From 0c8365001d68a5fce381fb6db3f8e64bf4ba9055 Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Fri, 28 Mar 2014 08:55:00 -0700 
Subject: [PATCH 1/7] Avoid spurious comments on jumps to section chains. 
Signed-off-by: Tom Eastep 
---
 Shorewall/Perl/Shorewall/Rules.pm | 2 ++
 1 file changed, 2 insertions(+) 
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm 
index 2e3bb54cd..8e3965aa2 100644 
--- a/Shorewall/Perl/Shorewall/Rules.pm 
+++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -2497,10 +2497,12 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 my $auxref = $filter_table->{$auxchain};
 unless ( $auxref ) { 
+ my $save_comment = push_comment;
 $auxref = new_chain 'filter', $auxchain;
 $auxref->{blacklistsection} = 1 if $blacklist;
 add_ijump( $chainref, j => $auxref, state_imatch( $section_states{$section} ) ); 
+ pop_comment( $save_comment );
 }
 $chain = $auxchain; 
From 72869adcd678a76f032b27302b9f0c17e58c8ccf Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Fri, 28 Mar 2014 08:55:23 -0700 
Subject: [PATCH 2/7] Correct missing comment in trace entry. 
Signed-off-by: Tom Eastep 
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm 
index c932f7cde..23d4714a4 100644 
--- a/Shorewall/Perl/Shorewall/Chains.pm 
+++ b/Shorewall/Perl/Shorewall/Chains.pm 
@@ -1217,7 +1217,7 @@ sub push_rule( $$ ) {
 push @{$chainref->{rules}}, $ruleref;
 $chainref->{referenced} = 1;
 $chainref->{optflags} |= RETURNS_DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN'; 
- trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug; 
+ trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] $ruleref->{comment}" ) if $debug;
 $chainref->{complete} = 1 if $complete; 
From 58700b23012fa70c6c5487c8f357ced524003d96 Mon Sep 17 00:00:00 2001 
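Review bot: The push_comment/pop_comment pair wrapped around the creation of the section chain carries no comment saying why the current rule's comment must be suppressed there, so a later reader may well remove one of the two calls as dead code. A one-line comment above `my $save_comment = push_comment;`, such as `# The jump to the section chain is shared, not specific to this rule; do not attach the rule's comment to it.`, records the intent that only the subject line currently gives. process_rule starts and ends outside the hunk.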
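Review bot: The new trace string interpolates `$ruleref->{comment}` directly, so if a rule can carry an undefined comment this emits an "uninitialized value" warning whenever `$debug` is on, plus a trailing space in the trace line. The context line just above already guards `$ruleref->{target}` with `|| ''`; the same idiom keeps the trace consistent: `trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1] " . ( $ruleref->{comment} || '' ) ) if $debug;`. Whether comment is ever undef is not visible in the hunk and should be confirmed against the callers. push_rule starts and ends outside the hunk.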
From: Tom Eastep 
Date: Mon, 31 Mar 2014 07:28:30 -0700 
Subject: [PATCH 3/7] Correct the behavior of rpfilter when FASTACCEPT=Yes 
Signed-off-by: Tom Eastep 
---
 Shorewall/Perl/Shorewall/Misc.pm | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-) 
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm 
index 21ed51f2d..c1cdca468 100644 
--- a/Shorewall/Perl/Shorewall/Misc.pm 
+++ b/Shorewall/Perl/Shorewall/Misc.pm 
@@ -843,26 +843,28 @@ sub add_common_rules ( $ ) {
 my $interfaceref = find_interface $interface; 
- unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} || $interfaceref->{physical} eq 'lo' ) { 
+ unless ( $interfaceref->{physical} eq 'lo' ) { 
+ unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) { 
- my @filters = @{$interfaceref->{filter}}; 
+ my @filters = @{$interfaceref->{filter}}; 
- $chainref = $filter_table->{forward_option_chain $interface}; 
+ $chainref = $filter_table->{forward_option_chain $interface}; 
- if ( @filters ) { 
- add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; 
- } elsif ( $interfaceref->{bridge} eq $interface ) { 
- add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++ 
- unless( $config{ROUTE_FILTER} eq 'on' || 
- $interfaceref->{options}{routeback} || 
- $interfaceref->{options}{routefilter} || 
- $interfaceref->{physical} eq '+' ); 
- } 
+ if ( @filters ) { 
+ add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; 
+ } elsif ( $interfaceref->{bridge} eq $interface ) { 
+ add_ijump( $chainref , @ipsec ? 
'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++ 
+ unless( $config{ROUTE_FILTER} eq 'on' || 
+ $interfaceref->{options}{routeback} || 
+ $interfaceref->{options}{routefilter} || 
+ $interfaceref->{physical} eq '+' ); 
+ } 
- if ( @filters ) { 
- $chainref = $filter_table->{input_option_chain $interface}; 
- add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; 
+ if ( @filters ) { 
+ $chainref = $filter_table->{input_option_chain $interface}; 
+ add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; 
+ }
 }
 for ( option_chains( $interface ) ) { 
From 670c33d20b792b04094eba55ffd824935b3ed288 Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Thu, 1 May 2014 11:43:00 -0700 
Subject: [PATCH 4/7] Update install files to secure the .service files as 644 rather than 600. 
Signed-off-by: Tom Eastep 
---
 Shorewall-init/install.sh | 2 +-
 Shorewall-lite/install.sh | 2 +-
 Shorewall/install.sh | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh 
index a39a3e7f5..bf914673b 100755 
--- a/Shorewall-init/install.sh 
+++ b/Shorewall-init/install.sh 
@@ -318,7 +318,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
 mkdir -p ${DESTDIR}${SYSTEMD}
 [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service 
- run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service 
+ run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
 [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
 echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 if [ -n "$DESTDIR" ]; then 
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh 
index 128a25f01..798ff20d9 100755 
--- a/Shorewall-lite/install.sh 
+++ b/Shorewall-lite/install.sh 
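Review bot: The added `unless ( $interfaceref->{physical} eq 'lo' ) {` block is closed only once inside the hunk (the context `}` following the added `+ }` closes the inner `unless`), so the `for ( option_chains( $interface ) ) {` loop in the trailing context is now nested inside the lo check and runs only for non-lo interfaces, whereas before the change it followed a fully closed `unless`. If that loop's jumps are meant for every interface, a `}` belongs immediately before `for ( option_chains( $interface ) ) {` and the brace that currently closes the block after the loop has to go; PATCH 7/7 in this same series makes exactly that correction, which suggests the scope change here was not intended. The rest of add_common_rules, including the loop body and the outer closing braces, lies outside the hunk.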
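Review bot: The mode change on the `run_install` line is repeated verbatim in Shorewall-lite/install.sh and Shorewall/install.sh with nothing in any of the three scripts saying why 600 was wrong, and the subject's "secure ... as 644" reads backwards since 644 is the more permissive mode. A comment above the line, `# The unit file holds no secrets and must be world-readable (e.g. for systemctl cat by unprivileged users); install 644, not 600.`, would document the decision in all three places. The loosening is only appropriate while the shipped .service file embeds nothing sensitive; if credentials are ever added to it (for instance through an Environment= line), they belong in a separately installed EnvironmentFile kept at 600 instead.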
@@ -383,7 +383,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
 mkdir -p ${DESTDIR}${SYSTEMD}
 [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service 
- run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service 
+ run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
 [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
 echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi 
diff --git a/Shorewall/install.sh b/Shorewall/install.sh 
index bf12507c8..1021a8c59 100755 
--- a/Shorewall/install.sh 
+++ b/Shorewall/install.sh 
@@ -420,7 +420,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
 mkdir -p ${DESTDIR}${SYSTEMD}
 [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service 
- run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service 
+ run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
 [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
 echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi 
From 954cddc37a4f5de17dc27c8191db2097267e029d Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Sun, 25 May 2014 08:57:01 -0700 
Subject: [PATCH 5/7] Enable 1:1 NAT in IPv6 
Signed-off-by: Tom Eastep 
---
 Shorewall/Perl/Shorewall/Compiler.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm 
index a6ff12195..996b2f6b6 100644 
--- a/Shorewall/Perl/Shorewall/Compiler.pm 
+++ b/Shorewall/Perl/Shorewall/Compiler.pm 
@@ -816,7 +816,7 @@ sub compiler {
 #
 # Setup Nat
 # 
- setup_nat if $family == F_IPV4; 
+ setup_nat;
 #
 # Setup NETMAP
 # 
From 4e3394884463b7e194d116ff6ab86b2b7d26ff3e Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Sun, 25 May 2014 12:57:15 -0700 
Subject: [PATCH 6/7] Make 'show filters' work with Simple TC 
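Review bot: Dropping the `if $family == F_IPV4` guard makes `setup_nat` run for IPv6 unconditionally, but nothing in the hunk shows that setup_nat itself (defined outside it) validates IPv6 addresses or checks that a nat table is available to ip6tables on the target kernel, so the enablement should be confirmed against that function rather than assumed from the subject line. The surrounding comment block still reads `# Setup Nat`; changing it to `# Setup Nat (IPv4 and IPv6)` records that the family restriction was removed on purpose. compiler() starts and ends outside the hunk.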
Signed-off-by: Tom Eastep 
Conflicts:
 Shorewall-core/lib.cli 
---
 Shorewall-core/lib.cli | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-) 
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli 
index e696a1737..f9af11edb 100644 
--- a/Shorewall-core/lib.cli 
+++ b/Shorewall-core/lib.cli 
@@ -252,7 +252,15 @@ show_classifiers() {
 if [ -n "$qdisc" ]; then
 echo Device $device: 
- tc -s filter ls dev $device 
+ qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$' 
+ tc filter show dev $device 
+ tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do 
+ if [ -n "$class" ]; then 
+ echo 
+ echo Node $class 
+ tc filter show dev $device parent $class 
+ fi 
+ done
 echo
 fi
 } 
From 8657dd97f7dfcccff1c17c452f13140cf737bbca Mon Sep 17 00:00:00 2001 
From: Tom Eastep 
Date: Fri, 6 Jun 2014 10:04:42 -0700 
Subject: [PATCH 7/7] Apply pi-rho's patch for rpfilter. 
Signed-off-by: Tom Eastep 
---
 Shorewall/Perl/Shorewall/Misc.pm | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm 
index c1cdca468..546318dc8 100644 
--- a/Shorewall/Perl/Shorewall/Misc.pm 
+++ b/Shorewall/Perl/Shorewall/Misc.pm 
@@ -867,10 +867,10 @@ sub add_common_rules ( $ ) {
 }
 } 
- for ( option_chains( $interface ) ) { 
- add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref; 
- add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; 
- } 
+ } 
+ for ( option_chains( $interface ) ) { 
+ add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref; 
+ add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 }
 }
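Review bot: The new `while read class` loop and the added tc invocations leave `$device` and `$class` unquoted and use `read` without `-r`, which matches the surrounding script but makes the loop depend on the shell's word splitting of tc output; `tc class show dev "$device" | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read -r class; do` is the safer form, and `grep -F` is the non-obsolescent spelling of `fgrep` in current grep releases. The first added line also runs `tc -s filter ls root dev $device` twice, once under `qt` as a probe and again for output (presumably `qt` only silences the command; its definition is not in the hunk), so capturing one run into a variable would avoid the double query. show_classifiers() opens before the hunk.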
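Review bot: The relocated `for ( option_chains( $interface ) ) {` loop now runs for every interface because the added `}` closes the enclosing block before it (presumably the `unless ( $interfaceref->{physical} eq 'lo' )` block that PATCH 3/7 introduced at the same spot in Misc.pm), yet nothing in the hunk records that this scope is deliberate, so the same brace slip can recur on the next edit. A comment above the loop, `# These jumps apply to every interface, including lo; keep this loop outside the rpfilter/lo block above.`, would protect the fix, and the `->{comment} = ''` on the FASTACCEPT jump deserves a word on why that rule's comment is blanked. add_common_rules starts and ends outside the hunk.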