Correct setup of $usedactions{A_REJECT}

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code
2016-04-06 08:18:36 -07:00 · 2016-04-06 07:42:46 -07:00 · 2016-04-06 12:00:41 +03:00 · 2016-04-06 10:23:58 +03:00 · 2016-04-05 20:00:15 -07:00 · 2016-04-05 16:38:39 -07:00
75 changed files with 1024 additions and 1050 deletions
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -619,7 +619,7 @@ our %builtin_target = ( ACCEPT      => STANDARD + FILTER_TABLE + NAT_TABLE + MAN
 			RAWDNAT     => STANDARD                                           + RAW_TABLE,
 			RAWSNAT     => STANDARD                                           + RAW_TABLE,
 			REDIRECT    => STANDARD                + NAT_TABLE,
-			REJECT      => STANDARD + FILTER_TABLE,
+			REJECT      => STANDARD + FILTER_TABLE + OPTIONS,
 			RETURN      => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
 			SAME        => STANDARD,
 			SECMARK     => STANDARD                            + MANGLE_TABLE,
@@ -2030,7 +2030,7 @@ sub chain_base( $ ) {
 sub forward_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fwd';
 }

 #
@@ -2085,7 +2085,7 @@ sub use_forward_chain($$) {
 #
 sub input_option_chain($) {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_iop';
 }

 #
@@ -2093,7 +2093,7 @@ sub input_option_chain($) {
 #
 sub output_option_chain($) {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_oop';
 }

 #
@@ -2101,7 +2101,7 @@ sub output_option_chain($) {
 #
 sub forward_option_chain($) {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_fop';
 }

 #
@@ -2110,7 +2110,7 @@ sub forward_option_chain($) {
 sub input_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_in';
 }

 #
@@ -2173,7 +2173,7 @@ sub use_input_chain($$) {
 sub output_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_out';
 }

 #
@@ -2182,7 +2182,7 @@ sub output_chain($)
 sub prerouting_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_pre';
 }

 #
@@ -2191,7 +2191,7 @@ sub prerouting_chain($)
 sub postrouting_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_post';
 }

 #
@@ -2244,7 +2244,7 @@ sub use_output_chain($$) {
 sub masq_chain($)
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_masq';
 }

 #
@@ -2260,7 +2260,7 @@ sub syn_flood_chain ( $ ) {
 sub mac_chain( $ )
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_mac';
 }

 sub macrecent_target($)
@@ -2297,7 +2297,7 @@ sub load_chain( $ ) {
 sub snat_chain( $ )
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_snat';
 }

 #
@@ -2306,7 +2306,7 @@ sub snat_chain( $ )
 sub ecn_chain( $ )
 {
    my $interface = shift;
-    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
+    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : get_logical( $interface ) ) . '_ecn';
 }

 #
@@ -2915,8 +2915,6 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT!'       => STANDARD  + AUDIT,
 		    'A_DROP'          => STANDARD + AUDIT,
 		    'A_DROP!'         => STANDARD + AUDIT,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'NONAT'           => STANDARD + NONAT  + NATONLY,
 		    'CONNMARK'        => STANDARD + OPTIONS,
 		    'CONTINUE'        => STANDARD,
@@ -2987,8 +2985,6 @@ sub initialize_chain_table($) {
 		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD + OPTIONS,
 		    'REJECT!'         => STANDARD + OPTIONS,
-		    'A_REJECT'        => STANDARD + AUDIT,
-		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'DNAT'            => NATRULE  + OPTIONS,
 		    'DNAT-'           => NATRULE  + NATONLY,
 		    'REDIRECT'        => NATRULE  + REDIRECT + OPTIONS,
@@ -8172,6 +8168,15 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $tool -t nat -S MINIUPNPD-POSTROUTING | tail -n +2 > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING
+fi
+EOF
+	}
    } else {
 	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
@@ -8192,6 +8197,15 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+	if ( $config{MINIUPNPD} ) {
+	    emit << "EOF";
+if chain_exists 'MINIUPNPD-POSTROUTING -t nat'; then
+    $utility -t nat | grep '^-A MINIUPNPD-POSTROUTING' > \${VARDIR}/.MINIUPNPD-POSTROUTING
+else
+    rm -f \${VARDIR}/.MINIUPNPD-POSTROUTING    
+fi
+EOF
+	}
    }

    pop_indent;
@@ -8627,12 +8641,12 @@ sub preview_netfilter_load() {
 			print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
 			enter_cat_mode1;
 		    } else {		    
-			enter_cmd_mode1 unless $mode = CMD_MODE;
+			enter_cmd_mode1 unless $mode == CMD_MODE;
 			print( ":$name - [0:0]\n" );
 		    }
 		} else {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -885,6 +885,7 @@ sub initialize( $;$$) {
 	  RESTART => undef ,
 	  DOCKER => undef ,
 	  PAGER => undef ,
+	  MINIUPNPD => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1477,9 +1478,9 @@ sub hex_value( $ ) {
 # Strip off superfluous leading zeros from a hex number
 #
 sub normalize_hex( $ ) {
-    my $val = lc shift;
+    my $val = lc $_[0];

-    $val =~ s/^0// while $val =~ /^0/ && length $val > 1;
+    $val =~ s/^0+/0/;
    $val;
 }

@@ -3300,9 +3301,9 @@ sub push_action_params( $$$$$$ ) {
    $actparams{caller}      = $caller;
    $actparams{disposition} = '' if $chainref->{action};
    #
-    # The Shorewall variable '@chain' has the non-word charaters removed
+    # The Shorewall variable '@chain' has non-word characters other than hyphen removed
    #
-    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w]//g;
+    ( $actparams{chain} = $chainref->{name} ) =~ s/[^\w-]//g;

    \%oldparms;
 }
@@ -6002,6 +6003,7 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';
+    default_yes_no 'MINIUPNPD'                  , '';

    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -89,6 +89,7 @@ sub setup_ecn()
 {
    my %interfaces;
    my @hosts;
+    my $interfaceref;

    if ( my $fn = open_file 'ecn' ) {

@@ -105,7 +106,13 @@ sub setup_ecn()
 						    2 );

 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
-	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface( $interface );
+
+	    if ( $interfaceref->{root} ) {
+		$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	    } else {
+		$interface = $interfaceref->{name};
+	    }

 	    my $lineinfo = shortlineinfo( '' );

@@ -1095,10 +1102,18 @@ sub add_common_rules ( $ ) {

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

+	    my $chainref1;
+
+	    if ( $config{MINIUPNPD} ) {
+		$chainref1 = set_optflags( new_nat_chain( 'MINIUPNPD-POSTROUTING' ), DONT_OPTIMIZE ); 
+		add_commands( $chainref, '[ -s /${VARDIR}/.MINIUPNPD-POSTROUTING ] && cat ${VARDIR}/.MINIUPNPD-POSTROUTING >&3' );
+	    }
+
 	    $announced = 1;

 	    for $interface ( @$list ) {
 		add_ijump_extended $nat_table->{PREROUTING} ,  j => 'UPnP',                   get_interface_origin($interface), imatch_source_dev ( $interface );
+		add_ijump_extended $nat_table->{POSTROUTING} , j => 'MINIUPNPD-POSTROUTING' , $origin{MINIUPNPD}              , imatch_dest_dev   ( $interface ) if $chainref1;
 	    }
 	}

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -173,7 +173,9 @@ sub process_one_masq1( $$$$$$$$$$$ )

 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-	unless ( $interfaceref->{root} ) {
+	if ( $interfaceref->{root} ) {
+	    $interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+	} else {
 	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
@@ -457,7 +459,9 @@ sub do_one_nat( $$$$$ )

    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-    unless ( $interfaceref->{root} ) {
+    if ( $interfaceref->{root} ) {
+	$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+    } else {
 	$rulein  = match_source_dev $interface;
 	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
@@ -559,7 +563,9 @@ sub setup_netmap() {
 		    $net1 = validate_net $net1, 0;
 		    $net2 = validate_net $net2, 0;

-		    unless ( $interfaceref->{root} ) {
+		    if ( $interfaceref->{root} ) {
+			$interface = $interfaceref->{name} if $interface eq $interfaceref->{physical};
+		    } else {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -230,6 +230,7 @@ use constant { INLINE_OPT           => 1 ,
 	       NAT_OPT              => 128 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
+	       LOGJUMP_OPT          => 1024 ,
 };

 our %options = ( inline      => INLINE_OPT ,
@@ -242,7 +243,10 @@ our %options = ( inline      => INLINE_OPT ,
 		 nat         => NAT_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
+		 logjump     => LOGJUMP_OPT ,
    );
+
+our %reject_options;
 ################################################################################
 #   Declarations moved from the Tc module in 5.0.7                             #
 ################################################################################
@@ -353,8 +357,27 @@ sub initialize( $ ) {

    if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn allowinUPnP forwardUPnP Limit/;
+	%reject_options = ( 'icmp-net-unreachable'   => 1,
+			    'icmp-host-unreachable'  => 1,
+			    'icmp-port-unreachable'  => 1,
+			    'icmp-proto-unreachable' => 1,
+			    'icmp-net-prohibited'    => 1,
+			    'icmp-host-prohibited'   => 1,
+			    'icmp-admin-prohibited'  => 1,
+			    'icmp-tcp-reset'         => 2,
+	                  );
+			    
    } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn/;
+	%reject_options = ( 'icmp6-no-route'         => 1,
+			    'no-route'               => 1,
+			    'icmp6-adm-prohibited'   => 1,
+			    'adm-prohibited'         => 1,
+			    'icmp6-addr-unreachable' => 1,
+			    'addr-unreach'           => 1,
+			    'icmp6-port-unreachable' => 1,
+			    'tcp-reset'              => 2,
+	                  );
    }

    ############################################################################
@@ -1257,8 +1280,14 @@ sub normalize_action( $$$ ) {

    ( $level, my $tag ) = split ':', $level;

+    if ( $actions{$action}{options} & LOGJUMP_OPT ) {
+	$level = 'none';
+	$tag   = '';
+    } else {
 	$level = 'none' unless supplied $level;
 	$tag   = ''     unless defined $tag;
+    }
+
    $param = ''     unless defined $param;
    $param = ''     if $param eq '-';

@@ -1798,6 +1827,7 @@ sub process_action(\$\$$) {
    my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
    my $type = $targets{$action};
    my $actionref = $actions{$action};
+    my $matches   = fetch_inline_matches;

    if ( $type & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
@@ -1819,7 +1849,7 @@ sub process_action(\$\$$) {

    my $oldparms = push_action_params( $action, $chainref, $param, $level, $tag, $caller );
    my $options = $actionref->{options};
-    my $nolog = $options & NOLOG_OPT;
+    my $nolog = $options & ( NOLOG_OPT | LOGJUMP_OPT );

    setup_audit_action( $action ) if $options & AUDIT_OPT;

@@ -1910,14 +1940,15 @@ sub process_action(\$\$$) {
 				      $dscp ,
 				      $state,
 				      $time );
+		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
+	    my ($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper );

 	    if ( $file_format == 1 ) {
 		fatal_error( "FORMAT-1 actions are no longer supported" );
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
+		($target, $source, $dest, $protos, $ports, $sports, $origdest, $rate, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line2( 'action file',
 				   \%rulecolumns,
 				   $action_commands,
@@ -1941,6 +1972,8 @@ sub process_action(\$\$$) {
 		next;
 	    }

+	    for my $proto ( split_list( $protos, 'Protocol' ) ) {
+		for my $user ( split_list( $users, 'User/Group' ) ) {
 		    process_rule( $chainref,
 				  '',
 				  '',
@@ -1961,6 +1994,10 @@ sub process_action(\$\$$) {
 				  $condition,
 				  $helper,
 				  0 );
+
+		    set_inline_matches( $matches );
+		}
+	    }
 	}
    }

@@ -2055,7 +2092,7 @@ sub process_actions() {
 		$action =~ s/:.*$//;
 	    }

-	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;
+	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*!?$/;

 	    if ( $options ne '-' ) {
 		for ( split_list( $options, 'option' ) ) {
@@ -2199,6 +2236,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {


    my $macrofile    = $macros{$macro};
+    my $save_matches = fetch_inline_matches;

    progress_message "..Expanding Macro $macrofile...";

@@ -2208,7 +2246,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {

    while ( read_a_line( NORMAL_READ ) ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
+	my ( $mtarget, $msource, $mdest, $mprotos, $mports, $msports, $morigdest, $mrate, $musers, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);

 	if ( $file_format == 1 ) {
 	    fatal_error( "FORMAT-1 macros are no longer supported" );
@@ -2216,12 +2254,12 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2282,20 +2320,21 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}

-	$generated |= process_rule(
-				   $chainref,
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
+		$generated |= process_rule( $chainref,
 					    $matches,
 					    $matches1,
 					    $mtarget,
 					    $param,
 					    $msource,
 					    $mdest,
-				   merge_macro_column( $mproto,     $proto ) ,
+					    merge_macro_column( $mp,         $proto ) ,
 					    merge_macro_column( $mports,     $ports ) ,
 					    merge_macro_column( $msports,    $sports ) ,
 					    merge_macro_column( $morigdest,  $origdest ) ,
 					    merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $muser,      $user ) ,
+					    merge_macro_column( $mu,         $user ) ,
 					    merge_macro_column( $mmark,      $mark ) ,
 					    merge_macro_column( $mconnlimit, $connlimit) ,
 					    merge_macro_column( $mtime,      $time ),
@@ -2305,6 +2344,10 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
 					    $wildcard
 		                          );

+		set_inline_matches( $save_matches );
+	    }
+	}
+
 	progress_message "   Rule \"$currentline\" $done";
    }

@@ -2337,6 +2380,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
    my $inlinefile   = $actionref->{file};
    my $options      = $actionref->{options};
    my $nolog        = $options & NOLOG_OPT;
+    my $save_matches = fetch_inline_matches;

    setup_audit_action( $inline ) if $options & AUDIT_OPT;

@@ -2350,12 +2394,12 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	my  ( $mtarget,
 	      $msource,
 	      $mdest,
-	      $mproto,
+	      $mprotos,
 	      $mports,
 	      $msports,
 	      $morigdest,
 	      $mrate,
-	      $muser,
+	      $musers,
 	      $mmark,
 	      $mconnlimit,
 	      $mtime,
@@ -2420,20 +2464,21 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 	    $mdest = '';
 	}

-	$generated |= process_rule(
-				   $chainref,
+	for my $mp ( split_list( $mprotos, 'Protocol' ) ) {
+	    for my $mu ( split_list( $musers, 'User/Group' ) ) {
+		$generated |= process_rule( $chainref,
 					    $matches,
 					    $matches1,
 					    $mtarget,
 					    $param,
 					    $msource,
 					    $mdest,
-				   merge_macro_column( $mproto,     $proto ) ,
+					    merge_macro_column( $mp,          $proto ) ,
 					    merge_macro_column( $mports,     $ports ) ,
 					    merge_macro_column( $msports,    $sports ) ,
 					    merge_macro_column( $morigdest,  $origdest ) ,
 					    merge_macro_column( $mrate,      $rate ) ,
-				   merge_macro_column( $muser,      $user ) ,
+					    merge_macro_column( $mu,         $user ) ,
 					    merge_macro_column( $mmark,      $mark ) ,
 					    merge_macro_column( $mconnlimit, $connlimit) ,
 					    merge_macro_column( $mtime,      $time ),
@@ -2443,6 +2488,10 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
 					    $wildcard
 		                          );

+		set_inline_matches( $save_matches );
+	    }
+	}
+
 	progress_message "   Rule \"$currentline\" $done";
    }

@@ -2634,7 +2683,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    $loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
 	    $action   = 'LOG';
 	} elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
-	    fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
+	    fatal_error "'builtin' actions may only be used in INLINE or IP[6]TABLES rules" if $actiontype == USERBUILTIN;
 	    fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
 	}
    }
@@ -2708,7 +2757,22 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 		  }
 	      } ,

-	      REJECT => sub { $action = 'reject'; } ,
+	      REJECT => sub {
+		  if ( supplied( $param ) ) {
+		      my $option = $reject_options{$param};
+		      fatal_error "Invalid REJECT option ($param)" unless $option;
+		      if ( $option == 2 ) {
+			  #
+			  # tcp-reset
+			  #
+			  fatal_error "tcp-reset may only be used with PROTO tcp" unless ( resolve_proto( $proto ) || 0 ) == TCP;
+		      }
+
+		      $action = "REJECT --reject-with $param";
+		  } else {		      
+		      $action = 'reject';
+		  }
+	      },

 	      CONTINUE => sub { $action = 'RETURN'; } ,

@@ -3021,8 +3085,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	my $generated = process_inline( $basictarget,
 					$chainref,
-					$prerule . $rule . $raw_matches,
-					$matches1,
+					$prerule . $rule,
+					$matches1 . $raw_matches,
 					$loglevel,
 					$target,
 					$param,
@@ -3197,8 +3261,13 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {

 	if ( $actiontype & ACTION ) {
 	    $action = $actionchain;
+
+	    if ( $actions{$basictarget}{options} & LOGJUMP_OPT ) {
+		$log_action = $basictarget;
+	    } else {
 		$loglevel = '';
 	    }
+	}

 	if ( $origdest ) {
 	    unless ( $origdest eq '-' ) {
@@ -3662,10 +3731,6 @@ sub process_raw_rule ( ) {
 					   $wild ) ) {
 			    $generated = 1;
 			}
-			#
-			# Clear inline matches
-			#
-			set_inline_matches( '' );
 		    }
 		}
 	    }
@@ -3702,6 +3767,11 @@ sub process_rules() {
 			RELATED_SECTION,     'RELATED',
 			INVALID_SECTION,     'INVALID',
 			UNTRACKED_SECTION,   'UNTRACKED' );
+
+    #
+    # If A_REJECT was specified in shorewall[6].conf, the A_REJECT chain will already exist.
+    #
+    $usedactions{normalize_action_name( 'A_REJECT' )} = $filter_table->{A_REJECT} if $filter_table->{A_REJECT};
    #
    # Create zone-forwarding chains if required
    #
@@ -3787,6 +3857,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 					 $chainref->{name} );

    my $inlinefile = $actions{$inline}{file};
+    my $matches    = fetch_inline_matches;

    progress_message "..Expanding inline action $inlinefile...";

@@ -3881,6 +3952,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}

 	progress_message "   Rule \"$currentline\" $done";
+
+	set_inline_matches( $matches );
    }

    pop_comment( $save_comment );
@@ -4169,7 +4242,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    minparams      => 0,
 	    maxparams      => 0,
 	    function       => sub () {
-		fatal_error 'DIVERT is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
+		fatal_error 'DIVERT is only allowed in the PREROUTING chain' if $designator && 
+		    $designator != PREROUTING &&
+		    $designator != REALPREROUTING;
 		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );

 		unless ( $divertref ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -82,6 +82,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_interface
 		    known_interface
 		    get_physical
+		    get_logical
 		    physical_name
 		    have_bridges
 		    port_to_bridge
@@ -210,7 +211,6 @@ our %interfaces;
 our %roots;
 our @bport_zones;
 our %ipsets;
-our %physical;
 our %basemap;
 our %basemap1;
 our %mapbase;
@@ -327,7 +327,6 @@ sub initialize( $$ ) {
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
-    %physical = ();
    %basemap = ();
    %basemap1 = ();
    %mapbase = ();
@@ -1311,7 +1310,7 @@ sub process_interface( $$ ) {
 		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

-		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+		    fatal_error "Duplicate physical interface name ($value)" if ( $interfaces{$value} && ! $port );

 		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
 		    $physical = $value;
@@ -1385,7 +1384,7 @@ sub process_interface( $$ ) {
 	$options{tcpflags} = $hostoptionsref->{tcpflags} = 1 unless exists $options{tcpflags};
    }

-    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+    my $interfaceref = $interfaces{$interface} = { name       => $interface ,
 						   bridge     => $bridge ,
 						   filter     => $filterref ,
 						   nets       => 0 ,
@@ -1401,6 +1400,8 @@ sub process_interface( $$ ) {
 						   wildcard   => $wildcard,
 					         };

+    $interfaces{$physical} = $interfaceref if $physical ne $interface;
+
    if ( $zone ) {
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};

@@ -1570,7 +1571,9 @@ sub known_interface($)

 		my $physical = map_physical( $interface, $interfaceref );

-		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
+		$interfaceref =
+		    $interfaces{$interface} =
+		    $interfaces{$physical} = { options  => $interfaceref->{options} ,
 					       bridge   => $interfaceref->{bridge} ,
 					       name     => $i ,
 					       number   => $interfaceref->{number} ,
@@ -1579,11 +1582,12 @@ sub known_interface($)
 					       wildcard => $interfaceref->{wildcard} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
+		return $interfaceref;
 	    }
 	}
    }

-    $physical{$interface} || 0;
+    0;
 }

 # 
@@ -1655,12 +1659,19 @@ sub find_interface( $ ) {
 }

 #
-# Returns the physical interface associated with the passed logical name
+# Returns the physical interface associated with the passed interface name
 #
 sub get_physical( $ ) {
    $interfaces{ $_[0] }->{physical};
 }

+#
+# Returns the logical interface associated with the passed interface name
+#
+sub get_logical( $ ) {
+    $interfaces{ $_[0] }->{name};
+}
+
 #
 # This one doesn't insist that the passed name be the name of a configured interface
 #
@@ -2040,6 +2051,7 @@ sub process_host( ) {
 	    $interface = $1;
 	    $hosts = $2;
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	    $interface = $interfaceref->{name};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
@@ -2053,7 +2065,7 @@ sub process_host( ) {

 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
-
+	$interface = $interfaceref->{name};
 	if ( $interfaceref->{physical} eq $loopback_interface ) {
 	    fatal_error "Only a loopback zone may be associated with the loopback interface ($loopback_interface)" if $type != LOOPBACK;
 	} else {
--- a/Shorewall/README.txt
+++ b/Shorewall/README.txt
@@ -1 +0,0 @@
-This is the Shorewall 4.4 stable branch of Git.
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -192,6 +192,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -200,6 +200,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -203,6 +203,8 @@ MANGLE_ENABLED=Yes

 MAPOLDACTIONS=No

+MINIUPNPD=No
+
 MARK_IN_FORWARD_CHAIN=No

 MODULE_SUFFIX="ko ko.xz"
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -1,7 +1,5 @@
 #
-# Shorewall version 5 - Drop Action
-#
-# /usr/share/shorewall/action.A_Drop
+# Shorewall -- /usr/share/shorewall/action.A_Drop
 #
 # The audited default DROP common rules
 #
@@ -9,22 +7,19 @@
 # of the action is:
 #
 # a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
+# b) Ensure that certain ICMP packets that are necessary for successful
 #    internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
-# Silently DROP 'auth'
+# Special Handling for Auth
 #
 Auth(A_DROP)
 #
--- a/Shorewall/action.A_REJECT
+++ b/Shorewall/action.A_REJECT
@@ -0,0 +1,41 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
+#
+# A_REJECT Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+AUDIT(reject)
+
+?if passed @1
+    ?if @1 =~ /tcp-reset$/
+        ?set reject_proto 6
+    ?else
+        ?set reject_proto ''
+    ?endif
+REJECT(@1)	-	-	$reject_proto
+?else
+REJECT
+?endif
--- a/Shorewall/action.A_REJECT!
+++ b/Shorewall/action.A_REJECT!
@@ -0,0 +1,30 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_REJECT!
+#
+# A_REJECT! Action.
+#
+# This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
+#
+# Complete documentation is available at http://shorewall.net
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of Version 2 of the GNU General Public License
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+###############################################################################
+
+DEFAULTS -
+
+A_REJECT(@1)
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -1,7 +1,5 @@
 #
-# Shorewall version 5 - Reject Action
-#
-# /usr/share/shorewall/action.A_Reject
+# Shorewall -- /usr/share/shorewall/action.A_Reject
 #
 # The audited default REJECT action common rules
 #
@@ -14,7 +12,7 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -1,5 +1,7 @@
 #
-# Shorewall version 5 - Auto Blacklist Action
+# Shorewall -- /usr/share/shorewall/action.AutoBL
+#
+# Auto Blacklist Action
 #
 # Parameters are:
 #
@@ -37,7 +39,7 @@ validate_level( $level );
 1;
 ?end perl
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Silently reject the client if blacklisted
 #
--- a/Shorewall/action.AutoBLL
+++ b/Shorewall/action.AutoBLL
@@ -1,13 +1,16 @@
 #
-# Shorewall version 5 - Auto Blacklisting Logger Action
+# Shorewall -- /usr/share/shorewall/action.AutoBLL
+#
+# Auto Blacklisting Logger Action
 #
 # Arguments are
 #
-#    Event:       Name of the blacklisted event
-#    Disposition: What to do with packets
-#    Level:       Log level and optional tag for logging.
+# Event       - Name of the blacklisted event
+# Disposition - What to do with packets
+# Level       - Log level and optional tag for logging
+#
 ###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Log the Reject
 #
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -1,11 +1,9 @@
 #
-# Shorewall 4 - Broadcast Action
-#
-#    /usr/share/shorewall/action.Broadcast
+# Shorewall -- /usr/share/shorewall/action.Broadcast
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +24,7 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

--- a/Shorewall/action.DNSAmp
+++ b/Shorewall/action.DNSAmp
@@ -1,11 +1,11 @@
 #
-# Shorewall 5 - DNS Amplification Action
+# Shorewall -- /usr/share/shorewall/action.DNSAmp
 #
-#    /usr/share/shorewall/action.DNSAmp
+#  DNS Amplification Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,8 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT

 DEFAULTS DROP

--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -1,7 +1,5 @@
 #
-# Shorewall version 5 - Drop Action
-#
-# /usr/share/shorewall/action.Drop
+# Shorewall -- /usr/share/shorewall/action.Drop
 #
 # The default DROP common rules
 #
@@ -39,7 +37,7 @@ DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP
 DEFAULTS -,-,DROP,ACCEPT,DROP
 ?endif

-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
@@ -67,7 +65,7 @@ Invalid(DROP,@1)
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(@3)
-DropUPnP(@5)
+DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop Smurfs Action
+# Shorewall -- /usr/share/shorewall/action.DropSmurfs
 #
-# /usr/share/shorewall/action.DropSmurfs
+# Drop Smurfs Action
 #
 # Accepts a single optional parameter:
 #
 # -     = Do not Audit
 # audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################

 DEFAULTS -

@@ -79,8 +79,3 @@ if ( $family == F_IPV4 ) {
 }

 ?end perl;
-
-
-
-
-
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -1,11 +1,11 @@
 #
-# Shorewall 5 - Established Action
+# Shorewall -- /usr/share/shorewall/action.Established
 #
-#    /usr/share/shorewall/action.Established
+# Established Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 # Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################

 DEFAULTS ACCEPT

--- a/Shorewall/action.GlusterFS
+++ b/Shorewall/action.GlusterFS
@@ -1,13 +1,14 @@
 #
-# Shorewall version 5 - GlusterFS Handler for GlusterFS 3.4 and Later
+# Shorewall -- /usr/share/shorewall/action.GlusterFS
 #
-# /etc/shorewall/action.GlusterFS
+# GlusterFS Handler for GlusterFS 3.4 and Later
 #
 # Parameters:
-#	Bricks:		Number of bricks
-#	IB:		0 or 1, indicating whether Infiniband is used or not
 #
-#########################################################################################
+# Bricks - Number of bricks
+# IB     - 0 or 1, indicating whether Infiniband is used or not
+#
+###############################################################################

 DEFAULTS 2,0

@@ -17,8 +18,8 @@ DEFAULTS 2,0
    ?error Invalid value for IB (@2)
 ?endif

-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#ACTION		SOURCE		DEST		PROTO	DPORT
+
 ACCEPT		-		-		udp	111,2049
 ACCEPT		-		-		tcp	38465:38467

@@ -31,4 +32,3 @@ ACCEPT		-		-		tcp	24007
 ?set last_port 49150 + @{1}

 ACCEPT		-		-		tcp	49151:$last_port
-
--- a/Shorewall/action.IfEvent
+++ b/Shorewall/action.IfEvent
@@ -1,34 +1,38 @@
 #
-# Shorewall version 5 - Perform an Action based on a Event
+# Shorewall -- /usr/share/shorewall/action.IfEvent
 #
-# /etc/shorewall/action.IfEvent
+# Perform an Action based on a Event
 #
 # Parameters:
-#    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:       Anything that can appear in the ACTION column of a rule.
-#    Duration:     Duration in seconds over which the event is to be tested.
-#    Hit Count:    Number of packets seen within the duration -- default is 1
-#    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
-#                  address (src) or destination address (dst)
-#    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
-#                  the Action is taken. If 'update', the timestamp associated with the event will
-#                  be updated and the action taken if the time limit/hitcount are matched.
-#                  If '-', the action will be taken if the limit/hitcount are matched but the
-#                  event's timestamp will not be updated.
 #
-#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
-#                  be used. These are like 'check' and 'update' respectively, but they also
-#                  remove any event entries for the IP address that are older than <duration>
-#                  seconds.
-#    Disposition:  Disposition for any event generated.
+# Event        - Must start with a letter and be composed of letters, digits,
+#                '-', and '_'.
+# Action       - Anything that can appear in the ACTION column of a rule.
+# Duration     - Duration in seconds over which the event is to be tested.
+# Hit Count    - Number of packets seen within the duration -- default is 1
+# Src or Dest  - 'src' (default) or 'dst'. Determines if the event is
+#                associated with the source address (src) or destination
+#                address (dst)
+# Command      - 'check' (default) 'reset', or 'update'. If 'reset',
+#                the event will be reset before the Action is taken.
+#                If 'update', the timestamp associated with the event will
+#                be updated and the action taken if the time limit/hitcount
+#                are matched.
+#                If '-', the action will be taken if the limit/hitcount are
+#                matched but the event's timestamp will not be updated.
+#
+#                If a duration is specified, then 'checkreap' and 'updatereap'
+#                may also be used. These are like 'check' and 'update'
+#                respectively, but they also remove any event entries for
+#                the IP address that are older than <duration> seconds.
+# Disposition  - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT

 DEFAULTS -,ACCEPT,-,1,src,check,-

--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -1,11 +1,10 @@
 #
-# Shorewall 4 - Invalid Action
-#
-#    /usr/share/shorewall/action.Invalid
+# Shorewall -- /usr/share/shorewall/action.Invalid
 #
+# Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,10 +25,11 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

 #
-# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
+# All logic for this action is triggered by the 'audit' and 'state' options
+# in actions.std
 #
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - New Action
+# Shorewall -- /usr/share/shorewall/action.New
 #
-#    /usr/share/shorewall/action.New
+# New Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 # Default action is ACCEPT
 #
-##########################################################################################
+###############################################################################

 DEFAULTS ACCEPT

--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - NotSyn Action
+# Shorewall -- /usr/share/shorewall/action.NotSyn
 #
-#    /usr/share/shorewall/action.NotSyn
+# NotSyn Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - RST Action
+# Shorewall -- /usr/share/shorewall/action.RST
 #
-#    /usr/share/shorewall/action.RST
+# RST Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -1,7 +1,5 @@
 #
-# Shorewall version 5 - Reject Action
-#
-# /usr/share/shorewall/action.Reject
+# Shorewall -- /usr/share/shorewall/action.Reject
 #
 # The default REJECT action common rules
 #
@@ -38,7 +36,7 @@ DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP
 DEFAULTS -,-,REJECT,ACCEPT,DROP
 ?endif

-#TARGET		SOURCE	DEST	PROTO
+#ACTION		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - Related Action
+# Shorewall -- /usr/share/shorewall/action.Related
 #
-#    /usr/share/shorewall/action.Related
+# Related Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP

--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -1,22 +1,24 @@
 #
-# Shorewall version 5 - Reset an Event
+# Shorewall -- /etc/shorewall/action.ResetEvent
 #
-# /etc/shorewall/action.ResetEvent
+# Reset an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any rule generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any rule generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
-#######################################################################################################
+###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER

 DEFAULTS -,ACCEPT,src,-

--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -1,14 +1,17 @@
 #
-# Shorewall version 5 - Set an Event
+# Shorewall -- /usr/share/shorewall/action.SetEvent
 #
-# /etc/shorewall/action.SetEvent
+# Set an Event
 #
 # Parameters:
-#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
-#    Action:      Action to perform after setting the event. Default is ACCEPT
-#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
-#                 address (src) or destination address (dst)
-#    Disposition: Disposition for any event generated.
+#
+# Event       - Must start with a letter and be composed of letters, digits,
+#               '-', and '_'.
+# Action      - Action to perform after setting the event. Default is ACCEPT
+# Src or Dest - 'src' (default) or 'dst'. Determines if the event is
+#               associated with the source address (src) or destination
+#               address (dst)
+# Disposition - Disposition for any event generated.
 #
 # For additional information, see http://www.shorewall.net/Events.html
 #
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,14 +1,14 @@
 #
-# Shorewall version 5 - Drop TCPFlags Action
+# Shorewall -- /usr/share/shorewall/action.TCPFlags
 #
-# /usr/share/shorewall/action.TCPFlags
+# Drop TCPFlags Action
 #
 # Accepts a single optional parameter:
 #
 # -     = Do not Audit
 # audit = Audit dropped packets.
 #
-#################################################################################
+###############################################################################

 DEFAULTS -

--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - Untracked Action
+# Shorewall --/usr/share/shorewall/action.Untracked
 #
-#    /usr/share/shorewall/action.Untracked
+# Untracked Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,8 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################
+
 DEFAULTS DROP

 #
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -1,11 +1,9 @@
-\#
-# Shorewall 4 - allowInvalid Action
 #
-#    /usr/share/shorewall/action.allowInvalid
+# Shorewall -- /usr/share/shorewall/action.allowInvalid
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -24,7 +22,7 @@
 #
 #  allowInvalid[([audit])]
 #
-##########################################################################################
+###############################################################################

 DEFAULTS -

--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -1,11 +1,11 @@
 #
-# Shorewall 5 - dropInvalid Action
+# Shorewall -- /usr/share/shorewall/action.dropInvalid
 #
-#    /usr/share/shorewall/action.dropInvalid
+# dropInvalid Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -24,9 +24,7 @@
 #
 # dropInvalid[([audit])]
 #
-##########################################################################################
-
-DEFAULTS -
+###############################################################################

 DEFAULTS -

--- a/Shorewall/action.mangletemplate
+++ b/Shorewall/action.mangletemplate
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Mangle Action Template
+# Shorewall -- /etc/shorewall/action.mangletemplate
 #
-# /etc/shorewall/action.mangletemplate
+# Mangle Action Template
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action.<action-name> where <action> is an
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall -- /usr/share/shorewall/action.template
 #
-# /etc/shorewall/action.template
+# Action Template
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action.<action-name> where <action> is an
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -11,7 +11,6 @@
 ?if 0
 A_ACCEPT                        # Audits then accepts a connection request
 A_DROP                          # Audits then drops a connection request
-A_REJECT		        # Audits then drops a connection request
 allowBcast		        # Silently Allow Broadcast/multicast
 dropBcast		        # Silently Drop Broadcast/multicast
 dropNotSyn		        # Silently Drop Non-syn TCP packets
@@ -23,6 +22,8 @@ Limit                           # Limit the rate of connections from each indivi
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
+A_REJECT     noinline,logjump   # Audits then rejects a connection request
+A_REJECT!    inline             # Audits then rejects a connection request
 A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -194,6 +194,8 @@ MAPOLDACTIONS=No

 MARK_IN_FORWARD_CHAIN=No

+MINIUPNPD=No
+
 MODULE_SUFFIX=ko

 MULTICAST=No
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -390,7 +390,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -672,11 +672,37 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>

              <listitem>
                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp-net-unreachable</option></member>
+
+                  <member><option>icmp-host-unreachable</option></member>
+
+                  <member><option>i</option><option>cmp-port-unreachable</option></member>
+
+                  <member><option>icmp-proto-unreachable</option></member>
+
+                  <member><option>icmp-net-prohibited</option></member>
+
+                  <member><option>icmp-host-prohibited</option></member>
+
+                  <member><option>icmp-admin-prohibited</option></member>
+
+                  <member><option>icmp-tcp-reset</option> (the PROTO column
+                  must specify TCP)</member>
+                </simplelist>
              </listitem>
            </varlistentry>

@@ -1441,7 +1467,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -998,7 +998,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1548,6 +1548,18 @@ LOG:info:,bar                        net                    fw</programlisting>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MINIUPNPD=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.8. If set to Yes, Shorewall will create
+          a chain in the nat table named MINIUPNPD-POSTROUTING and will add
+          jumps from POSTROUTING to that chain for each interface with the
+          <option>upnpd</option> option specified. Default is No.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1636,7 +1648,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1647,6 +1659,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '4'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Essential Modules File
+# Shorewall -- /usr/share/shorewall/modules.essential
 #
-# /usr/share/shorewall/modules.essential
+# Essential Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Extensions Modules File
+# Shorewall -- /usr/share/shorewall/modules.extensions
 #
-# /usr/share/shorewall/modules.extensions
+# Extensions Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall/modules.ipset
+++ b/Shorewall/modules.ipset
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall -- /usr/share/shorewall/modules.ipset
 #
-# /usr/share/shorewall/modules.ipset
+# IP Set Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Traffic Shaping Modules File
+# Shorewall -- /usr/share/shorewall/modules.tc
 #
-# /usr/share/shorewall/modules.tc
+# Traffic Shaping Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Xtables Modules File
+# Shorewall -- /usr/share/shorewall/modules.xtables
 #
-# /usr/share/shorewall/modules.xtables
+# Xtables Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall6-lite/README.txt
+++ b/Shorewall6-lite/README.txt
@@ -1 +0,0 @@
-This is the Shorewall6-lite stable 4.4 branch of Git.
--- a/Shorewall6/README.txt
+++ b/Shorewall6/README.txt
@@ -1 +0,0 @@
-This is the Shorewall6 stable 4.4 branch of Git.
--- a/Shorewall6/action.A_AllowICMPs
+++ b/Shorewall6/action.A_AllowICMPs
@@ -1,13 +1,11 @@
 #
-# Shorewall6 version 5 - Audited AllowICMPs Action
-#
-# /usr/share/shorewall6/action.A_AllowICMPs
+# Shorewall6 -- /usr/share/shorewall6/action.A_AllowICMPs
 #
 # This action A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#TARGET		SOURCE		DEST	PROTO		DEST
-#							PORT(S)
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
 ?comment Needed ICMP types (RFC4890)

 A_ACCEPT	-		-	ipv6-icmp	destination-unreachable
--- a/Shorewall6/action.A_Drop
+++ b/Shorewall6/action.A_Drop
@@ -1,52 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Drop Action
-#
-# /usr/share/shorewall6/action.ADrop
-#
-#	The Audited default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#TARGET			SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Reject 'auth'
-#
-Auth(A_REJECT)
-#
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs		-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall6/action.A_Reject
+++ b/Shorewall6/action.A_Reject
@@ -1,50 +0,0 @@
-#
-# Shorewall6 version 5 - Audited Reject Action
-#
-# /usr/share/shorewall6/action.A_Reject
-#
-#	The audited default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#TARGET			SOURCE	DEST	PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-A_AllowICMPs		-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall6/action.AllowICMPs
+++ b/Shorewall6/action.AllowICMPs
@@ -1,13 +1,10 @@
 #
-# Shorewall6 version 5 - AllowICMPs Action
-#
-# /usr/share/shorewall6/action.AllowICMPs
+# Shorewall6 -- /usr/share/shorewall6/action.AllowICMPs
 #
 # This action ACCEPTs needed ICMP types
 #
 ###############################################################################
-#TARGET	SOURCE		DEST	PROTO		DEST
-#						PORT(S)
+#ACTION	SOURCE		DEST	PROTO		DPORT

 DEFAULTS ACCEPT

--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -1,11 +1,11 @@
 #
-# Shorewall 4 - Multicast/Anycast Action
+# Shorewall6 -- /usr/share/shorewall6/action.Broadcast
 #
-#    /usr/share/shorewall/action.Broadcast
+# Multicast/Anycast IPv6 Action
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 # Default action is DROP
 #
-##########################################################################################
+###############################################################################

 DEFAULTS DROP,-

--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -1,78 +0,0 @@
-#
-# Shorewall6 version 5 - Drop Action
-#
-# /usr/share/shorewall6/action.Drop
-#
-#	The default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-
-?if passed($1)
-    ?if $1 eq 'audit'
-DEFAULTS -,A_REJECT,A_DROP,A_ACCEPT,A_DROP
-    ?else
-        ?error The first parameter to Drop must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
-?endif
-
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Reject 'auth'
-#
-?if passed($2)
-Auth($2)
-?endif
-#
-# ACCEPT critical ICMP types
-#
-AllowICMPs($4)	-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-Invalid(DROP,$1)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -1,76 +0,0 @@
-#
-# Shorewall6 version 5 - Reject Action
-#
-# /usr/share/shorewall6/action.Reject
-#
-#	The default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-
-?if passed(@1)
-    ?if @1 eq 'audit'
-DEFAULTS -,A_REJECT,A_REJECT,A_ACCEPT,A_DROP
-    ?else
-	?error The first parameter to Reject must be 'audit' or '-'
-    ?endif
-?else
-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
-?endif
-
-#TARGET		SOURCE	DEST	PROTO
-#
-# Don't log 'auth' -- REJECT
-#
-?if passed($2)
-Auth($2)
-?endif
-#
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-AllowICMPs($4)	-	-	ipv6-icmp
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-Broadcast(DROP,$1)
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-Invalid(DROP,$1)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB($3)
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-NotSyn(DROP,$1)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DropDNSrep($5)
--- a/Shorewall6/action.mangletemplate
+++ b/Shorewall6/action.mangletemplate
@@ -1,7 +1,5 @@
 #
-# Shorewall version 5 - Mangle Action Template
-#
-# /etc/shorewall6/action.mangletemplate
+# Shorewall6 -- /usr/share/shorewall6/action.mangletemplate
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action.<action-name> where <action> is an
@@ -13,8 +11,7 @@
 # 2. Copy this file to /etc/shorewall6/action.<action name>
 # 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional information.
 #
 # Columns are the same as in /etc/shorewall6/mangle.
 #
--- a/Shorewall6/action.template
+++ b/Shorewall6/action.template
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - Action Template
+# Shorewall6 -- /usr/share/shorewall6/action.template
 #
-# /etc/shorewall6/action.template
+# Action Template
 #
 # This file is a template for files with names of the form
 # /etc/shorewall/action.<action-name> where <action> is an
@@ -13,13 +13,9 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-#	Please see http://shorewall.net/Actions.html for additional
-#	information.
+# Please see http://shorewall.net/Actions.html for additional information.
 #
 # Columns are the same as in /etc/shorewall6/rules.
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-#####################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -1,7 +1,7 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall6/lib.base
+# Shorewall -- /usr/share/shorewall6/lib.base
 #
-#     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -401,7 +401,7 @@ DIVERTHA        -               -               tcp</programlisting>
                <para>Allows you to place your own ip[6]tables matches at the
                end of the line following a semicolon (";"). If an
                <replaceable>action</replaceable> is specified, the compiler
-                procedes as if that <replaceable>action</replaceable> had been
+                proceeds as if that <replaceable>action</replaceable> had been
                specified in this column. If no action is specified, then you
                may include your own jump ("-j
                <replaceable>target</replaceable>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -673,11 +673,37 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
+              <term><emphasis
+              role="bold">REJECT[(<replaceable>option</replaceable>)]</emphasis></term>

              <listitem>
                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
+                an RST packet. If no option is passed, Shorewall selects the
+                appropriate option based on the protocol of the packet.</para>
+
+                <para>Beginning with Shorewall 5.0.8, the type of reject may
+                be specified in the <replaceable>option</replaceable>
+                paramater. Valid <replaceable>option</replaceable> values
+                are:</para>
+
+                <simplelist>
+                  <member><option>icmp6-no-route</option></member>
+
+                  <member><option>no-route</option></member>
+
+                  <member><option>i</option><option>cmp6-adm-prohibited</option></member>
+
+                  <member><option>adm-prohibited</option></member>
+
+                  <member><option>icmp6-addr-unreachable</option></member>
+
+                  <member><option>addr-unreach</option></member>
+
+                  <member><option>icmp6-port-unreachable</option></member>
+
+                  <member><option>tcp-reset</option> (the PROTO column must
+                  specify TCP)</member>
+                </simplelist>
              </listitem>
            </varlistentry>

@@ -1306,7 +1332,7 @@
          <para>When <option>s:</option> or <option>d:</option> is specified,
          the rate applies per source IP address or per destination IP address
          respectively. The <replaceable>name</replaceable>s may be chosen by
-          the user and specifiy a hash table to be used to count matching
+          the user and specify a hash table to be used to count matching
          connections. If not given, the name <emphasis
          role="bold">shorewallN</emphasis> (where N is a unique integer) is
          assumed. Where more than one rule or POLICY specifies the same name,
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -846,7 +846,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          iptables text in a rule. You may simply preface that text with a
          pair of semicolons (";;"). If alternate input is also specified in
          the rule, it should appear before the semicolons and may be
-          seperated from normal column input by a single semicolon.</para>
+          separated from normal column input by a single semicolon.</para>
        </listitem>
      </varlistentry>

@@ -1436,7 +1436,7 @@ LOG:info:,bar                        net                    fw</programlisting>

      <varlistentry>
        <term><emphasis
-        role="bold">MODULESDIR=</emphasis>[<emphasis>pathname</emphasis>[<emphasis
+        role="bold">MODULESDIR=</emphasis>[[+]<emphasis>pathname</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>

        <listitem>
@@ -1447,6 +1447,10 @@ LOG:info:,bar                        net                    fw</programlisting>
          where <emphasis role="bold">uname</emphasis> holds the output of
          '<command>uname -r</command>' and <emphasis
          role="bold">g_family</emphasis> holds '6'.</para>
+
+          <para>The option plus sign ('+') was added in Shorewall 5.0.3 and
+          causes the listed pathnames to be appended to the default list
+          above.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/modules.essential
+++ b/Shorewall6/modules.essential
@@ -1,7 +1,7 @@
 #
-# Shorewall6 version 5 - Essential Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.essential
 #
-# /usr/share/shorewall6/modules.essential
+# Essential Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall6/modules.extensions
+++ b/Shorewall6/modules.extensions
@@ -1,7 +1,7 @@
 #
-# Shorewall6 version 5 - Extensions Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.extension
 #
-# /usr/share/shorewall6/modules.extension
+# Extensions Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall6/modules.ipset
+++ b/Shorewall6/modules.ipset
@@ -1,7 +1,7 @@
 #
-# Shorewall version 5 - IP Set Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.ipset
 #
-# /usr/share/shorewall6/modules.ipset
+# IP Set Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall6/modules.tc
+++ b/Shorewall6/modules.tc
@@ -1,7 +1,7 @@
 #
-# Shorewall6 version 5 - Traffic Shaping Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.tc
 #
-# /usr/share/shorewall6/modules.tc
+# Traffic Shaping Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/Shorewall6/modules.xtables
+++ b/Shorewall6/modules.xtables
@@ -1,7 +1,7 @@
 #
-# Shorewall6 version 5 - Xtables Modules File
+# Shorewall6 -- /usr/share/shorewall6/modules.xtables
 #
-# /usr/share/shorewall6/modules.xtables
+# Xtables Modules File
 #
 # This file loads the modules that may be needed by the firewall.
 #
--- a/docs/IPv6Support.xml
+++ b/docs/IPv6Support.xml
@@ -202,23 +202,6 @@
    Shorewall with some notable exceptions:</para>

    <variablelist>
-      <varlistentry>
-        <term>No NAT</term>
-
-        <listitem>
-          <para>In Shorewall6, there is no NAT of any kind (Netfilter6 doesn't
-          support any form of NAT). Most people consider this to be a giant
-          step forward.</para>
-
-          <para>When an ISP assigns you an IPv6 address, you are actually
-          assigned an IPv6 <firstterm>prefix</firstterm> (similar to a
-          subnet). A 64-bit prefix defines a subnet with 4 billion hosts
-          squared (the size of the IPv4 address space squared). Regardless of
-          the length of your prefix, you get to assign local addresses within
-          that prefix.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term>Default Zone Type</term>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -175,20 +175,23 @@

        <listitem>
          <para><filename>/etc/shorewall/init</filename> - commands that you
-          wish to execute at the beginning of a <quote>shorewall start</quote>
-          or <quote>shorewall restart</quote>.</para>
+          wish to execute at the beginning of a <quote>shorewall
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote>.</para>
        </listitem>

        <listitem>
          <para><filename>/etc/shorewall/start</filename> - commands that you
          wish to execute near the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
        </listitem>

        <listitem>
          <para><filename>/etc/shorewall/started</filename> - commands that
          you wish to execute after the completion of a <quote>shorewall
-          start</quote> or <quote>shorewall restart</quote></para>
+          start</quote>, "shorewall reload" or <quote>shorewall
+          restart</quote></para>
        </listitem>

        <listitem>
@@ -1779,6 +1782,10 @@ SSH(ACCEPT)    net:$MYIP      $FW
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>

+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
      <listitem>
        <para><ulink
        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -2011,7 +2018,7 @@ SSH(ACCEPT)    net:$MYIP      $FW
    <para>In this simple form, the expression is evaluated by the compiler
    without having to invoke the (expensive) Perl exec() function. The
    'passed' function may also be used in more complex expressions, but exec()
-    will be invoked to evaluate those expressions. </para>
+    will be invoked to evaluate those expressions.</para>
  </section>

  <section id="Conditional">
@@ -2570,6 +2577,44 @@ Shorewall has detected the following iptables/netfilter capabilities:
    "!tcp").</para>
  </section>

+  <section id="Ranges">
+    <title>Port Ranges</title>
+
+    <para>If you need to specify a range of ports, the proper syntax is
+    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
+    to forward the range of tcp ports 4000 through 4100 to local host
+    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
+
+    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
+
+    <para>If you omit the low port number, a value of zero is assumed; if you
+    omit the high port number, a value of 65535 is assumed.</para>
+
+    <para>Also, unless otherwise documented, a port range can be preceded by
+    '!' to specify "All ports except those in this range" (e.g.,
+    "!4000:4100").</para>
+  </section>
+
+  <section id="Portlists">
+    <title>Port Lists</title>
+
+    <para>In most cases where a port or port range may appear, a
+    comma-separated list of ports or port ranges may also be entered.
+    Shorewall requires the Netfilter <emphasis
+    role="bold">multiport</emphasis> match capability if ports lists are used
+    (see the output of "<emphasis role="bold">shorewall show
+    capabilities</emphasis>").</para>
+
+    <para>Also, unless otherwise documented, a port list can be preceded by
+    '!' to specify "All ports except these" (e.g., "!80,443").</para>
+
+    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
+  </section>
+
  <section id="ICMP">
    <title>ICMP and ICMP6 Types and Codes</title>

@@ -2646,44 +2691,6 @@ redirect                      =&gt; 137</programlisting>
    Shorewall 4.4.19.</para>
  </section>

-  <section id="Ranges">
-    <title>Port Ranges</title>
-
-    <para>If you need to specify a range of ports, the proper syntax is
-    &lt;low port number&gt;:&lt;high port number&gt;. For example, if you want
-    to forward the range of tcp ports 4000 through 4100 to local host
-    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
-
-    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
-DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
-
-    <para>If you omit the low port number, a value of zero is assumed; if you
-    omit the high port number, a value of 65535 is assumed.</para>
-
-    <para>Also, unless otherwise documented, a port range can be preceded by
-    '!' to specify "All ports except those in this range" (e.g.,
-    "!4000:4100").</para>
-  </section>
-
-  <section id="Portlists">
-    <title>Port Lists</title>
-
-    <para>In most cases where a port or port range may appear, a
-    comma-separated list of ports or port ranges may also be entered.
-    Shorewall requires the Netfilter <emphasis
-    role="bold">multiport</emphasis> match capability if ports lists are used
-    (see the output of "<emphasis role="bold">shorewall show
-    capabilities</emphasis>").</para>
-
-    <para>Also, unless otherwise documented, a port list can be preceded by
-    '!' to specify "All ports except these" (e.g., "!80,443").</para>
-
-    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
-    (5) file may specify no more than 15 ports; port ranges appearing in a
-    list count as two ports each.</para>
-  </section>
-
  <section id="MAC">
    <title>Using MAC Addresses</title>

@@ -2736,9 +2743,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>

    <simplelist>
-      <member>LOGRATE=10/minute</member>
-
-      <member>LOGBURST=5</member>
+      <member>LOGLIMIT=10/minute:5</member>
    </simplelist>

    <para>For each logging rule, the first time the rule is reached, the
@@ -2750,11 +2755,6 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    30 seconds, the burst will be fully recharged; back where we
    started.</para>

-    <note>
-      <para>The LOGRATE and LOGBURST options are deprecated in favor of
-      LOGLIMIT.</para>
-    </note>
-
    <para>Shorewall also supports per-IP rate limiting.</para>

    <para>Another example from <ulink
@@ -2788,8 +2788,7 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
    <firstterm>Condition Match Support</firstterm> and you must be running
    Shorewall 4.4.24 or later. See the output of <command>shorewall show
    capabilities</command> and <command>shorewall version</command> to
-    determine if you can use this feature. As of this writing, Condition Match
-    Support requires that you install xtables-addons.</para>
+    determine if you can use this feature.</para>

    <para>The SWITCH column contains the name of a
    <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
@@ -2953,8 +2952,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>
        <para>If <emphasis role="bold">detect</emphasis> is specified in the
        ADDRESS column of an entry in <ulink
        url="manpages/shorewall-masq.html">shorewall-masq</ulink> (5) then the
-        firewall still start if the optional interface in the INTERFACE column
-        does not have an IP address.</para>
+        firewall still startS if the optional interface in the INTERFACE
+        column does not have an IP address.</para>
      </listitem>
    </itemizedlist>

@@ -2972,7 +2971,8 @@ Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>

    <para>Shorewall allows you to have configuration directories other than
    <filename class="directory">/etc/shorewall</filename>. The shorewall
-    check, start and restart commands allow you to specify an alternate
+    <command>check</command>, <command>start</command> and
+    <command>restart</command> commands allow you to specify an alternate
    configuration directory and Shorewall will use the files in the alternate
    directory rather than the corresponding files in /etc/shorewall. The
    alternate directory need not contain a complete configuration; those files
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -85,7 +85,7 @@
    problem reporting process. It will ensure that you provide us with the
    information we need to solve your problem as quickly as possible.</para>

-    <graphic align="center" fileref="images/Troubleshoot.png" />
+    <graphic align="center" fileref="images/Troubleshoot.png"/>

    <orderedlist>
      <important>
@@ -126,12 +126,10 @@

          <para>If that didn't solve your problem, then please</para>

-          <programlisting><command>/sbin/shorewall trace start 2&gt; /tmp/trace</command></programlisting>
+          <programlisting><command>/sbin/shorewall trace start &gt; /tmp/trace 2&gt;&amp;1</command></programlisting>

          <para>Forward the <filename>/tmp/trace</filename> file as an
-          attachment compressed with gzip or bzip2 (If you are running
-          Shorewall-perl, there is no need to compress the file — it will be
-          very short).</para>
+          attachment compressed with gzip or bzip2.</para>

          <para>If compilation succeeds but the compiled program fails, then
          please include the compiled program with your report. The compiled
@@ -203,7 +201,7 @@
        message produced by Shorewall is "done.":</para>

        <blockquote>
-          <para></para>
+          <para/>

          <programlisting>…
 Activating Rules...
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -854,22 +854,16 @@ DNAT      net       dmz:10.10.11.2:80   tcp        5000</programlisting></para>
            with:<programlisting>#ACTION   SOURCE    DEST            PROTO  DPORT         SPORT    ORIGDEST
 DNAT      loc       dmz:10.10.11.2  tcp    80            -        <emphasis>&lt;external IP&gt;</emphasis></programlisting>If
            you have a dynamic IP then you must ensure that your external
-            interface is up before starting Shorewall and you must take steps
-            as follows (assume that your external interface is <filename
-            class="devicefile">eth0</filename>):<orderedlist>
-                <listitem>
-                  <para>Include the following in /etc/shorewall/params:</para>
+            interface is up before starting Shorewall and you must code the
+            rule as follows (assume that your external interface is <filename
+            class="devicefile">eth0</filename>):</para>

-                  <para><command>ETH0_IP=$(find_interface_address
-                  eth0)</command></para>
-                </listitem>
-
-                <listitem>
-                  <para>Make your <literal>loc-&gt;dmz</literal> rule:
            <programlisting>#ACTION   SOURCE    DEST             PROTO   DPORT         SPORT    ORIGDEST
-DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</programlisting></para>
-                </listitem>
-              </orderedlist></para>
+DNAT      loc       dmz:10.10.11.2   tcp     80            -        &amp;eth0</programlisting>
+
+            <para>'&amp;eth0' expands to the IP address of eth0 (see <ulink
+            url="configuration_file_basics.htm#AddressVariables">this
+            article</ulink>).</para>
          </listitem>

          <listitem>
Author	SHA1	Message	Date
Tom Eastep	26795cf082	Correct setup of $usedactions{A_REJECT} Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-06 08:18:36 -07:00
Tom Eastep	95e4071f34	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-04-06 07:42:46 -07:00
Tuomo Soini	6366fb40cf	ProxyARP.xml: fix proxyndp sample column matching Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-06 12:00:41 +03:00
Tuomo Soini	20179a5c9d	remove completely false README.txt Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-06 10:23:58 +03:00
Tom Eastep	b7e6893f7d	Restore DropUPnP behavior in Reject Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-05 20:00:15 -07:00
Tom Eastep	3ac3ae279f	Add A_REJECT action Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-05 16:38:39 -07:00
Tom Eastep	54843c617d	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-04-05 11:46:42 -07:00
Tom Eastep	e9467326f3	Allow allow REJECT to take a parameter Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-05 11:20:44 -07:00
Tuomo Soini	80bf77e8a8	modules.xtables: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:31:36 +03:00
Tuomo Soini	1e5ebee799	modules.tc: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:31:36 +03:00
Tuomo Soini	74fe7b302e	modules.ipset: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:31:36 +03:00
Tuomo Soini	d70e18535b	modules.extensions: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:31:36 +03:00
Tuomo Soini	64a6b36918	modules.essential: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:31:36 +03:00
Tuomo Soini	35bc0bd8ef	lib.base: format to new headers Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:27:47 +03:00
Tuomo Soini	4034ebc270	modules.xtables: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:25:36 +03:00
Tuomo Soini	bd33bb7105	modules.tc: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:25:36 +03:00
Tuomo Soini	dbb23d8807	modules.ipset: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:25:36 +03:00
Tuomo Soini	5c4ee58f44	modules.extensions: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:25:36 +03:00
Tuomo Soini	bf8b519da6	modules.essential: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:25:36 +03:00
Tuomo Soini	724d430ba4	action.template: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:20:55 +03:00
Tuomo Soini	11479b14f9	action.mangletemplate: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:20:55 +03:00
Tuomo Soini	54eea167e5	action.Broadcast: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:20:55 +03:00
Tuomo Soini	8d92d07352	action.AllowICMPs: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:20:55 +03:00
Tuomo Soini	6122a1db19	action.A_AllowICMPs: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:20:55 +03:00
Tuomo Soini	2962809243	action.Untracked: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	23a91d7c26	action.template: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	30b2b2dcb4	action.TCPFlags: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	46a86cfa58	action.SetEvent: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	ad2dfd9eaf	action.RST: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	001aabf72c	action.ResetEvent: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	7052819a9c	action.Related: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	2b1244c110	action.Reject: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	94803b63b1	action.NotSyn: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	5f33cb5d0a	action.New: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	deda26c790	action.mangletemplate: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	f9f349a148	action.Invalid: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	2842e897c9	action.IfEvent: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	de44a16094	action.GlusterFS: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	6560e74c2c	action.Established: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	f7ddf3008d	action.DropSmurfs: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	cb608172d3	action.dropInvalid: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	f806010521	action.Drop: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	205254e043	action.DNSAmp: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	a7efa12fff	action.Broadcast: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	95c4f2d7f6	action.AutoBLL: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	89189f7836	action.AutoBL: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	c2e3156e5c	action.A_Reject: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	ffe9f88c07	action.allowInvalid: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tuomo Soini	e4c9c83e2b	action.A_Drop: reformat to new header style Signed-off-by: Tuomo Soini <tis@foobar.fi>	2016-04-05 20:13:55 +03:00
Tom Eastep	9a7f6512a1	Delete IPv6 actions that duplicate IPv4 actions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-04 15:58:39 -07:00
Tom Eastep	77a93d10a4	Don't pass an argument to DropUPnP out of Drop and Reject Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-04 15:55:48 -07:00
Tom Eastep	a96ee0ab9a	Make IPv6 Auth default consistent with IPv4 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-04 12:59:09 -07:00
Tom Eastep	646572098c	Update IPv6 Article - Remove 'No NAT' bullet Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-04 12:55:37 -07:00
Tom Eastep	75df718865	Reword comment in push_action_params() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-04 09:41:28 -07:00
Tom Eastep	ae8e2f70ea	Efficiency change to known_interface() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-03 17:34:02 -07:00
Tom Eastep	39f5b77e5f	Fix known_interface() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-03 16:31:45 -07:00
Tom Eastep	cb5a2519f3	Keep hyphens in @chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-03 16:30:31 -07:00
Tom Eastep	4151f7c504	Revert change to log_[i]rule_limit Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-03 16:29:52 -07:00
Tom Eastep	054837aeea	Use the real chain name in log messages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-03 13:04:25 -07:00
Tom Eastep	ebf55a84f0	Correct trace instructions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-03 12:47:28 -07:00
Tom Eastep	b637d303b9	Correct use of a physical interface name in the hosts file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-02 17:27:20 -07:00
Tom Eastep	0dbf42424d	Make physical name a synonym for the correcponding logical name. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-02 10:04:05 -07:00
Tom Eastep	f22e8d6d55	Allow physical interface to work in the ecn file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-01 15:10:49 -07:00
Tom Eastep	d98305c6f4	Correct default for MINIUPNOD Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-01 12:20:42 -07:00
Tom Eastep	3cbfdadb32	Merge branch '5.0.7'	2016-04-01 09:46:53 -07:00
Tom Eastep	81d76e3817	Document + in the MODULESDIR setting. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-01 09:43:06 -07:00
Tom Eastep	df1b1f6768	Add MINIUPNPD option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-04-01 08:57:08 -07:00
Tom Eastep	3881b38e02	Fix similar INTERFACE column issue in the nat and netmap files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-31 14:16:43 -07:00
Tom Eastep	8a8f3b6f59	Merge branch '5.0.7'	2016-03-31 12:55:16 -07:00
Tom Eastep	b9bed00123	Correct handling of a physical name in a masq rule Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-31 12:52:30 -07:00
Tom Eastep	38aa7797c4	Allow protocol and user lists in actions and macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-30 08:34:42 -07:00
Tom Eastep	404540ffe1	Merge branch '5.0.7'	2016-03-30 08:17:19 -07:00
Tom Eastep	dd3c0daa08	Handle inline matches correctly in the mangle file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-29 13:33:47 -07:00
Tom Eastep	4fddfcfba0	More complete fix for inline matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-29 13:15:01 -07:00
Tom Eastep	421d5f6043	Move Raw matches to last. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-29 09:31:27 -07:00
Tom Eastep	382ab380a2	Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code	2016-03-29 07:36:49 -07:00
Tuomo Soini	2342c7cd9c	Perl/Shorewall/Chains.pm: Fix warning with older perl	2016-03-29 09:58:33 +03:00
Tom Eastep	66ae4975b2	Allow :R with DIVERT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-28 15:52:49 -07:00
Tom Eastep	5b7a9db170	Correct clearing of inline matches Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-28 15:48:59 -07:00
Roberto C. Sánchez	899a317c95	Fix typos	2016-03-26 22:25:30 -04:00
Tom Eastep	89adc3ea68	Use an address variable rather than find_first_interface_address() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-26 13:13:15 -07:00
Tom Eastep	ad87d94e33	Small efficiency change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-26 13:12:33 -07:00
Tom Eastep	8a6941707a	Updates to the config basics article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2016-03-26 09:01:02 -07:00
Tom Eastep	0b049a55e0	Correct Three-interface doc. - find_interface_address -> find_first_interface_address	2016-03-25 09:34:49 -07:00
				`@@ -1 +0,0 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall-lite stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall 4.4 stable branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall6-lite stable 4.4 branch of Git.`
				`@@ -1 +0,0 @@`
				`This is the Shorewall6 stable 4.4 branch of Git.`