Shorewall 2.0.3 Beta 1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1396 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-06-12 16:39:54 +00:00 · 2004-06-12 16:39:54 +00:00 · 68571cbbdc
commit 68571cbbdc
parent 1fc8ddbc82
9 changed files with 360 additions and 129 deletions
--- a/Lrp2/etc/shorewall/shorewall.conf
+++ b/Lrp2/etc/shorewall/shorewall.conf
@ -258,6 +258,24 @@ MODULESDIR=
 # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 #
 # RESTORE SCRIPT
 #
 # This option determines the script to be run in the following cases:
 #
 #	shorewall -f start
 #	shorewall restore
 #	shorewall save
 #	shorewall forget
 #	Failure of shorewall start or shorewall restart
 #
 # The value of the option must be the name of an executable file in the
 # directory /var/lib/shorewall. If this option is not set or if it is
 # set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
 # assumed.
 RESTOREFILE=
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################
--- a/Lrp2/sbin/shorewall
+++ b/Lrp2/sbin/shorewall
@ -76,14 +76,17 @@
 #						   listed address(es)
 #	   shorewall allow <address> ...	   Reenable address(es) previously
 #						   disabled with "drop" or "reject"
-#	   shorewall save			   Save the list of "rejected" and
+#	   shorewall save [ <file> ]		   Save the list of "rejected" and
 #						   "dropped" addresses so that it will
 #						   be automatically reinstated the
 #						   next time that Shorewall starts.
 #                                                  Save the current state so that 'shorewall
 #                                                  restore' can be used.
 #
-#          shorewall forget                        Discard the data saved by 'shorewall save'
+#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
 #
 #          shorewall restore [ <file> ]            Restore the state of the firewall from
 #                                                  previously saved information.
 #
 #          shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
 #
@ -131,6 +134,19 @@ showchain() # $1 = name of chain
    fi
 }
 #
 # Validate the value of RESTOREFILE
 #
 validate_restorefile() # $* = label
 {
    case $RESTOREFILE in
 	*/*)
 	    echo "   ERROR: $@ must specify a simple file name: $RESTOREFILE" >&2
 	    exit 2
 	    ;;
    esac    
 }
 #
 # Set the configuration variables from shorewall.conf
 #
@ -160,11 +176,17 @@ get_config() {
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -e "$SHOREWALL_SHELL" ]; then
-	    echo "The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
+	    echo "   ERROR: The program specified in SHOREWALL_SHELL does not exist or is not executable" >&2
 	    exit 2
 	fi
    fi
    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
    validate_restorefile RESTOREFILE
    export RESTOREFILE
 }
 #
@ -535,7 +557,7 @@ help()
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] [ -f ] <command>"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host>] <zone>"
    echo "   allow <address> ..."
@ -543,7 +565,7 @@ usage() # $1 = exit status
    echo "   clear"
    echo "   delete <interface>[:<host>] <zone>"
    echo "   drop <address> ..."
-    echo "   forget"
+    echo "   forget [ <file name> ]"
    echo "   help [ <command > | host | address ]"
    echo "   hits"
    echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@ -554,8 +576,8 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reset"
    echo "   restart"
-    echo "   restore"
+    echo "   restore [ <file name> ]"
-    echo "   save"
+    echo "   save [ <file name> ]"
    echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
    echo "   start"
    echo "   stop"
@ -735,11 +757,14 @@ case "$1" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	if [ -n "$FAST" ]; then
-	    if [ -f /var/lib/shorewall/restore ]; then
+	    
 	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	    if [ -x $RESTOREPATH ]; then
 		echo Restoring Shorewall...
-		. /var/lib/shorewall/restore
+		$RESTOREPATH
 		date > $STATEDIR/restarted
-		echo Shorewall restored
+		echo Shorewall restored from $RESTOREPATH
 	    else
 		exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
 	    fi
@ -963,38 +988,86 @@ case "$1" in
 	;;
    save)
    	[ -n "$debugging" ] && set -x
-	[ $# -ne 1 ] && usage 1
+
 	get_config
 	case $# in
 	1)
 	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
 	    usage 1
 	    ;;
 	esac
 	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	mutex_on
 	if qt iptables -L shorewall -n; then
-	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
+	    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
 	    if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
 		echo "   ERROR: $RESTOREPATH exists and is not a saved Shorewall configuration"
 	    else
 		case $RESTOREFILE in
 		    save|restore-base)
 			echo "   ERROR: Reserved file name: save"
 			;;
 		    *)
 			if iptables -L dynamic -n > /var/lib/shorewall/save; then
 			    echo "   Dynamic Rules Saved"
 			    if [ -f /var/lib/shorewall/restore-base ]; then
 				cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
 				if iptables-save >> /var/lib/shorewall/restore-$$ ; then
-			echo EOF >> /var/lib/shorewall/restore-$$
+				    echo __EOF__ >> /var/lib/shorewall/restore-$$
-			mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
+				    mv -f /var/lib/shorewall/restore-$$ $RESTOREPATH
-			chmod +x /var/lib/shorewall/restore
+				    chmod +x $RESTOREPATH
-			echo "   Currently-running Configuration Saved"
+				    echo "   Currently-running Configuration Saved to $RESTOREPATH"
 				else
 				    rm -f /var/lib/shorewall/restore-$$
 				    echo "   ERROR: Currently-running Configuration Not Saved"
 				fi
 			    else
 				echo "   ERROR: /var/lib/shorewall/restore-base does not exist"
 			    fi
 			else
 			    echo "Error Saving the Dynamic Rules"
 			fi
 			;;
 		esac
 	    fi
 	else
 	    echo "Shorewall isn't started"
 	fi
 	mutex_off
 	;;
    forget)
-	rm -f /var/lib/shorewall/restore
+	get_config
-	rm -f /var/lib/shorewall/save
+	case $# in
-	echo "   Previously saved information discarded"
+	1)
 	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
 	    usage 1
 	    ;;
 	esac
 	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	if [ -x $RESTOREPATH ]; then
 	    rm -f $RESTOREPATH
 	    echo "    $RESTOREPATH removed"
 	elif [ -f $RESTOREPATH ]; then
 	    echo "   ERROR: $RESTOREPATH is not a restore script"
 	fi
 	;;
    ipcalc)
    	[ -n "$debugging" ] && set -x
@ -1032,12 +1105,26 @@ case "$1" in
 	esac
 	;;
    restore)
-	if [ -f /var/lib/shorewall/restore ]; then
+	get_config
 	case $# in
 	1)
 	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
 	    usage 1
 	    ;;
 	esac
 	RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	if [ -x $RESTOREPATH ]; then
 	    echo Restoring Shorewall...
-	    . /var/lib/shorewall/restore
+	    $RESTOREPATH && echo "Shorewall restored from /var/lib/shorewall/$RESTOREFILE"
            echo Shorewall restored
 	else
-	    echo "File /var/lib/shorewall/restore: file not found"
+	    echo "File /var/lib/shorewall/$RESTOREFILE: file not found"
            exit 2
        fi
        ;;
--- a/Lrp2/usr/share/shorewall/action.Drop
+++ b/Lrp2/usr/share/shorewall/action.Drop
@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 DropSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Lrp2/usr/share/shorewall/action.Reject
+++ b/Lrp2/usr/share/shorewall/action.Reject
@ -10,6 +10,6 @@ RejectAuth
 dropBcast
 RejectSMB
 DropUPnP
-dropNonSyn
+dropNotSyn
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Lrp2/usr/share/shorewall/actions.std
+++ b/Lrp2/usr/share/shorewall/actions.std
@ -6,6 +6,13 @@
 #
 #    dropBcast          #Silently Drop Broadcast/multicast
 #    dropNonSyn         #Silently Drop Non-syn TCP packets
 #    rejNonSyn          #Silently Reject Non-syn TCP packets
 #    logNonSyn          #Log Non-syn TCP packets with disposition LOG
 #    dLogNonSyn         #Log Non-syn TCP packets with disposition DROP
 #    rLogNonSyn          #Log Non-syn TCP packets with disposition REJECT
 #
 # The NonSyn logging builtins log at the level specified by LOGNEWNOTSYN in
 # shorewall.conf. If that option isn't specified then 'info' is used.
 #
 #ACTION
--- a/Lrp2/usr/share/shorewall/firewall
+++ b/Lrp2/usr/share/shorewall/firewall
@ -51,11 +51,6 @@ my_mutex_off() {
    [ -n "$have_mutex" ] && { mutex_off; have_mutex=; }
 }
 progress_message() # $* = Message
 {
    [ -n "$QUIET" ] || echo "$@"
 }
 #
 # Message to stderr
 #
@ -108,6 +103,17 @@ save_command()
    echo "$@" >> /var/lib/shorewall/restore-$$
 }
 #
 # Write a progress_message command to /var/lib/shorewall/restore-$$
 #
 save_progress_message() 
 {
    echo                           >> /var/lib/shorewall/restore-$$
    echo "progress_message \"$@\"" >> /var/lib/shorewall/restore-$$
    echo                           >> /var/lib/shorewall/restore-$$
 }
 #
 # Save the passed command in the restore script then run it -- returns the status of the command
 # If the command involves file redirection then it must be enclosed in quotes as in:
@ -133,12 +139,13 @@ ensure_and_save_command()
 }
 #
-# Append a file to /var/lib/shorewall/restore-$$
+# Append a file in $STATEDIR to /var/lib/shorewall/restore-$$
 #
-append_file() {
+append_file() # $1 = File Name
-    save_command "cat > $STATEDIR/$1 << EOF"
+{
    save_command "cat > $STATEDIR/$1 << __EOF__"
    cat $STATEDIR/$1 >> /var/lib/shorewall/restore-$$
-    save_command EOF
+    save_command __EOF__
 }
 #
@ -576,7 +583,7 @@ known_interface() # $1 = interface name
 match_source_dev()
 {
    if [ -n "$BRIDGING" ]; then
-	known_interface $1 && echo -i $1 || physdev_echo "--physdev-in $1"
+	list_search $1 $all_ports && physdev_echo "--physdev-in $1" || echo -i $1
    else
 	echo -i $1
    fi
@ -585,12 +592,17 @@ match_source_dev()
 match_dest_dev()
 {
    if [ -n "$BRIDGING" ]; then
-	known_interface $1 && echo -o $1 || physdev_echo "--physdev-out $1"
+	list_search $1 $all_ports && physdev_echo "--physdev-out $1" || echo -o $1
    else
 	echo -o $1
    fi
 }
 verify_interface()
 {
    known_interface $1 || { [ -n $BRIDGING ] && list_search $1 $all_ports ; }
 }
 #
 #
 # Find hosts in a given zone
@ -765,7 +777,7 @@ validate_interfaces_file() {
 		    if [ -z "$found_obsolete_option" ]; then
 			found_obsolete_option=yes
 			error_message \
-			    "Warning: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
+			    "WARNING: The 'dropunclean' and 'logunclean' options are not supported by Shorewall 2.0"
 			error_message \
 			    "         PLEASE STAND BY WHILE SHOREWALL REFORMATS YOUR HARD DRIVE TO REMOVE THESE OPTIONS..."
 			sleep 5
@ -798,6 +810,13 @@ validate_interfaces_file() {
 validate_hosts_file() {
   local z hosts options r interface host option port ports
   check_bridge_port() 
   {
       list_search $1 $ports || ports="$ports $1"
       list_search ${interface}:${1} $zports || zports="$zports ${interface}:${1}"
       list_search $1 $all_ports || all_ports="$all_ports $1"
   }
    while read z hosts options; do
 	expandv z hosts options
 	r="$z $hosts $options"
@ -820,17 +839,14 @@ validate_hosts_file() {
 		*:*)
 		    known_interface ${host%:*} && \
 			startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
-		    port=${host%%:*}
+		    check_bridge_port ${host%%:*}
 		    list_search $port $ports || ports="$ports $port"
 		    list_search ${interface}:${port} $zports || zports="$zports ${interface}:${port}"
 		    ;;
 		*.*.*.*)
 		    ;;
 		*)
 		    known_interface $host && \
 			startup_error "Bridged interfaces may not be defined in /etc/shorewall/interfaces: $host"
-		    list_search $host $ports || ports="$ports $host"
+		    check_bridge_port $host
 		    list_search ${interface}:${host} $zports || zports="$zports ${interface}:${host}"
 		    ;;
 	    esac
@ -855,6 +871,8 @@ validate_hosts_file() {
 	fi
    done < $TMP_DIR/hosts
    [ -n "$all_ports" ] && echo "   Bridge ports are: $all_ports"
 }
 #
@ -1178,6 +1196,9 @@ log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates fo
 # Set /proc/sys/net/ipv4/ip_forward based on $IP_FORWARDING
 #
 setup_forwarding() {
    save_progress_message "Restoring IP Forwarding..."
    case "$IP_FORWARDING" in
    [Oo][Nn])
 	run_and_save_command "echo 1 > /proc/sys/net/ipv4/ip_forward"
@ -1198,6 +1219,7 @@ disable_ipv6() {
    if [ -n "$foo" ]; then
 	if qt which ip6tables; then
 	    save_progress_message "Disabling IPV6..."
 	    ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
 	    ip6tables -P INPUT DROP   && save_command ip6tables -P INPUT DROP
 	    ip6tables -P OUTPUT DROP  && save_command ip6tables -P OUTPUT DROP
@ -1226,10 +1248,15 @@ stop_firewall() {
 	    ;;
 	*)
 	    set +x
-	    if [ -f /var/lib/shorewall/restore ]; then
+
 	    [ -z "$RESTOREFILE" ] && RESTOREFILE=restore
 	    RESTOREPATH=/var/lib/shorewall/$RESTOREFILE
 	    if [ -x $RESTOREPATH ]; then
 		echo Restoring Shorewall...
-		. /var/lib/shorewall/restore
+		$RESTOREPATH
-		echo Shorewall restored
+		echo "Shorewall restored from $RESTOREPATH"
 		my_mutex_off
 		kill $$
 		exit 2
@ -1640,6 +1667,8 @@ setup_proxy_arp() {
    > ${STATEDIR}/proxyarp
    save_progress_message "Restoring Proxy ARP..."
    while read address interface external haveroute persistent; do
 	expandv address interface external haveroute persistent
 	setup_one_proxy_arp
@ -1840,6 +1869,8 @@ setup_nat() {
    #
    > ${STATEDIR}/nat
    save_progress_message "Restoring one-to-one NAT..."
    while read external interface internal allints localnat; do
 	expandv external interface internal allints localnat
@ -1995,10 +2026,8 @@ process_tc_rule()
 		    chain=tcout
 		    ;;
 		*)
 		    if [ -z "$BRIDGING" ] && ! list_search $source $all_interfaces; then
 			fatal_error "Unknown interface $source in rule \"$rule\""
 		    fi
 		    verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
 		    r="$(match_source_dev) $source "
 		    ;;
 	    esac
@ -2023,7 +2052,11 @@ process_tc_rule()
 	    esac
 	fi
-	[ "x$dest"   = "x-"  ] || r="${r}-d $dest "
+	if [ "x$dest" != "x-"  ]; then
 	    verify_interface $dest || fatal_error "Unknown interface $dest in rule \"$rule\""
 	    r="${r}$(match_dest_dev $dest) "
 	fi
 	[ "$proto"   = "all" ] || r="${r}-p $proto "
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
 	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
@ -2095,6 +2128,8 @@ setup_tc1() {
    run_iptables -t mangle -A OUTPUT     -j tcout
    run_user_exit tcstart
    save_progress_message "Restoring Traffic Control..."
    save_command . $(find_file tcstart)
 }
@ -2118,6 +2153,8 @@ delete_tc()
    }
    save_progress_message "Clearing Traffic Control/QOS"
    run_user_exit tcclear
    run_ip link list | \
@ -2144,6 +2181,14 @@ process_accounting_rule() {
 	error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport
    }
    accounting_interface_error() {
 	error_message "Warning: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport
    }
    accounting_interface_verify() {
 	verify_interface $1 || accounting_interface_error $1
    }
    jump_to_chain() {
 	if ! havechain $jumpchain; then
 	    if ! createchain2 $jumpchain No; then
@ -2157,6 +2202,7 @@ process_accounting_rule() {
    case $source in
 	*:*)
 	    accounting_interface_verify ${source%:*}
 	    rule="-s ${source#*:} $(match_source_dev ${source%:*})"
 	    ;;
 	*.*.*.*)
@ -2165,12 +2211,16 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
-	    [ -n "$source" ] && rule="$(match_source_dev $source)"
+	    if [ -n "$source" ]; then
 		accounting_interface_verify $source
 		rule="$(match_source_dev $source)"
 	    fi
 	    ;;
    esac
    [ -n "$dest" ] && case $dest in
 	*:*)
 	    accounting_interface_verify ${dest%:*}
 	    rule="$rule -d ${dest#*:} $(match_dest_dev ${dest%:*})"
 	    ;;
 	*.*.*.*)
@ -2179,6 +2229,7 @@ process_accounting_rule() {
 	-|all|any)
 	    ;;
 	*)
 	    accounting_interface_verify $dest
 	    rule="$rule $(match_dest_dev $dest)"
 	    ;;
    esac
@ -2233,8 +2284,8 @@ process_accounting_rule() {
    ensurechain1 $chain
-    if iptables -A $chain $rule ; then
+    if iptables -A $chain $(fix_bang $rule) ; then
-	[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
+	[ -n "$rule2" ] && run_iptables2 -A $jumpchain $rule2
 	progress_message "   Accounting rule" $action $chain $source $dest $proto $port $sport Added
    else
 	accounting_error
@ -2409,6 +2460,16 @@ add_an_action()
 	fi
    }
    interface_error()
    {
 	fatal_error "Unknown interface $1 in rule: \"$rule\""
    }
    action_interface_verify()
    {
 	verify_interface $1 || interface_error $1
    }
    # Set source variables. The 'cli' variable will hold the client match predicate(s).
    cli=
@ -2417,6 +2478,7 @@ add_an_action()
    -)
 	;;
    *:*)
 	action_interface_verify ${client%:*}
 	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
 	;;
    *.*.*)
@ -2426,7 +2488,10 @@ add_an_action()
 	cli=$(mac_match $client)
 	;;
    *)
-	[ -n "$client" ] && cli="$(match_source_dev $client)"
+	if [ -n "$client" ]; then
 	    action_interface_verify $client
 	    cli="$(match_source_dev $client)"
 	fi
 	;;
    esac
@ -2445,7 +2510,10 @@ add_an_action()
 	fatal_error "Rule \"$rule\" - Destination may not be specified by MAC Address"
 	;;
    *)
-	[ -n "$server" ] && dest_interface="$(match_dest_dev $server)"
+	if [ -n "$server" ]; then
 	    action_interface_verify $server
 	    dest_interface="$(match_dest_dev $server)"
 	fi
 	;;
    esac
@ -2496,7 +2564,6 @@ add_an_action()
 			    $(fix_bang $proto $sports $multiport $cli -d $srv $dports)
 		    fi
 		    [ "$logtarget" = LOG ] || \
 		    run_iptables2 -A $action $proto $multiport $cli $sports \
 			-d $srv $dports $ratelimit $userandgroup -j $target
 		done
@ -2507,7 +2574,6 @@ add_an_action()
 		    $(fix_bang $proto $sports $multiport $cli $dports)
 	    fi
 	    [ "$logtarget" = LOG ] || \
 	    run_iptables2 -A $action $proto $multiport $cli $sports \
 		$dports $ratelimit $userandgroup -j $target
 	fi
@ -2682,33 +2748,9 @@ createactionchain() # $1 = chain name
 #
 process_actions1() {
    #
    # Add the builtin actions
    #
    add_builtin_actions() {
-	if [ "$COMMAND" != check ]; then
+    ACTIONS="dropBcast dropNonSyn dropNotSyn rejNotSyn logNotSyn rLogNotSyn dLogNotSyn"
-	    createchain dropBcast no
+    USEDACTIONS=
 	    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 	    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
                #
                # No pkttype support -- do it the hard way
                #
 		for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
 		    run_iptables -A dropBcast -d $address -j DROP
 		done
 	    fi
 	    createchain dropNonSyn no
 	    run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
 	fi
 	ACTIONS="dropBcast dropNonSyn"
 	USEDACTIONS="dropBcast dropNonSyn"
    }
    add_builtin_actions
    strip_file actions
@ -2821,6 +2863,10 @@ process_actions2() {
 	process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
    }
    log_action() {
 	[ "$COMMAND" != check ] && log_rule ${LOGNEWNOTSYN:-info} $1 $2 "" "" -p tcp ! --syn
    }
    #
    # Generate the transitive closure of $USEDACTIONS
    #
@ -2844,7 +2890,38 @@ process_actions2() {
    #
    for xaction in $USEDACTIONS; do
 	case $xaction in
-	    dropNonSyn|dropBcast)
+	    dropBcast)
 		if [ "$COMMAND" != check ]; then
 		    qt iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 		    if ! qt iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP; then
                        #
                        # No pkttype support -- do it the hard way
                        #
 			for address in $(find_broadcasts) 255.255.255.255 224.0.0.0/4 ; do
 			    run_iptables -A dropBcast -d $address -j DROP
 			done
 		    fi
 		fi
 		;;		
 	    dropNonSyn)
 		error_message "WARNING: \"dropNonSyn\" has been replaced by \"dropNotSyn\""
 		[ "$COMMAND" != check ] && run_iptables -A dropNonSyn -p tcp ! --syn -j DROP
 		;;
 	    dropNotSyn)
 		[ "$COMMAND" != check ] && run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
 		;;
 	    rejNotSyn)
 		[ "$COMMAND" != check ] && run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
 		;;
 	    logNotSyn)
 		log_action logNotSyn LOG
 		;;
 	    rLogNotSyn)
 		log_action rLogNotSyn REJECT
 		;;
 	    dLogNotSyn)
 		log_action dLogNotSyn DROP		
 		;;
 	    *)
 		f=action.$xaction
@ -3091,6 +3168,16 @@ add_a_rule()
 	fi
    }
    interface_error()
    {
 	fatal_error "Unknown interface $1 in rule: \"$rule\""
    }
    rule_interface_verify()
    {
 	verify_interface $1 || interface_error $1
    }
    # Set source variables. The 'cli' variable will hold the client match predicate(s).
    cli=
@ -3099,6 +3186,7 @@ add_a_rule()
    -)
 	;;
    *:*)
 	rule_interface_verify ${client%:*}
 	cli="$(match_source_dev ${client%:*}) -s ${client#*:}"
 	;;
    *.*.*)
@ -3108,7 +3196,10 @@ add_a_rule()
 	cli=$(mac_match $client)
 	;;
    *)
-	[ -n "$client" ] && cli="$(match_source_dev $client)"
+	if [ -n "$client" ]; then
 	    rule_interface_verify $client
 	    cli="$(match_source_dev $client)"
 	fi
 	;;
    esac
@ -3128,7 +3219,8 @@ add_a_rule()
 	;;
    *)
 	if [ -n "$server" ]; then
-	    [ -n "$nonat" ] && fatal_error "Destination interface not allowe with $logtarget"
+	    [ -n "$nonat" ] && fatal_error "Destination interface not allowed with $logtarget"
 	    rule_interface_verify $server
 	    dest_interface="$(match_dest_dev $server)"
 	fi
 	;;
@ -3708,6 +3800,11 @@ process_tos_rule() {
 	    #
 	    # Assume that this is a device name
 	    #
 	    if ! verify_interface $src ; then
 		error_message "Warning: Unknown Interface in rule \"$rule\" ignored"
 		return
 	    fi
 	    src="$(match_source_dev $src)"
 	    ;;
    esac
@ -4285,7 +4382,7 @@ setup_masq()
    strip_file masq $1
-    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:"
+    [ -n "$NAT_ENABLED" ] && echo "Masqueraded Networks and Hosts:" && save_progress_message "Restoring Masquerading/SNAT..."
    while read fullinterface networks addresses proto ports; do
 	expandv fullinterface networks addresses proto ports
@ -4507,6 +4604,8 @@ add_ip_aliases()
    set -- $aliases_to_add
    save_progress_message "Restoring IP Addresses..."
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
@ -4529,7 +4628,7 @@ add_ip_aliases()
 #
 load_kernel_modules()
 {
-    local save_modules_dir=$MODULESDIR
+    save_modules_dir=$MODULESDIR
    [ -z "$MODULESDIR" ] && \
 	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
@ -4537,7 +4636,7 @@ load_kernel_modules()
    modules=$(find_file modules)
    if [ -f $modules -a -d $MODULESDIR ]; then
-	echo "Loading Modules..."
+ 	progress_message "Loading Modules..."
 	. $modules
    fi
@ -4547,12 +4646,10 @@ load_kernel_modules()
 save_load_kernel_modules()
 {
    [ -z "$MODULESDIR" ] && \
 	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
    modules=$(find_file modules)
-    save_command "reload_kernel_modules <<EOF"
+    save_progress_message "Loading kernel modules..."
    save_command "reload_kernel_modules <<__EOF__"
    while read command; do
 	case "$command" in
@ -4562,7 +4659,7 @@ save_load_kernel_modules()
 	esac
    done < $modules
-    save_command EOF
+    save_command __EOF__
 }
@ -4721,7 +4818,7 @@ initialize_netfilter () {
 	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags ACK ACK -j ACCEPT
 	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags RST RST -j ACCEPT
 	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -p tcp --tcp-flags FIN FIN -j ACCEPT
-	    run_iptables -A newnotsyn -i $interface $(match_source_hosts $network) -j RETURN
+	    run_iptables -A newnotsyn -i $interface $(match_source_hosts ${host#*:}) -j RETURN
 	done
 	run_user_exit newnotsyn
@ -5028,6 +5125,8 @@ add_common_rules() {
    #
    # ARP Filtering
    #
    save_progress_message "Restoring ARP filtering..."
    for f in /proc/sys/net/ipv4/conf/*/arp_filter; do
 	run_and_save_command "echo 0 > $f"
    done
@ -5055,6 +5154,8 @@ add_common_rules() {
    if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
 	echo "Setting up Kernel Route Filtering..."
 	save_progress_message "Restoring Route Filtering..."
 	for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
 	    run_and_save_command "echo 0 > $f"
 	done
@ -5419,7 +5520,10 @@ define_firewall() # $1 = Command (Start or Restart)
    [ -d /var/lib/shorewall ] || mkdir -p /var/lib/shorewall
    echo '#bin/sh' > /var/lib/shorewall/restore-$$
-    echo ". /usr/share/shorewall/functions" >> /var/lib/shorewall/restore-$$
+    save_command "#"
    save_command "# Restore base file generated by Shorewall $version - $(date)"
    save_command "#"
    save_command ". /usr/share/shorewall/functions"
    save_command "MODULESDIR=\"$MODULESDIR\""
    save_command "MODULE_SUFFIX=\"$MODULE_SUFFIX\""
@ -5476,9 +5580,11 @@ define_firewall() # $1 = Command (Start or Restart)
    save_command "date > $STATEDIR/restarted"
-    save_command 'iptables-restore << EOF'
+    save_progress_message "Restoring Netfilter Configuration..."
-    # 'shorewall save' appends the iptables-save output and 'EOF'
+    save_command 'iptables-restore << __EOF__'
    # 'shorewall save' appends the iptables-save output and '__EOF__'
    mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore-base
@ -5948,10 +6054,10 @@ do_initialize() {
    ensure_config_path
    #
    # Determine the capabilities of the installed iptables/netfilter
-    # We load the kernel modules so that capabilities can be 
+    # We load the kernel modules here to acurately determine 
-    # accurately detected when kernel module autoloading is not
+    # capabilities when module autoloading isn't enabled.
    # enabled.
    #
    [ -n "$MODULE_SUFFIX" ] || MODULE_SUFFIX="o gz ko o.gz ko.gz"
    load_kernel_modules
    determine_capabilities
--- a/Lrp2/usr/share/shorewall/functions
+++ b/Lrp2/usr/share/shorewall/functions
@ -33,6 +33,14 @@ list_count() {
    list_count1 $(separate_list $1)
 }
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    [ -n "$QUIET" ] || echo "$@"
 }
 #
 # Suppress all output for a command
 #
--- a/Lrp2/usr/share/shorewall/help
+++ b/Lrp2/usr/share/shorewall/help
@ -117,9 +117,9 @@ drop)
 	;;
 forget)
-	echo "forget: forget
+	echo "forget: forget [ <file name> ]
-    Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
+    Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
-    files are created by the 'shorewall save' command
+    the file specified by RESTOREFILE in shorewall.conf is removed.
    See also \"help save\""
 	;;
@ -194,18 +194,22 @@ restart)
 	;;
 restore)
-	echo "restore: restore
+	echo "restore: restore [ <file name> ]
-    Restore Shorewall to its last state saved using the 'save' command
+    Restore Shorewall to a state saved using the 'save' command
-    Existing connections are maintained.
+    Existing connections are maintained. The <file name> names a restore file in 
    /var/lib/shorewall created using "shorewall save"; if no <file name> is given 
    then Shorewall will be restored from the file specified by the RESTOREFILE
    option in shorewall.conf.
    See also \"help save\" and \"help forget\""
 	;;
 save)
-	echo "save: save
+	echo "save: save [ <file name> ]
    The dynamic data is stored in /var/lib/shorewall/save. The state of the 
-    firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
+    firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
-    and 'shorewall -f start' commands.
+    and 'shorewall -f start' commands. If <file name> is not given then the state is saved
    in the file specified by the RESTOREFILE option in shorewall.conf.
    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
@ -240,8 +244,9 @@ start)
    Start shorewall.  Existing connections through shorewall managed
    interfaces are untouched.  New connections will be allowed only
    if they are allowed by the firewall rules or policies.
-    If \"-q\" is specified, less detain is displayed making it easier to spot warnings
+    If \"-q\" is specified, less detail is displayed making it easier to spot warnings
-    If \"-f\" is specified, the last saved configuraton if any will be restored"
+    If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
    in shorewall.conf will be restored if that saved configuration exists"
 	;;
 stop)
--- a/Lrp2/usr/share/shorewall/version
+++ b/Lrp2/usr/share/shorewall/version
@ -1 +1 @@
-2.0.2f
+2.0.3-Beta1