Merge branch '5.0.7'

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -8172,6 +8172,15 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
+fi
+EOF
+	}
     } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8192,6 +8201,15 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING    
+fi
+EOF
+	}
     }
 
     pop_indent;
@@ -8627,12 +8645,12 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {

Shorewall/Perl/Shorewall/Config.pm

@@ -885,6 +885,7 @@ sub initialize( $;$$) {
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
+	  MINIUPNPD => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1477,9 +1478,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc shift;
+    my $val = lc $_[0];
 
-    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val =~ s/^0+/0/;
     $val;
 }
 
@@ -5942,7 +5943,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
-    default_yes_no 'DOCKER'                      , '';
+    default_yes_no 'DOCKER'                     , '';
 
     if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
@@ -6002,8 +6003,9 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
     default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
     default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
+    default_yes_no 'MINIUPNPD'                  , 'No';
 
-    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 
+    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
     require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -1095,10 +1095,18 @@ sub add_common_rules ( $ ) {
 
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
+	    my $chainref1;
+
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
 	    $announced = 1;
 
 	    for $interface ( @$list ) {
-		add_ijump_extended $nat_table->{PREROUTING} , j => 'UPnP', get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{PREROUTING} ,  j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -173,7 +173,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
+	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -457,7 +459,9 @@ sub do_one_nat( $$$$$ )
 
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
+	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -559,7 +563,9 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;
 
-		    unless ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};

Shorewall/Perl/Shorewall/Rules.pm

@@ -1798,6 +1798,7 @@ sub process_action(\$\$$) {
     my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
     my $type = $targets{$action};
     my $actionref = $actions{$action};
+    my $matches   = fetch_inline_matches;
 
     if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1910,14 +1911,15 @@ sub process_action(\$\$$) {
 				      $dscp ,
 				      $state,
 				      $time );
+		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
+	    my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );
 
 	    if ( $file_format == 1 ) {
 		fatal_error( "FORMAT-1 actions are no longer supported" );
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
+		($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line2( 'action file',
 				   \%rulecolumns,
 				   $action_commands,
@@ -1941,26 +1943,32 @@ sub process_action(\$\$$) {
 		next;
 	    }
 
-	    process_rule( $chainref,
+	    for my $proto ( split_list( $protos, 'Protocol' ) ) {
-			  '',
+		for my $user ( split_list( $users, 'User/Group' ) ) {
-			  '',
+		    process_rule( $chainref,
-			  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
+				  '',
-			  '',
+				  '',
-			  $source,
+				  $nolog ? $target : merge_levels( join(':', @actparams{'chain','loglevel','logtag'}), $target ),
-			  $dest,
+				  '',
-			  $proto,
+				  $source,
-			  $ports,
+				  $dest,
-			  $sports,
+				  $proto,
-			  $origdest,
+				  $ports,
-			  $rate,
+				  $sports,
-			  $user,
+				  $origdest,
-			  $mark,
+				  $rate,
-			  $connlimit,
+				  $user,
-			  $time,
+				  $mark,
-			  $headers,
+				  $connlimit,
-			  $condition,
+				  $time,
-			  $helper,
+				  $headers,
-			  0 );
+				  $condition,
+				  $helper,
+				  0 );
+
+		    set_inline_matches( $matches );
+		}
+	    }
 	}
     }
 
@@ -2198,7 +2206,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
     my $generated = 0;
 
 
-    my $macrofile = $macros{$macro};
+    my $macrofile    = $macros{$macro};
+    my $save_matches = fetch_inline_matches;
 
     progress_message "..Expanding Macro $macrofile...";
 
@@ -2208,7 +2217,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 
     while ( read_a_line( NORMAL_READ ) ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
+	my ( $mtarget, $msource, $mdest, $mprotos, $mports, $msports, $morigdest, $mrate, $musers, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
 
 	if ( $file_format == 1 ) {
 	    fatal_error( "FORMAT-1 macros are no longer supported" );
@@ -2216,12 +2225,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2282,28 +2291,33 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}
 
-	$generated |= process_rule(
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
-				   $chainref,
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
-	                           $matches,
+		$generated |= process_rule( $chainref,
-	                           $matches1,
+					    $matches,
-				   $mtarget,
+					    $matches1,
-				   $param,
+					    $mtarget,
-				   $msource,
+					    $param,
-				   $mdest,
+					    $msource,
-				   merge_macro_column( $mproto,     $proto ) ,
+					    $mdest,
-				   merge_macro_column( $mports,     $ports ) ,
+					    merge_macro_column( $mp,         $proto ) ,
-				   merge_macro_column( $msports,    $sports ) ,
+					    merge_macro_column( $mports,     $ports ) ,
-				   merge_macro_column( $morigdest,  $origdest ) ,
+					    merge_macro_column( $msports,    $sports ) ,
-				   merge_macro_column( $mrate,      $rate ) ,
+					    merge_macro_column( $morigdest,  $origdest ) ,
-				   merge_macro_column( $muser,      $user ) ,
+					    merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $mmark,      $mark ) ,
+					    merge_macro_column( $mu,         $user ) ,
-				   merge_macro_column( $mconnlimit, $connlimit) ,
+					    merge_macro_column( $mmark,      $mark ) ,
-				   merge_macro_column( $mtime,      $time ),
+					    merge_macro_column( $mconnlimit, $connlimit) ,
-				   merge_macro_column( $mheaders,   $headers ),
+					    merge_macro_column( $mtime,      $time ),
-				   merge_macro_column( $mcondition, $condition ),
+					    merge_macro_column( $mheaders,   $headers ),
-				   merge_macro_column( $mhelper,    $helper ),
+					    merge_macro_column( $mcondition, $condition ),
-				   $wildcard
+					    merge_macro_column( $mhelper,    $helper ),
-				  );
+					    $wildcard
+		                          );
+
+		set_inline_matches( $save_matches );
+	    }
+	}
 
 	progress_message "   Rule \"$currentline\" $done";
     }
@@ -2333,10 +2347,11 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 					 $chainref->{name} ,
 				       );
 
-    my $actionref  = $actions{$inline};
+    my $actionref    = $actions{$inline};
-    my $inlinefile = $actionref->{file};
+    my $inlinefile   = $actionref->{file};
-    my $options    = $actionref->{options};
+    my $options      = $actionref->{options};
-    my $nolog      = $options & NOLOG_OPT;
+    my $nolog        = $options & NOLOG_OPT;
+    my $save_matches = fetch_inline_matches;
 
     setup_audit_action( $inline ) if $options & AUDIT_OPT;
 
@@ -2350,12 +2365,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	my  ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2420,28 +2435,33 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}
 
-	$generated |= process_rule(
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
-				   $chainref,
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
-	                           $matches,
+		$generated |= process_rule( $chainref,
-	                           $matches1,
+					    $matches,
-				   $mtarget,
+					    $matches1,
-				   $param,
+					    $mtarget,
-				   $msource,
+					    $param,
-				   $mdest,
+					    $msource,
-				   merge_macro_column( $mproto,     $proto ) ,
+					    $mdest,
-				   merge_macro_column( $mports,     $ports ) ,
+					    merge_macro_column( $mp,          $proto ) ,
-				   merge_macro_column( $msports,    $sports ) ,
+					    merge_macro_column( $mports,     $ports ) ,
-				   merge_macro_column( $morigdest,  $origdest ) ,
+					    merge_macro_column( $msports,    $sports ) ,
-				   merge_macro_column( $mrate,      $rate ) ,
+					    merge_macro_column( $morigdest,  $origdest ) ,
-				   merge_macro_column( $muser,      $user ) ,
+					    merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $mmark,      $mark ) ,
+					    merge_macro_column( $mu,         $user ) ,
-				   merge_macro_column( $mconnlimit, $connlimit) ,
+					    merge_macro_column( $mmark,      $mark ) ,
-				   merge_macro_column( $mtime,      $time ),
+					    merge_macro_column( $mconnlimit, $connlimit) ,
-				   merge_macro_column( $mheaders,   $headers ),
+					    merge_macro_column( $mtime,      $time ),
-				   merge_macro_column( $mcondition, $condition ),
+					    merge_macro_column( $mheaders,   $headers ),
-				   merge_macro_column( $mhelper,    $helper ),
+					    merge_macro_column( $mcondition, $condition ),
-				   $wildcard
+					    merge_macro_column( $mhelper,    $helper ),
-				  );
+					    $wildcard
+		                          );
+
+		set_inline_matches( $save_matches );
+	    }
+	}
 
 	progress_message "   Rule \"$currentline\" $done";
     }
@@ -3021,8 +3041,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
 	my $generated = process_inline( $basictarget,
 					$chainref,
-					$prerule . $rule . $raw_matches,
+					$prerule . $rule,
-					$matches1,
+					$matches1 . $raw_matches,
 					$loglevel,
 					$target,
 					$param,
@@ -3662,10 +3682,6 @@ sub process_raw_rule ( ) {
 					   $wild ) ) {
 			    $generated = 1;
 			}
-			#
-			# Clear inline matches
-			#
-			set_inline_matches( '' );
 		    }
 		}
 	    }
@@ -3787,6 +3803,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 					 $chainref->{name} );
 
     my $inlinefile = $actions{$inline}{file};
+    my $matches    = fetch_inline_matches;
 
     progress_message "..Expanding inline action $inlinefile...";
 
@@ -3881,6 +3898,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $matches );
     }
 
     pop_comment( $save_comment );
@@ -4169,7 +4188,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub () {
-		fatal_error 'DIVERT is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
+		fatal_error 'DIVERT is only allowed in the PREROUTING chain' if $designator && 
+		    $designator != PREROUTING &&
+		    $designator != REALPREROUTING;
 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 
 		unless ( $divertref ) {

Shorewall/Samples/Universal/shorewall.conf

@@ -192,6 +192,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/Samples/one-interface/shorewall.conf

@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -200,6 +200,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes
 
 MAPOLDACTIONS=No
 
+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No
 
 MODULE_SUFFIX="ko ko.xz"

Shorewall/configfiles/shorewall.conf

@@ -194,6 +194,8 @@ MAPOLDACTIONS=No
 
 MARK_IN_FORWARD_CHAIN=No
 
+MINIUPNPD=No
+
 MODULE_SUFFIX=ko
 
 MULTICAST=No

Shorewall/manpages/shorewall-mangle.xml

@@ -390,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall/manpages/shorewall-rules.xml

@@ -1441,7 +1441,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall/manpages/shorewall.conf.xml

@@ -998,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 
@@ -1548,6 +1548,18 @@ LOG:info:,bar                        net                    fw</programlisting>
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1636,7 +1648,7 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
         role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
 
         <listitem>
@@ -1647,6 +1659,10 @@ LOG:info:,bar                        net                    fw</programlisting>
           where <emphasis role="bold">uname</emphasis> holds the output of
           '<command>uname -r</command>' and <emphasis
           role="bold">g_family</emphasis> holds '4'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-mangle.xml

@@ -401,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                 <para>Allows you to place your own ip[6]tables matches at the
                 end of the line following a semicolon (";"). If an
                 <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                 specified in this column. If no action is specified, then you
                 may include your own jump ("-j
                 <replaceable>target</replaceable>

Shorewall6/manpages/shorewall6-rules.xml

@@ -1306,7 +1306,7 @@
           <para>When <option>s:</option> or <option>d:</option> is specified,
           the rate applies per source IP address or per destination IP address
           respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
           connections. If not given, the name <emphasis
           role="bold">shorewallN</emphasis> (where N is a unique integer) is
           assumed. Where more than one rule or POLICY specifies the same name,

Shorewall6/manpages/shorewall6.conf.xml

@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           iptables text in a rule. You may simply preface that text with a
           pair of semicolons (";;"). If alternate input is also specified in
           the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
         </listitem>
       </varlistentry>
 
@@ -1436,7 +1436,7 @@ LOG:info:,bar                        net                    fw</programlisting>
 
       <varlistentry>
         <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
         role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
 
         <listitem>
@@ -1447,6 +1447,10 @@ LOG:info:,bar                        net                    fw</programlisting>
           where <emphasis role="bold">uname</emphasis> holds the output of
           '<command>uname -r</command>' and <emphasis
           role="bold">g_family</emphasis> holds '6'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
         </listitem>
       </varlistentry>
 

docs/configuration_file_basics.xml

@@ -175,20 +175,23 @@
 
         <listitem>
           <para><filename>/etc/shorewall/init</filename> - commands that you
-          wish to execute at the beginning of a <quote>shorewall start</quote>
+          wish to execute at the beginning of a <quote>shorewall
-          or <quote>shorewall restart</quote>.</para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote>.</para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/start</filename> - commands that you
           wish to execute near the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
         </listitem>
 
         <listitem>
           <para><filename>/etc/shorewall/started</filename> - commands that
           you wish to execute after the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
         </listitem>
 
         <listitem>
@@ -1779,6 +1782,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
         <para><ulink url="Macros.html">Macro</ulink> files</para>
       </listitem>
 
+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
       <listitem>
         <para><ulink
         url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -2011,7 +2018,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
     <para>In this simple form, the expression is evaluated by the compiler
     without having to invoke the (expensive) Perl exec() function. The
     'passed' function may also be used in more complex expressions, but exec()
-    will be invoked to evaluate those expressions. </para>
+    will be invoked to evaluate those expressions.</para>
   </section>
 
   <section id="Conditional">
@@ -2570,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities:
     "!tcp").</para>
   </section>
 
+  <section id="Ranges">
+    <title>Port Ranges</title>
+
+    <para>If you need to specify a range of ports, the proper syntax is
+    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
+    to forward the range of tcp ports 4000 through 4100 to local host
+    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
+
+    <para>If you omit the low port number, a value of zero is assumed; if you
+    omit the high port number, a value of 65535 is assumed.</para>
+
+    <para>Also, unless otherwise documented, a port range can be preceded by
+    '!' to specify "All ports except those in this range" (e.g.,
+    "!4000:4100").</para>
+  </section>
+
+  <section id="Portlists">
+    <title>Port Lists</title>
+
+    <para>In most cases where a port or port range may appear, a
+    comma-separated list of ports or port ranges may also be entered.
+    Shorewall requires the Netfilter <emphasis
+    role="bold">multiport</emphasis> match capability if ports lists are used
+    (see the output of "<emphasis role="bold">shorewall show
+    capabilities</emphasis>").</para>
+
+    <para>Also, unless otherwise documented, a port list can be preceded by
+    '!' to specify "All ports except these" (e.g., "!80,443").</para>
+
+    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
+  </section>
+
   <section id="ICMP">
     <title>ICMP and ICMP6 Types and Codes</title>
 
@@ -2646,44 +2691,6 @@ redirect                      =&gt; 137</programlisting>
     Shorewall 4.4.19.</para>
   </section>
 
-  <section id="Ranges">
-    <title>Port Ranges</title>
-
-    <para>If you need to specify a range of ports, the proper syntax is
-    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
-    to forward the range of tcp ports 4000 through 4100 to local host
-    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
-
-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
-DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
-
-    <para>If you omit the low port number, a value of zero is assumed; if you
-    omit the high port number, a value of 65535 is assumed.</para>
-
-    <para>Also, unless otherwise documented, a port range can be preceded by
-    '!' to specify "All ports except those in this range" (e.g.,
-    "!4000:4100").</para>
-  </section>
-
-  <section id="Portlists">
-    <title>Port Lists</title>
-
-    <para>In most cases where a port or port range may appear, a
-    comma-separated list of ports or port ranges may also be entered.
-    Shorewall requires the Netfilter <emphasis
-    role="bold">multiport</emphasis> match capability if ports lists are used
-    (see the output of "<emphasis role="bold">shorewall show
-    capabilities</emphasis>").</para>
-
-    <para>Also, unless otherwise documented, a port list can be preceded by
-    '!' to specify "All ports except these" (e.g., "!80,443").</para>
-
-    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
-    (5) file may specify no more than 15 ports; port ranges appearing in a
-    list count as two ports each.</para>
-  </section>
-
   <section id="MAC">
     <title>Using MAC Addresses</title>
 
@@ -2736,9 +2743,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
 
     <simplelist>
-      <member>LOGRATE=10/minute</member>
+      <member>LOGLIMIT=10/minute:5</member>
-
-      <member>LOGBURST=5</member>
     </simplelist>
 
     <para>For each logging rule, the first time the rule is reached, the
@@ -2750,11 +2755,6 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     30 seconds, the burst will be fully recharged; back where we
     started.</para>
 
-    <note>
-      <para>The LOGRATE and LOGBURST options are deprecated in favor of
-      LOGLIMIT.</para>
-    </note>
-
     <para>Shorewall also supports per-IP rate limiting.</para>
 
     <para>Another example from <ulink
@@ -2788,8 +2788,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     <firstterm>Condition Match Support</firstterm> and you must be running
     Shorewall 4.4.24 or later. See the output of <command>shorewall show
     capabilities</command> and <command>shorewall version</command> to
-    determine if you can use this feature. As of this writing, Condition Match
+    determine if you can use this feature.</para>
-    Support requires that you install xtables-addons.</para>
 
     <para>The SWITCH column contains the name of a
     <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
@@ -2953,8 +2952,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
         <para>If <emphasis role="bold">detect</emphasis> is specified in the
         ADDRESS column of an entry in <ulink
         url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
-        firewall still start if the optional interface in the INTERFACE column
+        firewall still startS if the optional interface in the INTERFACE
-        does not have an IP address.</para>
+        column does not have an IP address.</para>
       </listitem>
     </itemizedlist>
 
@@ -2972,7 +2971,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
 
     <para>Shorewall allows you to have configuration directories other than
     <filename class="directory">/etc/shorewall</filename>. The shorewall
-    check, start and restart commands allow you to specify an alternate
+    <command>check</command>, <command>start</command> and
+    <command>restart</command> commands allow you to specify an alternate
     configuration directory and Shorewall will use the files in the alternate
     directory rather than the corresponding files in /etc/shorewall. The
     alternate directory need not contain a complete configuration; those files

docs/three-interface.xml

@@ -854,22 +854,16 @@ DNAT      net       dmz:10.10.11.2:80   tcp        5000</programlisting></para>
             with:<programlisting>#ACTION   SOURCE    DEST            PROTO  DPORT         SPORT    ORIGDEST
 DNAT      loc       dmz:10.10.11.2  tcp    80            -        <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
             you have a dynamic IP then you must ensure that your external
-            interface is up before starting Shorewall and you must take steps
+            interface is up before starting Shorewall and you must code the
-            as follows (assume that your external interface is <filename
+            rule as follows (assume that your external interface is <filename
-            class="devicefile">eth0</filename>):<orderedlist>
+            class="devicefile">eth0</filename>):</para>
-                <listitem>
-                  <para>Include the following in /etc/shorewall/params:</para>
 
-                  <para><command>ETH0_IP=$(find_interface_address
+            <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
-                  eth0)</command></para>
+DNAT      loc       dmz:10.10.11.2   tcp     80            -        &amp;eth0</programlisting>
-                </listitem>
 
-                <listitem>
+            <para>'&amp;eth0' expands to the IP address of eth0 (see <ulink
-                  <para>Make your <literal>loc-&gt;dmz</literal> rule:
+            url="configuration_file_basics.htm#AddressVariables">this
-                  <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
+            article</ulink>).</para>
-DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</programlisting></para>
-                </listitem>
-              </orderedlist></para>
           </listitem>
 
           <listitem>