Modify a comment are delete a silly identity assignment

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/interfaces

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+$FW	net	ACCEPT
+net	all	DROP

Samples/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -0,0 +1,213 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=Yes
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=On
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+USE_DEFAULT_RT=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples/one-interface/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -34,17 +34,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -70,6 +68,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -107,9 +107,9 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=On
+IP_FORWARDING=Off
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -119,6 +119,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -191,6 +193,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -34,17 +34,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -70,6 +68,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -119,6 +119,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -191,6 +193,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -41,17 +41,15 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -77,6 +75,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -116,7 +116,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -126,6 +126,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -144,7 +146,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -198,6 +200,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/Universal/interfaces

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback
+

Samples6/Universal/policy

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+fw	net	ACCEPT
+net	all	DROP
+

Samples6/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -0,0 +1,168 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IP6TABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=Off
+
+TC_ENABLED=No
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples6/one-interface/shorewall6.conf

@@ -32,17 +32,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -139,7 +141,25 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-###############################################################################
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
+##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 

Samples6/three-interfaces/interfaces

@@ -12,6 +12,6 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags
-loc     eth1            detect          tcpflags
-dmz     eth2            detect
+net     eth0            detect          tcpflags,forward=1
+loc     eth1            detect          tcpflags,forward=1
+dmz     eth2            detect		tcpflags,forward=1

Samples6/three-interfaces/shorewall6.conf

@@ -32,17 +32,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -139,6 +141,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/interfaces

@@ -12,5 +12,5 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags
-loc     eth1            detect          tcpflags
+net     eth0            detect          tcpflags,forward=1
+loc     eth1            detect          tcpflags,forward=1

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -32,17 +32,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -139,6 +141,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/COPYING

@@ -55,7 +55,7 @@ patent must be licensed for everyone's free use or not licensed at all.
 
   The precise terms and conditions for copying, distribution and
 modification follow.
-
+
 		    GNU GENERAL PUBLIC LICENSE
    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
 
@@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions:
     License.  (Exception: if the Program itself is interactive but
     does not normally print such an announcement, your work based on
     the Program is not required to print an announcement.)
-
+
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
@@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
-
+
   4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
@@ -225,7 +225,7 @@ impose that choice.
 
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
-
+
   8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
@@ -278,7 +278,7 @@ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
 		     END OF TERMS AND CONDITIONS
-
+
 	    How to Apply These Terms to Your New Programs
 
   If you develop a new program, and you want it to be of the greatest
@@ -291,7 +291,7 @@ convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
+    Copyright (C) 19yy  <name of author>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -313,7 +313,7 @@ Also add information on how to contact you by electronic and paper mail.
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
 
-    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision version 69, Copyright (C) 19yy name of author
     Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.

Shorewall-init/README.txt

@@ -0,0 +1 @@
+This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/ifupdown.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+IFUPDOWN=0
+PRODUCTS=
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+if [ -f /etc/debian_version ]; then
+    #
+    # Debian ifupdown system
+    #
+    if [ "$MODE" = start ]; then
+	COMMAND=up
+    elif [ "$MODE" = stop ]; then
+	COMMAND=down
+    else
+	exit 0
+    fi
+
+    case "$PHASE" in
+	pre-*)
+	    exit 0
+	    ;;
+    esac
+elif [ -f /etc/SuSE-release ]; then
+    #
+    # SuSE ifupdown system
+    #
+    IFACE="$2"
+
+    case $0 in
+	*if-up.d*)
+	    COMMAND=up
+	    ;;
+	*if-down.d*)
+	    COMMAND=down
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+else
+    #
+    # Assume RedHat/Fedora/CentOS/Foobar/...
+    #
+    IFACE="$1"
+    
+    case $0 in 
+	*ifup*)
+	    COMMAND=up
+	    ;;
+	*ifdown*)
+	    COMMAND=down
+	    ;;
+	*dispatcher.d*)
+	    COMMAND="$2"
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+fi
+
+for PRODUCT in $PRODUCTS; do
+    VARDIR=/var/lib/$PRODUCT
+    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
+    if [ -x $VARDIR/firewall ]; then
+	  ( . /usr/share/$PRODUCT/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
+	    mutex_off
+	  )
+    fi
+done
+
+exit 0

Shorewall-init/init.debian.sh

@@ -0,0 +1,146 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+### BEGIN INIT INFO
+# Provides:          shorewall-init
+# Required-Start:    $local_fs
+# X-Start-Before:    $network
+# Required-Stop:     $local_fs
+# X-Stop-After:      $network
+# Default-Start:     S
+# Default-Stop:      0 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time prior to
+#                    bringing up the network
+### END INIT INFO
+
+export VERBOSITY=0
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+echo_notdone () {
+  echo "not done."
+  exit 1
+}
+
+not_configured () {
+	echo "#### WARNING ####"
+	echo "the firewall won't be initialized unless it is configured"
+	if [ "$1" != "stop" ]
+	then
+		echo ""
+		echo "Please read about Debian specific customization in"
+		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
+	fi
+	echo "#################"
+	exit 0
+}
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/default/shorewall-init" ]
+then
+	. /etc/default/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		not_configured
+	fi
+else
+	not_configured
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local product
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
+	  #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  ( 
+	      . /usr/share/$product/lib.base
+	      #
+	      # Get mutex so the firewall state is stable
+	      #
+	      mutex_on
+	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/firewall stop || echo_notdone
+	      fi
+	      mutex_off
+	  )
+      fi
+  done
+
+  echo "done."
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local product
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
+	  ( . /usr/share/$product/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall clear || echo_notdone
+	    mutex_off
+	  )
+      fi
+  done
+
+  echo "done."
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  reload|force-reload)
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/init.sh

@@ -0,0 +1,104 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# chkconfig: - 09 91
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-start: $local_fs
+# Required-stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/install.sh

@@ -0,0 +1,336 @@
+#!/bin/sh
+#
+# Script to install Shoreline Firewall Init
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+VERSION=4.4.13-Beta3
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    exit $1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+run_install()
+{
+    if ! install $*; then
+	echo
+	echo "ERROR: Failed to install $*" >&2
+	exit 1
+    fi
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+install_file() # $1 = source $2 = target $3 = mode
+{
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
+}
+
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
+#
+# Parse the run line
+#
+# DEST is the SysVInit script directory
+# INIT is the name of the script in the $DEST directory
+# ARGS is "yes" if we've already parsed an argument
+#
+ARGS=""
+
+if [ -z "$DEST" ] ; then
+	DEST="/etc/init.d"
+fi
+
+if [ -z "$INIT" ] ; then
+	INIT="shorewall-init"
+fi
+
+while [ $# -gt 0 ] ; do
+    case "$1" in
+	-h|help|?)
+	    usage 0
+	    ;;
+        -v)
+	    echo "Shorewall Init Installer Version $VERSION"
+	    exit 0
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+    shift
+    ARGS="yes"
+done
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# Determine where to install the firewall script
+#
+
+case $(uname) in
+    Darwin)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	T=
+	;;	
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
+if [ -n "$DESTDIR" ]; then
+    if [ `id -u` != 0 ] ; then
+	echo "Not setting file owner/group permissions, not running as root."
+	OWNERSHIP=""
+    fi
+    
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+elif [ -f /etc/debian_version ]; then
+    DEBIAN=yes
+elif [ -f /etc/SuSE-release ]; then
+    SUSE=Yes
+elif [ -f /etc/slackware-version ] ; then
+    echo "Shorewall-init is currently not supported on Slackware" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="rc.firewall"
+elif [ -f /etc/arch-release ] ; then
+    echo "Shorewall-init is currently not supported on Arch Linux" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="shorewall-init"
+#   ARCHLINUX=yes
+elif [ -d /etc/sysconfig/network-scripts/ ]; then
+    #
+    # Assume RedHat-based
+    #
+    REDHAT=Yes
+else
+    echo "Unknown distribution: Shorewall-init support is not available" >&2
+    exit 1
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Init Version $VERSION"
+
+#
+# Check for /usr/share/shorewall-init/version
+#
+if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
+    first_install=""
+else
+    first_install="Yes"
+fi
+
+#
+# Install the Init Script
+#
+if [ -n "$DEBIAN" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+#elif [ -n "$ARCHLINUX" ]; then
+#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+else
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+fi
+
+echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
+
+#
+# Create /usr/share/shorewall-init if needed
+#
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}/usr/share/shorewall-init
+
+#
+# Create the version file
+#
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+
+#
+# Remove and create the symbolic link to the init script
+#
+if [ -z "$DESTDIR" ]; then
+    rm -f /usr/share/shorewall-init/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
+fi
+
+if [ -n "$DEBIAN" ]; then
+    if [ -n "${DESTDIR}" ]; then
+	mkdir -p ${DESTDIR}/etc/network/if-up.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+    fi
+
+    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+	if [ -n "${DESTDIR}" ]; then
+	    mkdir ${DESTDIR}/etc/default
+	fi
+
+	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+    fi
+else
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/etc/sysconfig
+
+	if [ -z "$RPM" ]; then
+	    if [ -n "$SUSE" ]; then
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+	    else
+		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+	    fi
+	fi
+    fi
+
+    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
+	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
+    fi 
+fi
+
+#
+# Install the ifupdown script
+#
+
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
+
+install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
+
+if [ -d ${DESTDIR}/etc/NetworkManager ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+fi
+
+if [ -n "$DEBIAN" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+elif [ -n "$SUSE" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+elif [ -n "$REDHAT" ]; then
+    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+    else
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+    fi
+fi
+
+if [ -z "$DESTDIR" ]; then
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-init
+	    else
+		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    fi
+
+	    echo "Shorewall Init will start automatically at boot"
+	else
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall-init ; then
+		    echo "Shorewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+		if chkconfig --add shorewall-init ; then
+		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-init
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/rc-update ]; then
+		if rc-update add shorewall-init default; then
+		    echo "Shorewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+		cant_autostart
+	    fi
+	fi
+    fi
+else
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    if [ -n "${DESTDIR}" ]; then
+		mkdir -p ${DESTDIR}/etc/rcS.d
+	    fi
+
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
+	    echo "Shorewall Init will start automatically at boot"
+	fi
+    fi
+fi
+
+#
+#  Report Success
+#
+echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init.spec

@@ -0,0 +1,146 @@
+%define name shorewall-init
+%define version 4.4.13
+%define release 0Beta3
+
+Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: shoreline_firewall >= 4.4.10
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall Init is a companion product to Shorewall that allows for tigher
+control of connections during boot and that integrates Shorewall with
+ifup/ifdown and NetworkManager.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall-init;
+    fi
+fi
+
+if [ -f /etc/SuSE-release ]; then
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
+else
+    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
+	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
+	else
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+	fi
+    else
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+    fi
+
+    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
+	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
+    fi
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall-init
+    fi
+
+    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
+    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
+
+    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
+
+%attr(0544,root,root) /etc/init.d/shorewall-init
+%attr(0755,root,root) %dir /usr/share/shorewall-init
+
+%attr(0644,root,root) /usr/share/shorewall-init/version
+%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Tue May 18 2010 Tom Eastep tom@shorewall.net
+- Initial version
+
+
+

Shorewall-init/sysconfig

@@ -0,0 +1,12 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to 
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0

Shorewall-init/uninstall.sh

@@ -0,0 +1,97 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=4.4.13-Beta3
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    exit $1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+if [ -f /usr/share/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    VERSION=""
+fi
+
+echo "Uninstalling Shorewall Init $VERSION"
+
+INITSCRIPT=/etc/init.d/shorewall-init
+
+if [ -n "$INITSCRIPT" ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+        insserv -r $INITSCRIPT
+    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	chkconfig --del $(basename $INITSCRIPT)
+    else
+	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
+    fi
+
+    remove_file $INITSCRIPT
+fi
+
+[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
+[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
+
+remove_file /etc/default/shorewall-init
+remove_file /etc/sysconfig/shorewall-init
+
+remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
+
+remove_file /etc/network/if-up.d/shorewall
+remove_file /etc/network/if-down.d/shorewall
+
+remove_file /etc/sysconfig/network/if-up.d/shorewall
+remove_file /etc/sysconfig/network/if-down.d/shorewall
+
+rm -rf /usr/share/shorewall-init
+
+echo "Shorewall Init Uninstalled"
+
+

Shorewall-lite/README.txt

@@ -1 +1 @@
-This is the Shorewall-lite development 4.3 branch of SVN.
+This is the Shorewall-lite stable 4.4 branch of Git.

Shorewall-lite/default.debian

@@ -21,4 +21,16 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall-lite/fallback.sh

@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# Script to back out the installation of Shorewall Lite and to restore the previous version of
-# the program
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to back out the installation of the version
-#       shown below. Simply run this script to revert to your prior version of
-#       Shoreline Firewall.
-
-VERSION=4.4.0.1
-
-usage() # $1 = exit status
-{
-    echo "usage: $(basename $0)"
-    exit $1
-}
-
-restore_directory() # $1 = directory to restore
-{
-    if [ -d ${1}-${VERSION}.bkout ]; then
-	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
-	    echo
-	    echo "$1 restored"
-	    rm -rf ${1}-${VERSION}
-	else
-	    echo "ERROR: Could not restore $1"
-	    exit 1
-	fi
-    fi
-}
-
-restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
-{
-    if [ -n "$2" ]; then
-	local file
-	file=$(basename $1)
-
-	if [ -f $2/$file ]; then
-	    if mv -f $2/$file $1 ; then
-		echo
-		echo "$1 restored"
-		return
-	    fi
-
-	    echo "ERROR: Could not restore $1"
-	    exit 1
-        fi
-    fi
-
-    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
-	if (mv -f ${1}-${VERSION}.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    echo "ERROR: Could not restore $1"
-	    exit 1
-        fi
-    fi
-}
-
-if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
-    echo "Shorewall Version $VERSION is not installed"
-    exit 1
-fi
-
-echo "Backing Out Installation of Shorewall $VERSION"
-
-if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
-    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
-else
-    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
-fi
-
-restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
-
-restore_directory /etc/shorewall-lite
-restore_directory /usr/share/shorewall-lite
-restore_directory /var/lib/shorewall-lite
-
-echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
-
-

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,9 +15,7 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -44,6 +42,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {
@@ -89,7 +88,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.4.13-Beta3
 
 usage() # $1 = exit status
 {
@@ -82,15 +82,16 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $OWNERSHIP -m $3 $1 ${2}
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
-# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -103,10 +104,6 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 
-if [ -z "$RUNLEVELS" ] ; then
-	RUNLEVELS=""
-fi
-
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -131,10 +128,12 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
+INSTALLD='-D'
+T='-T'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$PREFIX" ]; then
+	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -142,6 +141,10 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
+    Darwin)
+	INSTALLD=
+	T=
+	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -150,14 +153,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$PREFIX" ]; then
+if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
-    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -179,151 +182,186 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
-    first_install=""
+if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
     [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
-    first_install="Yes"
-    rm -rf ${PREFIX}/etc/shorewall-lite
-    rm -rf ${PREFIX}/usr/share/shorewall-lite
-    rm -rf ${PREFIX}/var/lib/shorewall-lite
+    rm -rf ${DESTDIR}/etc/shorewall-lite
+    rm -rf ${DESTDIR}/usr/share/shorewall-lite
+    rm -rf ${DESTDIR}/var/lib/shorewall-lite
 fi
 
-delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
+#
+# Check for /sbin/shorewall-lite
+#
+if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+    first_install=""
+else
+    first_install="Yes"
+fi
 
-install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
+delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
 
-echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
+install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+
+echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
+    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 
 else
-    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
 fi
 
-echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${PREFIX}/etc/shorewall-lite
-mkdir -p ${PREFIX}/usr/share/shorewall-lite
-mkdir -p ${PREFIX}/var/lib/shorewall-lite
+mkdir -p ${DESTDIR}/etc/shorewall-lite
+mkdir -p ${DESTDIR}/usr/share/shorewall-lite
+mkdir -p ${DESTDIR}/var/lib/shorewall-lite
 
-chmod 755 ${PREFIX}/etc/shorewall-lite
-chmod 755 ${PREFIX}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/etc/shorewall-lite
+chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}/etc/logrotate.d
+    chmod 755 ${DESTDIR}/etc/logrotate.d
+fi
 
 #
 # Install the config file
 #
-if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
-   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
+   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
-echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
+echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
+install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
+	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
+if [ -f wait4ifup ]; then
+    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
 
-echo
-echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
+    echo
+    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
+fi
 
 #
 # Install the Modules file
 #
-run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
-echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
+
+if [ -f modules ]; then
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
+    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+fi
 
 #
 # Install the Man Pages
 #
 
-cd manpages
+if [ -d manpages ]; then
+    cd manpages
 
-for f in *.5; do
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+
+    for f in *.5; do
 	gzip -c $f > $f.gz
-    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
-    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
-done
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
+    done
 
-for f in *.8; do
+    for f in *.8; do
 	gzip -c $f > $f.gz
-    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
-    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
-done
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
+    done
 
-cd ..
+    cd ..
+
+    echo "Man Pages Installed"
+fi
+
+if [ -d ${DESTDIR}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+fi
 
-echo "Man Pages Installed"
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
-chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$PREFIX" ]; then
+if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/shorewall-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$PREFIX" -a -n "$first_install" ]; then
+if [ -z "$DESTDIR" ]; then
+    touch /var/log/shorewall-lite-init.log
+
+    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-lite
+	    else
 		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	    fi
+
 	    echo "Shorewall Lite will start automatically at boot"
-	touch /var/log/shorewall-init.log
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-lite ; then
@@ -348,6 +386,7 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
 		cant_autostart
 	    fi
 	fi
+    fi
 fi
 
 #

Shorewall-lite/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall-lite-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,18 +48,19 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"
 
 . /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-VERSION=$(cat /usr/share/shorewall-lite/version)
+SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
-VERBOSE=0
+VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -117,8 +117,6 @@ get_config() {
 
     [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
 
-    export LOGFORMAT
-
     if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -132,8 +130,6 @@ get_config() {
 	fi
     fi
 
-    export IPTABLES
-
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -145,15 +141,20 @@ get_config() {
 
     validate_restorefile RESTOREFILE
 
-    export RESTOREFILE
-
     [ -n "${VERBOSITY:=2}" ]
 
-    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
-    export VERBOSE
+    g_hostname=$(hostname 2> /dev/null)
 
-    [ -n "${HOSTNAME:=$(hostname)}" ]
+    IP=$(mywhich ip 2> /dev/null)
+    if [ -z "$IP" ] ; then
+	echo "   ERROR: Can't find ip executable" >&2
+	exit 2
+    fi
+
+    IPSET=ipset
+    TC=tc
 
 }
 
@@ -161,13 +162,13 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $FIREWALL ]; then
+    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $FIREWALL ]; then
-	    echo "          $FIREWALL is a symbolic link to a" >&2
+	if [ -L $g_firewall ]; then
+	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $FIREWALL does not exist" >&2
+	    echo "          The file $g_firewall does not exist" >&2
 	fi
 	
 	exit 2
@@ -187,7 +188,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on
 
 	if [ -x ${LITEDIR}/firewall ]; then
-	    ${LITEDIR}/firewall $debugging start
+	    run_it ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -219,12 +220,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -248,36 +249,21 @@ start_command() {
 	    ;;
     esac
 
-    export NOROUTES
-
-    if [ -n "$FAST" ]; then
+    if [ -n "$g_fast" ]; then
 	if qt mywhich make; then
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
-	    make -qf ${CONFDIR}/Makefile || FAST=
+	    export RESTOREFILE
+	    make -qf ${CONFDIR}/Makefile || g_fast=
 	fi
 
-	if [ -n "$FAST" ]; then
+	if [ -n "$g_fast" ]; then
 
-	    RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $RESTOREPATH ]; then
-		if [ -x ${RESTOREPATH}-ipsets ]; then
-		    echo Restoring Ipsets...
-		    #
-		    # We must purge iptables to be sure that there are no
-		    # references to ipsets
-		    #
-		    iptables -F
-		    iptables -X
-		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
-		fi
+	    g_restorepath=${VARDIR}/$RESTOREFILE
 
+	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		$SHOREWALL_SHELL $RESTOREPATH restore
+		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $RESTOREPATH
+		progress_message3 Shorewall Lite restored from $g_restorepath
 	    else
 		do_it
 	    fi
@@ -313,12 +299,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -342,12 +328,10 @@ restart_command() {
 	    ;;
     esac
 
-    export NOROUTES
-
     [ -n "$nolock" ] || mutex_on
 
     if [ -x ${LITEDIR}/firewall ]; then
-	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
+	run_it ${LITEDIR}/firewall $debugging restart
 	rc=$?
     else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -366,13 +350,14 @@ usage() # $1 = exit status
 {
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
+    echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   clear"
+    echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -381,7 +366,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -389,23 +374,71 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
-    echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
     echo "   show ip"
-    echo "   show [ -m ] log"
-    echo "   show [ -x ] mangle|nat|raw"
-    echo "   show routing"
-    echo "   show tc"
+    echo "   show [ -m ] log [<regex>]"
+    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
+    echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -n ] [ -p ]"
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
     echo "   status"
-    echo "   version"
+    echo "   version [ -a ]"
     echo
     exit $1
 }
 
+version_command() {
+    local finished
+    finished=0
+    local all
+    all=
+    local product
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			a*)
+			    all=Yes
+			    option=${option#a}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -gt 0 ] && usage 1
+
+    echo $SHOREWALL_VERSION
+    
+    if [ -n "$all" ]; then
+	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
+	    if [ -f /usr/share/$product/version ]; then
+		echo "$product: $(cat /usr/share/$product/version)"
+	    fi
+	done
+    fi
+}
+
 #
 # Execution begins here
 #
@@ -423,14 +456,13 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
     shift
 fi
 
-IPT_OPTIONS="-nv"
-FAST=
-VERBOSE_OFFSET=0
-USE_VERBOSITY=
-NOROUTES=
-EXPORT=
-export TIMESTAMP=
-noroutes=
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_noroutes=
+g_timestamp=
+g_recovering=
 
 finished=0
 
@@ -449,48 +481,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			IPT_OPTIONS="-xnv"
+			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			FAST=Yes
+			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				USE_VERBOSITY=-1
+				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
-				USE_VERBOSITY=0
+				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
-				USE_VERBOSITY=1
+				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
-				USE_VERBOSITY=2
+				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
-				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				USE_VERBOSITY=
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
-			TIMESTAMP=Yes
+			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -515,12 +547,11 @@ if [ $# -eq 0 ]; then
 fi
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-export PATH
 MUTEX_TIMEOUT=
 
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-export PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"
 
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
 
@@ -528,17 +559,10 @@ export PRODUCT="Shorewall Lite"
 
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
 
-LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
-VERSION_FILE=$SHAREDIR/version
-HELP=$SHAREDIR/help
+version_file=$SHAREDIR/version
 
-for library in $LIBRARIES; do
-    if [ -f $library ]; then
-	. $library
-    else
-	echo "Installation error: $library does not exist!" >&2
-	exit 2
-    fi
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
 done
 
 ensure_config_path
@@ -558,7 +582,6 @@ else
 fi
 
 ensure_config_path
-export CONFIG_PATH
 
 LITEDIR=${VARDIR}
 
@@ -566,17 +589,17 @@ LITEDIR=${VARDIR}
 
 get_config
 
-FIREWALL=$LITEDIR/firewall
+g_firewall=$LITEDIR/firewall
 
-if [ -f $VERSION_FILE ]; then
-    version=$(cat $VERSION_FILE)
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
 else
     echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $VERSION_FILE does not exist" >&2
+    echo "          The file $version_file does not exist" >&2
     exit 1
 fi
 
-banner="Shorewall Lite $version Status at $HOSTNAME -"
+banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
 
 case $(echo -e) in
     -e*)
@@ -605,15 +628,12 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|clear)
+    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	export NOROUTES
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
-	;;
-    reset)
-	verify_firewall_script
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
+	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $debugging $COMMAND
+	[ -n "$nolock" ] || mutex_off
 	;;
     restart)
 	shift
@@ -626,7 +646,7 @@ case "$COMMAND" in
     status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
+	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -639,7 +659,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Clear*)
+		Stopped*|Closed*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -660,7 +680,8 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	echo $version Lite
+	shift
+	version_command $@
 	;;
     logwatch)
 	logwatch_command $@
@@ -729,7 +750,7 @@ case "$COMMAND" in
 	    ;;
 	esac
 
-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	[ "$nolock" ] || mutex_on
 
@@ -751,20 +772,15 @@ case "$COMMAND" in
 	esac
 
 
-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE
 
-	if [ -x $RESTOREPATH ]; then
-
-	    if [ -x ${RESTOREPATH}-ipsets ]; then
-		rm -f ${RESTOREPATH}-ipsets
-		echo "    ${RESTOREPATH}-ipsets removed"
-	    fi
-
-	    rm -f $RESTOREPATH
-	    rm -f ${RESTOREPATH}-iptables
-	    echo "    $RESTOREPATH removed"
-	elif [ -f $RESTOREPATH ]; then
-	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
+	if [ -x $g_restorepath ]; then
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;

Shorewall-lite/shorewall-lite.conf

@@ -4,12 +4,11 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall-lite
-#
-#  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#  For information about the settings in this file, type
+#  "man shorewall-lite.conf"
 #
+#  Manpage also online at
+#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.0
-%define release 1
+%define version 4.4.13
+%define release 0Beta3
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,6 +14,7 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
+Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -31,7 +32,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build
 
 %install
-export PREFIX=$RPM_BUILD_ROOT ; \
+export DESTDIR=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -79,6 +80,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -86,6 +89,7 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
@@ -98,8 +102,110 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta1
+* Mon May 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0base
+* Sun May 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC2
+* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC1
+* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta5
+* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta4
+* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta3
+* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta2
+* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.4.13-Beta3
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
 else
     FIREWALL=/etc/init.d/shorewall-lite
 fi
@@ -106,6 +106,7 @@ rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
+rm -f  /etc/logrotate.d/shorewall-lite
 
 echo "Shorewall Uninstalled"
 

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Macros/macro.Citrix

@@ -3,7 +3,8 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
+#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+#	ICA Session Reliability)
 #
 ####################################################################################
 #ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/

Shorewall/Macros/macro.DHCPfwd

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - DHCPfwd Macro
+#
+# /usr/share/shorewall/macro.DHCPfwd
+#
+#	This macro (bidirectional) handles forwarded DHCP traffic
+#
+###############################################################################
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	udp	67:68	67:68	# DHCP
+PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.HKP

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - HKP Macro
+#
+# /usr/share/shorewall/macro.HKP
+#
+#	This macro handles OpenPGP HTTP keyserver protocol traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	11371

Shorewall/Macros/macro.OSPF

@@ -5,7 +5,7 @@
 #
 #	This macro handles OSPF multicast traffic
 #
-#######################################################################################################
-#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
-#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
-PARAM           -               -       89      -                                                       # OSPF
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	89	# OSPF

Shorewall/Macros/macro.mDNS

@@ -1,12 +1,15 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.DNS
+# /usr/share/shorewall/macro.mDNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
 #						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	5353
-PARAM	DEST	SOURCE	udp	5353
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-			udp	32768:	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Macros/macro.template

@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this colume:
+#			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,6 +304,100 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:

Shorewall/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,27 +35,16 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4.13';
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Called by the compiler to [re-]initialize this module's state
 #
-
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Accounting
 #
@@ -63,7 +52,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -72,6 +61,16 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
+    sub reserved_chain_name($) {
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
+    }
+
+    sub ipsec_chain_name($) {
+	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
+	    $1;
+	}
+    }
+
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -83,10 +82,11 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	$jumpchainref = ensure_accounting_chain( $jumpchain );
+	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
+	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	"-j $jumpchain";
+	$jumpchain;
     }
 
     my $target = '';
@@ -95,18 +95,21 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
+    my $jump  = 0;
     
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = '-j RETURN';
+	    $target = 'RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2=1;
-		} elsif ( $cmd ne 'JUMP' ) {
+		    $rule2 = 1;
+		} elsif ( $cmd eq 'JUMP' ) {
+		    $jump = 1;
+		} else {
 		    accounting_error;
 		}
 	    }
@@ -148,7 +151,31 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = ensure_accounting_chain $chain;
+    my $chainref = $filter_table->{$chain};
+    my $dir;
+
+    if ( ! $chainref ) {
+	$chainref = ensure_accounting_chain $chain, 0;
+	$dir      = ipsec_chain_name( $chain );
+
+	if ( $ipsec ne '-' ) {
+	    if ( $dir ) {
+		$rule .= do_ipsec( $dir, $ipsec );
+		$chainref->{ipsec} = $dir;
+	    } else {
+		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+	    }
+	} else {
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
+	    $chainref->{ipsec} = $dir;
+	}
+    } elsif ( $ipsec ne '-' ) {
+	$dir = $chainref->{ipsec};
+	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	$rule .= do_ipsec( $dir , $ipsec );
+    }
+
+    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
 
     expand_rule
 	$chainref ,
@@ -162,6 +189,22 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
+    if ( $rule2 || $jump ) {
+	if ( $chainref->{ipsec} ) {
+	    if ( $jumpchainref->{ipsec} ) {
+		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
+	    } else {
+		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
+		$jumpchainref->{ipsec} = $chainref->{ipsec};
+	    }
+	} elsif ( $jumpchainref->{ipsec} ) {
+	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
+	} else {
+	    $jumpchainref->{ipsec} = $chainref->{ipsec};
+	}
+
+    }
+
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -189,27 +232,40 @@ sub setup_accounting() {
 
     $nonEmpty |= process_accounting_rule while read_a_line;
 
-    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
-
     clear_comment;
 
     if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 
 	if ( $filter_table->{accountout} ) {
-	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } else {
-	if ( $filter_table->{accounting} ) {
+    } elsif ( $filter_table->{accounting} ) {
 	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	}
     }
+
+    if ( $filter_table->{accipsecin} ) {
+	for my $chain ( qw/INPUT FORWARD/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
 	}
+    }
+
+    if ( $filter_table->{accipsecout} ) {
+	for my $chain ( qw/FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	}
+    }
+
+    for ( accounting_chainrefs ) {
+	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    }
+
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,6 +28,7 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 
 use strict;
 
@@ -47,6 +48,7 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
+		  map_old_actions
 
 		  %usedactions
 		  %default_actions
@@ -56,7 +58,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_13';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -85,21 +87,23 @@ our %macros;
 
 our $family;
 
+our @builtins;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
 
     $family          = shift;
@@ -111,10 +115,12 @@ sub initialize( $ ) {
     %actions         = ();
     %logactionchains = ();
     %macros          = ();
-}
 
-INIT {
-    initialize( F_IPV4 );
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
 }
 
 #
@@ -173,9 +179,27 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
     my $action = $_[0];
+
+    my $target = '';
+    my $max    = 3;
+    #
+    # The following rather grim RE, when matched, breaks the action into two parts:
+    #
+    #    basicaction(param)
+    #    logging part (may be empty)
+    #
+    # The param may contain one or more ':' characters
+    #
+    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
+	$target = $1;
+	$action = $2 ? $3 : '';
+	$max    = 2;
+    }
+	
     my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
-    ( shift @a, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
+    $target = shift @a unless $target;
+    ( $target, join ":", @a );
 }
 
 #
@@ -208,7 +232,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
 
@@ -268,14 +292,42 @@ sub add_requiredby ( $$ ) {
     $actions{$requires}{requires}{$requiredby} = 1;
 }
 
+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set CHAIN to the name of the iptables chain where rules are to be added.
-# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -306,7 +358,9 @@ sub createlogactionchain( $$ ) {
 
     fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
 
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
 
 	my $file = find_file $chain;
 
@@ -332,7 +386,9 @@ sub createsimpleactionchain( $ ) {
 
     $logactionchains{"$action:none"} = $chainref;
 
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
 
 	my $file = find_file $action;
 
@@ -351,7 +407,7 @@ sub createsimpleactionchain( $ ) {
 }
 
 #
-# Create an action chain and run it's associated user exit
+# Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
     my ( $action , $level ) = split_action $_[0];
@@ -417,8 +473,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -480,10 +537,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
     progress_message2 "Preprocessing Action Files...";
-
-    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
-	new_action $act;
-    }
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -519,7 +576,7 @@ sub process_actions1() {
 
 	    while ( read_a_line ) {
 
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
 
 		process_action1( $action, $wholetarget );
 
@@ -540,7 +597,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -556,8 +613,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
 
     my ( $action , $level ) = split_action $target;
 
@@ -575,11 +632,11 @@ sub process_action( $$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ? "-j $action" : '',
+		  $action ,
 		  $level ,
 		  $action ,
 		  '' );
@@ -588,8 +645,8 @@ sub process_action( $$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
 
     my $nocomment = no_comment;
 
@@ -605,12 +662,14 @@ sub process_macro3( $$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -624,8 +683,6 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	    next;
 	}
 
-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -666,8 +723,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;
 
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
     }
 
     pop_open;
@@ -692,7 +750,7 @@ sub process_action3( $$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
 
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -716,9 +774,9 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
     }
 
@@ -731,10 +789,14 @@ sub process_action3( $$$$$ ) {
 sub dropBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $capabilities{ADDRTYPE} ) {
+    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    } else {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+	    }
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -758,14 +820,14 @@ sub dropBcast( $$$ ) {
     if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
     } else {
-	add_rule $chainref, '-d ff00::/10 -j DROP';
+	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
     }
 }
 
 sub allowBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
@@ -790,8 +852,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
-	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
+	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
 	}
     }
 }
@@ -799,44 +861,46 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 
 sub rejNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 
 sub dropInvalid ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
-    add_rule $chainref , '-m state --state INVALID -j DROP';
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
 }
 
 sub allowInvalid ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
-    add_rule $chainref , '-m state --state INVALID -j ACCEPT';
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
 }
 
 sub forwardUPnP ( $$$ ) {
+    my $chainref = dont_optimize 'forwardUPnP';
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 
 sub allowinUPnP ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
     }
 
-    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 
 sub Limit( $$$ ) {
@@ -862,7 +926,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
     } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
     }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -41,22 +41,20 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
+our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_12';
 
 our $export;
 
 our $test;
 
-our $reused = 0;
-
-our $family = F_IPV4;
+our $family;
 
 #
-# Reinitilize the package-globals in the other modules
+# Initilize the package-globals in the other modules
 #
-sub reinitialize() {
+sub initialize_package_globals() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -74,32 +72,44 @@ sub reinitialize() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header to the generated script.
+#    Copy prog.header and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
-sub generate_script_1() {
+#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
+#          than those related to writing to the output script file.
+#
+sub generate_script_1( $ ) {
 
-    my $date = localtime;
+    my $script = shift;
 
+    if ( $script ) {
 	if ( $test ) {
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
+	    my $date = localtime;
+
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
+
+	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
 	}
 
+    }
+
+    my $lib = find_file 'lib.private';
+
+    copy2( $lib, $debug ) if -f $lib;
+
     emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    my $lib = find_file 'lib.private';
-
-    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -131,7 +141,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 
 sub generate_script_2() {
 
@@ -156,24 +166,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'PRODUCT="Shorewall Lite"'
+		   'g_product="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'PRODUCT=\'Shorewall\'',
+		   'g_product=\'Shorewall\'',
 		 );
 	}
     } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'PRODUCT="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'PRODUCT=\'Shorewall6\'',
+		   'g_product=\'Shorewall6\'',
 		 );
 	}
     }
@@ -205,17 +215,15 @@ sub generate_script_2() {
     my @dont_load = split_list $config{DONT_LOAD}, 'module';
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
-	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
+	   '[ -n "${VERBOSITY:=0}" ]',
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
 
-    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;
 
     emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
-	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );
 
@@ -224,7 +232,7 @@ sub generate_script_2() {
     append_file 'params' if $config{EXPORTPARAMS};
 
     emit ( '',
-	   "STOPPING=",
+	   "g_stopping=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -232,14 +240,24 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
-    my $global_variables = have_global_variables;
+    pop_indent;
+
+    emit "\n}\n"; # End of initialize()
 
-    if ( $global_variables ) {
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
-	      'case $COMMAND in' );
+	  'detect_configuration()',
+	  '{' );
+
+    my $global_variables = have_global_variables;
+
+    push_indent;
+
+    if ( $global_variables ) {
+
+	emit( 'case $COMMAND in' );
 
 	push_indent;
 
@@ -253,7 +271,7 @@ sub generate_script_2() {
 
 	set_global_variables(1);
 
-	handle_optional_interfaces;
+	handle_optional_interfaces(0);
 
 	emit ';;';
 
@@ -266,7 +284,7 @@ sub generate_script_2() {
 
 	    set_global_variables(0);
 
-	    handle_optional_interfaces;
+	    handle_optional_interfaces(0);
 
 	    emit ';;';
 	}
@@ -275,15 +293,16 @@ sub generate_script_2() {
 	pop_indent;
 
 	emit ( 'esac' ) ,
+    } else {
+	emit( 'true' ) unless handle_optional_interfaces(1);
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of initialize()
+    emit "\n}\n"; # End of detect_configuration()
 
 }
 
-#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -293,7 +312,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 #
 sub generate_script_3($) {
 
@@ -315,9 +334,9 @@ sub generate_script_3($) {
     save_progress_message 'Initializing...';
 
     if ( $export ) {
-	my $fn = find_file 'modules';
+	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
 
-	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
+	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -334,54 +353,17 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	my @ipsets = all_ipsets;
-
-	if ( @ipsets ) {
-	    emit ( '',
-		   'case $IPSET in',
-		   '    */*)',
-		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
-		   '        ;;',
-		   '    *)',
-		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
-		   '        ;;',
-		   'esac',
-		   '',
-		   'if [ "$COMMAND" = start ]; then' ,
-		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-		   '    fi' ,
-		   '' );
-
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	    emit ( '' ,
-		   'elif [ "$COMMAND" = restart ]; then' ,
-		   '' );
-
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	    emit ( '' , 
-		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	    emit ( 'fi',
-		   '' );
-	}
+	load_ipsets;
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' );
-
-	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	emit ( 'else' ,
+	       '   run_refresh_exit' ,
+	       'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
+	save_dynamic_chains;
+
 	mark_firewall_not_started;
 
 	emit ('',
@@ -389,7 +371,7 @@ sub generate_script_3($) {
 	       ''
 	     );
 
-	if ( $capabilities{NAT_ENABLED} ) {
+	if ( have_capability( 'NAT_ENABLED' ) ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -402,23 +384,11 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '#',
-	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
-	       '#',
-	       'qt1 $IP6TABLES -N foox1234',
-	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
-	       'result=$?',
-	       'qt1 $IP6TABLES -F foox1234',
-	       'qt1 $IP6TABLES -X foox1234',
-	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
-	       '' );
-
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
-		   '',
-	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
-	       ''
-	     );
-
+	       '' );
+	save_dynamic_chains;
+	mark_firewall_not_started;
+	emit '';
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -440,6 +410,10 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
+    emit 'cat > ${VARDIR}/policies << __EOF__';
+    save_policies;
+    emit_unindented '__EOF__';
+
     pop_indent;
 
     emit "fi\n";
@@ -467,31 +441,38 @@ EOF
     pop_indent;
     setup_forwarding( $family , 1 );
     push_indent;
-    emit<<'EOF';
-    set_state "Started"
+
+    my $config_dir = $globals{CONFIGDIR};
+
+    emit<<"EOF";
+    set_state Started $config_dir 
     run_restored_exit
 else
-    if [ $COMMAND = refresh ]; then
+    if [ \$COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
-    emit<<'EOF';
+
+    emit<<"EOF";
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
     else
         setup_netfilter
-        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
-    emit<<'EOF';
+
+    emit<<"EOF";
         run_start_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
         run_started_exit
     fi
 
+EOF
+
+    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 
@@ -499,16 +480,16 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        logger -p kern.info "$PRODUCT started"
+        logger -p kern.info "$g_product started"
         ;;
     restart)
-        logger -p kern.info "$PRODUCT restarted"
+        logger -p kern.info "$g_product restarted"
         ;;
     refresh)
-        logger -p kern.info "$PRODUCT refreshed"
+        logger -p kern.info "$g_product refreshed"
         ;;
     restore)
-        logger -p kern.info "$PRODUCT restored"
+        logger -p kern.info "$g_product restored"
         ;;
 esac
 EOF
@@ -526,8 +507,8 @@ EOF
 #
 sub compiler {
 
-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
-       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
 
     $export = 0;
     $test   = 0;
@@ -547,7 +528,8 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$objectfile },
+    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -558,6 +540,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
+		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -572,14 +555,19 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    reinitialize if $reused++ || $family == F_IPV6;
+    #
+    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
+    #
+    initialize_package_globals;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbose( $verbosity );
+    $verbosity = 1 if $debug && $verbosity < 1;
+
+    set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -588,20 +576,24 @@ sub compiler {
     #
     get_configuration( $export );
 
-    report_capabilities;
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
-
-    initialize_chain_table;
-
-    unless ( $command eq 'check' ) {
-	create_temp_object( $objectfile , $export );
+    if ( $scriptfilename ) {
+	set_command( 'compile', 'Compiling', 'Compiled' );
+	create_temp_script( $scriptfilename , $export );
+    } else {
+	set_command( 'check', 'Checking', 'Checked' );
     }
+    #
+    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
+    # shorewall.conf has been processed and the capabilities have been determined.
+    #
+    initialize_chain_table;
 
     #
     # Allow user to load Perl modules
@@ -639,13 +631,13 @@ sub compiler {
     #
     setup_notrack;
 
-    enable_object;
+    enable_script;
 
-    unless ( $command eq 'check' ) {
+    if ( $scriptfilename || $debug ) {
 	#
-	# Place Header in the object
+	# Place Header in the script
 	#
-	generate_script_1;
+	generate_script_1( $scriptfilename );
 	#
 	#                               C O M M O N _ R U L E S
 	#           (Writes the setup_common_rules() function to the compiled script)
@@ -659,11 +651,11 @@ sub compiler {
 	push_indent;
     }
     #
-    # Do all of the zone-independent stuff
+    # Do all of the zone-independent stuff (mostly /proc)
     #
     add_common_rules;
     #
-    # /proc stuff
+    # More /proc
     #
     if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
@@ -677,25 +669,24 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS setings in the zones file
+    # Handle MSS settings in the zones file
     #
     setup_zone_mss;
 
-    unless ( $command eq 'check' ) {
+    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_object;
+    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_object;
-    
-    unless ( $command eq 'check' ) {
+    enable_script;
 
+    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -713,12 +704,12 @@ sub compiler {
     #
     setup_tc;
 
-    unless ( $command eq 'check' ) {
+    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_object;
+    disable_script;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -729,7 +720,7 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
@@ -772,21 +763,27 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting;
+    setup_accounting if $config{ACCOUNTING};
 
-    if ( $command eq 'check' ) {
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
-    } else {
+    if ( $scriptfilename ) {
 	#
-	# Generate the zone x zone matrix
+	# Compiling a script - generate the zone by zone matrix
 	#
 	generate_matrix;
 
-	enable_object;
+	if ( $config{OPTIMIZE} & 0xD ) {
+	    progress_message2 'Optimizing Ruleset...';
+	    #
+	    # Optimize Policy Chains
+	    #
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    #
+	    # More Optimization
+	    #
+	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	}
+
+	enable_script;
 	#
 	#                             I N I T I A L I Z E
 	#           (Writes the initialize() function to the compiled script)
@@ -797,17 +794,24 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
-	#                               S T O P _ F I R E W A L L
-	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-	compile_stop_firewall( $test ); 
 	#
-	# Copy the footer to the object
+	#                           S T O P _ F I R E W A L L
+	#         (Writes the stop_firewall() function to the compiled script)
+	#
+	compile_stop_firewall( $test, $export );
+	#
+	#                               U P D O W N
+	#               (Writes the updown() function to the compiled script)
+	#
+	compile_updown;
+	#
+	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -817,15 +821,66 @@ sub compiler {
 	    }
 	}
 
-	disable_object;
+	disable_script;
 	#
-	# Close, rename and secure the object
+	# Close, rename and secure the script
 	#
-	finalize_object ( $export );
+	finalize_script ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_object, generate_aux_config if $export;
+	enable_script, generate_aux_config if $export;
+    } else {
+	#
+	# Just checking the configuration
+	#
+	if ( $preview || $debug ) {
+	    #
+	    # User wishes to preview the ruleset or we are tracing -- generate the rule matrix
+	    #
+	    generate_matrix;
+
+	    if ( $config{OPTIMIZE} & 6 ) {
+		progress_message2 'Optimizing Ruleset...';
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		#
+		# Ruleset Optimization
+		#
+		optimize_ruleset if $config{OPTIMIZE} & 4;
+	    }
+
+	    enable_script if $debug;
+
+	    generate_script_2 if $debug;
+
+	    preview_netfilter_load if $preview;
+	}
+	#
+	# Re-initialize the chain table so that process_routestopped() has the same
+	# environment that it would when called by compile_stop_firewall().
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+
+	if ( $debug ) {
+	    compile_stop_firewall( $test, $export );
+	    disable_script;
+	} else {
+	    #
+	    # compile_stop_firewall() also validates the routestopped file. Since we don't
+	    # call that function during normal 'check', we must validate routestopped here.
+	    #
+	    process_routestopped;
+	}
+
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
+	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
-	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -47,6 +47,7 @@ our @EXPORT = qw( ALLIPv4
 		  ALL
 		  TCP
 		  UDP
+		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
@@ -72,52 +73,46 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_12';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
+our $allip;
+our @allip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
 our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       IPv6_MULTICAST      => 'FF00::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
-	       IPv6_SITELOCAL      => 'FFC0::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv4_MULTICAST      => '224.0.0.0/4' ,
+	       IPv6_MULTICAST      => 'ff00::/8' ,
+	       IPv6_LINKLOCAL      => 'fe80::/10' ,
+	       IPv6_SITELOCAL      => 'feC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
-	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
+	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
+	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
-	       SCTP                => 132 };
+	       SCTP                => 132,
+	       UDPLITE             => 136 };
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Note: initialize() is declared at the bottom of the file
 #
-
-sub initialize( $ ) {
-    $family = shift;
-}
-
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -129,8 +124,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for my $a ( @address ) {
-	return 0 unless $a =~ /^\d+$/ && $a < 256;
+    for ( @address ) {
+	return 0 unless /^\d+$/ && $_ < 256;
     }
 
     1;
@@ -163,8 +158,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for my $a ( @address ) {
-	$result = ( $result << 8 ) | $a;
+    for ( @address ) {
+	$result = ( $result << 8 ) | $_;
     }
 
     $result;
@@ -294,7 +289,17 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
+    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
+	$number = numeric_value ( $proto );
+	defined $number && $number <= 65535 ? $number : undef;
+    } else {
+	#
+	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
+	#
+	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
+	
+	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
+    }
 }
 
 sub proto_name( $ ) {
@@ -308,16 +313,19 @@ sub validate_port( $$ ) {
 
     my $value;
 
-    if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port <= 65535;
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
     }
 
-    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
+    return $value if defined $value;
 
-    $value;
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 
 sub validate_portpair( $$ ) {
@@ -330,7 +338,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( @ports );
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -398,7 +406,6 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
-    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -484,6 +491,7 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
+	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }
@@ -492,16 +500,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    if ( $address =~ /^:/ ) {
-	unless ( $address eq '::' ) {
-	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
+    unless ( $address =~ /^::/ ) {
+	return 0 if $address =~ /^:/;
     }
-    } elsif ( $address =~ /:$/ ) {
-	return 0 if $address =~ /::.*:$/;
+
+    unless ( $address =~ /::$/  ) {
+	return 0 if $address =~ /:$/;
     }
 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
     }
 
     1;
@@ -550,13 +558,27 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    while ( $addr =~ tr/:/:/ < 6 ) {
-	$addr =~ s/::/:0::/;
-    }
+    if ( $addr eq '::' ) {
+	'0:0:0:0:0:0:0:0';
+    } else {
+	#
+	# Suppress leading zeros
+	#
+	$addr =~ s/^0+//;
+	$addr =~ s/:0+/:/g;
+	$addr =~ s/^:/0:/;
+	$addr =~ s/:$/:0/;
 
-    $addr =~ s/::/:0:/;
+	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
+	#
+	# Note: "s/::/:0:/g" doesn't work here
+	#
+	1 while $addr =~ s/::/:0:/;
+
+	$addr =~ s/^0+:/0:/;
 
 	$addr;
+    }
 }
 
 sub validate_6range( $$ ) {
@@ -580,7 +602,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = $_[0];
+    my ( $host, $allow_name )  = @_;
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -614,7 +636,6 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
-    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -629,31 +650,63 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    $allip;
 }
 
 sub allip() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    @allip;
 }
 
 sub valid_address ( $ ) {
-    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
+    $valid_address->(@_);
 }
 
 sub validate_address ( $$ ) {
-    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
+    $validate_address->(@_);
 }
 
 sub validate_net ( $$ ) {
-    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
+    $validate_net->(@_);
 }
 
 sub validate_range ($$ ) {
-    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
+    $validate_range->(@_);
 }
 
 sub validate_host ($$ ) {
-    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
+    $validate_host->(@_);
+}
+
+#
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
+#
+sub initialize( $ ) {
+    $family = shift;
+
+    if ( $family == F_IPV4 ) {
+	$allip            = ALLIPv4;
+	@allip            = @allipv4;
+	$valid_address    = \&valid_4address;
+	$validate_address = \&validate_4address;
+	$validate_net     = \&validate_4net;
+	$validate_range   = \&validate_4range;
+	$validate_host    = \&validate_4host;
+    } else {
+	$allip            = ALLIPv6;
+	@allip            = @allipv6;
+	$valid_address    = \&valid_6address;
+	$validate_address = \&validate_6address;
+	$validate_net     = \&validate_6net;
+	$validate_range   = \&validate_6range;
+	$validate_host    = \&validate_6host;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -29,7 +29,6 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -37,79 +36,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_13';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Called by the compiler
 #
-
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
-INIT {
-    initialize;
-}
-
-#
-# Handle IPSEC Options in a masq record
-#
-sub do_ipsec_options($)
-{
-    my %validoptions = ( strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-    my $list=$_[0];
-    my $options = '-m policy --pol ipsec --dir out ';
-    my $fmt;
-
-    for my $e ( split_list $list, 'option' ) {
-	my $val    = undef;
-	my $invert = '';
-
-	if ( $e =~ /([\w-]+)!=(.+)/ ) {
-	    $val    = $2;
-	    $e      = $1;
-	    $invert = '! ';
-	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
-	    $val = $2;
-	    $e   = $1;
-	}
-
-	$fmt = $validoptions{$e};
-
-	fatal_error "Invalid Option ($e)" unless $fmt;
-
-	if ( $fmt eq NOTHING ) {
-	    fatal_error "Option \"$e\" does not take a value" if defined $val;
-	} else {
-	    fatal_error "Missing value for option \"$e\""        unless defined $val;
-	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
-	}
-
-	$options .= $invert;
-	$options .= "--$e ";
-	$options .= "$val " if defined $val;
-    }
-
-    $options;
-}
-
 #
 # Process a single rule from the the masq file
 #
@@ -161,16 +100,16 @@ sub process_one_masq( )
     # Handle IPSEC options, if any
     #
     if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= '-m policy --pol ipsec --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= '-m policy --pol none --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'none', '';
 	} else {
-	    $baserule .= do_ipsec_options $ipsec;
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
 	}
-    } elsif ( $capabilities{POLICY_MATCH} ) {
+    } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
     }
 
@@ -178,16 +117,15 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
-
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
     $baserule .= do_user( $user )                    if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = '-j MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -207,7 +145,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= "-o $interface ";
+	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
 
@@ -216,6 +154,7 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
+	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -223,13 +162,16 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
+		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
 		$addresses =~ s/:random$//     and $randomize  = '--random ';
 
+		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
+
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "-j SNAT --to-source $variable";
+		    $target = "SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -239,15 +181,19 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = '-j RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = '-j SNAT ';
+			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
 				validate_address $ipaddr, 0;
+			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -262,6 +208,7 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
+	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}
@@ -293,7 +240,6 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
-			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -371,12 +317,12 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = "-i $interface ";
-	$ruleout = "-o $interface ";
+	$rulein  = match_source_dev $interface;
+	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
     }
 
-    if ( $capabilities{POLICY_MATCH} ) {
+    if ( have_ipsec ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
     }
@@ -406,7 +352,6 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
     }
-
 }
 
 #
@@ -453,7 +398,9 @@ sub setup_netmap() {
 
     while ( read_a_line ) {
 
-	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+
+	$net3 = ALLIP if $net3 eq '-';
 
 	for my $interface ( split_list $interfacelist, 'interface' ) {
 
@@ -461,18 +408,18 @@ sub setup_netmap() {
 	    my $ruleout = '';
 	    my $iface = $interface;
 
-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = "-i $interface ";
-		$ruleout = "-o $interface ";
+		$rulein  = match_source_dev( $interface );
+		$ruleout = match_dest_dev( $interface );
 		$interface = $interfaceref->{name};
 	    }
 
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface )  , $rulein  . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
@@ -485,12 +432,13 @@ sub setup_netmap() {
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
+	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addresses_to_add ) {
-	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addresses_to_add;
+	while ( @addrs ) {
+	    my $addr      = shift @addrs;
+	    my $interface = shift @addrs;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,31 +32,21 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_12';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Called by the compiler
 #
-
 sub initialize() {
     @policy_chains = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Convert a chain into a policy chain.
 #
@@ -76,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
 #
 sub new_policy_chain($$$$)
 {
-    my ($source, $dest, $policy, $optional) = @_;
+    my ($source, $dest, $policy, $provisional) = @_;
 
-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
 
-    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
+    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
 
     $chainref;
 }
@@ -125,20 +115,20 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-use constant { OPTIONAL => 1 };
+use constant { PROVISIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = rules_chain( ${zone}, ${zone1} );
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
-	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
+	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
 	    push @policy_chains, $chainref;
 	}
     } else {
-	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
+	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
     }
 }
 
@@ -221,7 +211,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = "${client}2${server}";
+    my $chain = rules_chain( ${client}, ${server} );
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -262,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 
@@ -283,6 +273,21 @@ sub process_a_policy() {
     }
 }
 
+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } elsif ( $zone1 ne $zone2 ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
+	    }
+	}
+    }
+}
+
 sub validate_policy()
 {
     our %validpolicies = (
@@ -302,6 +307,7 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
+    my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
     for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -324,9 +330,12 @@ sub validate_policy()
     }
 
     for $zone ( all_zones ) {
-	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
+	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
+	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
 
-	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
+	my $zoneref = find_zone( $zone );
+
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
@@ -344,7 +353,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
 	}
     }
 }
@@ -356,8 +365,8 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
-	add_rule $chainref, "-j $default" if $default && $default ne 'none';
+	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -409,17 +418,29 @@ sub apply_policy_rules() {
 
     for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
+
+	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
 	    my $name        = $chainref->{name};
+	    my $synparms    = $chainref->{synparms};
 
-	if ( $policy ne 'NONE' ) {
-	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
+		if ( $config{OPTIMIZE} & 2 ) {
+		    #
+		    # This policy chain is empty and the only thing that we would put in it is
+		    # the policy-related stuff. Don't create it if all we are going to put in it
+		    # is a single jump. Generate_matrix() will just use the policy target when
+		    # needed.
+		    #
+		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		} else {
 		    ensure_filter_chain $name, 1;
 		}
+	    }
 
-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -428,7 +449,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -450,11 +471,11 @@ sub apply_policy_rules() {
 sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
-    add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
+    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 
@@ -475,11 +496,38 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+	    log_rule_limit( $level , 
+			    $synchainref , 
+			    $chainref->{name} , 
+			    'DROP', 
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
+			    '' , 
+			    'add' , 
+			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
     }
 }
 
+#
+# Optimize Policy chains with ACCEPT policy
+#
+sub optimize_policy_chains() {
+    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
+	optimize_chain ( $chainref );
+    }
+    #
+    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
+    #
+    my $outputrules = $filter_table->{OUTPUT}{rules};
+
+    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+	optimize_chain( $filter_table->{OUTPUT} );
+    }
+
+    progress_message '  Policy chains optimized';
+    progress_message '';
+}
+
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_7';
 
 #
 # ARP Filtering
@@ -56,27 +56,35 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 	    my $value = get_interface_option $interface, 'arp_filter';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 	    my $value = get_interface_option $interface, 'arp_ignore';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -88,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
+    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
+	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	if ( $config{ROUTE_FILTER} ne '' ) {
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -106,25 +116,29 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 	    my $value = get_interface_option $interface, 'routefilter';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
 
+	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
 	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	} elsif ( $val ne '' ) {
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	}
 
-	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
+	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
+	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
     }
 }
 
@@ -153,14 +167,18 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 	    my $value = get_interface_option $interface, 'logmartians';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -180,13 +198,17 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 	    my $value = get_interface_option $interface, 'sourceroute';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -227,13 +249,17 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 		my $value = get_interface_option $interface, 'forward';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
+		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_0';
+our $VERSION = '4.4_13';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,17 +59,20 @@ our @providers;
 
 our $family;
 
+our $lastmark;
+
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
 
@@ -89,17 +92,13 @@ sub initialize( $ ) {
     @providers = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
 
-    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -111,33 +110,21 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
+	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
-	my $base      = uc chain_base $interface;
-
-	if ( $providerref->{optional} ) {
-	    if ( $providerref->{shared} ) {
-		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
-	    } else {
-		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
-	    }
-		
-	    incr_cmd_level( $chainref );
-	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
 	}
-
-	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -145,11 +132,15 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
+    #
+    # Hack to work around problem in iproute
+    #
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
 
     emit ( '    case $net in',
@@ -165,11 +156,23 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
+    #
+    # Hack to work around problem in iproute
+    #
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    #
+    # Map physical names in $copy to logical names
+    #
+    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+    #
+    # Shell and iptables use a different wildcard character
+    #
+    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
 
     emit (  '    case $net in',
@@ -272,10 +275,11 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
+    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $provider    = chain_base $table;
-    my $base        = uc chain_base $interface;
+    my $physical    = get_physical $interface;
+    my $base        = uc chain_base $physical;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -291,40 +295,15 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my $val = 0;
-    my $pref;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
-
-	verify_mark $mark;
-
-	if ( $val < 65535 ) {
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
-	    }
-	} else {
-	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
-	}
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-    }
-
-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -358,12 +337,43 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
+	    } elsif ( $option eq 'local' ) {
+		$local = 1;
+		$track = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0 if$config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
+    my $val = 0;
+    my $pref;
+
+    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+
+	verify_mark $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+
+	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+	$lastmark = $val;
+
+    }
+
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -375,6 +385,7 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
+			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -402,26 +413,34 @@ sub add_a_provider( ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
+	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}
 
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+	if ( $gatewaycase eq 'none' ) {
+	    if ( $local ) {
+		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
+	    } else {
+		emit "run_ip route add default dev $physical table $number";
+	    }
+	}
     }
 
     if ( $mark ne '-' ) {
-	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
 
-	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+
+	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
@@ -433,8 +452,7 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy =~ tr/,/|/;
-		$copy = "$interface|$copy";
+		$copy = "$interface,$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -446,28 +464,33 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $interface, $realm if $balance;
+    balance_default_route $balance , $gateway, $physical, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $interface, $realm;
+	balance_fallback_route $default , $gateway, $physical, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
+	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
-    if ( $loose ) {
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
+    } elsif ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $interface | while read address; do",
+	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -481,7 +504,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $interface | while read address; do" );
+	emit  ( "find_interface_addresses $physical | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -497,15 +520,15 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
-	} else {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	} else {
+	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -516,9 +539,32 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
+#
+# Begin an 'if' statement testing whether the passed interface is available
+#
+sub start_new_if( $ ) {
+    our $current_if = shift;
+
+    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
+    push_indent;
+}
+
+#
+# Complete any current 'if' statement in the output script
+#
+sub finish_current_if() {
+    if ( our $current_if ) {
+	pop_indent;
+	emit ( "fi\n" );
+	$current_if = '';
+    }
+}
+
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
+    our $current_if;
+
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -553,6 +599,7 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
+	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -560,9 +607,10 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
+	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -575,21 +623,21 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{interface} );
-	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
-	push_indent;
+	my $base = uc chain_base( $providers{$provider}{physical} );
+	finish_current_if if $base ne $current_if;
+	start_new_if( $base ) unless $current_if;
+  } else {
+	finish_current_if;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
-    pop_indent, emit ( "fi\n" ) if $optional;
-
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
@@ -707,12 +755,14 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
+    $lastmark = 0;
+
     my $fn = open_file 'providers';
 
     first_entry sub() {
-	emit "\nif [ -z \"\$NOROUTES\" ]; then";
-	push_indent;
 	progress_message2 "$doing $fn...";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	push_indent;
 	start_providers; };
 
     add_a_provider, $providers++ while read_a_line;
@@ -723,25 +773,28 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
+	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
 
 	    add_an_rtrule while read_a_line;
+
+	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if block begun in the first_entry closure
+	# This completes the if-block begun in the first_entry closure above
 	#
 	pop_indent;
 	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces;
     } else {
-	emit "\nif [ -z \"\$NOROUTES\" ]; then";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
@@ -784,45 +837,133 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the initialize() function.
-# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
-# optional interfaces
+# This function is called by the compiler when it is generating the detect_configuration() function.
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {
 
-    my $interfaces = find_interfaces_by_option 'optional';
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
 
     if ( @$interfaces ) {
-	for my $interface ( @$interfaces ) {
-	    my $base  = uc chain_base( $interface );
-	    my $provider = $provider_interfaces{$interface};
+	my $require     = $config{REQUIRE_INTERFACE};
 	
+	verify_required_interfaces( shift );
+
+	emit( 'HAVE_INTERFACE=', '' ) if $require;
+	#
+	# Clear the '_IS_USABLE' variables
+	#
+	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+
+	if ( $wildcards ) {
+	    #
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
+	    #
+	    emit( '', 
+		  'for interface in $(find_all_interfaces1); do',
+		);
+
+	    push_indent;
+	    emit ( 'case "$interface" in' );
+	    push_indent;
+	} else {
 	    emit '';
+	}
 
-	    if ( $provider ) {
-		#
-		# This interface is associated with a non-shared provider -- get the provider table entry
-		#
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	    my $provider    = $provider_interfaces{$interface};
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
 	    my $providerref = $providers{$provider};
 
+	    emit( "$physical)" ), push_indent if $wildcards;
+
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
+		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
-		    emit qq(if interface_is_usable $interface; then);
-		}
-	    } else {
-		#
-		# Not a provider interface
-		#
-		emit qq(if interface_is_usable $interface; then);
+		emit qq(if interface_is_usable $physical; then);
 	    }
 
-	    emit( "    ${base}_IS_USABLE=Yes" ,
-		  'else' ,
-		  "    ${base}_IS_USABLE=" ,
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
+
+	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'fi' );
+
+	    emit( ';;' ), pop_indent if $wildcards;
+	}
+
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
+	    my $case        = $physical;
+	    my $wild        = $case =~ s/\+$/*/;
+
+	    if ( $wildcards ) {
+		emit( "$case)" );
+		push_indent;
+		
+		if ( $wild ) {
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		    push_indent; 
+		    emit ( 'if interface_is_usable $interface; then' );
+		} else {
+		    emit ( "if interface_is_usable $physical; then" );
+		}
+	    } else {
+		emit ( "if interface_is_usable $physical; then" );
+	    }
+
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		   'fi' );
+
+	    if ( $wildcards ) {
+		pop_indent, emit( 'fi' ) if $wild;
+		emit( ';;' );
+		pop_indent;
 	    }
 	}
+
+	if ( $wildcards ) {
+	    emit( '*)' ,
+		  '    ;;'
+		);
+	    pop_indent;
+	    emit( 'esac' );
+	    pop_indent;
+	    emit('done' );
+	}
+
+	if ( $require ) {
+	    emit( '',
+		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
+		  '    case "$COMMAND" in',
+		  '        start|restart|restore|refresh)'
+		);
+
+	    if ( $family == F_IPV4 ) {
+		emit( '            if shorewall_is_started; then' );
+	    } else {
+		emit( '            if shorewall6_is_started; then' );
+	    }
+
+	    emit( '                fatal_error "No network interface available"',
+		  '            else',
+		  '                startup_error "No network interface available"',
+		  '            fi',
+		  '            ;;',
+		  '    esac',
+		  'fi'
+		);
+	}
+
+	return 1;
+    }
+
+    verify_required_interfaces( shift );
 }
 
 #
@@ -831,7 +972,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask         = in_hex( $globals{PROVIDER_MASK} );
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};
@@ -842,9 +983,8 @@ sub handle_stickiness( $ ) {
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
 
-
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{interface};
+	    my $interface = $providerref->{physical};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
 
@@ -854,9 +994,6 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;
 
 		for my $chainref ( $stickyref, $setstickyref ) {
-
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -867,17 +1004,14 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
 
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcpre //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
-		    
 		}
 	    }
 
@@ -887,8 +1021,6 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -899,24 +1031,23 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
 
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcout //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}
     }
 
     if ( @routemarked_providers ) {
-	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};	
+	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
+	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
 }
+
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,30 +35,27 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_9';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 
@@ -79,7 +76,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
     }
 
     unless ( $haveroute ) {
-	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
+	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
     }
 
@@ -120,6 +117,9 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}
 
+		$interface = get_physical $interface;
+		$external  = get_physical $external;
+
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 
@@ -146,10 +146,14 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
@@ -161,10 +165,14 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_13';
 
 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
     ( my $zone, $source) = split /:/, $source, 2;
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'-j NOTRACK' ,
+	'NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_13';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,48 +79,6 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-		 target    => 'CONNMARK --save-mark --mask' ,
-		 mark      => SMALLMARK ,
-		 mask      => '0xFF' ,
-		 connmark  => 1
-	       } ,
-	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-		target    => 'CONNMARK --restore-mark --mask' ,
-		mark      => SMALLMARK ,
-		mask      => '0xFF' ,
-		connmark  => 1
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-		target    => 'RETURN' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
-		target    => 'sticky' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-		target    => 'IPMARK' ,
-		mark      => NOMARK,
-		mask      => '',
-		connmark  => 0
-	        } ,
-	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-		target    => 'MARK --or-mark' ,
-		mark      => HIGHMARK ,
-		mask      => '' } ,
-	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-		target    => 'MARK --and-mark ' ,
-		mark      => HIGHMARK ,
-		mask      => '' ,
-		connmark  => 0
-		}
-	      );
-
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -153,7 +111,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
+# %tcdevices { <interface> => {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -163,6 +121,8 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
+#                              guarantee     => <total RATE of classes seen so far>
+#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -170,7 +130,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
-
+our $ipp2p;
 
 #
 # TCClasses Table
@@ -186,6 +146,7 @@ our $sticky;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
+#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -202,14 +163,15 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -221,15 +183,14 @@ sub initialize( $ ) {
     @devnums   = ();
     $devnum = 0;
     $sticky = 0;
-}
-
-INIT {
-    initialize( F_IPV4 );
+    $ipp2p  = 0;
 }
 
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
+    our @tccmd;
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -267,7 +228,7 @@ sub process_tc_rule( ) {
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
@@ -285,8 +246,6 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my $mask = 0xffff;
-
     my ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
@@ -354,8 +313,40 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+		    } elsif ( $target eq 'TPROXY ' ) {
+			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+
+			$chain = 'tcpre';
+
+			$cmd =~ /TPROXY\((.+?)\)$/;
+
+			my $params = $1;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+			if ( $port ) {
+			    $port = validate_port( 'tcp', $port );
+			} else {
+			    $port = 0;
 			}
 
+			$target .= "--on-port $port";
+
+			if ( defined $ip && $ip ne '' ) {
+			    validate_address $ip, 1;
+			    $target .= " --on-ip $ip";
+			}
+
+			$target .= ' --tproxy-mark';
+		    }
+
+
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
 
@@ -376,21 +367,23 @@ sub process_tc_rule( ) {
 
 	    validate_mark $mark;
 
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
+		my $limit = $globals{TC_MASK};
+		unless ( have_capability 'FWMARK_RT_MASK' ) {
 		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 		}
 	    }
 	}
+    }
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $mask ) . 
+				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -398,9 +391,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "-j $target $mark" ,
-				     '' ,
+				     "$target $mark" ,
 				     '' ,
+				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -440,8 +433,6 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
     my $flow = shift;
 
-    $flow =~ s/^\(// if $flow =~ s/\)$//;
-
     my @flow = split /,/, $flow;
 
     for ( @flow ) {
@@ -451,6 +442,65 @@ sub process_flow($) {
     $flow;
 }
 
+sub process_simple_device() {
+    my ( $device , $type , $in_bandwidth ) = split_line 1, 3, 'tcinterfaces';
+
+    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
+    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
+
+    my $number = in_hexp( $tcdevices{$device} = ++$devnum );
+
+    my $physical = physical_name $device;
+    my $dev      = chain_base( $physical );
+
+    if ( $type ne '-' ) {
+	if ( lc $type eq 'external' ) {
+	    $type = 'nfct-src';
+	} elsif ( lc $type eq 'internal' ) {
+	    $type = 'dst';
+	} else {
+	    fatal_error "Invalid TYPE ($type)";
+	}
+    }
+
+    $in_bandwidth = rate_to_kbit( $in_bandwidth );
+
+    emit "if interface_is_up $physical; then";
+
+    push_indent;
+
+    emit ( "${dev}_exists=Yes",
+	   "qt \$TC qdisc del dev $physical root",
+	   "qt \$TC qdisc del dev $physical ingress\n"
+	 );
+
+    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
+	 ) if $in_bandwidth;
+
+    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+
+    for ( my $i = 1; $i <= 3; $i++ ) {
+	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit '';
+    }
+
+    save_progress_message_short qq("   TC Device $physical defined.");
+
+    pop_indent;
+    emit 'else';
+    push_indent;
+
+    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
+    emit "${dev}_exists=";
+    pop_indent;
+    emit "fi\n";
+
+    progress_message "  Simple tcdevice \"$currentline\" $done.";
+}
+
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
@@ -509,7 +559,6 @@ sub validate_tc_device( ) {
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
 	$classify = 1;
-    }	
 
 	for my $rdevice ( @redirected ) {
 	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -517,6 +566,7 @@ sub validate_tc_device( ) {
 	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
 	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
 	}
+    }
 
     $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ) . 'kbit',
 			    out_bandwidth => rate_to_kbit( $outband ) . 'kbit',
@@ -529,6 +579,9 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
+			    guarantee     => 0,
+			    name          => $device,
+			    physical      => physical_name $device
 			  } ,
 
     push @tcdevices, $device;
@@ -538,8 +591,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$ ) {
-    my ($full, $rate, $column) = @_;
+sub convert_rate( $$$$ ) {
+    my ($full, $rate, $column, $max) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -553,7 +606,7 @@ sub convert_rate( $$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
 
     $rate;
 }
@@ -599,6 +652,7 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
+    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -631,6 +685,10 @@ sub validate_tc_class( ) {
     }
 
     my $full    = rate_to_kbit $devref->{out_bandwidth};
+    my $ratemax = $full;
+    my $ceilmax = $full;
+    my $ratename = 'OUT-BANDWIDTH';
+    my $ceilname = 'OUT-BANDWIDTH';
 
     my $tcref = $tcclasses{$device};
 
@@ -640,15 +698,17 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
+	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -660,10 +720,14 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	my $parentref = $tcref->{$parentclass};
+	$parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
+	$ratemax  = $parentref->{rate};
+	$ratename = q(the parent class's RATE);
+	$ceilmax = $parentref->{ceiling};
+	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
@@ -673,19 +737,27 @@ sub validate_tc_class( ) {
 
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $full, $trate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
 	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
     } else {
-	$rate = convert_rate ( $full, $rate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
     }
 
+    if ( $parentref ) {
+	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
+    } else {
+	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
+    }
+
+    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+
     $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
+			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
 			       priority  => $prio eq '-' ? 1 : $prio ,
 			       mark      => $markval ,
 			       flow      => '' ,
@@ -693,6 +765,8 @@ sub validate_tc_class( ) {
 			       occurs    => 1,
 			       parent    => $parentclass,
 			       leaf      => 1,
+			       guarantee => 0,
+			       limit     => 127,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -733,7 +807,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -741,6 +815,10 @@ sub validate_tc_class( ) {
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
+	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
+		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
+		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
+		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -769,6 +847,7 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
+					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -805,7 +884,7 @@ sub process_tc_filter( ) {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
-    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
 
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -876,7 +955,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -886,7 +965,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -983,16 +1062,104 @@ sub process_tc_filter( ) {
 
     $currentline =~ s/\s+/ /g;
 
-    save_progress_message_short qq("   TC Filter \"$currentline\" defined.");
+    save_progress_message_short qq('   TC Filter \"$currentline\" defined.');
 
     emit '';
 
 }
 
+sub process_tc_priority() {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+
+    if ( $band eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
+
+    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
+
+    if ( $interface ne '-' ) {
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+
+	my $forwardref = $mangle_table->{tcfor};
+
+	add_rule( $forwardref ,
+		  join( '', match_source_dev( $interface) , $rule ) ,
+		  1 );
+    } else {
+	my $postref = $mangle_table->{tcpost};
+
+	if ( $address ne '-' ) {
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    add_rule( $postref ,
+		      join( '', match_source_net( $address) , $rule ) ,
+		      1 );
+	} else {
+	    add_rule( $postref ,
+		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      1 );
+
+	    if ( $ports ne '-' ) {
+		my $protocol = resolve_proto $proto;
+
+		if ( $proto =~ /^ipp2p/ ) {
+		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
+		    $ipp2p = 1;
+		}
+
+		add_rule( $postref ,
+			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
+			  1 )
+		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
+	    }
+	}
+    }
+}
+
+sub setup_simple_traffic_shaping() {
+    my $interfaces;
+
+    save_progress_message q("Setting up Traffic Control...");
+
+    my $fn = open_file 'tcinterfaces';
+
+    if ( $fn ) {
+	first_entry "$doing $fn...";
+	process_simple_device, $interfaces++ while read_a_line;
+    } else {
+	$fn = find_file 'tcinterfaces';
+    }
+
+    my $fn1 = open_file 'tcpri';
+
+    if ( $fn1 ) {
+	first_entry
+	    sub {
+		progress_message2 "$doing $fn1...";
+		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
+	    };
+
+	process_tc_priority while read_a_line;
+
+	clear_comment;
+
+	if ( $ipp2p ) {
+	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
+	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	}
+    }
+}
+
 sub setup_traffic_shaping() {
     our $lastrule = '';
 
-    save_progress_message "Setting up Traffic Control...";
+    save_progress_message q("Setting up Traffic Control...");
 
     my $fn = open_file 'tcdevices';
 
@@ -1002,6 +1169,9 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
+    my $sfq = $devnum;
+    my $sfqinhex;
+
     $devnum = $devnum > 10 ? 10 : 1;
 
     $fn = open_file 'tcclasses';
@@ -1013,12 +1183,15 @@ sub setup_traffic_shaping() {
     }
 
     for my $device ( @tcdevices ) {
-	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
+	$device = physical_name $device;
+
+	my $dev = chain_base( $device );
+
 	emit "if interface_is_up $device; then";
 
 	push_indent;
@@ -1068,7 +1241,7 @@ sub setup_traffic_shaping() {
 	    emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	}
 
-	save_progress_message_short "   TC Device $device defined.";
+	save_progress_message_short qq("   TC Device $device defined.");
 
 	pop_indent;
 	emit 'else';
@@ -1101,12 +1274,14 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+	$classids{$classid}=$device;
+	$device = physical_name $device;
+
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};
 
-	$classids{$classid}=$device;
-
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1133,17 +1308,18 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+	    $sfqinhex = in_hexp( ++$sfq);
+	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+	}
 	#
 	# add filters
 	#
 	unless ( $devref->{classify} ) {
-	    if ( $tcref->{occurs} == 1 ) {
-		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
-	    }
+	    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 	}
 
-	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#
@@ -1167,7 +1343,7 @@ sub setup_traffic_shaping() {
 	$fn = open_file 'tcfilters';
 
 	if ( $fn ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
+	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
 
 	    process_tc_filter while read_a_line;
 	}
@@ -1179,11 +1355,11 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
-	if ( $capabilities{MANGLE_FORWARD} ) {
+	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	}
@@ -1191,43 +1367,90 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
 
+	    unless ( $config{TRACK_PROVIDERS} ) {
+		#
+		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
+		#
 		for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
+		}
 	    }
 	}
 
-	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
-	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
+	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
+	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
-	if ( $capabilities{MANGLE_FORWARD} ) {
-	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
-	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
-	}
+	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
 
-	if ( $config{HIGH_ROUTE_MARKS} ) {
-	    for my $chain qw(INPUT FORWARD) {
-		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
-	    }
-	    #
-	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
-	    #
-	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
+	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
+	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
+	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
     }
 
     if ( $globals{TC_SCRIPT} ) {
-	save_progress_message 'Setting up Traffic Control...';
+	save_progress_message q('Setting up Traffic Control...');
 	append_file $globals{TC_SCRIPT};
     } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	setup_simple_traffic_shaping;
     }
 
     if ( $config{TC_ENABLED} ) {
+	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+			  target    => 'CONNMARK --save-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			  target    => 'CONNMARK --restore-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			  target    => 'RETURN' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			  target    => 'sticky' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			  target    => 'IPMARK' ,
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			  target    => 'MARK --or-mark' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' } ,
+			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+			  target    => 'MARK --and-mark ' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			  target    => 'TPROXY',
+			  mark      => HIGHMARK,
+			  mask      => '',
+			  connmark  => '' },
+		      );
+
 	if ( my $fn = open_file 'tcrules' ) {
 
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
+	    first_entry "$doing $fn...";
 
 	    process_tc_rule while read_a_line;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_9';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
+	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
@@ -83,10 +83,10 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
-		unless ( $capabilities{POLICY_MATCH} ) {
+		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -36,6 +36,7 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
+#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -44,7 +45,6 @@ use Shorewall::Compiler;
 use Getopt::Long;
 
 sub usage( $ ) {
-    my $returnval = shift @_;
 
     print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]
 
@@ -58,10 +58,11 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
+    [ --preview ]
     [ --family={4|6} ]
 ';
 
-    $returnval;
+    exit shift @_;
 }
 
 #
@@ -78,6 +79,7 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
+my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -98,6 +100,7 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
+			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -105,7 +108,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '', 
+compiler( script          => $ARGV[0] || '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
@@ -115,4 +118,5 @@ compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
+	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/prog.footer

@@ -1,288 +1,20 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset 
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
 ################################################################################
@@ -300,10 +32,23 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -326,17 +71,78 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSE=$(($VERBOSE + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSE=$(($VERBOSE - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
+				*)
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
+			;;
 		    *)
 			usage 1
 			;;
@@ -352,16 +158,15 @@ done
 
 COMMAND="$1"
 
-[ -n "${PRODUCT:=Shorewall}" ]
-
 case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    error_message "$PRODUCT is already Running"
+	    error_message "$g_product is already Running"
 	    status=0
 	else
-	    progress_message3 "Starting $PRODUCT...."
+	    progress_message3 "Starting $g_product...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -370,7 +175,8 @@ case "$COMMAND" in
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $PRODUCT...."
+	progress_message3 "Stopping $g_product...."
+	detect_configuration
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -378,7 +184,7 @@ case "$COMMAND" in
 	;;
     reset)
 	if ! shorewall_is_started ; then
-	    error_message "$PRODUCT is not running"
+	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
 	    $IPTABLES -Z
@@ -386,7 +192,7 @@ case "$COMMAND" in
 	    $IPTABLES -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
-	    progress_message3 "$PRODUCT Counters Reset"
+	    progress_message3 "$g_product Counters Reset"
 	else
 	    shift
 	    status=0
@@ -408,12 +214,14 @@ case "$COMMAND" in
     restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Restarting $PRODUCT...."
+	    progress_message3 "Restarting $g_product...."
 	else
-	    error_message "$PRODUCT is not running"
-	    progress_message3 "Starting $PRODUCT...."
+	    error_message "$g_product is not running"
+	    progress_message3 "Starting $g_product...."
+	    COMMAND=start
 	fi
 
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -424,17 +232,19 @@ case "$COMMAND" in
     refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Refreshing $PRODUCT...."
+	    progress_message3 "Refreshing $g_product...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
 	else
-	    echo "$PRODUCT is not running" >&2
+	    echo "$g_product is not running" >&2
 	    status=2
 	fi
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -443,28 +253,30 @@ case "$COMMAND" in
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $PRODUCT...."
+	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	if [ -n "$SUBSYSLOCK" ]; then
+	    rm -f $SUBSYSLOCK
+	fi
 	progress_message3 "done."
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
 	if shorewall_is_started; then
-	    echo "$PRODUCT is running"
+	    echo "$g_product is running"
 	    status=0
 	else
-	    echo "$PRODUCT is stopped"
+	    echo "$g_product is stopped"
 	    status=4
 	fi
 
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Clear*)
+		Stopped*|lClear*)
 		    status=3
 		    ;;
 	    esac
@@ -474,9 +286,16 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
+    up|down)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	updown $@
+	status=0;
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
-	echo $VERSION
+	echo $SHOREWALL_VERSION
 	status=0
 	;;
     help)

Shorewall/Perl/prog.footer6

@@ -1,249 +1,20 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset 
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
 ################################################################################
@@ -261,10 +32,23 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -287,19 +71,77 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSE=$(($VERBOSE + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSE=$(($VERBOSE - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
 				*)
-			usage 1
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
 			;;
 		esac
 	    done
@@ -313,21 +155,20 @@ done
 
 COMMAND="$1"
 
-[ -n "${PRODUCT:=Shorewall6}" ]
-
-kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
+    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
     status=2
 else
     case "$COMMAND" in
 	start)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		error_message "$PRODUCT is already Running"
+		error_message "$g_product is already Running"
 		status=0
 	    else
-		progress_message3 "Starting $PRODUCT...."
+		progress_message3 "Starting $g_product...."
+		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -336,7 +177,8 @@ else
 	    ;;
 	stop)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Stopping $PRODUCT...."
+	    progress_message3 "Stopping $g_product...."
+	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -344,14 +186,14 @@ else
 	    ;;
  	reset)
 	    if ! shorewall6_is_started ; then
-		error_message "$PRODUCT is not running"
+		error_message "$g_product is not running"
 		status=2
 	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
-		progress_message3 "$PRODUCT Counters Reset"
+		progress_message3 "$g_product Counters Reset"
 	    else
 		shift
 		status=0
@@ -373,12 +215,14 @@ else
 	restart)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Restarting $PRODUCT...."
+		progress_message3 "Restarting $g_product...."
 	    else
-		error_message "$PRODUCT is not running"
-		progress_message3 "Starting $PRODUCT...."
+		error_message "$g_product is not running"
+		progress_message3 "Starting $g_product...."
+		COMMAND=start
 	    fi
 
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -389,17 +233,19 @@ else
 	refresh)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Refreshing $PRODUCT...."
+		progress_message3 "Refreshing $g_product...."
+		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
 	    else
-		echo "$PRODUCT is not running" >&2
+		echo "$g_product is not running" >&2
 		status=2
 	    fi
 	    ;;
 	restore)
 	    [ $# -ne 1 ] && usage 2
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -408,21 +254,23 @@ else
 	    ;;
 	clear)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Clearing $PRODUCT...."
+	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	    ;;
 	status)
 	    [ $# -ne 1 ] && usage 2
-	    echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	    echo
 	    if shorewall6_is_started; then
-		echo "$PRODUCT is running"
+		echo "$g_product is running"
 		status=0
 	    else
-		echo "$PRODUCT is stopped"
+		echo "$g_product is stopped"
 		status=4
 	    fi
 
@@ -439,9 +287,16 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
+	up|down)
+	    [ $# -eq 1 ] && exit 0
+	    shift
+	    [ $# -ne 1 ] && usage 2
+	    updown $1
+	    status=0
+	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
-	    echo $VERSION
+	    echo $SHOREWALL_VERSION
 	    status=0
 	    ;;
 	help)

Shorewall/Perl/prog.header

@@ -1,11 +1,18 @@
+#!/bin/sh
+#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -22,14 +29,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -38,12 +37,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -54,12 +53,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 0 ]; then
+    if [ $LOG_VERBOSITY -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -70,93 +69,17 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -ge 0 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt1 $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
 #
 # Set a standard chain's policy
 #
@@ -198,240 +121,17 @@ deleteallchains() {
 }
 
 #
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
+# Generate a list of all network interfaces on the system
 #
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
-# Reload the Modules
+# Generate a list of all network interfaces on the system that have an ipv4 address
 #
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
-LEFTSHIFT='<<'
-
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # Use string comparison to work around a broken BusyBox ash in OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
+find_all_interfaces1() {
+    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
@@ -534,32 +234,6 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 #
 # Determine if Interface is up
 #
@@ -567,45 +241,12 @@ interface_is_up() {
     [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -658,71 +299,6 @@ get_interface_bcasts() # $1 = interface
     $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
 #
 # Delete IP address
 #
@@ -875,16 +451,6 @@ disable_ipv6() {
     fi
 }
 
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
 #
 # Clear the current traffic shaping configuration
 #
@@ -950,7 +516,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$NOROUTES"  ]; then
+    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -974,7 +540,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -1017,25 +583,6 @@ restore_default_route() {
     return $result
 }
 
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(mywhich echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -1058,11 +605,11 @@ find_mac() # $1 = IP address, $2 = interface
 }
 
 #
-# Flush the conntrack table if $PURGE is non-empty
+# Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$PURGE" ]; then
+    if [ -n "$g_purge" ]; then
 	if [ -n $(mywhich conntrack) ]; then
             conntrack -F
 	else
@@ -1071,6 +618,261 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IP6TABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -1,11 +1,18 @@
+#!/bin/sh
+#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -22,14 +29,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -38,12 +37,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -54,12 +53,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 0 ]; then
+    if [ $LOG_VERBOSITY -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -70,117 +69,17 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -ge 0 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Undo the effect of 'split()'
-#
-join()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o:}$f"
-    done
-
-    echo $o
-}
-
-#
-# Return the number of elements in a list
-#
-list_count() # $* = list
-{
-    return $#
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall6_is_started() {
-    qt1 $IP6TABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
 #
 # Set a standard chain's policy
 #
@@ -214,128 +113,17 @@ deleteallchains() {
 }
 
 #
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
+# Generate a list of all network interfaces on the system
 #
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
-# Reload the Modules
+# Generate a list of all network interfaces on the system that have an ipv6 address
 #
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall6
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IP6TABLES -L $1 -n
+find_all_interfaces1() {
+    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
@@ -400,71 +188,11 @@ find_default_interface() {
     done
 }
 
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 #
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
 #
@@ -472,6 +200,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 
@@ -681,71 +410,6 @@ get_all_acasts()
     find_interface_full_addresses | convert_to_anycast | sort -u
 }
 
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
 #
 # Detect the gateway through an interface
 #
@@ -771,20 +435,6 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
-#
-# Clear the current traffic shaping configuration
-#
-
 delete_tc1()
 {
     clear_one_tc() {
@@ -846,7 +496,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$NOROUTES"  ]; then
+    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -870,7 +520,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -933,11 +583,11 @@ find_echo() {
 }
 
 #
-# Flush the conntrack table if $PURGE is non-empty
+# Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$PURGE" ]; then
+    if [ -n "$g_purge" ]; then
 	if [ -n $(which conntrack) ]; then
             conntrack -F
 	else
@@ -946,6 +596,222 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/changelog.txt

@@ -1,11 +1,384 @@
+Changes in Shorewall 4.4.13
 
-Changes in Shorewall 4.4.0.1
+1)  Allow zone lists in rules SOURCE and DEST.
 
-1)  Updated release versions.
+2)  Fix exclusion in the blacklist file.
 
-2)  Fix log level in rules at the end of INPUT and OUTPUT
+3)  Correct several old exclusion bugs.
 
-3)  Correct handling of nested IPSEC chains.
+4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
+
+5)  Re-implement optional interface handling.
+
+Changes in Shorewall 4.4.12
+
+1)  Fix IPv6 shorecap program.
+
+2)  Eradicate incorrect IPv6 Multicast Network
+
+3)  Add ADD/DEL support.
+
+4)  Allow :random to work with REDIRECT
+
+5)  Add per-ip log rate limiting.
+
+6)  Use new hashlimit match syntax if available.
+
+7)  Add Universal sample.
+
+8)  Add COMPLETE option.
+
+9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
+
+10) Support new set match syntax.
+
+11) Blacklisting by DEST IP.
+
+12) Fix duplicate rule generation with 'any'.
+
+13) Fix port range editing problem.
+
+14) Display the .conf file directory in response to the status command.
+
+15)  Correct AUTOMAKE
+
+Changes in Shorewall 4.4.11
+
+1)  Apply patch from Gabriel.
+
+2)  Fix IPSET match detection when a pathname is specified for IPSET.
+
+3)  Fix start priority of shorewall-init on Debian
+
+4)  Make IPv6 log and connections output readable.
+
+5)  Add REQUIRE_INTERFACE to shorewall*.conf
+
+6)  Avoid run-time warnings when options are not listed in
+    shorewall.conf.
+
+7)  Implement Vserver zones.
+
+8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
+    hosts file.
+
+9)  Add CLEAR_FORWARD_MARK option.
+
+10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
+
+11) Add PERL option.
+
+12) Fix nets= in Shorewall6
+
+Changes in Shorewall 4.4.10
+
+1)  Fix regression with scripts.
+
+2)  Log startup errors.
+
+3)  Implement Shorewall-init.
+
+4)  Add SAFESTOP option to /etc/default/shorewall*
+
+5)  Restore -a functionality to the version command.
+
+6)  Correct Optimization issue
+
+7)  Rename PREFIX to DESTDIR in install scripts
+
+8)  Correct handling of optional/required interfaces with wildcard names.
+
+Changes in Shorewall 4.4.9
+
+1)  Auto-detection of bridges.
+
+2)  Correct handling of a logical interface name in the EXTERNAL column
+    of proxyarp.
+
+3)  More robust 'trace'.
+
+4)  Added IPv6 mDNS macro.
+
+5)  Fix find_first_interface_address() error reporting.
+
+6)  Fix propagation of zero-valued config variables.
+
+7)  Fix OPTIMIZE 4 bug.
+
+8)  Deallocate unused rules.
+
+9)  Keep rule arrays compressed during optimization.
+
+10) Remove remaining fallback scripts.
+
+11) Rationalize startup logs.
+
+12) Optimize 8.
+
+13) Don't create output chains for BPORT zones.
+
+14) Implement 'show log ip-addr' in /sbin/shorewall and
+    /sbin/shorewall-lite/
+
+15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
+
+16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
+
+17) Set IP before sourcing the params file.
+
+18) Fix rare optimization bug.
+
+19) Allow definition of an addressless bridge without a zone.
+
+20) In the routestopped file, assume 'routeback' if the interface has
+    'routeback'.
+
+21) Make Shorewall and Shorewall6 installable on OS X.
+
+Changes in Shorewall 4.4.8
+
+1)  Correct handling of RATE LIMIT on NAT rules.
+
+2)  Don't create a logging chain for rules with '-j RETURN'.
+
+3)  Avoid duplicate SFQ class numbers.
+
+4)  Fix low per-IP rate limits.
+
+5)  Fix Debian init script exit status
+
+6)  Fix NFQUEUE(queue-num) in policy
+
+7)  Implement -s option in install.sh
+
+8)  Add HKP Macro
+
+9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
+
+10) Eliminate up-cased variable names that aren't documented options.
+
+11) Don't show 'OLD' capabilities if they are not available.
+
+12) Attempt to flag use of '-' as a port-range separator.
+
+13) Add undocumented OPTIMIZE=-1 setting.
+
+14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
+    default optimizations.
+
+15) Add support for UDPLITE
+
+16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
+
+17) Issue warnings when 'blacklist' but no blacklist file entries.
+
+18) Don't optimize 'blacklst'.
+
+Changes in Shorewall 4.4.7
+
+1)  Backport optimization changes from 4.5.
+
+2)  Backport two new options from 4.5.
+
+3)  Backport TPROXY from 4.5
+
+4)  Add TC_PRIOMAP to shorewall*.conf
+
+5)  Implement LOAD_HELPERS_ONLY
+
+6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
+
+7)  Fix case where MARK target is unavailable.
+
+8)  Change default to ADD_IP_ALIASES=No
+
+9)  Correct defects in generate_matrix().
+
+10) Fix and optimize 'nosmurfs'.
+
+11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
+
+Changes in Shorewall 4.4.6
+
+1)  Fix for rp_filter and kernel 2.6.31.
+
+2)  Add a hack to work around a bug in Lenny + xtables-addons
+
+3)  Re-enable SAVE_IPSETS
+
+4)  Allow both <...> and [...] for IPv6 Addresses.
+
+5)  Port mark geometry change from 4.5.
+
+6)  Add Macro patch from Tuomo Soini
+
+7)  Add 'show macro' command.
+
+8)  Add -r option to check.
+
+9)  Port simplified TC from 4.5.
+
+Changes in Shorewall 4.4.5
+
+1)  Fix 15-port limit removal change.
+
+2)  Fix handling of interfaces with the 'bridge' option.
+
+3)  Generate error for port number 0
+
+4)  Allow zone::serverport in rules DEST column.
+
+5)  Fix 'show policies' in Shorewall6.
+
+6)  Auto-load tc modules.
+
+7)  Allow LOGFILE=/dev/null
+
+8)  Fix shorewall6-lite/shorecap
+
+9) Fix MODULE_SUFFIX.
+
+10) Fix ENHANCED_REJECT detection for IPv4.
+
+11) Fix DONT_LOAD vs 'reload -c'
+
+12) Fix handling of SOURCE and DEST vs macros.
+
+13) Remove silly logic in expand_rule().
+
+14) Add current and limit to Conntrack Table Heading.
+
+Changes in Shorewall 4.4.4
+
+1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
+
+2)  Fix access to uninitialized variable.
+
+3)  Add logrotate scripts.
+
+4)  Allow long port lists in /etc/shorewall/routestopped.
+
+5)  Implement 'physical' interface option.
+
+6)  Implement ZONE2ZONE option.
+
+7)  Suppress duplicate COMMENT warnings.
+
+8)  Implement 'show policies' command.
+
+9)  Fix route_rule suppression for down provider.
+
+10) Suppress redundant tests for provider availability in route rules
+    processing.
+
+11) Implement the '-l' option to the 'show' command.
+
+12) Fix class number assignment when WIDE_TC_MARKS=Yes
+
+13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+
+Changes in Shorewall 4.4.3
+
+1)  Move Debian INITLOG initialization to /etc/default/shorewall
+
+2)  Fix 'routeback' in /etc/shorewall/routestopped.
+
+3)  Rename 'object' to 'script' in compiler and config modules.
+
+4)  Correct RETAIN_ALIASES=No.
+
+5)  Fix detection of IP config.
+
+6)  Fix nested zones.
+
+7)  Move all function declarations from prog.footer to prog.header
+
+8)  Remove superfluous variables from generated script
+
+9)  Make 'track' the default.
+
+10)  Add TRACK_PROVIDERS option.
+
+11)  Fix IPv6 address parsing bug.
+
+12)  Add hack to work around iproute IPv6 bug in route handling
+
+13)  Correct messages issued when an optional provider is not usable.
+
+14)  Fix optional interfaces.
+
+15)  Add 'limit' option to tcclasses.
+
+Changes in Shorewall 4.4.2
+
+1)  BUGFIX: Correct detection of Persistent SNAT support
+
+2)  BUGFIX: Fix chain table initialization
+
+3)  BUGFIX: Validate routestopped file on 'check'
+
+4)  Let the Actions module add the builtin actions to
+    %Shorewall::Chains::targets. Much better modularization that way.
+
+5)  Some changes to make Lenny->Squeeze less painful.
+
+6)  Allow comments at the end of continued lines.
+
+7)  Call process_routestopped() during 'check' rather than
+    'compile_stop_firewall()'.
+
+8)  Don't look for an extension script for built-in actions.
+
+9)  Apply Jesse Shrieve's patch for SNAT range.
+
+10) Add -<family> to 'ip route del default' command.
+
+11) Add three new columns to macro body.
+
+12) Change 'wait4ifup' so that it requires no PATH
+
+13) Allow extension scripts for accounting chains.
+
+14) Allow per-ip LIMIT to work on ancient iptables releases.
+
+15) Add 'MARK' column to action body.
+
+Changes in Shorewall 4.4.1
+
+1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
+
+2)  Deleted superfluous export from Chains.pm.
+
+3)  Added support for --persistent.
+
+4)  Don't do module initialization in an INIT block.
+
+5)  Minor performance improvements.
+
+6)  Add 'clean' target to Makefile.
+
+7)  Redefine 'full' for sub-classes.
+
+8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
+
+9)  Fix nested ipsec zones.
+
+10) Change one-interface sample to IP_FORWARDING=Off.
+
+11) Allow multicast to non-dynamic zones defined with nets=.
+
+12) Allow zones with nets= to be extended by /etc/shorewall/hosts
+    entries.
+
+13) Don't allow nets= in a multi-zone interface definition.
+
+14) Fix rule generated by MULTICAST=Yes
+
+15) Fix silly hole in zones file parsing.
+
+16) Tighen up zone membership checking.
+
+17) Combine portlist-spitting routines into a single function.
 
 Changes in Shorewall 4.4.0
 
@@ -19,7 +392,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-5)  Fix provider number in 
+6)  Fix provider number in masq file.
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -225,10 +598,8 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to product shorewall.
+2)  Combine shorewall-common and shorewall-perl to produce shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
-4)  Add SAME MARK/CLASSIFY target
-
 

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
+#####################################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,4 +7,5 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT		OPTIONS
+

Shorewall/configfiles/findgw

@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Filegw File
+# Shorewall version 4 - Findgw File
 #
 # /etc/shorewall/findgw
 #

Shorewall/configfiles/masq

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/netmap

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2
+#TYPE	NET1			INTERFACE	NET2		NET3

Shorewall/configfiles/shorewall.conf

@@ -1,19 +1,10 @@
 ###############################################################################
-#  /etc/shorewall/shorewall.conf Version 4 - Change the following variables to
-#  match your setup
 #
-#  This program is under GPL
-#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall
-#
-#  (c) 1999,2000,2001,2002,2003,2004,2005,
-#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Additional information is available at 
-#  http://www.shorewall.net/Documentation.htm#Conf
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -32,17 +23,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -68,6 +57,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -107,7 +98,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -117,6 +108,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -135,7 +128,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -189,6 +182,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=No
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE	TYPE		IN-BANDWIDTH
+

Shorewall/configfiles/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall/default.debian

@@ -21,4 +21,16 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall/helpers

@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Helpers File
+#
+# /usr/share/shorewall/helpers
+#
+#	This file loads the kernel helper modules.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
+#
+###############################################################################
+
+# Helpers
+#
+loadmodule ip_conntrack_amanda
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_h323
+loadmodule ip_conntrack_irc
+loadmodule ip_conntrack_netbios_ns
+loadmodule ip_conntrack_pptp
+loadmodule ip_conntrack_sip
+loadmodule ip_conntrack_tftp
+loadmodule ip_nat_amanda
+loadmodule ip_nat_ftp
+loadmodule ip_nat_h323
+loadmodule ip_nat_irc
+loadmodule ip_nat_pptp
+loadmodule ip_nat_sip
+loadmodule ip_nat_snmp_basic
+loadmodule ip_nat_tftp
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#
+# 2.6.20+ helpers
+#
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip         sip_direct_media=0
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane
+loadmodule nf_nat_amanda
+loadmodule nf_nat_ftp
+loadmodule nf_nat_h323
+loadmodule nf_nat_irc
+loadmodule nf_nat
+loadmodule nf_nat_pptp
+loadmodule nf_nat_proto_gre
+loadmodule nf_nat_sip
+loadmodule nf_nat_snmp_basic
+loadmodule nf_nat_tftp

Shorewall/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-# Note, set INITLOG to /dev/null if you want to
-# use Shorewall's STARTUP_LOG feature.
-INITLOG=/var/log/shorewall-init.log
+test -n ${INITLOG:=/var/log/shorewall-init.log}
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ;
 	exit 1;
 }
@@ -40,6 +38,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {
@@ -49,7 +48,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
+		echo "/usr/share/doc/shorewall/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0
@@ -94,7 +93,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
       $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 

Shorewall/known_problems.txt

@@ -1,16 +1 @@
-1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains still use the
-    LOG target rather than ULOG.
-
-    You can work around this problem by adding two additional policies
-    before the all->all one:
-
-    	   all 		$FW	DROP	ULOG
-	   $FW		all	REJECT	ULOG
-
-    This problem was corrected in Shorewall 4.4.0.1.
-
-2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
-    some cases.
-
-    This problem was corrected in Shorewall 4.4.0.1.
+There are no known problems in Shorewall 4.4.13-Beta3

Shorewall/lib.base

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 4.2 -- /usr/share/shorewall/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -24,26 +24,17 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is loaded by /usr/share/shorewall/firewall.
 # - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
 #   and /usr/share/shorewall-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_LIBVERSION=40407
+SHOREWALL_CAPVERSION=40413
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
 [ -n "${CONFDIR:=/etc/shorewall}" ]
 
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -52,8 +43,8 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 }
@@ -63,8 +54,8 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 }
@@ -74,40 +65,12 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 }
 
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
 #
 # Undo the effect of 'separate_list()'
 #
@@ -124,167 +87,6 @@ combine_list()
     echo $o
 }
 
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $MODULES $DONT_LOAD ; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir	
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
@@ -334,12 +136,32 @@ mutex_off()
 }
 
 #
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
+# Find the interface with the passed MAC address
 #
 
-LEFTSHIFT='<<'
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
 
 #
 # Validate an IP address
@@ -369,44 +191,6 @@ valid_address() {
     return 0
 }
 
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
@@ -507,66 +291,6 @@ ip_range_explicit() {
     done
 }
 
-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
 #
 # Netmask to VLSM
 #
@@ -590,90 +314,6 @@ ip_vlsm() {
     fi
 }
 
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt $IPTABLES -L $1 -n
-}
-
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1 
-    local first 
-    local second
-    local rest
-    local dev
-
-    ip link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
 #
 # Set default config path
 #
@@ -690,32 +330,6 @@ ensure_config_path() {
     fi
 }
 
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs= 
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
 #
 # Get fully-qualified name of file
 #
@@ -750,342 +364,11 @@ resolve_file() # $1 = file name
     esac
 }
 
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
-    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
-    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
-    CONNTRACK_MATCH=
-    NEW_CONNTRACK_MATCH=
-    OLD_CONNTRACK_MATCH=
-    MULTIPORT=
-    XMULTIPORT=
-    POLICY_MATCH=
-    PHYSDEV_MATCH=
-    PHYSDEV_BRIDGE=
-    IPRANGE_MATCH=
-    RECENT_MATCH=
-    OWNER_MATCH=
-    IPSET_MATCH=
-    CONNMARK=
-    XCONNMARK=
-    CONNMARK_MATCH=
-    XCONNMARK_MATCH=
-    RAW_TABLE=
-    IPP2P_MATCH=
-    OLD_IPP2P_MATCH=
-    LENGTH_MATCH=
-    CLASSIFY_TARGET=
-    ENHANCED_REJECT=
-    USEPKTTYPE=
-    KLUDGEFREE=
-    MARK=
-    XMARK=
-    MANGLE_FORWARD=
-    COMMENTS=
-    ADDRTYPE=
-    TCPMSS_MATCH=
-    HASHLIMIT_MATCH=
-    NFQUEUE_TARGET=
-    REALM_MATCH=
-    HELPER_MATCH=
-    CONNLIMIT_MATCH=
-    TIME_MATCH=
-    GOTO_TARGET=
-    LOGMARK_TARGET=
-    IPMARK_TARGET=
-    LOG_TARGET=Yes
-
-    chain=fooX$$
-
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
-    fi
-
-    qt $IPTABLES -F $chain
-    qt $IPTABLES -X $chain
-    if ! $IPTABLES -N $chain; then
-	echo "   ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
-	exit 1
-    fi
-
-    chain1=${chain}1
-
-    qt $IPTABLES -F $chain1
-    qt $IPTABLES -X $chain1
-    if ! $IPTABLES -N $chain1; then
-	echo "   ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
-	exit 1
-    fi
-
-    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
-	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
-	exit 1
-    fi
-
-    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
-
-    if [ -n "$CONNTRACK_MATCH" ]; then
-	qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
-	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
-    fi
-
-    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
-	MULTIPORT=Yes
-	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
-    fi
-
-    qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
-    qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
-    if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
-	PHYSDEV_MATCH=Yes
-	qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
-	if [ -z "${KLUDGEFREE}" ]; then
-	    qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
-	fi
-    fi
-
-    if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
-	IPRANGE_MATCH=Yes
-	if [ -z "${KLUDGEFREE}" ]; then
-	    qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
-	fi
-    fi
-
-    qt $IPTABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
-    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
-    if qt $IPTABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
-	CONNMARK_MATCH=Yes
-	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
-    fi
-
-    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
-    if [ -n "$IPP2P_MATCH" ]; then
-	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
-    fi
-
-    qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
-    qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
-    qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
-    if [ -n "$MANGLE_ENABLED" ]; then
-	qt $IPTABLES -t mangle -N $chain
-
-	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
-	    MARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
-	fi
-
-	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
-	    CONNMARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
-	fi
-
-	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
-	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
-	qt $IPTABLES -t mangle -F $chain
-	qt $IPTABLES -t mangle -X $chain
-	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-    fi
-
-    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
-
-    if qt mywhich ipset; then
-	qt ipset -X $chain # Just in case something went wrong the last time
-
-	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
-		IPSET_MATCH=Yes
-	    fi
-	    qt ipset -X $chain
-	fi
-    fi
-
-    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
-    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
-    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
-    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
-    qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
-    qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
-    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
-    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
-
-    qt $IPTABLES -F $chain
-    qt $IPTABLES -X $chain
-    qt $IPTABLES -F $chain1
-    qt $IPTABLES -X $chain1
-
-    CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
-report_capabilities() {
-    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
-    {
-	local setting
-	setting=
-
-	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
-	echo "  " $1: $setting
-    }
-
-    if [ $VERBOSE -gt 1 ]; then
-	echo "Shorewall has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT" $NAT_ENABLED
-	report_capability "Packet Mangling" $MANGLE_ENABLED
-	report_capability "Multi-port Match" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
-	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
-	    report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
-	fi
-	report_capability "Packet Type Match" $USEPKTTYPE
-	report_capability "Policy Match" $POLICY_MATCH
-	report_capability "Physdev Match" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match" $LENGTH_MATCH
-	report_capability "IP range Match" $IPRANGE_MATCH
-	report_capability "Recent Match" $RECENT_MATCH
-	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
-	report_capability "CONNMARK Target" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
-	report_capability "Connmark Match" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
-	report_capability "Raw Table" $RAW_TABLE
-	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
-	report_capability "Extended REJECT" $ENHANCED_REJECT
-	report_capability "Repeat match" $KLUDGEFREE
-	report_capability "MARK Target" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
-	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
-	report_capability "Comments" $COMMENTS
-	report_capability "Address Type Match" $ADDRTYPE
-	report_capability "TCPMSS Match" $TCPMSS_MATCH
-	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
-	report_capability "Realm Match" $REALM_MATCH
-	report_capability "Helper Match" $HELPER_MATCH
-	report_capability "Connlimit Match" $CONNLIMIT_MATCH
-	report_capability "Time Match" $TIME_MATCH
-	report_capability "Goto Support" $GOTO_TARGET
-	report_capability "LOGMARK Target" $LOGMARK_TARGET
-	report_capability "IPMARK Target" $IPMARK_TARGET
-	report_capability "LOG Target" $LOG_TARGET
-    fi
-
-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
-    report_capability1() # $1 = Capability
-    {
-	eval echo $1=\$$1
-    }
-
-    echo "#"
-    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
-    report_capability1 NAT_ENABLED
-    report_capability1 MANGLE_ENABLED
-    report_capability1 MULTIPORT
-    report_capability1 XMULTIPORT
-    report_capability1 CONNTRACK_MATCH
-    report_capability1 NEW_CONNTRACK_MATCH
-    report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
-    report_capability1 POLICY_MATCH
-    report_capability1 PHYSDEV_MATCH
-    report_capability1 PHYSDEV_BRIDGE
-    report_capability1 LENGTH_MATCH
-    report_capability1 IPRANGE_MATCH
-    report_capability1 RECENT_MATCH
-    report_capability1 OWNER_MATCH
-    report_capability1 IPSET_MATCH
-    report_capability1 CONNMARK
-    report_capability1 XCONNMARK
-    report_capability1 CONNMARK_MATCH
-    report_capability1 XCONNMARK_MATCH
-    report_capability1 RAW_TABLE
-    report_capability1 IPP2P_MATCH
-    report_capability1 OLD_IPP2P_MATCH
-    report_capability1 CLASSIFY_TARGET
-    report_capability1 ENHANCED_REJECT
-    report_capability1 KLUDGEFREE
-    report_capability1 MARK
-    report_capability1 XMARK
-    report_capability1 MANGLE_FORWARD
-    report_capability1 COMMENTS
-    report_capability1 ADDRTYPE
-    report_capability1 TCPMSS_MATCH
-    report_capability1 HASHLIMIT_MATCH
-    report_capability1 NFQUEUE_TARGET
-    report_capability1 REALM_MATCH
-    report_capability1 HELPER_MATCH
-    report_capability1 CONNLIMIT_MATCH
-    report_capability1 TIME_MATCH
-    report_capability1 GOTO_TARGET
-    report_capability1 LOGMARK_TARGET
-    report_capability1 IPMARK_TARGET
-    report_capability1 LOG_TARGET
-    
-    echo CAPVERSION=$SHOREWALL_CAPVERSION
-}
-
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
 #
 
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
-#
-# Determine how to do "echo -e"
-#
-
 find_echo() {
     local result