them
     #
@@ -988,7 +1143,9 @@ sub add_common_rules ( $ ) {
 	    $chainref->{referenced} = 0 unless keys %{$chainref->{references}};
 	}
     }
-
+    #
+    # rfilter
+    #
     $list = find_interfaces_by_option('rpfilter');
 
     if ( @$list ) {
@@ -1058,7 +1215,9 @@ sub add_common_rules ( $ ) {
     } elsif ( -f ( my $fn = find_file 'blacklist' ) ) {
 	warning_message "The blacklist file is no longer supported -- use '$product update' to convert $fn to the equivalent blrules file";
     }
-
+    #
+    # Smurfs
+    #
     $list = find_hosts_by_option 'nosmurfs';
 
     if ( @$list ) {
@@ -1123,7 +1282,7 @@ sub add_common_rules ( $ ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my $net        = $hostref->[2];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && $have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my $origin     = $hostref->[5];
 
@@ -1132,7 +1291,9 @@ sub add_common_rules ( $ ) {
 	    }
 	}
     }
-
+    #
+    # DHCP
+    #
     $list = find_interfaces_by_option 'dhcp';
 
     if ( @$list ) {
@@ -1165,7 +1326,9 @@ sub add_common_rules ( $ ) {
 	    }
 	}
     }
-
+    #
+    # tcpflags
+    #
     $list = find_hosts_by_option 'tcpflags';
 
     if ( @$list ) {
@@ -1227,7 +1390,7 @@ sub add_common_rules ( $ ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && $have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $origin     = $hostref->[5];
 
 	    for $chain ( option_chains $interface ) {
@@ -1237,7 +1400,9 @@ sub add_common_rules ( $ ) {
     }
 
     my $announced = 0;
-
+    #
+    # upnp
+    #
     $list = find_interfaces_by_option 'upnp';
 
     if ( @$list ) {
@@ -1261,7 +1426,9 @@ sub add_common_rules ( $ ) {
 	    add_ijump_extended $nat_table->{$globals{POSTROUTING}} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	}
     }
-
+    #
+    # upnp client
+    #
     $list = find_interfaces_by_option 'upnpclient';
 
     if ( @$list ) {
@@ -2801,6 +2968,7 @@ EOF
     emit '
     rm -f ${VARDIR}/*.address
     rm -f ${VARDIR}/*.gateway
+    rm -f ${VARDIR}/*.status
 
     run_stopped_exit';
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -1553,6 +1553,15 @@ sub start_providers() {
 
     unless ( $config{KEEP_RT_TABLES} ) {
 	emit( "\n#\n# Update the routing table database\n#",
+	      'if ! [ -d /etc/iproute2 ] ; then',
+	      '    mkdir /etc/iproute2 2> /dev/null',
+	      'fi',
+	      '',
+	      'if ! [ -f /etc/iproute2/rt_tables ]; then',
+	      '    cp /usr/share/iproute2/rt_tables /etc/iproute2/ 2> /dev/null',
+	      '    chmod 644 /etc/iproute2/rt_tables 2> /dev/null',
+	      'fi',
+	      '',
 	      'if [ -w /etc/iproute2/rt_tables ]; then',
 	      '    cat > /etc/iproute2/rt_tables <<EOF' );
 
@@ -1865,6 +1874,8 @@ EOF
 	    emit( "        stop_$providerref->{what}_$provider",
 		  '    elif [ -z "$2" ]; then',
 		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		  "    else",
+		  "        echo 1 > \${VARDIR}/$providerref->{physical}.status",
 		  '    fi',
 		  '    ;;'
 		);

Shorewall/Perl/Shorewall/Rules.pm

@@ -748,7 +748,7 @@ sub process_a_policy1($$$$$$$) {
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
     } elsif ( $policy eq 'BLACKLIST' ) {
-	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
+	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $globals{DBL} & DBL_IPSET;
     }
 
     unless ( $clientwild || $serverwild ) {
@@ -1078,12 +1078,10 @@ sub add_policy_rules( $$$$$ ) {
 	assert( $target );
 
 	if ( $target eq 'BLACKLIST' ) {
-	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
-
 	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
-		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
+		add_ijump( $chainref, j => "SET --add-set $globals{DBL_IPSET_NAME} src --exist --timeout $globals{DBL_TIMEOUT}" );
 	    } else {
-		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
+		add_ijump( $chainref, j => "SET --add-set $globals{DBL_IPSET_NAME} src --exist" );
 	    }
 
 	    $target = 'DROP';

Shorewall/Perl/Shorewall/Tc.pm

@@ -72,6 +72,9 @@ our %flow_keys = ( 'src'            => 1,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
+#                              flow          => Comma-separated flow tupple
+#                              classify      => 0|1
+#                              pfifo         => 0|1
 #                              tablenumber   => <next u32 table to be allocated for this device>
 #                              default       => <default class mark value>
 #                              redirected    => [ <dev1>, <dev2>, ... ]
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src'            => 1,
 #                              qdisc         => htb|hfsc
 #                              guarantee     => <total RATE of classes seen so far>
 #                              name          => <interface>
+#                              filters       => [ filter, ... ]
+#                              linklayer     => <type> (optional)
+#                              overhead      => <number>
+#                              mtu           => <number>
+#                              tsize         => <number>
+#                              filterpri     => <number> (initially 0)
+#                              connmark      => 0|1
 #                                               }
 #
 our @tcdevices;
@@ -139,12 +149,14 @@ sub initialize( $ ) {
 sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
-    return 0           if $rate eq '-';
-    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
-    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
-    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
-    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
-    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
+    return 0              if $rate eq '-';
+    return $1             if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
+    return $1 * 1000      if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
+    return $1 * 1000000   if $rate =~ /^((\d+)(\.\d+)?)gbit$/i;
+    return $1 * 8000000   if $rate =~ /^((\d+)(\.\d+)?)gbps$/i;
+    return $1 * 8000      if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
+    return $1 * 8         if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
+    return ($1/125)       if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
     fatal_error "Invalid Rate ($rate)";
 }
 
@@ -202,7 +214,7 @@ sub process_in_bandwidth( $ ) {
     } else {
 	if ( $in_band =~ /:/ ) {
 	    ( $in_band, $burst ) = split /:/, $in_rate, 2;
-	    fatal_error "Invalid burst ($burst)" unless $burst  =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid burst ($burst)" unless $burst  =~ /^\d+(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $in_burst = $burst;
 	}
 
@@ -314,7 +326,7 @@ sub process_simple_device() {
 	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
 
 	if ( supplied $burst ) {
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $command .= " burst $burst";
 	} else {
 	    $command .= ' burst 10kb';
@@ -330,12 +342,12 @@ sub process_simple_device() {
 	$command .= ' mpu 64'; #Assume Ethernet
 
 	if ( supplied $peak ) {
-	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $command .= " peakrate $peak";
 	}
 
 	if ( supplied $minburst ) {
-	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $command .= " minburst $minburst";
 	}
 
@@ -365,9 +377,7 @@ sub process_simple_device() {
 
     emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 	  "\\\n    match ip6 protocol 6 0xff" .
-	  "\\\n    match u8 0x05 0x0f at 0" .
-	  "\\\n    match u16 0x0000 0xffc0 at 2" .
-	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
+	  "\\\n    match u8 0x10 0xff at 53 flowid $number:1\n" );
 
     save_progress_message_short qq("   TC Device $physical defined.");
 
@@ -2394,7 +2404,6 @@ sub setup_tc( $ ) {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-
 	if ( $convert ) {
 	    my $have_tcrules;
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -103,6 +103,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone_hosts_by_option
 		    find_zones_by_option
 		    have_ipsec
+		    generate_all_acasts
 		 ),
 	      );
 
@@ -176,7 +177,8 @@ our %reservedName = ( all => 1,
 #				      number	  => <ordinal position in the interfaces file>
 #				      physical	  => <physical interface name>
 #				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#				      wildcard	  => undef|1 # Wildcard Logical Name
+#				      physwild	  => undef|1 # Wildcard Physical Name
 #				      zones	  => { zone1 => 1, ... }
 #				      origin	  => <where defined>
 #				    }
@@ -408,6 +410,7 @@ sub initialize( $$ ) {
 			     destonly => 1,
 			     sourceonly => 1,
 			     mss => 1,
+	                     nodbl => 1
 			    );
 
 	%zonetypes = ( 1   => 'firewall',
@@ -418,7 +421,8 @@ sub initialize( $$ ) {
 		       32  => 'loopback',
 		       64  => 'local' );
     } else {
-	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+	%validinterfaceoptions = (
+				    accept_ra	=> NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
@@ -430,6 +434,7 @@ sub initialize( $$ ) {
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    omitanycast	=> SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
@@ -452,6 +457,7 @@ sub initialize( $$ ) {
 			     routeback => 1,
 			     tcpflags => 1,
 			     mss => 1,
+	                     nodbl => 1
 			    );
 
 	%zonetypes = ( 1   => 'firewall',
@@ -609,7 +615,7 @@ sub process_zone( \$ ) {
 
 	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
 	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
-	fatal_error 'Loopback zones may only be subzones of other loopback zones' if ( $type | $ptype ) & LOOPBACK && $type != $ptype;
+	fatal_error 'Loopback zones may only be subzones of other loopback zones' if ( $type | $ptype ) & LOOPBACK && $type != $ptype && ! $test;
 	fatal_error 'Local zones may only be subzones of other local zones'       if ( $type | $ptype ) & LOCAL    && $type != $ptype;
 
 	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
@@ -973,18 +979,22 @@ sub add_group_to_zone($$$$$$)
 
     $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
 
-    push @{$interfaceref}, { options => $options,
-			     hosts   => \@newnetworks,
-			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
-			     exclusions => \@exclusions ,
-			     origin  => shortlineinfo( '' ) ,
-                            };
+    my $hostref = { options => $options,
+		    hosts   => \@newnetworks,
+		    ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
+		    exclusions => \@exclusions ,
+		    origin  => shortlineinfo( '' ) ,
+    };
+
+    push @{$interfaceref}, $hostref;
 
     if ( $type != IPSEC ) {
 	my $optref = $interfaces{$interface}{options};
 	$optref->{routeback} ||= $options->{routeback};
 	$optref->{allip}     ||= $allip;
     }
+
+    return $hostref;
 }
 
 #
@@ -1315,7 +1325,8 @@ sub process_interface( $$ ) {
     my %options;
 
     $options{port} = 1 if $port;
-    $options{dbl}  = $config{DYNAMIC_BLACKLIST} =~ /^ipset(-only)?.*,src-dst/ ? '1:2' : $config{DYNAMIC_BLACKLIST} ? '1:0' : '0:0';
+
+    $options{dbl} = $globals{DBL};
 
     my $hostoptionsref = {};
 
@@ -1358,7 +1369,7 @@ sub process_interface( $$ ) {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} elsif ( $option eq 'nodbl' ) {
-		    $options{dbl} = '0:0';
+		    $options{dbl} = DBL_NONE;
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
@@ -1370,7 +1381,7 @@ sub process_interface( $$ ) {
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
 		if ( $option eq 'arp_ignore' ) {
-		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $physwild;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -1381,10 +1392,15 @@ sub process_interface( $$ ) {
 			$options{arp_ignore} = 1;
 		    }
 		} elsif ( $option eq 'dbl' ) {
-		    my %values = ( none => '0:0', src => '1:0', dst => '2:0', 'src-dst' => '1:2' );
+		    my %values = ( src => DBL_SRC, dst => DBL_DST, 'src-dst' => DBL_SRC_DST );
 
 		    fatal_error q(The 'dbl' option requires a value) unless defined $value;
-		    fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( $options{dbl} = $values{$value} );
+		    if ( $value eq 'none' ) {
+			$options{dbl} = DBL_NONE;
+		    } else {
+			fatal_error qq(Invalid setting ($value) for 'dbl') unless defined ( my $setting = $values{$value} );
+			$options{dbl} |= $setting;
+		    }
 		} else {
 		    assert( 0 );
 		}
@@ -1487,7 +1503,7 @@ sub process_interface( $$ ) {
 
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
-	    fatal_error "Bridges may not have wildcard names" if $wildcard;
+	    fatal_error "Bridges may not have wildcard names" if $physwild;
 	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}
 
@@ -1536,7 +1552,8 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
+						   physwild   => $physwild,
+						   nodbl      => [],
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1545,7 +1562,10 @@ sub process_interface( $$ ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
 
 	if ( $options{loopback} ) {
-	    fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
+	    unless ( $test ) {
+		fatal_error "Only a loopback zone may be assigned to '$physical'" unless $zoneref->{type} == LOOPBACK;
+	    }
+
 	    fatal_error "Invalid definition of '$physical'"                   if $bridge ne $interface;
 	    
 	    for ( qw/arp_filter
@@ -1717,6 +1737,7 @@ sub known_interface($)
 					       physical => $physical ,
 					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
+					       physwild => $interfaceref->{physwild} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
 		return $interfaceref;
@@ -2168,23 +2189,26 @@ sub process_host( ) {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
     } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
-	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
+	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
-
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
-	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
 	$interface = $interfaceref->{name};
-	if ( $interfaceref->{physical} eq $loopback_interface ) {
+    } else {
+	fatal_error "Invalid HOST(S) column contents: $hosts";
+    }
+
+    fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
+
+    if ( $interfaceref->{physical} eq $loopback_interface ) {
+	unless ($test) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
-	} else {
-	    fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if $type == LOOPBACK;
 	}
     } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts"
+	fatal_error "Loopback zones may only be associated with the loopback interface ($loopback_interface)" if ( $type == LOOPBACK && ! $test );
     }
 
     if ( $hosts =~ /^!?\+/ ) {
@@ -2224,6 +2248,9 @@ sub process_host( ) {
 		require_capability 'TCPMSS_TARGET', $option, 's';
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
+	    } elsif ( $option eq 'nodbl' ) {
+		fatal_error "The 'nodbl' option is only allowed in 'ip' zones" unless $type & IP;
+		$options{nodbl} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -2267,13 +2294,19 @@ sub process_host( ) {
 	$optionsref->{dynamic} = 1;
 	add_ipset($set);
     }
-
+    #
     #
     # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
     #
     $interface = '%vserver%' if $type & VSERVER;
 
-    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
+    my $hostref = add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref, 0 );
+    #
+    # Push 'nodbl' info to the interface
+    #
+    if ( $optionsref->{nodbl} ) {
+	push @{$interfaceref->{nodbl}}, $hostref ;
+    }
 
     progress_message "   Host \"$currentline\" validated";
 
@@ -2385,4 +2418,110 @@ sub find_zones_by_option( $$ ) {
     \@zns;
 }
 
+#
+# Generate the shell code to populate the ALL_ACASTS run-time variable
+#
+
+sub generate_all_acasts() {
+    my ( @acasts, @noacasts, @wildacasts, @wildnoacasts );
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+	my $physical     = $interfaceref->{physical};
+
+	next if ( $interfaceref->{options}{port} ||
+		  $interfaceref->{options}{unmanaged} );
+
+	if ( $interfaceref->{physwild} ) {
+	    $physical =~ s/\+/*/;
+
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		if ( $physical eq '*' ) {
+		    @wildnoacasts = ( '*' );
+		} else {
+		    push @wildnoacasts, $physical;
+		}
+	    } else {
+		if ( $physical eq '*' ) {
+		    @wildacasts = ( '*' );
+		} else {
+		    push @wildacasts, $physical;
+		}
+	    }
+	} else {
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		push @noacasts, $physical;
+	    } else {
+		push @acasts, $physical;
+	    }
+	}
+    }
+
+    return 'ALL_ACASTS="$(get_all_acasts)"' unless @noacasts || @wildnoacasts;
+
+    @wildacasts = '*' unless @wildacasts;
+
+    emit( "#\n# Populate the ALL_ACASTS variable\n#",
+	  'generate_all_acasts()',
+	  '{' );
+    push_indent;
+
+    emit( 'ALL_ACASTS=',
+	  '',
+	  'for iface in $(find_all_interfaces1); do' );
+
+    push_indent;
+
+    emit( 'case $iface in' );
+
+    push_indent;
+
+    if ( @noacasts ) {
+	unless ( @wildacasts ) {
+	    push @noacasts, @wildnoacasts;
+	    @wildnoacasts = ();
+	}
+
+	emit( join( '|', @noacasts) . ')',
+	      '    ;;' );
+    }
+
+    if ( @wildnoacasts ) {
+	if ( @acasts ) {
+	    emit( join( '|', @acasts) . ')',
+		  '    if [ -n "$ALL_ACASTS" ]; then',
+		  '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+		  '    else',
+		  '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+		  '    fi',
+		  '    ;;' );
+	}
+
+	emit( join( '|', @wildnoacasts) . ')',
+	      '    ;;' );
+
+    } else {
+	@wildacasts = ( '*' );
+    }
+
+    if ( @wildacasts ) {
+	emit( join( '|', @wildacasts ) . ')',
+	      '    if [ -n "$ALL_ACASTS" ]; then',
+	      '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+	      '    else',
+	      '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+	      '    fi',
+	      '    ;;' );
+    }
+
+    pop_indent;
+    emit( 'esac');
+    pop_indent;
+    emit( 'done');
+    pop_indent;
+    emit( "}\n" );
+
+    return 'generate_all_acasts';
+}
+
 1;

Shorewall/Perl/compiler.pl

@@ -47,7 +47,7 @@
 #
 use strict;
 use FindBin;
-use lib "$FindBin::Bin";
+use lib "$FindBin::Bin"; # Required to allow modules to reside in ${BASEDIR}/Shorewall/
 use Shorewall::Compiler;
 use Getopt::Long;
 

Shorewall/Perl/lib.runtime

@@ -36,7 +36,7 @@
 #					interface
 #	    refresh			Refresh the firewall
 #	    reload			Reload the firewall
-#	    restart			Restarts the firewall
+#	    restart			Restart the firewall
 #	    restore			Restore a saved configuration
 #	    reset			Reset byte and packet counters
 #	    run				Call a function in this program
@@ -878,7 +878,7 @@ detect_dynamic_gateway() { # $1 = interface
     gateway=$(run_findgw_exit $1);
 
     if [ -z "$gateway" ]; then
-	gateway=$( find_peer $($IP addr list $interface ) )
+	gateway=$( find_peer $($IP addr list $interface 2>/dev/null ) )
     fi
 
     file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
@@ -923,9 +923,9 @@ detect_gateway() # $1 = interface $2 = table number
     #
     # Maybe there's a default route through this gateway already
     #
-    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface 2>/dev/null | grep ^default))
 
-    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 | grep ^default))
+    [ -z "$gateway" -a -n "$2" ] && gateway=$(find_gateway $($IP -4 route list dev $interface table $2 2>/dev/null | grep ^default))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #
@@ -1312,11 +1312,11 @@ detect_gateway() # $1 = interface
     #
     # First assume that this is some sort of point-to-point interface
     #
-    gateway=$( find_peer $($IP -6 addr list $interface ) )
+    gateway=$( find_peer $($IP -6 addr list $interface 2>/dev/null ) )
     #
     # Maybe there's a default route through this gateway already
     #
-    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface 2>/dev/null | grep '^default'))
     #
     # Last hope -- is there a load-balancing route through the interface?
     #

Shorewall/Samples/Universal/shorewall.conf

@@ -141,7 +141,7 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
-AUTOHELPERS=Yes
+AUTOHELPERS=No
 
 AUTOMAKE=Yes
 

Shorewall/Samples/one-interface/shorewall.conf

@@ -152,7 +152,7 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
-AUTOHELPERS=Yes
+AUTOHELPERS=No
 
 AUTOMAKE=Yes
 

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -149,7 +149,7 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
-AUTOHELPERS=Yes
+AUTOHELPERS=No
 
 AUTOMAKE=Yes
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -152,7 +152,7 @@ ADMINISABSENTMINDED=Yes
 
 AUTOCOMMENT=Yes
 
-AUTOHELPERS=Yes
+AUTOHELPERS=No
 
 AUTOMAKE=Yes
 

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.7-Beta1
+5.2.8-base

Shorewall/lib.cli-std

@@ -29,7 +29,7 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #
-get_config() {
+std_get_config() {
     local prog
     local lib
 
@@ -216,6 +216,8 @@ get_config() {
 		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 		SHOREWALL_SHELL=/bin/sh
 	    fi
+	else
+	    SHOREWALL_SHELL=/bin/sh
 	fi
 
 	if [ -n "$IP" ]; then
@@ -332,7 +334,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -379,36 +381,31 @@ uptodate() {
     [ -x $1 ] || return 1
 
     local dir
-    local busybox
     local find
+    local quit=-quit
+    local maxdepth
 
     find=$(mywhich find)
 
     [ -n "${find}" ] || return 1
-    [ -h "${find}" ] && busybox=Yes
-    find="${find} -L"
+
+    if [ -h "${find}" ] && ! qt ${find} . -name foo -print -quit ; then
+	#
+	# 'Find' is provided by Busybox and this old versions don't support -quit.
+	#
+        quit=
+    fi
+
+    if [ "$AUTOMAKE" = recursive ]; then
+	maxdepth=
+    elif [ -z "$AUTOMAKE" ]; then
+	maxdepth="-maxdepth 1"
+    else
+	maxdepth="-maxdepth $AUTOMAKE"
+    fi
 
     for dir in $g_shorewalldir $(split $CONFIG_PATH); do
-	if [ -n "${busybox}" ]; then
-	    #
-	    # Busybox 'find' doesn't support -quit.
-	    #
-	    if [ $AUTOMAKE = recursive ]; then
-		if [ -n "$(${find} ${dir} -newer $1 -print)" ]; then
-		    return 1;
-		fi
-	    elif  [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print)" ]; then
-		return 1;
-	    fi
-	elif [ "$AUTOMAKE" = recursive ]; then
-	    if [ -n "$(${find} ${dir} -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -z "$AUTOMAKE" ]; then
-	    if [ -n "$(${find} ${dir} -maxdepth 1 -type f -newer $1 -print -quit)" ]; then
-		return 1;
-	    fi
-	elif [ -n "$(${find} ${dir} -maxdepth $AUTOMAKE -type f -newer $1 -print -quit)" ]; then
+	if [ -n "$(${find} -L ${dir} ${maxdepth} -newer $1 -print ${quit})" ]; then
 	    return 1;
 	fi
     done
@@ -566,7 +563,7 @@ compiler() {
 #
 # Start Command Executor
 #
-start_command() {
+std_start_command() {
     local finished
     finished=0
     local rc
@@ -965,7 +962,7 @@ update_command() {
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+std_restart_command() {
     local finished
     finished=0
     local rc

Shorewall/manpages/shorewall-hosts.xml

@@ -31,8 +31,8 @@
 
     <para>The order of entries in this file is not significant in determining
     zone composition. Rather, the order that the zones are declared in <ulink
-    url="shorewall-zones.html">shorewall-zones</ulink>(5) determines
-    the order in which the records in this file are interpreted.</para>
+    url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
+    in which the records in this file are interpreted.</para>
 
     <warning>
       <para>The only time that you need this file is when you have more than
@@ -41,9 +41,9 @@
 
     <warning>
       <para>If you have an entry for a zone and interface in <ulink
-      url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-      then do not include any entries in this file for that same (zone,
-      interface) pair.</para>
+      url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
+      not include any entries in this file for that same (zone, interface)
+      pair.</para>
     </warning>
 
     <para>The columns in the file are as follows.</para>
@@ -55,8 +55,8 @@
 
         <listitem>
           <para>The name of a zone declared in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5). You
-          may not list the firewall zone in this column.</para>
+          url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not
+          list the firewall zone in this column.</para>
         </listitem>
       </varlistentry>
 
@@ -69,9 +69,9 @@
 
         <listitem>
           <para>The name of an interface defined in the <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file followed by a colon (":") and a comma-separated list whose
-          elements are either:</para>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
+          followed by a colon (":") and a comma-separated list whose elements
+          are either:</para>
 
           <orderedlist numeration="loweralpha">
             <listitem>
@@ -171,8 +171,8 @@
                 <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                 that if the zone named in the ZONE column is specified as an
                 IPSEC zone in the <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5)
-                file then you do NOT need to specify the 'ipsec' option
+                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
+                then you do NOT need to specify the 'ipsec' option
                 here.</para>
               </listitem>
             </varlistentry>
@@ -183,8 +183,8 @@
               <listitem>
                 <para>Connection requests from these hosts are compared
                 against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-                If this option is specified, the interface must be an Ethernet
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                this option is specified, the interface must be an Ethernet
                 NIC or equivalent and must be up before Shorewall is
                 started.</para>
               </listitem>
@@ -214,8 +214,8 @@
 
                 <para>Smurfs will be optionally logged based on the setting of
                 SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).
-                After logging, the packets are dropped.</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
               </listitem>
             </varlistentry>
 
@@ -243,6 +243,24 @@
                 according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>nodbl</term>
+
+              <listitem>
+                <para>This option was added in Shorewall 5.2.9. It causes
+                addresses in the HOSTS column to be exempted from ipset-based
+                dynamic blacklisting
+                (DYNAMIC_BLACKLIST={<option>ipset</option>|<option>ipsec-only</option>)...
+                in <ulink
+                url="shorewall.conf.html">Shorewall.conf</ulink>(5)). It may
+                only be specified if the <replaceable>zone-name</replaceable>
+                listed in the ZONE column is defined as an <option>ip</option>
+                (<option>ip</option>, <option>ip4</option>, or
+                <option>ip6</option>) zone in <ulink
+                url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall-interfaces.xml

@@ -653,6 +653,56 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>omitanycast</term>
+
+              <listitem>
+                <para>IPv6 only. Added in Shorewall 5.2.8.</para>
+
+                <para>Shorewall6 has traditionally generated rules for IPv6
+                <emphasis>anycast</emphasis> addresses. These rules
+                include:</para>
+
+                <orderedlist numeration="loweralpha">
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    dropped by REJECT rules.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these source IP addresses are dropped
+                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
+                    action.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are not
+                    logged during policy enforcement.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    processes by the 'Broadcast' action.</para>
+                  </listitem>
+                </orderedlist>
+
+                <para>This can be inhibited for individual interfaces by
+                specifying <emphasis role="bold">noanycast</emphasis> for
+                those interfaces.</para>
+
+                <note>
+                  <para>RFC 2526 describes IPv6 subnet anycast addresses. The
+                  RFC makes a distinction between subnets with "IPv6 address
+                  types required to have 64-bit interface identifiers in
+                  EUI-64 format" and all other subnets. When generating these
+                  anycast addresses, the Shorewall compiler does not make this
+                  distinction and unconditionally assumes that the last 128
+                  addresses in the subnet are reserved as anycast
+                  addresses.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">optional</emphasis></term>
 

Shorewall/manpages/shorewall-snat.xml

@@ -207,9 +207,6 @@
                 the IP addresses configured on the interface named in the DEST
                 column and substitute them in this column.</para>
 
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
                 <para>DNS Names names are not allowed.</para>
 
                 <para>Normally, Netfilter will attempt to retain the source
@@ -805,21 +802,16 @@
         <term>IPv4 Example 6:</term>
 
         <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly
+          to addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
+          later).</para>
 
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
+          <programlisting>/etc/shorewall/snat:
 
        #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
+       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
+       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
+       SNAT(1.1.1.9)           192.168.1.0/24  eth0</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-tcclasses.xml

@@ -54,6 +54,14 @@
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><emphasis role="bold">gbps</emphasis></term>
+
+            <listitem>
+              <para>Gigabytes per second.</para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><emphasis role="bold">kbit</emphasis></term>
 
@@ -70,6 +78,14 @@
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><emphasis role="bold">gbit</emphasis></term>
+
+            <listitem>
+              <para>Gigabits per second.</para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><emphasis role="bold">bps</emphasis> or <emphasis
             role="bold">number</emphasis></term>

Shorewall/manpages/shorewall-tcdevices.xml

@@ -61,6 +61,14 @@
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><emphasis role="bold">gbps</emphasis></term>
+
+            <listitem>
+              <para>Gigabytes per second.</para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><emphasis role="bold">kbit</emphasis></term>
 
@@ -77,6 +85,14 @@
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><emphasis role="bold">gbit</emphasis></term>
+
+            <listitem>
+              <para>Gigabits per second.</para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><emphasis role="bold">bps</emphasis> or <emphasis
             role="bold">number</emphasis></term>

Shorewall/manpages/shorewall-tcinterfaces.xml

@@ -59,6 +59,14 @@
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><emphasis role="bold">gbps</emphasis></term>
+
+            <listitem>
+              <para>Gigabytes per second.</para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><emphasis role="bold">kbit</emphasis></term>
 
@@ -75,6 +83,14 @@
             </listitem>
           </varlistentry>
 
+          <varlistentry>
+            <term><emphasis role="bold">gbit</emphasis></term>
+
+            <listitem>
+              <para>Gigabits per second.</para>
+            </listitem>
+          </varlistentry>
+
           <varlistentry>
             <term><emphasis role="bold">bps</emphasis> or <emphasis
             role="bold">number</emphasis></term>
@@ -88,7 +104,7 @@
             <term>k or kb</term>
 
             <listitem>
-              <para>Kilo bytes.</para>
+              <para>Kilobytes.</para>
             </listitem>
           </varlistentry>
 
@@ -99,6 +115,14 @@
               <para>Megabytes.</para>
             </listitem>
           </varlistentry>
+
+          <varlistentry>
+            <term>g or gb</term>
+
+            <listitem>
+              <para>Gigabytes.</para>
+            </listitem>
+          </varlistentry>
         </variablelist>
       </listitem>
 

Shorewall/manpages/shorewall.conf.xml

@@ -888,14 +888,14 @@
           name is SW_DBL4 and the default IPv6 set name is SW_DBL6. The
           default log level is <option>none</option> (no logging). If
           <option>ipset-only</option> is given, then chain-based dynamic
-          blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+          blacklisting is disabled just as if DYNAMIC_BLACKLIST=No had been
           specified.</para>
 
           <para>Possible <replaceable>option</replaceable>s are:</para>
 
           <variablelist>
             <varlistentry>
-              <term>src-dst</term>
+              <term><option>src-dst</option></term>
 
               <listitem>
                 <para>Normally, only packets whose source address matches an
@@ -943,7 +943,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>log</term>
+              <term><option>log</option></term>
 
               <listitem>
                 <para>Added in Shorewall 5.2.5. When specified, successful
@@ -953,7 +953,7 @@
             </varlistentry>
 
             <varlistentry>
-              <term>noupdate</term>
+              <term><option>noupdate</option></term>
 
               <listitem>
                 <para>Added in Shorewall 5.2.5. Normally, once an address has

Shorewall/shorewall.service

@@ -13,7 +13,6 @@ Conflicts=iptables.service firewalld.service
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
-StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall $OPTIONS stop
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

Shorewall/shorewall.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall
+Documentation=man:shorewall(8)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
@@ -16,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall
 ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/uninstall.sh

@@ -149,7 +149,9 @@ if [ $configure -eq 1 ]; then
     fi
 fi
 
-remove_file ${SBINDIR}/$PRODUCT
+if [ $PRODUCT = shorewall6 ]; then
+    remove_file ${SBINDIR}/shorewall6
+fi
 
 if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)

Shorewall6-lite/init.debian.sh

@@ -13,8 +13,8 @@
 
 . /lib/lsb/init-functions
 
-SRWL='/sbin/shorewall6-lite -6'
-SRWL_OPTS="-tvv"
+SRWL=/sbin/shorewall
+SRWL_OPTS="-6ltvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
 [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

Shorewall6-lite/shorewall6-lite.service

@@ -15,7 +15,6 @@ Conflicts=ip6tables.service firewalld.service
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
-StandardOutput=syslog
 ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall -6l $OPTIONS stop
 ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS

Shorewall6-lite/shorewall6-lite.service.debian

@@ -5,6 +5,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall (lite)
+Documentation=man:shorewall6-lite(8)
 Wants=network-online.target
 After=network-online.target
 After=shorewall-lite.service
@@ -16,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6-lite
 ExecReload=/sbin/shorewall6-lite $OPTIONS reload
 
 [Install]

Shorewall6/configfiles/tcpri

@@ -6,5 +6,6 @@
 # See https://shorewall.org/simple_traffic_shaping.htm for additional
 # information.
 #
+?FORMAT 2
 ###############################################################################
 #BAND	PROTO	DPORT	SPORT	ADDRESS		INTERFACE	HELPER

Shorewall6/init.debian.sh

@@ -12,8 +12,8 @@
 
 . /lib/lsb/init-functions
 
-SRWL='/sbin/shorewall -6'
-SRWL_OPTS="-tvv"
+SRWL=/sbin/shorewall
+SRWL_OPTS="-6tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
 test -n ${INITLOG:=/var/log/shorewall6-init.log}
 

Shorewall6/shorewall6.service

@@ -14,7 +14,6 @@ Conflicts=ip6tables.service firewalld.service
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
-StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall -6 $OPTIONS stop
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS

Shorewall6/shorewall6.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall IPv6 firewall
+Documentation=man:shorewall6(8)
 Wants=network-online.target
 After=network-online.target
 After=shorewall.service
@@ -17,7 +18,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall -6 $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall6
 ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 
 [Install]

docs/6to4.xml

@@ -39,7 +39,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Accounting.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Actions.xml

@@ -41,7 +41,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Anatomy.xml

@@ -35,7 +35,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Anti-Spoofing.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Audit.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Build.xml

@@ -31,7 +31,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/CompiledPrograms.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/ConnectionRate.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Docker.xml

@@ -33,7 +33,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Documentation_Index.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Dynamic.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/ECN.xml

@@ -35,7 +35,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Events.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/FAQ.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled <quote>
       <ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink>
       </quote>.</para>
@@ -2592,7 +2592,7 @@ eth0            External        50mbit:200kb            5.0mbit:100kb:200ms:100m
       <programlisting><emphasis role="bold">ethtool -K eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
     </section>
 
-    <section>
+    <section id="faq97a">
       <title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
       rate is way below what I specified</title>
 

docs/FAQ_fr.xml

@@ -56,7 +56,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled <quote>
       <ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink>
       </quote>.</para>
@@ -2458,4 +2458,4 @@ loc                $FW                     ACCEPT           </programlisting>
       avec les deux politiques fixées ci-dessus.</para>
     </section>
   </section>
-</article>
+</article>

docs/FTP.xml

@@ -33,7 +33,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/FoolsFirewall.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/GenericTunnels.xml

@@ -33,7 +33,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/GettingStarted.xml

@@ -35,7 +35,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Helpers.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/IPIP.xml

@@ -35,7 +35,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/IPP2P.xml

@@ -35,7 +35,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/IPSEC-2.6.xml

@@ -47,7 +47,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/IPSEC.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/IPv6Support.xml

@@ -33,7 +33,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/ISO-3661.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>
@@ -57,11 +57,8 @@
 </programlisting>
 
     <para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
-    capability in your iptables and kernel. As of this writing, that
-    capability requires installing <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
-    or later and <ulink
-    url="http://xtables-addons.sourceforge.net/geoip.php">creating a
+    capability in your iptables and kernel. That capability requires <ulink
+    url="https://dev.maxmind.com/geoip/geoip2/geolite2/">creating a
     country-code database</ulink>.</para>
 
     <para>The Shorewall compiler uses the geoip country-code database to
@@ -83,11 +80,19 @@
     <para>To accomodate both big-endian and little-endian machines as well as
     any future ability to install the database at another location, Shorewall
     supports a GEOIPDIR option in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
-    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
-    default value of that option is
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). The default
+    value of that option is
     <filename>/usr/share/xt_geoip/LE</filename>.</para>
 
+    <important>
+      <para>Recent versions of the country-code database are installed in
+      <filename>/usr/share/xt_geoip/, regardless of endian convention. This
+      requires modifying the setting of GEOIPDIR in <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
+      url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</filename></para>
+    </important>
+
     <para>The country codes at the time of this writing are shown in the
     following two sections.</para>
   </section>

docs/Install.xml

@@ -33,7 +33,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Install_fr.xml

@@ -56,7 +56,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>
@@ -712,4 +712,4 @@ tar -xzvf /mnt/package2.lrp
     <para>Voir <quote><ulink url="fallback.htm">Fallback and
     Uninstall</ulink></quote>.</para>
   </section>
-</article>
+</article>

docs/Internals.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Introduction.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink type="" url="Copyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/KVM.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/LXC.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Laptop.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/LennyToSqueeze.xml

@@ -30,7 +30,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/MAC_Validation.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Macros.xml

@@ -35,7 +35,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Manpages.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/ManualChains.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/MultiISP.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/Multiple_Zones.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/MyNetwork.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/NAT.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/NetfilterOverview.xml

@@ -29,7 +29,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/NewRelease.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/OPENVPN.xml

@@ -41,7 +41,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/OpenVZ.xml

@@ -27,7 +27,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/PPTP.xml

@@ -39,7 +39,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/PacketHandling.xml

@@ -33,7 +33,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>

docs/PacketMarking.xml

@@ -30,7 +30,7 @@
       <para>Permission is granted to copy, distribute and/or modify this
       document under the terms of the GNU Free Documentation License, Version
       1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      no Invariant Sections, no Front-Cover Texts, and no Back-Cover
       Texts. A copy of the license is included in the section entitled
       <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
       License</ulink></quote>.</para>