Merge branch '5.2.3'

Shorewall/Perl/Shorewall/Config.pm

@@ -5441,6 +5441,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );

Shorewall/Perl/Shorewall/Rules.pm

@@ -721,7 +721,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -1604,8 +1610,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
-    my @subparts = split /:/, $subordinate;
+    my @supparts = split_list2( $superior ,    'Action' );
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 

Shorewall/manpages/shorewall-rules.xml

@@ -674,15 +674,15 @@
                 the keyword <emphasis role="bold">bypass</emphasis> can be
                 given. By default, if no userspace program is listening on an
                 NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                When this option is used, the NFQUEUE rule behaves like ACCEPT
+                instead. Also beginning in Shorewall 4.6.10, a second queue
+                number (<replaceable>queuenumber2</replaceable>) may be
+                specified. This specifies a range of queues to use. Packets
+                are then balanced across the given queues. This is useful for
+                multicore systems: start multiple instances of the userspace
+                program on queues x, x+1, .. x+n and use "x:x+n". Packets
+                belonging to the same connection are put into the same
+                nfqueue.</para>
 
                 <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
                 followed by the letter 'c' to indicate that the CPU ID will be

docs/FTP.xml

@@ -431,7 +431,7 @@ CT:helper:ftp           loc             -               tcp     21</programlisti
     <para><filename>/etc/shorewall/rules:</filename></para>
 
     <programlisting>#ACTION         SOURCE         DEST                 PROTO     DPORT
-DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
+DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }</programlisting>
 
     <para>That entry will accept ftp connections on port 12345 from the net
     and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>