Update TRACK_PROVIDER description in the man pages.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/one-interface/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -107,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=On
+IP_FORWARDING=Off
 
 ADD_IP_ALIASES=Yes
 
@@ -115,10 +115,12 @@ ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -161,11 +163,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -189,7 +189,26 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples/one-interface/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -115,10 +115,12 @@ ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -161,11 +163,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -189,7 +189,26 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples/three-interfaces/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -41,9 +41,9 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -122,10 +122,12 @@ ADD_SNAT_ALIASES=No
 
 RETAIN_ALIASES=No
 
-TC_ENABLED=Internal
+TC_ENABLED=Simple
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -144,7 +146,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -168,11 +170,9 @@ FASTACCEPT=No
 
 IMPLICIT_CONTINUE=No
 
-HIGH_ROUTE_MARKS=No
-
 USE_ACTIONS=Yes
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -196,7 +196,26 @@ RESTORE_DEFAULT_ROUTE=Yes
 
 AUTOMAKE=No
 
-WIDE_TC_MARKS=Yes
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Samples/two-interfaces/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/one-interface/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -139,6 +139,27 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -139,6 +139,27 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -111,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -119,7 +119,7 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-OPTIMIZE=1
+OPTIMIZE=7
 
 EXPORTPARAMS=No
 
@@ -139,6 +139,27 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=8
+
+MASK_BITS=8
+
+PROVIDER_BITS=8
+
+PROVIDER_OFFSET=8
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/default.debian

@@ -21,4 +21,9 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -15,9 +15,7 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -220,6 +220,11 @@ mkdir -p ${PREFIX}/var/lib/shorewall-lite
 chmod 755 ${PREFIX}/etc/shorewall-lite
 chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -304,6 +309,12 @@ cd ..
 
 echo "Man Pages Installed"
 
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
+fi
+
+
 #
 # Create the version file
 #

Shorewall-lite/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall-lite/shorewall-lite

@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -431,6 +431,8 @@ NOROUTES=
 EXPORT=
 export TIMESTAMP=
 noroutes=
+RECOVERING=
+export RECOVERING
 
 finished=0
 

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.0
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -79,6 +79,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -98,8 +100,32 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.BGP

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#       This macro handles BGP4 traffic.
+#	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     179     				# BGP4
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	179	# BGP4

Shorewall/Macros/macro.Citrix

@@ -3,11 +3,12 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
+#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+#	ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     1494 				   # ICA
-PARAM   -       -       udp     1604    			   # ICA Browser
-PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	1494	# ICA
+PARAM	-	-	udp	1604	# ICA Browser
+PARAM	-	-	tcp	2598	# CGP Session Reliabilty

Shorewall/Macros/macro.DHCPfwd

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - DHCPfwd Macro
+#
+# /usr/share/shorewall/macro.DHCPfwd
+#
+#	This macro (bidirectional) handles forwarded DHCP traffic
+#
+###############################################################################
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	udp	67:68	67:68	# DHCP
+PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.Forward

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Forward Macro
+#
+# /usr/share/shorewall/macro.Forward
+#
+#	This macro provides an alias for DNAT.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+DNAT

Shorewall/Macros/macro.OSPF

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#       This macro handles OSPF multicast traffic
+#	This macro handles OSPF multicast traffic
 #
-#######################################################################################################
-#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
-#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
-PARAM           -               -       89      -                                                       # OSPF
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	89	# OSPF

Shorewall/Macros/macro.Razor

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-# This macro handles traffic for the Razor Antispam System
+#	This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/

Shorewall/Macros/macro.mDNS

@@ -1,12 +1,14 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.DNS
+# /usr/share/shorewall/macro.mDNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	5353
-PARAM	DEST	SOURCE	udp	5353
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Macros/macro.template

@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this colume:
+#			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,6 +304,100 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:

Shorewall/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,27 +35,16 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Called by the compiler to [re-]initialize this module's state
 #
-
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Accounting
 #
@@ -95,7 +84,7 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
 
     unless ( $action eq 'COUNT' ) {
@@ -196,17 +185,17 @@ sub setup_accounting() {
     if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 
 	if ( $filter_table->{accountout} ) {
-	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
     } else {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -47,6 +47,7 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
+		  map_old_actions
 
 		  %usedactions
 		  %default_actions
@@ -56,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -85,21 +86,25 @@ our %macros;
 
 our $family;
 
+our @builtins;
+
+our $oldmacros;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
 
     $family          = shift;
@@ -111,10 +116,14 @@ sub initialize( $ ) {
     %actions         = ();
     %logactionchains = ();
     %macros          = ();
-}
 
-INIT {
-    initialize( F_IPV4 );
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
+
+    $oldmacros = 0;
 }
 
 #
@@ -208,7 +217,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
 
@@ -243,7 +252,9 @@ sub isolate_basic_target( $ ) {
 sub get_target_param( $ ) {
     my ( $target, $param ) = split '/', $_[0];
 
-    unless ( defined $param ) {
+    if ( defined $param ) {
+	warning_message "The form <macro>/<param> is deprecated in favor of <macro>(<param>)" unless $oldmacros++;
+    } else {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
     }
 
@@ -268,14 +279,42 @@ sub add_requiredby ( $$ ) {
     $actions{$requires}{requires}{$requiredby} = 1;
 }
 
+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set CHAIN to the name of the iptables chain where rules are to be added.
-# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -306,7 +345,9 @@ sub createlogactionchain( $$ ) {
 
     fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
 
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
 
 	my $file = find_file $chain;
 
@@ -332,7 +373,9 @@ sub createsimpleactionchain( $ ) {
 
     $logactionchains{"$action:none"} = $chainref;
 
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
 
 	my $file = find_file $action;
 
@@ -351,7 +394,7 @@ sub createsimpleactionchain( $ ) {
 }
 
 #
-# Create an action chain and run it's associated user exit
+# Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
     my ( $action , $level ) = split_action $_[0];
@@ -417,8 +460,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -480,10 +524,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
     progress_message2 "Preprocessing Action Files...";
-
-    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
-	new_action $act;
-    }
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -519,7 +563,7 @@ sub process_actions1() {
 
 	    while ( read_a_line ) {
 
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
 
 		process_action1( $action, $wholetarget );
 
@@ -540,7 +584,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -556,8 +600,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
 
     my ( $action , $level ) = split_action $target;
 
@@ -575,7 +619,7 @@ sub process_action( $$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -588,8 +632,8 @@ sub process_action( $$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
 
     my $nocomment = no_comment;
 
@@ -605,12 +649,14 @@ sub process_macro3( $$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -624,8 +670,6 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	    next;
 	}
 
-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -666,8 +710,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;
 
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
     }
 
     pop_open;
@@ -692,7 +737,7 @@ sub process_action3( $$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
 
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -716,9 +761,9 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
     }
 
@@ -799,15 +844,15 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 
 sub rejNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 
 sub dropInvalid ( $$$ ) {
@@ -825,18 +870,19 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
+    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
     }
 
-    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 
 sub Limit( $$$ ) {
@@ -862,7 +908,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
     } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
     }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -43,20 +43,18 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_0';
+our $VERSION = '4.5_3';
 
 our $export;
 
 our $test;
 
-our $reused = 0;
-
-our $family = F_IPV4;
+our $family;
 
 #
-# Reinitilize the package-globals in the other modules
+# Initilize the package-globals in the other modules
 #
-sub reinitialize() {
+sub initialize_package_globals() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -79,11 +77,11 @@ sub reinitialize() {
 #
 sub generate_script_1() {
 
-    my $date = localtime;
-
     if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
     } else {
+	my $date = localtime;
+
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
@@ -92,14 +90,24 @@ sub generate_script_1() {
 	}
     }
 
+    my $lib = find_file 'lib.private';
+
+    if ( -f $lib ) {
+	emit <<'EOF';
+################################################################################
+# Functions imported from lib.private
+################################################################################
+EOF
+
+	copy1 $lib;
+	emit "\n";
+    }
+
     emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    my $lib = find_file 'lib.private';
-
-    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -131,7 +139,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 
 sub generate_script_2() {
 
@@ -206,8 +214,7 @@ sub generate_script_2() {
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
-	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
 
     emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
 
@@ -232,14 +239,24 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
+    pop_indent;
+
+    emit "\n}\n"; # End of initialize()
+
+    emit( '' ,
+	  '#' ,
+	  '# Set global variables holding detected IP information' ,
+	  '#' ,
+	  'detect_configuration()',
+	  '{' );
+
     my $global_variables = have_global_variables;
 
+    push_indent;
+
     if ( $global_variables ) {
-	emit( '' ,
-	      '#' ,
-	      '# Set global variables holding detected IP information' ,
-	      '#' ,
-	      'case $COMMAND in' );
+	
+	emit( 'case $COMMAND in' );
 
 	push_indent;
 
@@ -275,11 +292,13 @@ sub generate_script_2() {
 	pop_indent;
 
 	emit ( 'esac' ) ,
+    } else {
+	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of initialize()
+    emit "\n}\n"; # End of detect_configuration()
     
 }
 
@@ -293,7 +312,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 #
 sub generate_script_3($) {
 
@@ -336,15 +355,17 @@ sub generate_script_3($) {
     if ( $family == F_IPV4 ) {
 	my @ipsets = all_ipsets;
 
-	if ( @ipsets ) {
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
 	    emit ( '',
+		   'local hack',
+		   '',
 		   'case $IPSET in',
 		   '    */*)',
-		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
@@ -354,20 +375,44 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   '' );
+		   'elif [ "$COMMAND" = restore -a -z "$RECOVERING" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
 
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	    if ( @ipsets ) {
+		emit '';
 
-	    emit ( '' ,
-		   'elif [ "$COMMAND" = restart ]; then' ,
-		   '' );
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
 
-	    emit ( '' , 
-		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
 	    emit ( 'fi',
 		   '' );
 	}
@@ -402,23 +447,10 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '#',
-	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
-	       '#',
-	       'qt1 $IP6TABLES -N foox1234',
-	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
-	       'result=$?',
-	       'qt1 $IP6TABLES -F foox1234',
-	       'qt1 $IP6TABLES -X foox1234',
-	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
-	       '' );
-
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
-		   '',
-	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
-	       ''
-	     );
-
+	       '' );
+	mark_firewall_not_started;
+	emit '';
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -440,6 +472,10 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
+    emit 'cat > ${VARDIR}/policies << __EOF__';
+    save_policies;
+    emit_unindented '__EOF__';
+
     pop_indent;
 
     emit "fi\n";
@@ -526,8 +562,8 @@ EOF
 #
 sub compiler {
 
-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
-       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
 
     $export = 0;
     $test   = 0;
@@ -547,7 +583,8 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$objectfile },
+    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -558,6 +595,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
+		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -572,14 +610,17 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    reinitialize if $reused++ || $family == F_IPV6;
+    #
+    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
+    #
+    initialize_package_globals;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    set_verbose( $verbosity );
+    set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -592,16 +633,20 @@ sub compiler {
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'XCONNMARK'       , 'PROVIDER_OFFSET > 0' , 's' )   if $config{PROVIDER_OFFSET};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
-
-    initialize_chain_table;
-
-    unless ( $command eq 'check' ) {
-	create_temp_object( $objectfile , $export );
+    if ( $scriptfilename ) {
+	set_command( 'compile', 'Compiling', 'Compiled' );
+	create_temp_script( $scriptfilename , $export );
+    } else {
+	set_command( 'check', 'Checking', 'Checked' );
     }
+    #
+    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
+    # shorewall.conf has been processed and the capabilities have been determined.
+    #
+    initialize_chain_table;
 
     #
     # Allow user to load Perl modules
@@ -639,11 +684,11 @@ sub compiler {
     #
     setup_notrack;
 
-    enable_object;
+    enable_script;
 
-    unless ( $command eq 'check' ) {
+    if ( $scriptfilename ) {
 	#
-	# Place Header in the object
+	# Place Header in the script
 	#
 	generate_script_1;
 	#
@@ -677,25 +722,24 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS setings in the zones file
+    # Handle MSS settings in the zones file
     #
     setup_zone_mss;
 
-    unless ( $command eq 'check' ) {
+    if ( $scriptfilename ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_object;
+    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_object;
-    
-    unless ( $command eq 'check' ) {
+    enable_script;
 
+    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -713,12 +757,12 @@ sub compiler {
     #
     setup_tc;
 
-    unless ( $command eq 'check' ) {
+    if ( $scriptfilename ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_object;
+    disable_script;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -772,24 +816,30 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting;
+    setup_accounting if $config{ACCOUNTING};
 
-    if ( $command eq 'check' ) {
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
-    } else {
+    if ( $scriptfilename ) {
 	#
-	# Generate the zone x zone matrix
+	# Compiling a script - generate the zone by zone matrix
 	#
 	generate_matrix;
 
-	enable_object;
+	if ( $config{OPTIMIZE} & 6 ) {
+	    progress_message2 'Optimizing Ruleset...';
+	    #
+	    # Optimize Policy Chains
+	    #
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    #
+	    # More Optimization
+	    #
+	    optimize_ruleset if $config{OPTIMIZE} & 4;
+	}
+
+	enable_script;
 	#
-	#                                    I N I T I A L I Z E
-	#                  (Writes the initialize() function to the compiled script)
+	#                             I N I T I A L I Z E
+	#           (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -797,17 +847,19 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
-	#                               S T O P _ F I R E W A L L
-	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-	compile_stop_firewall( $test ); 
 	#
-	# Copy the footer to the object
+	#                           S T O P _ F I R E W A L L
+	#         (Writes the stop_firewall() function to the compiled script)
+	#
+	compile_stop_firewall( $test, $export );
+	#
+	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -817,15 +869,56 @@ sub compiler {
 	    }
 	}
 
-	disable_object;
+	disable_script;
 	#
-	# Close, rename and secure the object
+	# Close, rename and secure the script
 	#
-	finalize_object ( $export );
+	finalize_script ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_object, generate_aux_config if $export;
+	enable_script, generate_aux_config if $export;
+    } else {
+	#
+	# Just checking the configuration
+	#
+	if ( $preview ) {
+	    #
+	    # User wishes to preview the ruleset -- generate the rule matrix
+	    #
+	    generate_matrix;
+
+	    if ( $config{OPTIMIZE} & 6 ) {
+		progress_message2 'Optimizing Ruleset...';
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		#
+		# Ruleset Optimization
+		#
+		optimize_ruleset if $config{OPTIMIZE} & 4;
+	    }
+
+	    preview_netfilter_load;
+	}
+	#
+	# Re-initialize the chain table so that process_routestopped() has the same
+	# environment that it would when called by compile_stop_firewall().
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+	#
+	# compile_stop_firewall() also validates the routestopped file. Since we don't
+	# call that function during 'check', we must validate routestopped here.
+	#
+	process_routestopped;
+
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
+	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
-	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -72,21 +72,27 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_5';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $family;
+our $allip;
+our @allip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
+	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'FF00::/10' ,
 	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_SITELOCAL      => 'FFC0::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
 	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
 	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
@@ -101,23 +107,10 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
+
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Note: initialize() is declared at the bottom of the file
 #
-
-sub initialize( $ ) {
-    $family = shift;
-}
-
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -309,7 +302,8 @@ sub validate_port( $$ ) {
     my $value;
 
     if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port <= 65535;
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
@@ -398,7 +392,6 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
-    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -484,6 +477,7 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
+	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }
@@ -492,16 +486,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    if ( $address =~ /^:/ ) {
-	unless ( $address eq '::' ) {
-	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
-	}
-    } elsif ( $address =~ /:$/ ) {
-	return 0 if $address =~ /::.*:$/;
+    unless ( $address =~ /^::/ ) {
+	return 0 if $address =~ /^:/;
+    }
+
+    unless ( $address =~ /::$/  ) {
+	return 0 if $address =~ /:$/;
     }
 		 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
     }
 
     1;
@@ -550,13 +544,27 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    while ( $addr =~ tr/:/:/ < 6 ) {
-	$addr =~ s/::/:0::/;
+    if ( $addr eq '::' ) {
+	'0:0:0:0:0:0:0:0';
+    } else {
+	#
+	# Suppress leading zeros
+	#
+	$addr =~ s/^0+//;
+	$addr =~ s/:0+/:/g;
+	$addr =~ s/^:/0:/;
+	$addr =~ s/:$/:0/;
+
+	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
+	#
+	# Note: "s/::/:0:/g" doesn't work here
+	#
+	1 while $addr =~ s/::/:0:/;
+
+	$addr =~ s/^0+:/0:/;
+	
+	$addr;
     }
-
-    $addr =~ s/::/:0:/;
-
-    $addr;
 }
 
 sub validate_6range( $$ ) {
@@ -580,7 +588,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = $_[0];
+    my ( $host, $allow_name )  = @_;
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -614,7 +622,6 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
-    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -629,31 +636,63 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    $allip;
 }
 
 sub allip() {
-    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+    @allip;
 }
 
 sub valid_address ( $ ) {
-    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
+    $valid_address->(@_);
 }
 
 sub validate_address ( $$ ) {
-    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
+    $validate_address->(@_);
 }
 
 sub validate_net ( $$ ) {
-    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
+    $validate_net->(@_);
 }
 
 sub validate_range ($$ ) {
-    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
+    $validate_range->(@_);
 }
 
 sub validate_host ($$ ) {
-    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
+    $validate_host->(@_);
+}
+
+#
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
+#
+sub initialize( $ ) {
+    my $family = shift;
+
+    if ( $family == F_IPV4 ) {
+	$allip            = ALLIPv4;
+	@allip            = @allipv4;
+	$valid_address    = \&valid_4address;
+	$validate_address = \&validate_4address;
+	$validate_net     = \&validate_4net;
+	$validate_range   = \&validate_4range;
+	$validate_host    = \&validate_4host;
+    } else {
+	$allip            = ALLIPv6;
+	@allip            = @allipv6;
+	$valid_address    = \&valid_6address;
+	$validate_address = \&validate_6address;
+	$validate_net     = \&validate_6net;
+	$validate_range   = \&validate_6range;
+	$validate_host    = \&validate_6host;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -29,7 +29,6 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -37,29 +36,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Called by the compiler
 #
-
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Handle IPSEC Options in a masq record
 #
@@ -178,12 +167,11 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
-
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
-    $baserule .= do_user( $user )      if $user ne '-';
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_user( $user ) if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
@@ -207,7 +195,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= "-o $interface ";
+	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
 
@@ -216,6 +204,7 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
+	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -223,7 +212,10 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:random$// and $randomize = '--random ';
+		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
+		$addresses =~ s/:random$//     and $randomize  = '--random ';
+
+		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
 
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
@@ -247,7 +239,11 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    validate_address $ipaddr, 0;
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
+				validate_address $ipaddr, 0;
+			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -262,6 +258,7 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
+	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}
@@ -293,7 +290,6 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
-			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -371,8 +367,8 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = "-i $interface ";
-	$ruleout = "-o $interface ";
+	$rulein  = match_source_dev $interface;
+	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
     }
 
@@ -464,8 +460,8 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = "-i $interface ";
-		$ruleout = "-o $interface ";
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }
 
@@ -485,12 +481,13 @@ sub setup_netmap() {
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
+	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addresses_to_add ) {
-	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addresses_to_add;
+	while ( @addrs ) {
+	    my $addr      = shift @addrs;
+	    my $interface = shift @addrs;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,31 +32,21 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Called by the compiler
 #
-
 sub initialize() {
     @policy_chains = ();
 }
 
-INIT {
-    initialize;
-}
-
 #
 # Convert a chain into a policy chain.
 #
@@ -78,7 +68,7 @@ sub new_policy_chain($$$$)
 {
     my ($source, $dest, $policy, $optional) = @_;
 
-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
 
     convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
@@ -129,7 +119,7 @@ use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = rules_chain( ${zone}, ${zone1} );
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
@@ -214,14 +204,14 @@ sub process_a_policy() {
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
     }
 
-    unless ( $clientwild || $serverwild ) {
+    unless ( $clientwild || $serverwild || $policy eq 'NONE' ) {
 	if ( zone_type( $server ) == BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	}
     }
 
-    my $chain = "${client}2${server}";
+    my $chain = rules_chain( ${client}, ${server} );
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -262,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 
@@ -283,6 +273,21 @@ sub process_a_policy() {
     }
 }
 
+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } elsif ( $zone1 ne $zone2 ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
+	    }
+	}
+    }
+}	    
+
 sub validate_policy()
 {
     our %validpolicies = (
@@ -344,7 +349,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
 	}
     }
 }
@@ -356,8 +361,8 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
-	add_rule $chainref, "-j $default" if $default && $default ne 'none';
+	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -413,13 +418,24 @@ sub apply_policy_rules() {
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
+	my $synparms    = $chainref->{synparms};
 
 	if ( $policy ne 'NONE' ) {
-	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
-		ensure_filter_chain $name, 1;
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
+		if ( $config{OPTIMIZE} & 2 ) {
+		    #
+		    # This policy chain is empty and the only thing that we would put in it is
+		    # the policy-related stuff. Don't create it if all we are going to put in it
+		    # is a single jump. Generate_matrix() will just use the policy target when
+		    # needed.
+		    #
+		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		} else {
+		    ensure_filter_chain $name, 1;
+		}
 	    }
 
-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -428,7 +444,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -454,7 +470,7 @@ sub complete_standard_chain ( $$$$ ) {
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 
@@ -482,4 +498,24 @@ sub setup_syn_flood_chains() {
     }
 }
 
+#
+# Optimize Policy chains with ACCEPT policy
+#
+sub optimize_policy_chains() {
+    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
+	optimize_chain ( $chainref );
+    }
+    #
+    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
+    #
+    my $outputrules = $filter_table->{OUTPUT}{rules};
+
+    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+	optimize_chain( $filter_table->{OUTPUT} );
+    }
+
+    progress_message '  Policy chains optimized';
+    progress_message '';
+}
+
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_4';
 
 #
 # ARP Filtering
@@ -56,27 +56,35 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 	    my $value = get_interface_option $interface, 'arp_filter';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 	    my $value = get_interface_option $interface, 'arp_ignore';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -88,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
+    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
+	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	if ( $config{ROUTE_FILTER} ne '' ) {
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -106,24 +116,28 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 	    my $value = get_interface_option $interface, 'routefilter';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
 
-	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	if ( $capabilities{KERNELVERSION} < 20631 ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+	} elsif ( $val ne '' ) {
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	}
 
+	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
 	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
     }
 }
@@ -153,14 +167,18 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 	    my $value = get_interface_option $interface, 'logmartians';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -180,13 +198,17 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 	    my $value = get_interface_option $interface, 'sourceroute';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -227,13 +249,17 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 		my $value = get_interface_option $interface, 'forward';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
+		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_0';
+our $VERSION = '4.5_2';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,17 +59,20 @@ our @providers;
 
 our $family;
 
+our $lastmark;
+
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
 
@@ -89,17 +92,13 @@ sub initialize( $ ) {
     @providers = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
 
-    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -111,33 +110,21 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
+	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
-	my $base      = uc chain_base $interface;
-
-	if ( $providerref->{optional} ) {
-	    if ( $providerref->{shared} ) {
-		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
-	    } else {
-		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
-	    }
-		
-	    incr_cmd_level( $chainref );
-	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
 	}
-
-	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -145,11 +132,15 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
+    #
+    # Hack to work around problem in iproute
+    #
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
 
     emit ( '    case $net in',
@@ -165,11 +156,23 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
+    #
+    # Hack to work around problem in iproute
+    #    
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    #
+    # Map physical names in $copy to logical names
+    #
+    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+    #
+    # Shell and iptables use a different wildcard character
+    #
+    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
 
     emit (  '    case $net in',
@@ -273,9 +276,10 @@ sub add_a_provider( ) {
     }
 
     fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $provider    = chain_base $table;
-    my $base        = uc chain_base $interface;
+    my $physical    = get_physical $interface;
+    my $base        = uc chain_base $physical;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -291,40 +295,15 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my $val = 0;
-    my $pref;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
-
-	verify_mark $mark;
-
-	if ( $val < 65535 ) {
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
-	    }
-	} else {
-	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
-	}
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-    }
-
-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -358,12 +337,43 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
+	    } elsif ( $option eq 'local' ) {
+		$local = 1;
+		$track = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
+    my $val = 0;
+    my $pref;
+
+    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+
+	verify_mark $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+
+	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+	$lastmark = $val;
+
+    }
+
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -375,6 +385,7 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
+			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -402,19 +413,25 @@ sub add_a_provider( ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
 	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
+	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}
 
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+	if ( $gatewaycase eq 'none' ) {
+	    if ( $local ) {
+		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
+	    } else {
+		emit "run_ip route add default dev $physical table $number";
+	    }
+	}
     }
 
     if ( $mark ne '-' ) {
@@ -433,8 +450,7 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy =~ tr/,/|/;
-		$copy = "$interface|$copy";
+		$copy = "$interface,$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -446,28 +462,33 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $interface, $realm if $balance;
+    balance_default_route $balance , $gateway, $physical, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $interface, $realm;
+	balance_fallback_route $default , $gateway, $physical, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
+	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
-    if ( $loose ) {
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
+    } elsif ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $interface | while read address; do",
+	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -481,7 +502,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $interface | while read address; do" );
+	emit  ( "find_interface_addresses $physical | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -497,15 +518,15 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
-	} else {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	} else {
+	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -516,9 +537,32 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
+#
+# Begin an 'if' statement testing whether the passed interface is available
+#
+sub start_new_if( $ ) {
+    our $current_if = shift;
+
+    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
+    push_indent;
+}
+  
+#
+# Complete any current 'if' statement in the output script
+#
+sub finish_current_if() {
+    if ( our $current_if ) {
+	pop_indent;
+	emit ( "fi\n" );
+	$current_if = '';
+    }
+}
+
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
+    our $current_if;
+
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -553,6 +597,7 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
+	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -560,9 +605,10 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
+	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -575,21 +621,21 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{interface} );
-	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
-	push_indent;
+	my $base = uc chain_base( $providers{$provider}{physical} );
+	finish_current_if if $base ne $current_if;
+	start_new_if( $base ) unless $current_if;
+  } else {
+	finish_current_if;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
-    pop_indent, emit ( "fi\n" ) if $optional;
-
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
@@ -707,12 +753,14 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
+    $lastmark = 0;
+
     my $fn = open_file 'providers';
 
     first_entry sub() {
+	progress_message2 "$doing $fn...";
 	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 	push_indent;
-	progress_message2 "$doing $fn...";
 	start_providers; };
 
     add_a_provider, $providers++ while read_a_line;
@@ -723,18 +771,21 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
+	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
 
 	    add_an_rtrule while read_a_line;
+
+	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if block begun in the first_entry closure
+	# This completes the if-block begun in the first_entry closure above
 	#
 	pop_indent;
 	emit "fi\n";
@@ -784,18 +835,21 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the initialize() function.
+# This function is called by the compiler when it is generating the detect_configuration() function.
 # The function emits code to set the ..._IS_USABLE interface variables appropriately for the
 # optional interfaces
 #
+# Returns true if there were optional interfaces
+#
 sub handle_optional_interfaces() {
 
     my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
-	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
+	    my $physical = get_physical $interface;
+	    my $base     = uc chain_base( $physical );
 
 	    emit '';
 
@@ -806,15 +860,15 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};
 
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $interface; then);
+		    emit qq(if interface_is_usable $physical; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $interface; then);
+		emit qq(if interface_is_usable $physical; then);
 	    }
 
 	    emit( "    ${base}_IS_USABLE=Yes" ,
@@ -822,6 +876,8 @@ sub handle_optional_interfaces() {
 		  "    ${base}_IS_USABLE=" ,
 		  'fi' );
 	}
+
+	1;
     }
 }
 
@@ -831,7 +887,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask         = in_hex( $globals{PROVIDER_MASK} );
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};
@@ -842,9 +898,8 @@ sub handle_stickiness( $ ) {
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
 
-
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{interface};
+	    my $interface = $providerref->{physical};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
 
@@ -854,9 +909,6 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;
 
 		for my $chainref ( $stickyref, $setstickyref ) {
-
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -867,17 +919,14 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
 
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcpre //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
-		    
 		}
 	    }
 
@@ -887,8 +936,6 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -899,16 +946,14 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
 
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcout //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,30 +35,27 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_4';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 sub setup_one_proxy_arp( $$$$$ ) {
     my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 
@@ -120,6 +117,8 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}
 
+		$interface = get_physical $interface;
+
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 
@@ -146,10 +145,14 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
@@ -161,10 +164,14 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_2';
 
 #
 # Notrack

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -24,6 +24,7 @@
 #
 package Shorewall::Rules;
 require Exporter;
+
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
@@ -40,12 +41,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
+		  process_routestopped
 		  generate_matrix
-		  setup_mss
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_0';
+our $VERSION = '4.5_3';
 
 #
 # Set to one if we find a SECTION
@@ -64,14 +65,15 @@ my %rules_commands = ( COMMENT => 0,
 		       SECTION => 2 );
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     $sectioned = 0;
@@ -80,10 +82,6 @@ sub initialize( $ ) {
     @param_stack = ();
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 sub process_tos() {
@@ -127,7 +125,7 @@ sub process_tos() {
 	    if ( $family == F_IPV4 ) {
 		( $srczone , $source , $remainder ) = split( /:/, $src, 3 );
 		fatal_error 'Invalid SOURCE' if defined $remainder;
-	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ ) {
+	    } elsif ( $src =~ /^(.+?):<(.*)>\s*$/ || $src =~ /^(.+?):\[(.*)\]\s*$/ ) {
 		$srczone = $1;
 		$source  = $2;
 	    } else {
@@ -148,7 +146,7 @@ sub process_tos() {
 	    expand_rule
 		$chainref ,
 		$restriction ,
-		do_proto( $proto, $ports, $sports ) . do_test( $mark , 0xFF ) ,
+		do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
 		$src ,
 		$dst ,
 		'' ,
@@ -159,8 +157,8 @@ sub process_tos() {
 	}
 
 	unless ( $first_entry ) {
-	    add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced};
-	    add_rule $mangle_table->{OUTPUT},    "-j outtos" if $outtosref->{referenced};
+	    add_jump( $mangle_table->{$stdchain}, $chain,   0 ) if $pretosref->{referenced};
+	    add_jump( $mangle_table->{OUTPUT},    'outtos', 0 ) if $outtosref->{referenced};
 	}
     }
 }
@@ -201,8 +199,8 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
 
-		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
-		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp -o $interface ";
+		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
+		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp " . match_dest_dev( $interface );
 	    }
 
 	    for my $host ( @hosts ) {
@@ -216,7 +214,7 @@ sub add_rule_pair( $$$$ ) {
     my ($chainref , $predicate , $target , $level ) = @_;
 
     log_rule( $level, $chainref, "\U$target", $predicate )  if defined $level && $level ne '';
-    add_rule $chainref , "${predicate}-j $target";
+    add_jump( $chainref , $target, 0, $predicate );
 }
 
 sub setup_blacklist() {
@@ -234,7 +232,7 @@ sub setup_blacklist() {
 
 	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
 
-	    add_rule $logchainref, "-j $target" ;
+	    add_jump $logchainref, $target, 1;
 
 	    $target = 'blacklog';
 	}
@@ -317,34 +315,38 @@ sub process_routestopped() {
 	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
-
 	$hosts = ALLIP unless $hosts && $hosts ne '-';
 
 	my @hosts;
 
 	$seq++;
 
-	my $rule = do_proto( $proto, $ports, $sports, 1 );
+	my $rule = do_proto( $proto, $ports, $sports, 0 );
 
 	for my $host ( split /,/, $hosts ) {
+	    fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
 	    validate_host $host, 1;
 	    push @hosts, "$interface|$host|$seq";
 	    push @rule, $rule;
 	}
 
 	unless ( $options eq '-' ) {
+
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
+			my $chainref = $filter_table->{FORWARD};
+
 			$routeback = 1;
 
 			for my $host ( split /,/, $hosts ) {
-			    my $source = match_source_net $host;
-			    my $dest   = match_dest_net   $host;
-
-			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
+			    add_rule( $chainref , 
+				      match_source_dev( $interface ) . 
+				      match_dest_dev( $interface ) .
+				      match_source_net( $host ) .
+				      match_dest_net( $host ) );
 			    clearrule;
 			}
 		    }
@@ -378,24 +380,24 @@ sub process_routestopped() {
 	my $desti   = match_dest_dev $interface;
 	my $rule    = shift @rule;
 
-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT";
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
+	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
 
 	my $matched = 0;
 
 	if ( $source{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT";
+	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
 	    $matched = 1;
 	}
 
 	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT";
+	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
 	    $matched = 1;
 	}
 
 	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK";
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK";
+	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
+	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
 	}
 
 	unless ( $matched ) {
@@ -404,7 +406,7 @@ sub process_routestopped() {
 		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
 		    my $dest1 = match_dest_net $h1;
 		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT";
+		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
 		    clearrule;
 		}
 	    }
@@ -417,17 +419,21 @@ sub setup_mss();
 sub add_common_rules() {
     my $interface;
     my $chainref;
-    my $level;
     my $target;
     my $rule;
     my $list;
     my $chain;
 
-    new_standard_chain 'dynamic';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
+    my $level     = $config{BLACKLIST_LOGLEVEL};
+    my $rejectref = dont_move new_standard_chain 'reject';
 
-    my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
-
-    add_rule $filter_table->{$_}, "$state -j dynamic" for qw( INPUT FORWARD );
+    if ( $config{DYNAMIC_BLACKLIST} ) {
+	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   ' ' , 'DROP'   , $level ;
+	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
+	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
+    }
 
     setup_mss;
 
@@ -435,13 +441,6 @@ sub add_common_rules() {
 	add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
     }
 
-    my $rejectref = new_standard_chain 'reject';
-
-    $level = $config{BLACKLIST_LOGLEVEL};
-
-    add_rule_pair new_standard_chain( 'logdrop' ),   ' ' , 'DROP'   , $level ;
-    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'reject' , $level ;
-
     for $interface ( all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
     }
@@ -550,7 +549,11 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }
 
-	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
+	    add_rule( $filter_table->{forward_chain $interface} , 
+		      "-p udp " .
+		      match_dest_dev( $interface ) .
+		      "--dport $ports -j ACCEPT" )
+		if get_interface_option( $interface, 'bridge' );
 	}
     }
 
@@ -585,11 +588,11 @@ sub add_common_rules() {
 	    $disposition = $config{TCP_FLAGS_DISPOSITION};
 	}
 
-	add_rule $chainref , "-p tcp --tcp-flags ALL FIN,URG,PSH -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags ALL NONE        -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags SYN,RST SYN,RST -j $disposition";
-	add_rule $chainref , "-p tcp --tcp-flags SYN,FIN SYN,FIN -j $disposition";
-	add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL FIN,URG,PSH ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags ALL NONE ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,RST SYN,RST ';
+	add_jump $chainref , $disposition, 1, '-p tcp --tcp-flags SYN,FIN SYN,FIN ';
+	add_jump $chainref , $disposition, 1, '-p tcp --syn --sport 0 ';
 
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
@@ -612,12 +615,12 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    new_nat_chain( 'UPnP' );
+	    dont_optimize new_nat_chain( 'UPnP' );
 
 	    $announced = 1;
 
 	    for $interface ( @$list ) {
-		add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
+		add_jump $nat_table->{PREROUTING} , 'UPnP', 0, match_source_dev ( $interface );
 	    }
 	}
 
@@ -634,10 +637,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
+				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -700,7 +703,7 @@ sub setup_mac_lists( $ ) {
 		my $chain = $chainref->{name};
 
 		add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN";
-		add_rule $chainref, "-j $chain1ref->{name}";
+		add_jump $chainref, $chain1ref, 0;
 		add_rule $chainref, "-m recent --update --name $chain -j RETURN";
 		add_rule $chainref, "-m recent --set --name $chain";
 	    }
@@ -742,6 +745,7 @@ sub setup_mac_lists( $ ) {
 			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if defined $level && $level ne '';
 			add_rule $chainref , "${mac}${source}-j $targetref->{target}";
+
 		    }
 		} else {
 		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
@@ -780,6 +784,9 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
     } else {
+	#
+	# Phase II
+	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -825,7 +832,7 @@ sub setup_mac_lists( $ ) {
 	    run_user_exit2( 'maclog', $chainref );
 
 	    log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
-	    add_rule $chainref, "-j $target";
+	    add_jump $chainref, $target, 0;
 	}
     }
 }
@@ -852,12 +859,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -871,8 +879,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 
-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	$mtarget = merge_levels $target, $mtarget;
 
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -918,15 +924,15 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      $mtarget,
 		      $msource,
 		      $mdest,
-		      merge_macro_column( $mproto,    $proto ) , 
-		      merge_macro_column( $mports,    $ports ) ,
-		      merge_macro_column( $msports,   $sports ) ,
-		      merge_macro_column( $morigdest, $origdest ) , 
-		      merge_macro_column( $mrate,     $rate ) ,
-		      merge_macro_column( $muser,     $user ) ,
-		      $mark, 
-		      $connlimit,
-		      $time,
+		      merge_macro_column( $mproto,     $proto ) ,
+		      merge_macro_column( $mports,     $ports ) ,
+		      merge_macro_column( $msports,    $sports ) ,
+		      merge_macro_column( $morigdest,  $origdest ) ,
+		      merge_macro_column( $mrate,      $rate ) ,
+		      merge_macro_column( $muser,      $user ) ,
+		      merge_macro_column( $mmark,      $mark ) ,
+		      merge_macro_column( $mconnlimit, $connlimit) ,
+		      merge_macro_column( $mtime,      $time ),
 		      $wildcard
 		     );
 
@@ -941,7 +947,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
 }
 #
-# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
+# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 #
 sub process_rule1 ( $$$$$$$$$$$$$ ) {
@@ -950,11 +956,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     my ( $basictarget, $param ) = get_target_param $action;
     my $rule = '';
     my $actionchainref;
-    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
-
-    unless ( defined $param ) {
-	( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
-    }
+    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
 
     $param = '' unless defined $param;
 
@@ -963,6 +965,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
+    if ( $config{ MAPOLDACTIONS } ) {
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
+    }
+
     fatal_error "Unknown action ($action)" unless $actiontype;
 
     if ( $actiontype == MACRO ) {
@@ -1080,7 +1086,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    $destref = defined_zone( $destzone );
 
 	    if ( $destref ) {
-		warning_message "Destination zone ($destzone) ignored";
+		warning_message "The destination zone ($destzone) is ignored in $log_action rules";
 	    } else {
 		$dest = join ':', $destzone, $dest;
 		$destzone = '';
@@ -1120,7 +1126,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}
 
-	$chain    = "${sourcezone}2${destzone}";
+	$chain = rules_chain( ${sourcezone}, ${destzone} );
+	#
+	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+	#
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};
 
@@ -1143,12 +1152,22 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	# Mark the chain as referenced and add appropriate rules from earlier sections.
 	#
 	$chainref = ensure_filter_chain $chain, 1;
+	#
+	# Don't let the rules in this chain be moved elsewhere
+	#
+	dont_move $chainref;
     }
 
     #
     # Generate Fixed part of the rule
     #
-    $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) , do_connlimit( $connlimit ), do_time( $time ) );
+    $rule = join( '', 
+		  do_proto($proto, $ports, $sports),
+		  do_ratelimit( $ratelimit, $basictarget ) ,
+		  do_user( $user ) ,
+		  do_test( $mark , $globals{TC_MASK} ) ,
+		  do_connlimit( $connlimit ),
+		  do_time( $time ) );
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
@@ -1226,9 +1245,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		}
 	    }
 	} else {            
-	    fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
-
-	    if ( $server =~ /^(.+)-(.+)$/ ) {
+	    if ( $server eq '' ) {
+		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 		validate_range( $1, $2 );
 	    } else {
 		my @servers = validate_address $server, 1;
@@ -1237,9 +1256,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 
 	    if ( $action eq 'DNAT' ) {
 		$target = '-j DNAT ';
-		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= "--to-destination ${serv}${serverport} ";
+		if ( $server ) {
+		    $serverport = ":$serverport" if $serverport;
+		    for my $serv ( split /,/, $server ) {
+			$target .= "--to-destination ${serv}${serverport} ";
+		    }
+		} else {
+		    $target .= "--to-destination :$serverport ";
 		}
 	    }
 
@@ -1277,7 +1300,11 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#   - the target will be ACCEPT.
 	#
 	unless ( $actiontype & NATONLY ) {
-	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
+	    $rule = join( '',
+			  do_proto( $proto, $ports, $sports ),
+			  do_ratelimit( $ratelimit, 'ACCEPT' ),
+			  do_user $user ,
+			  do_test( $mark , $globals{TC_MASK} ) );
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -1317,7 +1344,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? "-i $_ " : '';
+		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ )  : '';
 		}
 	    }
 
@@ -1355,7 +1382,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     "-j $tgt",
 		     $loglevel ,
 		     $log_action ,
-		     ''
+		     '' ,
 		   );
 	#
 	# Possible optimization if the rule just generated was a simple jump to the nonat chain
@@ -1368,7 +1395,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    #
 	    # And move the rules from the nonat chain to the zone dnat chain
 	    #
-	    add_rule( $nonat_chain, "-j $tgt" ) unless move_rules ( $chn, $nonat_chain );
+	    move_rules ( $chn, $nonat_chain );
 	}
     }
 
@@ -1573,6 +1600,9 @@ sub process_rules() {
 # Add jumps from the builtin chains to the interface-chains that are used by this configuration
 #
 sub add_interface_jumps {
+    our %input_jump_added;
+    our %output_jump_added;
+    our %forward_jump_added;
     #
     # Add Nat jumps
     #
@@ -1593,10 +1623,10 @@ sub add_interface_jumps {
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
     for my $interface ( @_ ) {
-	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
-	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) if use_input_chain $interface;
+	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
+	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface;
 
-	if ( use_output_chain $interface ) {
+	unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
 	    add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
     }
@@ -1604,15 +1634,15 @@ sub add_interface_jumps {
     # Loopback
     #
     my $fw = firewall_zone;
-    my $chainref = $filter_table->{"${fw}2${fw}"};
+    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
 
-    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
+    add_jump $filter_table->{OUTPUT} ,  ($chainref->{referenced} ? $chainref : 'ACCEPT' ), 0, '-o lo ';
     add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
 }
 
 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse.
+# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@@ -1628,7 +1658,7 @@ sub generate_matrix() {
     #
     sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = "${zone}2${zone1}";
+	my $chain = rules_chain( ${zone}, ${zone1} );
 	my $chainref = $filter_table->{$chain};
 
 	return $chain   if $chainref && $chainref->{referenced};
@@ -1639,7 +1669,8 @@ sub generate_matrix() {
 	if ( $chainref->{policy} ne 'CONTINUE' ) {
 	    my $policyref = $filter_table->{$chainref->{policychain}};
 	    assert( $policyref );
-	    return $policyref->{name};
+	    return $policyref->{name} if $policyref ne $chainref;
+	    return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
 	}
 
 	''; # CONTINUE policy
@@ -1663,18 +1694,28 @@ sub generate_matrix() {
     my $notrackref = $raw_table->{notrack_chain $fw};
     my @zones = non_firewall_zones;
     my $interface_jumps_added = 0;
+    our %input_jump_added   = ();
+    our %output_jump_added  = ();
+    our %forward_jump_added = ();
 
     #
     # Special processing for complex configurations
     #
     for my $zone ( @zones ) {
-	my $zoneref    = find_zone( $zone );
+	my $zoneref = find_zone( $zone );
 
 	next if @zones <= 2 && ! $zoneref->{options}{complex};
-
+	#
+	# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
+	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
 	if ( $capabilities{POLICY_MATCH} ) {
+	    #
+	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
+	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
+	    #
 	    my $type       = $zoneref->{type};
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
@@ -1684,6 +1725,7 @@ sub generate_matrix() {
 
 		if ( use_forward_chain( $interface ) ) {
 		    $sourcechainref = $filter_table->{forward_chain $interface};
+		    add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
 		    $interfacematch = match_source_dev $interface;
@@ -1710,7 +1752,7 @@ sub generate_matrix() {
     #
     # NOTRACK from firewall
     #
-    add_rule $raw_table->{OUTPUT}, "-j $notrackref->{name}" if $notrackref->{referenced};
+    add_jump $raw_table->{OUTPUT}, $notrackref, 0 if $notrackref->{referenced};
     #
     # Main source-zone matrix-generation loop
     #
@@ -1750,7 +1792,7 @@ sub generate_matrix() {
 
 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1795,6 +1837,7 @@ sub generate_matrix() {
 
 			    if ( use_output_chain $interface ) {
 				$outputref = $filter_table->{output_chain $interface};
+				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1843,6 +1886,7 @@ sub generate_matrix() {
 
 			if ( use_input_chain $interface ) {
 			    $inputchainref = $filter_table->{input_chain $interface};
+			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -1856,7 +1900,9 @@ sub generate_matrix() {
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 			    my $ref = source_exclusion( $exclusions, $frwd_ref );
 			    if ( use_forward_chain $interface ) {
-				add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match );
+				my $forwardref = $filter_table->{forward_chain $interface};
+				add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
+				add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			    } else {
 				add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
 				move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
@@ -1873,15 +1919,14 @@ sub generate_matrix() {
 	my @dest_zones;
 	my $last_chain = '';
 
-	if ( $config{OPTIMIZE} > 0 ) {
+	if ( $config{OPTIMIZE} & 1 ) {
 	    my @temp_zones;
 
-	  ZONE1:
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
+		my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};
 
-		next if $policy  eq 'NONE';
+		next if $policy eq 'NONE';
 
 		my $chain = rules_target $zone, $zone1;
 
@@ -1895,7 +1940,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}
 
-		if ( $chain =~ /2all$/ ) {
+		if ( $chain =~ /(2all|-all)$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@@ -1926,12 +1971,10 @@ sub generate_matrix() {
 	# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	# @dest_zones is the list of destination zones that we need to handle from this source zone
 	#
-      ZONE1:
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
-	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};
 
-	    next if $policy  eq 'NONE';
+	    next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';
 
 	    my $chain = rules_target $zone, $zone1;
 
@@ -1940,57 +1983,69 @@ sub generate_matrix() {
 	    my $num_ifaces = 0;
 
 	    if ( $zone eq $zone1 ) {
-		next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
+		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }
 
 	    if ( $zone1ref->{type} == BPORT ) {
-		next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
+		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }
 
-	    my $chainref    = $filter_table->{$chain};
-
-	    my $dest_hosts_ref = $zone1ref->{hosts};
+	    my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
 	    if ( $frwd_ref ) {
-		for my $typeref ( values %$dest_hosts_ref ) {
+		#
+		# Simple case -- the source zone has it's own forwarding chain
+		#
+		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
-			my $arrayref = $typeref->{$interface};
-			for my $hostref ( @$arrayref ) {
+			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
+				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 				for my $net ( @{$hostref->{hosts}} ) {
-				    add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
+				    add_jump $frwd_ref, $dest_exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
 				}
 			    }
 			}
 		    }
 		}
 	    } else {
+		#
+		# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
+		#
 		for my $typeref ( values %$source_hosts_ref ) {
 		    for my $interface ( keys %$typeref ) {
-			my $arrayref = $typeref->{$interface};
 			my $chain3ref;
 			my $match_source_dev = '';
+			my $forwardchainref = $filter_table->{forward_chain $interface};
 
-			if ( use_forward_chain $interface ) {
-			    $chain3ref = $filter_table->{forward_chain $interface};
+			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+			    #
+			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
+			    #
+			    $chain3ref = $forwardchainref;
+			    add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			} else {
+			    #
+			    # Don't use the interface's forward chain -- move any rules in that chain to this rules chain
+			    #
 			    $chain3ref  = $filter_table->{FORWARD};
 			    $match_source_dev = match_source_dev $interface;
-			    move_rules $filter_table->{forward_chain $interface}, $chainref;
+			    move_rules $forwardchainref, $chainref;
 			}
 
-			for my $hostref ( @$arrayref ) {
+			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{destonly};
 			    my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
 			    for my $net ( @{$hostref->{hosts}} ) {
-				for my $type1ref ( values %$dest_hosts_ref ) {
+				for my $type1ref ( values %{$zone1ref->{hosts}} ) {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
 					    next if $host1ref->{options}{sourceonly};
 					    my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
+					    my $dest_exclusion  = dest_exclusion( $host1ref->{exclusions}, $chain );
 					    for my $net1 ( @{$host1ref->{hosts}} ) {
 						unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
 						    #
@@ -1998,7 +2053,7 @@ sub generate_matrix() {
 						    #
 						    add_jump(
 							     $excl3ref ,
-							     dest_exclusion( $host1ref->{exclusions}, $chain ),
+							     $dest_exclusion,
 							     0,
 							     join( '',
 								   $match_source_dev,
@@ -2017,13 +2072,13 @@ sub generate_matrix() {
 		    }
 		}
 	    }
-	    #
-	    #                                      E N D   F O R W A R D I N G
-	    #
-	    # Now add an unconditional jump to the last unique policy-only chain determined above, if any
-	    #
-	    add_jump $frwd_ref , $last_chain, 1 if $last_chain;
 	}
+	#
+	#                                      E N D   F O R W A R D I N G
+	#
+	# Now add an unconditional jump to the last unique policy-only chain determined above, if any
+	#
+	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
     }
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2080,7 +2135,7 @@ sub setup_mss( ) {
 	#
 	# Send all forwarded SYN packets to the 'settcpmss' chain
 	#
-	add_rule $filter_table->{FORWARD} ,  "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
+	add_jump $filter_table->{FORWARD} , $chainref, 0, '-p tcp --tcp-flags SYN,RST SYN ';
 
 	my $in_match  = '';
 	my $out_match = '';
@@ -2093,10 +2148,12 @@ sub setup_mss( ) {
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
 	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
-	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
-	    add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
+	    my $source   = match_source_dev $_;
+	    my $dest     = match_dest_dev $_;
+	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "${dest}-j RETURN" if $clampmss;
+	    add_rule $chainref, "${source}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "${source}-j RETURN" if $clampmss;
 	}
     }
 
@@ -2106,8 +2163,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $ ) {
-    my $test = shift;
+sub compile_stop_firewall( $$ ) {
+    my ( $test, $export ) = @_;
 
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
@@ -2118,6 +2175,7 @@ sub compile_stop_firewall( $ ) {
 # Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
+    local hack
 EOF
 
     $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
@@ -2146,8 +2204,8 @@ EOF
 	        restart)
 	            logger -p kern.err "ERROR:$PRODUCT restart failed"
 	            ;;
-	        restore)
-	            logger -p kern.err "ERROR:$PRODUCT restore failed"
+	        refresh)
+	            logger -p kern.err "ERROR:$PRODUCT refresh failed"
 	            ;;
             esac
 
@@ -2164,6 +2222,9 @@ EOF
 	        if [ -x $RESTOREPATH ]; then
 		    echo Restoring ${PRODUCT:=Shorewall}...
                     
+                    RECOVERING=Yes
+                    export RECOVERING
+
 		    if $RESTOREPATH restore; then
 		        echo "$PRODUCT restored from $RESTOREPATH"
 		        set_state "Started"
@@ -2253,12 +2314,14 @@ EOF
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 
 	for my $interface ( @$interfaces ) {
-	    add_rule $input,  "-p udp -i $interface --dport $ports -j ACCEPT";
-	    add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	    add_rule $input,  "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    add_rule $output, "-p udp " . match_dest_dev( $interface )   . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
+	    if ( $export || $test || is_bridge( get_physical( $interface ) ) ) {
+		add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    }
 	}
     }
 
@@ -2277,7 +2340,7 @@ EOF
 	}
     } else {
 	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
+	    emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT";
 	}
 
 	if ( $config{IP_FORWARDING} eq 'on' ) {
@@ -2297,16 +2360,38 @@ EOF
 
     my @ipsets = all_ipsets;
 
-    if ( @ipsets ) {
+    if ( @ipsets || $config{SAVE_IPSETS} ) {
 	emit <<'EOF';
 
-    if [ -n "$(mywhich ipset)" ]; then
-        if $IPSET -S > ${VARDIR}/ipsets.tmp; then
+    case $IPSET in
+        */*)
+            if [ ! -x "$IPSET" ]; then
+                error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+                IPSET=
+            fi
+	    ;;
+	*)
+	    IPSET="$(mywhich $IPSET)"
+	    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+	    ;;
+    esac
+
+    if [ -n "$IPSET" ]; then
+        if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+            #
+            # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+            #
+            hack='| grep -v /31'
+        else
+            hack=
+        fi
+
+        if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
             #
             # Don't save an 'empty' file
             #
             grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
-	fi
+        fi
     fi
 EOF
     }

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.3_12';
+our $VERSION = '4.5_3';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,48 +79,6 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-		 target    => 'CONNMARK --save-mark --mask' ,
-		 mark      => SMALLMARK ,
-		 mask      => '0xFF' ,
-		 connmark  => 1
-	       } ,
-	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-		target    => 'CONNMARK --restore-mark --mask' ,
-		mark      => SMALLMARK ,
-		mask      => '0xFF' ,
-		connmark  => 1
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-		target    => 'RETURN' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
-		target    => 'sticky' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-		target    => 'IPMARK' ,
-		mark      => NOMARK,
-		mask      => '',
-		connmark  => 0
-	        } ,
-	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-		target    => 'MARK --or-mark' ,
-		mark      => HIGHMARK ,
-		mask      => '' } ,
-	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-		target    => 'MARK --and-mark ' ,
-		mark      => HIGHMARK ,
-		mask      => '' ,
-		connmark  => 0
-		}
-	      );
-
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -153,7 +111,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
+# %tcdevices { <interface> => {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -163,6 +121,8 @@ our @deferred_rules;
 #                              nextclass     => <number>
 #                              occurs        => Has one or more occurring classes
 #                              qdisc         => htb|hfsc
+#                              guarantee     => <total RATE of classes seen so far>
+#                              name          => <interface>
 #                                               }
 #
 our @tcdevices;
@@ -170,6 +130,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
+our $ipp2p;
 
 
 #
@@ -186,6 +147,7 @@ our $sticky;
 #              occurs    => <number> # 0 means that this is a class generated by another class with occurs > 1
 #              parent    => <class number>
 #              leaf      => 0|1
+#              guarantee => <sum of rates of sub-classes>
 #              options   => { tos  => [ <value1> , <value2> , ... ];
 #                             tcp_ack => 1 ,
 #                             ...
@@ -202,14 +164,15 @@ our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 our $family;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
@@ -221,15 +184,14 @@ sub initialize( $ ) {
     @devnums   = ();
     $devnum = 0;
     $sticky = 0;
-}
-
-INIT {
-    initialize( F_IPV4 );
+    $ipp2p  = 0;
 }
 
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
+    our @tccmd;
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -265,9 +227,9 @@ sub process_tc_rule( ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
 
-	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
-	    $target   = $tcsref->{target} if $tcsref->{target};
-	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
+	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
+	    $target   = $tcsref->{target}                      if $tcsref->{target};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
@@ -285,8 +247,6 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my $mask = 0xffff;
-
     my ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
@@ -354,8 +314,40 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+		    } elsif ( $target eq 'TPROXY ' ) {
+			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+			
+			$chain = 'tcpre';
+
+			$cmd =~ /TPROXY\((.+?)\)$/;
+
+			my $params = $1;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+			if ( $port ) {
+			    $port = validate_port( 'tcp', $port );
+			} else {
+			    $port = 0;
+			}
+
+			$target .= "--on-port $port";
+			
+			if ( defined $ip && $ip ne '' ) {
+			    validate_address $ip, 1;
+			    $target .= " --on-ip $ip";
+			}
+
+			$target .= ' --tproxy-mark';	
 		    }
 			
+
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
 
@@ -376,11 +368,11 @@ sub process_tc_rule( ) {
 
 	    validate_mark $mark;
 
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		my $limit = $globals{TC_MASK};
+		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when PROVIDER_OFFSET > 0"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
@@ -390,7 +382,7 @@ sub process_tc_rule( ) {
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $mask ) . 
+				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -451,6 +443,96 @@ sub process_flow($) {
     $flow;
 }
 
+sub process_simple_device() {
+    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
+
+    my $devnumber;
+
+    if ( $device =~ /:/ ) {
+	( my $number, $device, my $rest )  = split /:/, $device, 3;
+
+	fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
+
+	if ( defined $number ) {
+	    $devnumber = hex_value( $number );
+	    fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
+	    fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
+	    $devnum = $devnumber if $devnumber > $devnum;
+	} else {
+	    fatal_error "Missing interface NUMBER";
+	}
+    } else {
+	$devnumber = ++$devnum;
+    }
+
+    $devnums[ $devnumber ] = $device;
+
+    my $number = in_hexp $devnumber;
+
+    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
+    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
+
+    my $physical = physical_name $device;
+    my $dev      = chain_base( $physical );
+
+    if ( $type ne '-' ) {
+	if ( lc $type eq 'external' ) {
+	    $type = 'nfct-src';
+	} elsif ( lc $type eq 'internal' ) {
+	    $type = 'dst';
+	} else {
+	    fatal_error "Invalid TYPE ($type)";
+	}
+    }
+
+    $tcdevices{$device} = { number   => $devnumber ,
+			    physical => physical_name $device ,
+			    type     => $type ,
+			    in_bandwidth => $bandwidth = rate_to_kbit( $bandwidth ) ,
+			  };
+
+    push @tcdevices, $device;
+
+    emit "if interface_is_up $physical; then";
+
+    push_indent;
+
+    emit ( "${dev}_exists=Yes",
+	   "qt \$TC qdisc del dev $physical root",
+	   "qt \$TC qdisc del dev $physical ingress\n"	   
+	 );
+
+    if ( $bandwidth ) {
+	emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
+	       "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	     );
+    }
+	  
+    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    
+    my $i = 0;
+
+    while ( ++$i <= 3 ) {
+	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-';
+	emit '';
+    }
+
+    save_progress_message_short "   TC Device $physical defined.";
+    
+    pop_indent;
+    emit 'else';
+    push_indent;
+
+    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
+    emit "${dev}_exists=";
+    pop_indent;
+    emit "fi\n";
+ 
+    progress_message "  Simple tcdevice \"$currentline\" $done.";
+}    
+
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
@@ -529,6 +611,9 @@ sub validate_tc_device( ) {
 			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
+			    guarantee     => 0,
+			    name          => $device,
+			    physical      => physical_name $device
 			  } ,
 
     push @tcdevices, $device;
@@ -538,8 +623,8 @@ sub validate_tc_device( ) {
     progress_message "  Tcdevice \"$currentline\" $done.";
 }
 
-sub convert_rate( $$$ ) {
-    my ($full, $rate, $column) = @_;
+sub convert_rate( $$$$ ) {
+    my ($full, $rate, $column, $max) = @_;
 
     if ( $rate =~ /\bfull\b/ ) {
 	$rate =~ s/\bfull\b/$full/g;
@@ -553,7 +638,7 @@ sub convert_rate( $$$ ) {
     }
 
     fatal_error "$column may not be zero" unless $rate;
-    fatal_error "$column ($_[1]) exceeds OUT-BANDWIDTH" if $rate > $full;
+    fatal_error "$column ($_[1]) exceeds $max (${full}kbit)" if $rate > $full;
 
     $rate;
 }
@@ -599,6 +684,7 @@ sub validate_tc_class( ) {
     my $device = $devclass;
     my $occurs = 1;
     my $parentclass = 1;
+    my $parentref;
 
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
@@ -630,7 +716,11 @@ sub validate_tc_class( ) {
 	fatal_error "Missing class NUMBER" if $devref->{classify};
     }
 
-    my $full  = rate_to_kbit $devref->{out_bandwidth};
+    my $full    = rate_to_kbit $devref->{out_bandwidth};
+    my $ratemax = $full;
+    my $ceilmax = $full;
+    my $ratename = 'OUT-BANDWIDTH';
+    my $ceilname = 'OUT-BANDWIDTH';
 
     my $tcref = $tcclasses{$device};
 
@@ -640,15 +730,17 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
+	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -660,10 +752,14 @@ sub validate_tc_class( ) {
 	#
 	# Nested Class
 	#
-	my $parentref = $tcref->{$parentclass};
+	$parentref = $tcref->{$parentclass};
 	fatal_error "Unknown Parent class ($parentclass)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The parent class ($parentclass) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	$parentref->{leaf} = 0;
+	$ratemax  = $parentref->{rate};
+	$ratename = q(the parent class's RATE);
+	$ceilmax = $parentref->{ceiling};
+	$ceilname = q(the parent class's CEIL);
     }
 
     my ( $umax, $dmax ) = ( '', '' );
@@ -673,26 +769,36 @@ sub validate_tc_class( ) {
 
 	fatal_error "Invalid RATE ($rate)" if defined $rest;
 
-	$rate = convert_rate ( $full, $trate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
 	$dmax = convert_delay( $dmax );
 	$umax = convert_size( $umax );
 	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
     } else {
-	$rate = convert_rate ( $full, $rate, 'RATE' );
+	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
     }
 
-    $tcref->{$classnumber} = { tos      => [] ,
-			       rate     => $rate ,
-			       umax     => $umax ,
-			       dmax     => $dmax ,
-			       ceiling  => convert_rate( $full, $ceil, 'CEIL' ) ,
-			       priority => $prio eq '-' ? 1 : $prio ,
-			       mark     => $markval ,
-			       flow     => '' ,
-			       pfifo    => 0,
-			       occurs   => 1,
-			       parent   => $parentclass,
-			       leaf     => 1,
+    if ( $parentref ) {
+	warning_message "Total RATE of sub classes ($parentref->{guarantee}kbits) exceeds RATE of parent class ($parentref->{rate}kbits)" if ( $parentref->{guarantee} += $rate ) > $parentref->{rate};
+    } else {
+	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
+    }
+
+    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+
+    $tcref->{$classnumber} = { tos       => [] ,
+			       rate      => $rate ,
+			       umax      => $umax ,
+			       dmax      => $dmax ,
+			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
+			       priority  => $prio eq '-' ? 1 : $prio ,
+			       mark      => $markval ,
+			       flow      => '' ,
+			       pfifo     => 0,
+			       occurs    => 1,
+			       parent    => $parentclass,
+			       leaf      => 1,
+			       guarantee => 0,
+			       limit     => 127,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -733,7 +839,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -741,6 +847,10 @@ sub validate_tc_class( ) {
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
+	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
+		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
+		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
+		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -769,6 +879,7 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
+					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -805,7 +916,7 @@ sub process_tc_filter( ) {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
-    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
 
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -876,7 +987,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -886,7 +997,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -989,6 +1100,91 @@ sub process_tc_filter( ) {
 
 }
 
+sub process_tc_priority() {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+
+    if ( $band eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
+
+    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if $capabilities{EXMARK};
+
+    if ( $interface ne '-' ) {
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+
+	my $forwardref = $mangle_table->{tcfor};
+
+	add_rule( $forwardref ,
+		  join( '', match_source_dev( $interface) , $rule ) ,
+		  1 );
+    } else {
+	my $postref = $mangle_table->{tcpost};
+	
+	if ( $address ne '-' ) {
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    add_rule( $postref ,
+		      join( '', match_source_net( $address) , $rule ) ,
+		      1 );
+	} else {
+	    add_rule( $postref , 
+		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      1 );
+
+	    if ( $ports ne '-' ) {
+		my $protocol = resolve_proto $proto;
+
+		if ( $proto =~ /^ipp2p/ ) {
+		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
+		    $ipp2p = 1;
+		}
+
+		add_rule( $postref , 
+			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
+			  1 )
+		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
+	    }
+	}
+    }
+}
+
+sub setup_simple_traffic_shaping() {
+    my $interfaces;
+
+    save_progress_message "Setting up Traffic Control...";
+
+    my $fn = open_file 'tcinterfaces';
+
+    if ( $fn ) {
+	first_entry "$doing $fn...";
+	process_simple_device, $interfaces++ while read_a_line;
+    } else {
+	$fn = find_file 'tcinterfaces';
+    }
+
+    my $fn1 = open_file 'tcpri';
+
+    if ( $fn1 ) {
+	first_entry sub { progress_message2 "$doing $fn1...";
+			  warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
+		      };
+	process_tc_priority while read_a_line;
+
+	clear_comment;
+
+	if ( $ipp2p ) {
+	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
+	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	}
+    }
+}
+
 sub setup_traffic_shaping() {
     our $lastrule = '';
 
@@ -1013,12 +1209,15 @@ sub setup_traffic_shaping() {
     }
 
     for my $device ( @tcdevices ) {
-	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
+	$device = physical_name $device;
+
+	my $dev = chain_base( $device );
+
 	emit "if interface_is_up $device; then";
 
 	push_indent;
@@ -1101,12 +1300,14 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+	$classids{$classid}=$device;
+	$device = physical_name $device;
+
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};
 
-	$classids{$classid}=$device;
-
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1133,7 +1334,7 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#
@@ -1179,7 +1380,7 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
@@ -1191,29 +1392,25 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
 
-	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+	    unless ( $config{TRACK_PROVIDERS} ) {
+		#
+		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
+		#
+		for my $interface ( @routemarked_interfaces ) {
+		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
+		}
 	    }
 	}
 
-	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
-	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
+	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
+	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
 	if ( $capabilities{MANGLE_FORWARD} ) {
-	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
-	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
-	}
-
-	if ( $config{HIGH_ROUTE_MARKS} ) {
-	    for my $chain qw(INPUT FORWARD) {
-		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
-	    }
-	    #
-	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
-	    #
-	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' );
+	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
+	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
     }
 
@@ -1222,12 +1419,61 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
     } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	setup_simple_traffic_shaping;
     }
 
     if ( $config{TC_ENABLED} ) {
+	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+			  target    => 'CONNMARK --save-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			  target    => 'CONNMARK --restore-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			  target    => 'RETURN' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			  target    => 'sticky' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			  target    => 'IPMARK' ,
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			  target    => 'MARK --or-mark' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' } ,
+			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+			  target    => 'MARK --and-mark ' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			  target    => 'TPROXY',
+			  mark      => HIGHMARK,
+			  mask      => '',
+			  connmark  => '' },
+		      );
+
 	if ( my $fn = open_file 'tcrules' ) {
 
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
+	    first_entry "$doing $fn...";
 
 	    process_tc_rule while read_a_line;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.5_0';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,6 +60,8 @@ our @EXPORT = qw( NOTHING
 		  interface_number
 		  find_interface
 		  known_interface
+		  get_physical
+		  physical_name
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
@@ -73,7 +75,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_0';
+our $VERSION = '4.5_0';
 
 #
 # IPSEC Option types
@@ -135,7 +137,8 @@ our %reservedName = ( all => 1,
 #
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
-#                                     options     => { <option1> = <val1> ,
+#                                     options     => { port => undef|1
+#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
@@ -143,6 +146,8 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
+#                                     include     => [ <if1>, ... ]
 #                                   }
 #                 }
 #
@@ -150,6 +155,7 @@ our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
+our %physical;
 our $family;
 
 use constant { FIREWALL => 1,
@@ -163,26 +169,32 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       NUMERIC_IF_OPTION  => 4,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
-	       MASK_IF_OPTION     => 7,
+	       STRING_IF_OPTION   => 7,
 
-	       IF_OPTION_ZONEONLY => 8,
-	       IF_OPTION_HOST     => 16,
+	       MASK_IF_OPTION     => 15,
+
+	       IF_OPTION_ZONEONLY => 16,
+	       IF_OPTION_HOST     => 32,
 	   };
 
 our %validinterfaceoptions;
 
+our %defaultinterfaceoptions = ( routefilter => 1 );
+
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
+
 our %validhostoptions;
 
 #
-# Initialize globals -- we take this novel approach to globals initialization to allow
-#                       the compiler to run multiple times in the same process. The
-#                       initialize() function does globals initialization for this
-#                       module and is called from an INIT block below. The function is
-#                       also called by Shorewall::Compiler::compiler at the beginning of
-#                       the second and subsequent calls to that function or when compiling
-#                       for IPv6.
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
 #
-
 sub initialize( $ ) {
     $family = shift;
     @zones = ();
@@ -193,6 +205,7 @@ sub initialize( $ ) {
     %interfaces = ();
     @bport_zones = ();
     %ipsets = ();
+    %physical = ();
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -209,12 +222,13 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => BINARY_IF_OPTION ,
+				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
+				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -239,7 +253,8 @@ sub initialize( $ ) {
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => NUMERIC_IF_OPTION,
+				    forward     => BINARY_IF_OPTION,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -250,10 +265,6 @@ sub initialize( $ ) {
     }
 }
 
-INIT {
-    initialize( F_IPV4 );
-}
-
 #
 # Parse the passed option list and return a reference to a hash as follows:
 #
@@ -363,8 +374,8 @@ sub process_zone( \$ ) {
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
 
-    if ( $type =~ /ipv([46])?/i ) {
-	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+    if ( $type =~ /^ip(v([46]))?$/i ) {
+	fatal_error "Invalid zone type ($type)" if $1 && $2 != $family;
 	$type = IP;
 	$$ip = 1;
     } elsif ( $type =~ /^ipsec([46])?$/i ) {
@@ -500,17 +511,19 @@ sub zone_report()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
+		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
-			my $exclusions = join ',', @{$groupref->{exclusions}};
 			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
+			    my $grouplist  = join ',', ( @$hosts );
+			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
+		
 			    if ( $family == F_IPV4 ) {
-				progress_message_nocompress "      $interface:$grouplist";
+				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $interface:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -528,6 +541,9 @@ sub zone_report()
     }
 }
 
+#
+# This function is called to create the contents of the ${VARDIR}/zones file
+#
 sub dump_zone_contents()
 {
     my @xlate;
@@ -554,20 +570,21 @@ sub dump_zone_contents()
 		my $interfaceref = $hostref->{$type};
 
 		for my $interface ( sort keys %$interfaceref ) {
+		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
-			my $exclusions = join ',', @{$groupref->{exclusions}};
 
 			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
+			    my $grouplist  = join ',', ( @$hosts );
+			    my $exclusions = join ',', @{$groupref->{exclusions}};
 
 			    $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
 
 			    if ( $family == F_IPV4 ) {
-				$entry .= " $interface:$grouplist";
+				$entry .= " $iref->{physical}:$grouplist";
 			    } else {
-				$entry .= " $interface:<$grouplist>";
+				$entry .= " $iref->{physical}:<$grouplist>";
 			    }
 			}
 		    }
@@ -601,7 +618,6 @@ sub add_group_to_zone($$$$$)
     my $interfaceref;
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
-    my $ifacezone = $interfaces{$interface}{zone};
 
     $zoneref->{interfaces}{$interface} = 1;
 
@@ -609,8 +625,7 @@ sub add_group_to_zone($$$$$)
     my @exclusions = ();
     my $new = \@newnetworks;
     my $switched = 0;
-
-    $ifacezone = '' unless defined $ifacezone;
+    my $allip    = 0;
 
     for my $host ( @$networks ) {
 	$interfaces{$interface}{nets}++;
@@ -626,8 +641,12 @@ sub add_group_to_zone($$$$$)
 
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
-		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $ifacezone eq $zone;
-		$ifacezone = $zone if $host eq ALLIP;
+		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
+		if ( $host eq ALLIP ) {
+		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
+		    $interfaces{$interface}{zone} = $zone;
+		    $allip = 1;
+		}
 	    }
 	}
 
@@ -649,7 +668,9 @@ sub add_group_to_zone($$$$$)
     $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
     $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
 
-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
+    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
+
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
 
     push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -706,10 +727,10 @@ sub firewall_zone() {
 #
 # Process a record in the interfaces file
 #
-sub process_interface( $ ) {
-    my $nextinum = $_[0];
-    my $nets;
-    my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
+sub process_interface( $$ ) {
+    my ( $nextinum , $export ) = @_;
+    my $netsref = '';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
     my $bridge = '';
 
@@ -722,18 +743,21 @@ sub process_interface( $ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
-    $networks = '' if $networks eq '-';
+    $bcasts = '' if $bcasts eq '-';
     $options  = '' if $options  eq '-';
 
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
-    if ( defined $port ) {
+    if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
+
+	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
+
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
 
@@ -745,10 +769,6 @@ sub process_interface( $ ) {
 	    }
 	}
 
-	next if $port eq '';
-
-	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
-
 	$bridge = $interface;
 	$interface = $port;
     } else {
@@ -767,10 +787,11 @@ sub process_interface( $ ) {
 	$root = $interface;
     }
 
+    my $physical = $interface;
     my $broadcasts;
 
-    unless ( $networks eq '' || $networks eq 'detect' ) {
-	my @broadcasts = split_list $networks, 'address';
+    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
+	my @broadcasts = split_list $bcasts, 'address';
 
 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
@@ -814,12 +835,12 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = 1 if $hostopt;
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
-		fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
@@ -834,14 +855,14 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The $option option requires a value" unless defined $value;
+		$value = $defaultinterfaceoptions{$option} unless defined $value;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
-		fatal_error "The $option option requires a value" unless defined $value;
-		fatal_error "Duplicate $option option" if $nets;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
 		# Remove parentheses from address list if present
 		#
@@ -851,25 +872,54 @@ sub process_interface( $ ) {
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
 
-		if ( $value eq 'dynamic' ) {
-		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-		    $value = "+${zone}_${interface}";
-		    $hostoptions{dynamic} = 1;
-		    $ipsets{"${zone}_${interface}"} = 1;
+		if ( $option eq 'nets' ) {
+		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
+		    fatal_error "Duplicate $option option" if $netsref;
+		    if ( $value eq 'dynamic' ) {
+			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			$hostoptions{dynamic} = 1;
+			#
+			# Defer remaining processing until we have the final physical interface name
+			#
+			$netsref = 'dynamic';
+		    } else {
+			$hostoptions{multicast} = 1;
+			#
+			# Convert into a Perl array reference
+			#
+			$netsref = [ split_list $value, 'address' ];
+		    }
+		    #
+		    # Assume 'broadcast'
+		    #
+		    $hostoptions{broadcast} = 1;
+		} else {
+		    assert(0);
+		}
+	    } elsif ( $type == STRING_IF_OPTION ) {
+		fatal_error "The '$option' option requires a value" unless defined $value;
+
+		if ( $option eq 'physical' ) {
+		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
+
+		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physical = $value;
+		} else {
+		    assert(0);
 		}
-		#
-		# Convert into a Perl array reference
-		#
-		$nets = [ split_list $value, 'address' ];
-		#
-		# Assume 'broadcast'
-		#
-		$hostoptions{broadcast} = 1;
 	    } else {
 		warning_message "Support for the $option interface option has been removed from Shorewall";
 	    }
 	}
 
+	if ( $netsref eq 'dynamic' ) {
+	    my $ipset = "${zone}_" . chain_base $physical;
+	    $netsref = [ "+$ipset" ];
+	    $ipsets{$ipset} = 1;
+	}
+
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
 
 	if ( $options{bridge} ) {
@@ -880,20 +930,33 @@ sub process_interface( $ ) {
 	$hostoptionsref = \%hostoptions;
 
     }
+    #
+    # Automatically set 'routeback' for local bridges
+    #
+    unless ( $export || $wildcard || $options{routeback} ) {
+	$options{routeback} = $hostoptionsref->{routeback} = is_bridge $physical;
+    }
 
-    $interfaces{$interface} = { name       => $interface ,
-				bridge     => $bridge ,
-				nets       => 0 ,
-				number     => $nextinum ,
-				root       => $root ,
-				broadcasts => $broadcasts ,
-				options    => \%options };
+    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+						       bridge     => $bridge ,
+						       nets       => 0 ,
+						       number     => $nextinum ,
+						       root       => $root ,
+						       broadcasts => $broadcasts ,
+						       options    => \%options ,
+						       zone       => '',
+						       physical   => $physical
+						     };
 
-    $nets = [ allip ] unless $nets; 
-
-    add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref ) if $zone;
-
-    $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
+    if ( $zone ) {
+	$netsref ||= [ allip ];
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
+	add_group_to_zone( $zone, 
+			   $zoneref->{type}, 
+			   $interface, 
+			   [ IPv4_MULTICAST ], 
+			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
+    } 
 
     progress_message "  Interface \"$currentline\" Validated";
 
@@ -914,7 +977,7 @@ sub validate_interfaces_file( $ ) {
 
     first_entry "$doing $fn...";
 
-    push @ifaces, process_interface( $nextinum++) while read_a_line;
+    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
 
     #
     # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -940,6 +1003,20 @@ sub validate_interfaces_file( $ ) {
     fatal_error "No network interfaces defined" unless @interfaces;
 }
 
+#
+# Map the passed name to the corresponding physical name in the passed interface
+#
+sub map_physical( $$ ) {
+    my ( $name, $interfaceref ) = @_;
+    my $physical = $interfaceref->{physical};
+    
+    return $physical if $name eq $interfaceref->{name};
+
+    $physical =~ s/\+$//;
+
+    $physical . substr( $name, length  $interfaceref->{root} );
+}  
+
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
@@ -954,13 +1031,17 @@ sub known_interface($)
 
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
-	my $val = $interfaceref->{root};
-	next if $val eq $i;
-	if ( substr( $interface, 0, length $val ) eq $val ) {
+	my $root = $interfaceref->{root};
+	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
 	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
 	    #
-	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
+	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
+					       bridge   => $interfaceref->{bridge} , 
+					       name     => $i , 
+					       number   => $interfaceref->{number} ,
+					       physical => map_physical( $interface, $interfaceref )
+					     };
 	}
     }
 
@@ -1000,6 +1081,23 @@ sub find_interface( $ ) {
     $interfaceref;
 }
 
+#
+# Returns the physical interface associated with the passed logical name
+#
+sub get_physical( $ ) {
+    $interfaces{ $_[0] }->{physical};
+}
+
+#
+# This one doesn't insist that the passed name be the name of a configured interface
+#
+sub physical_name( $ ) {
+    my $device = shift;
+    my $devref = known_interface $device;
+
+    $devref ? $devref->{physical} : $device;
+}
+
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1040,7 +1138,11 @@ sub find_interfaces_by_option( $ ) {
     my @ints = ();
 
     for my $interface ( @interfaces ) {
-	my $optionsref = $interfaces{$interface}{options};
+	my $interfaceref = $interfaces{$interface};
+	
+	next unless $interfaceref->{root};
+
+	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
@@ -1091,15 +1193,13 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
+	$interface = $1;
+	$hosts = $2;
+	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
     } else {
-	if ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ ) {
-	    $interface = $1;
-	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
-	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
-	} else {
-	    fatal_error "Invalid HOST(S) column contents: $hosts";
-	}
+	fatal_error "Invalid HOST(S) column contents: $hosts";
     }
 
     if ( $type == BPORT ) {
@@ -1151,9 +1251,10 @@ sub process_host( ) {
 
     if ( $hosts eq 'dynamic' ) {
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	$hosts = "+${zone}_${interface}";
+	my $physical = physical_name $interface;
+	$hosts = "+${zone}_${physical}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${interface}"} = 1;
+	$ipsets{"${zone}_${physical}"} = 1;
 
     }
 
@@ -1173,7 +1274,7 @@ sub validate_hosts_file()
 
     my $fn = open_file 'hosts';
 
-    first_entry "doing $fn...";
+    first_entry "$doing $fn...";
 
     $ipsec |= process_host while read_a_line;
 

Shorewall/Perl/compiler.pl

@@ -36,6 +36,7 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
+#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -58,10 +59,11 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
+    [ --preview ]
     [ --family={4|6} ]
 ';
 
-    $returnval;
+    exit $returnval;
 }
 
 #
@@ -78,6 +80,7 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
+my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -98,6 +101,7 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
+			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -105,7 +109,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '', 
+compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
@@ -115,4 +119,5 @@ compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
+	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/prog.footer

@@ -1,283 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset 
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -304,6 +27,8 @@ fi
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -362,6 +87,7 @@ case "$COMMAND" in
 	    status=0
 	else
 	    progress_message3 "Starting $PRODUCT...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -371,6 +97,7 @@ case "$COMMAND" in
     stop)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Stopping $PRODUCT...."
+	detect_configuration
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -414,6 +141,7 @@ case "$COMMAND" in
 	    progress_message3 "Starting $PRODUCT...."
 	fi
 
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -425,6 +153,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
 	    progress_message3 "Refreshing $PRODUCT...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
@@ -435,6 +164,7 @@ case "$COMMAND" in
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Perl/prog.footer6

@@ -1,244 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset 
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -265,6 +27,8 @@ fi
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -315,7 +79,7 @@ COMMAND="$1"
 
 [ -n "${PRODUCT:=Shorewall6}" ]
 
-kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
     error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
     status=2
@@ -328,6 +92,7 @@ else
 		status=0
 	    else
 		progress_message3 "Starting $PRODUCT...."
+		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -337,6 +102,7 @@ else
 	stop)
 	    [ $# -ne 1 ] && usage 2
 	    progress_message3 "Stopping $PRODUCT...."
+	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -379,6 +145,7 @@ else
 		progress_message3 "Starting $PRODUCT...."
 	    fi
 
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -390,6 +157,7 @@ else
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
 		progress_message3 "Refreshing $PRODUCT...."
+		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
@@ -400,6 +168,7 @@ else
 	    ;;
 	restore)
 	    [ $# -ne 1 ] && usage 2
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Perl/prog.header

@@ -255,7 +255,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -294,7 +294,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -606,6 +606,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -1071,6 +1072,283 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IP6TABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -268,7 +268,7 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -304,7 +304,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -946,6 +946,244 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/changelog.txt

@@ -1,234 +1,65 @@
+Changes in 4.5.4
 
-Changes in Shorewall 4.4.0.1
+1) Autodetect local bridges.
 
-1)  Updated release versions.
+2) Add 'show macro' command.
 
-2)  Fix log level in rules at the end of INPUT and OUTPUT
+Changes in 4.5.3
 
-3)  Correct handling of nested IPSEC chains.
+1) Fix logging NONAT rules.
 
-Changes in Shorewall 4.4.0
+2) Don't let fw-fw be optimized away.
 
-1)  Fix 'compile ... -' so that it no longer requires '-v-1'
+3) Don't optimize away non-empty rules chains.
 
-2)  Fix rule generation for logging nat rules with no exclusion.
+4) Represent masks in hex.
 
-3)  Fix log record formatting.
+5) Don't specify a mask in tcpri-generated rules.
 
-4)  Restore ipset binding
+6) Add TPROXY support.
 
-5)  Fix 'upnpclient' with required interfaces.
+Changes in 4.5.2
 
-5)  Fix provider number in 
+1) Extend OPTIMIZE & 4 to all tables.
 
-Changes in Shorewall 4.4.0-RC2
+2) Add OPTIMIZE_ACCOUNTING.
 
-1)  Fix capabilities file with Shorewall6.
+3) Add -p option to check.
 
-2)  Allow Shorewall6 to recognize TC, IP and IPSET
+Changes in 4.5.1
 
-3)  Make 'any' a reserved zone name.
+1)  Fix syntax error in /sbin/shorewall.
 
-4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
+2)  Don't generate source type rule for ICMP/ICMPv6.
 
-Changes in Shorewall 4.4.0-RC1
+3)  Add <device> argument to 'show tc'.
 
-1)  Delete duplicate Git macro.
+4)  Fix 'save' when DYNAMIC_BLACKLIST=No
 
-2)  Fix routing when no providers.
+5)  Allow COMMENTs in tcpri.
 
-3)  Add 'any' as a SOURCE/DEST in rules.
+6)  More ACCEPT optimization with OPTIMIZE & 2.
 
-4)  Fix NONAT on child zone.
+7)  OPTIMIZE & 4.
 
-5)  Fix rpm -U from earlier versions
+8)  Allow ipp2p in tcpri.
 
-6)  Generate error on 'status' by non-root.
+Changes in 4.5.0
 
-7)  Get rid of prog.functions and prog.functions6
+1)  Allow control over how the Mark is used.
 
-Changes in Shorewall 4.4.0-Beta4
+2)  Generate warning on <macro>/<param>.
 
-1)  Add more macros.
+3)  Add a new optimization option.
 
-2)  Correct broadcast address detection
+4)  Combine identical logging chains.
 
-3) Fix 'show dynamic'
+5)  Added ACCOUNTING and DYNAMIC_BLACKLIST options.
 
-4) Fix BGP and OSFP macros.
+6)  Don't unconditionally pass traffic from routemarked interfaces
+    through the tcpre chain.
 
-5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
-
-Changes in Shorewall 4.4.0-Beta3
-
-1)  Add new macros.
-
-2)  Work around mis-configured interfaces.
-
-3)  Fix 'show dynamic'.
-
-4)  Check for xt_LOG.
-
-5)  Fix 'findgw'
-
-Changes in Shorewall 4.4.0-Beta2
-
-1)  The 'find_first_interface_address()' and
-    'find_first_interface_address_if_any()' functions have been restored to
-    lib.base.
-
-2)  Integerize r2q before inserting it into 'tc qdisc add root'
-    command.
-
-3)  Remove '-h' from the help text for install.sh in Shorewall and
-    Shorewall6.
-
-4)  Delete the 'continue' file from the Shorewall package.
-
-5)  Add 'upnpclient' interface option.
-
-6)  Fix handling of optional interfaces.
-
-7)  Add 'iptrace' and 'noiptrace' command.
-
-8)  Add 'USER/GROUP' column to masq file.
-
-9)  Added lib.private.
-
-Changes in Shorewall 4.4.0-Beta1
-
-1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
-
-2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
-
-Changes in Shorewall 4.3.12
-
-1) Eliminate 'large quantum' warnings.
-
-2) Add HFSC support.
-
-3) Delete support for ipset binding. Jozsef has removed the capability
-   from ipset.
-
-4) Add TOS and LENGTH columns to tcfilters file.
-
-5) Fix 'reset' command.
-
-6) Fix 'findgw'.
-
-7) Remove 'norfc1918' support.
-
-Changes in Shorewall 4.3.11
-
-1) Reduce the number of arguments passed in may cases.
-
-2) Fix SCTP source port handling in tcfilters.
-
-3) Add 'findgw' user exit.
-
-4) Add macro.Trcrt
-
-Changes in Shorewall 4.3.10
-
-1) Fix handling of shared optional providers.
-
-2) Add WIDE_TC_MARKS option.
-
-3) Allow compile to STDOUT.
-
-4) Fix handling of class IDs.
-
-5) Deprecate use of an interface in the SOURCE column of
-   /etc/shorewall/masq.
-
-6) Fix handling of 'all' in the SOURCE of DNAT- rules.
-
-7) Fix compile for export.
-
-8) Optimize IPMARK.
-
-9) Implement nested HTB classes.
-
-10) Fix 'iprange' command.
-
-11) Make traffic shaping work better with IPv6.
-
-12) Externalize 'flow'.
-
-13) Fix 'start' with AUTOMAKE=Yes
-
-Changes in Shorewall 4.3.9
-
-1) Logging rules now create separate chain.
-
-2) Fix netmask genereation in tcfilters.
-
-3) Allow Shorewall6 with kernel 2.6.24
-
-4) Avoid 'Invalid BROADCAST address' errors.
-
-5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
-
-6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
-
-7) Add IPMARK support
-
-Changes in Shorewall 4.3.8
-
-1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
-
-2) Use 'startup_error' for those errors caught early.
-
-3) Fix swping
-
-4) Detect gateway via dhclient leases file.
-
-5) Suppress leading whitespace on certain continuation lines.
-
-6) Use iptables[6]-restore to stop the firewall.
-
-7) Add AUTOMAKE option
-
-8) Remove SAME support.
-
-9) Allow 'compile' without a pathname.
-
-10) Fix LOG_MARTIANS=Yes.
-
-11) Adapt I. Buijs's hashlimit patch.
-
-Changes in Shorewall 4.3.7
-
-1)  Fix forward treatment of interface options.
-
-2)  Replace $VARDIR/.restore with $VARDIR/firewall
-
-3)  Fix DNAT- parsing of DEST column.
-
-4)  Implement dynamic zones
-
-5)  Allow 'HOST' options on bridge ports.
-
-6)  Deprecate old macro parameter syntax.
-
-Changes in Shorewall 4.3.6
-
-1)  Add SAME tcrules target.
-
-2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
-
-3)  Fix split_list1()
-
-4)  Fix Shorewall6 file location bugs.
-
-Changes in Shorewall 4.3.5
-
-1)  Remove support for shorewall-shell.
-
-2)  Combine shorewall-common and shorewall-perl to product shorewall.
-
-3)  Add nets= OPTION in interfaces file.
-
-4)  Add SAME MARK/CLASSIFY target
+7)  Automatically assign mark values.
 
+8)  Simplified Traffic Shaping
 

Shorewall/configfiles/findgw

@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Filegw File
+# Shorewall version 4 - Findgw File
 #
 # /etc/shorewall/findgw
 #

Shorewall/configfiles/shorewall.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -117,6 +117,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -135,7 +137,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -189,6 +191,27 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=
+
+MASK_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE		TYPE	IN-BANDWIDTH
+

Shorewall/configfiles/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall/default.debian

@@ -21,4 +21,9 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF

Shorewall/init.debian.sh

@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-# Note, set INITLOG to /dev/null if you want to
-# use Shorewall's STARTUP_LOG feature.
-INITLOG=/var/log/shorewall-init.log
+test -n ${INITLOG:=/var/log/shorewall-init.log}
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -49,7 +47,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
+		echo "/usr/share/doc/shorewall/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -176,7 +176,7 @@ else
     fi
 
     if [ -z "$CYGWIN" ]; then
-	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+	if [ -f /etc/debian_version ]; then
 	    DEBIAN=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "installing Slackware specific configuration..."
@@ -242,6 +242,12 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 chmod 755 ${PREFIX}/etc/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
+
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+    
 #
 # Install the config file
 #
@@ -453,6 +459,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
     echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
+# Install the findgw file
+#
+run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
+    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
+fi
+#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -783,6 +798,16 @@ cd ..
 
 echo "Man Pages Installed"
 
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall"
+fi
+
+if [ -z "$PREFIX" ]; then
+    rm -rf /usr/share/shorewall-perl
+    rm -rf /usr/share/shorewall-shell
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall

Shorewall/known_problems.txt

@@ -1,16 +1 @@
-1)  If ULOG is specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains still use the
-    LOG target rather than ULOG.
-
-    You can work around this problem by adding two additional policies
-    before the all->all one:
-
-    	   all 		$FW	DROP	ULOG
-	   $FW		all	REJECT	ULOG
-
-    This problem was corrected in Shorewall 4.4.0.1.
-
-2)  Use of CONTINUE policies with a nested IPSEC zone was broken in
-    some cases.
-
-    This problem was corrected in Shorewall 4.4.0.1.
+There are no known problems in Shorewall 4.5.4

Shorewall/lib.base

@@ -29,8 +29,8 @@
 #   and /usr/share/shorewall-lite/shorecap.
 #
 
-SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_LIBVERSION=40503
+SHOREWALL_CAPVERSION=40503
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -220,7 +220,7 @@ reload_kernel_modules() {
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     MODULES=$(lsmod | cut -d ' ' -f1)
 
@@ -259,7 +259,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 
     [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -777,6 +777,13 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
     qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
     qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
@@ -806,6 +813,8 @@ determine_capabilities() {
     KLUDGEFREE=
     MARK=
     XMARK=
+    EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -820,14 +829,16 @@ determine_capabilities() {
     LOGMARK_TARGET=
     IPMARK_TARGET=
     LOG_TARGET=Yes
+    PERSISTENT_SNAT=
 
     chain=fooX$$
 
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
+    if [ -n "$NAT_ENABLED" ]; then
+	if qt $IPTABLES -t nat -N $chain; then
+	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+	    qt $IPTABLES -t nat -F $chain
+	    qt $IPTABLES -t nat -X $chain
+	fi
     fi
 
     qt $IPTABLES -F $chain
@@ -905,6 +916,7 @@ determine_capabilities() {
 	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 
 	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -914,6 +926,7 @@ determine_capabilities() {
 
 	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IPTABLES -t mangle -F $chain
 	qt $IPTABLES -t mangle -X $chain
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -936,7 +949,11 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -952,6 +969,7 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -997,11 +1015,13 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1011,6 +1031,8 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
+	report_capability "TPROXY Target" $TPROXY_TARGET
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1054,11 +1076,13 @@ report_capabilities1() {
     report_capability1 KLUDGEFREE
     report_capability1 MARK
     report_capability1 XMARK
+    report_capability1 EXMARK
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH
@@ -1068,8 +1092,11 @@ report_capabilities1() {
     report_capability1 LOGMARK_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 PERSISTENT_SNAT
+    report_capability1 TPROXY_TARGET
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION
 }
 
 # Function to truncate a string -- It uses 'cut -b -<n>'

Shorewall/lib.cli

@@ -177,9 +177,13 @@ show_tc() {
 	fi
     }
 
-    ip -o link list | while read inx interface details; do
-	show_one_tc ${interface%:}
-    done
+    if [ $# -gt 0 ]; then
+	show_one_tc $1
+    else
+	ip -o link list | while read inx interface details; do
+	    show_one_tc ${interface%:}
+	done
+    fi
 
 }
 
@@ -263,6 +267,70 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
+do_save() {
+    local status
+    status=0
+
+    if [ -f ${VARDIR}/firewall ]; then
+	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $RESTOREPATH
+	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+	    chmod +x $RESTOREPATH
+	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    run_user_exit save
+	else
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
+	fi
+    else
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	status=1
+    fi
+
+    case ${SAVE_IPSETS:=No} in 
+	[Yy]es)
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			IPSET=
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+		    ;;
+	    esac
+
+	    if [ -n "$IPSET" ]; then
+		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+                    #
+                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+                    #
+		    hack='| grep -v /31'
+		else
+		    hack=
+		fi
+
+		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+                    #
+                    # Don't save an 'empty' file
+                    #
+		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${RESTOREPATH}-ipsets
+		fi
+	    fi
+	    ;;
+	[Nn]o)
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+	    ;;
+    esac
+
+    return $status
+}
+
 save_config() {
 
     local result
@@ -285,24 +353,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/firewall ]; then
-			    if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/firewall $RESTOREPATH
-				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-				chmod +x $RESTOREPATH
-				echo "   Currently-running Configuration Saved to $RESTOREPATH"
-				run_user_exit save
-			    else
-			        rm -f ${VARDIR}/restore-$$
-				echo "   ERROR: Currently-running Configuration Not Saved" >&2
-			    fi
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -430,6 +489,10 @@ show_command() {
 			    option=
 			    shift
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -443,11 +506,15 @@ show_command() {
 	esac
     done
 
+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
     [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -481,10 +548,11 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
-	    show_tc
+	    shift
+	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
@@ -560,6 +628,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -585,6 +659,18 @@ show_command() {
 			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			fi
 
+			return
+			;;
+		    macro)
+			[ $# -ne 2 ] && usage 1
+			for directory in $(split $CONFIG_PATH); do
+			    if [ -f ${directory}/macro.$2 ]; then
+				echo "Shorewall $version Macro $2 at $HOSTNAME - $(date)"
+				cat ${directory}/macro.$2
+				return
+			    fi
+			done
+			echo "   WARNING: Macro $2 not found" >&2
 			return
 			;;
 		    macros)
@@ -673,6 +759,10 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -686,6 +776,8 @@ dump_command() {
 	esac
     done
 
+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
     [ $VERBOSE -lt 2 ] && VERBOSE=2
 
     [ -n "$debugging" ] && set -x
@@ -710,7 +802,10 @@ dump_command() {
     heading "Raw Table"
     $IPTABLES -t raw -L $IPT_OPTIONS
 
-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+    heading "Conntrack Table ($count out of $max)"
     [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"
@@ -924,6 +1019,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
+    if ! chain_exists dynamic; then
+	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	[ -n "$nolock" ] || mutex_off
+	exit 2
+    fi
+
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -1030,7 +1131,7 @@ add_command() {
     local interface host hostlist zone ipset
     if ! shorewall_is_started ; then
 	echo "Shorewall Not Started" >&2
-	exit 2;
+	exit 2
     fi
 
     case "$IPSET" in
@@ -1236,6 +1337,11 @@ allow_command() {
     [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
+	if ! chain_exists dynamic; then
+	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    exit 2
+	fi
+
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift

Shorewall/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall/modules

@@ -54,6 +54,8 @@ loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
 loadmodule xt_tcpmss
+loadmodule xt_IPMARK
+loadmodule xt_TPROXY
 #
 # Helpers
 #

Shorewall/shorewall

@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
-#          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
-#          shorewall dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#	   shorewall start 			   Starts the firewall
-#	   shorewall restart			   Restarts the firewall
-#	   shorewall stop			   Stops the firewall
-#	   shorewall status			   Displays firewall status
-#	   shorewall reset			   Resets iptables packet and
-#						   byte counts
-#	   shorewall clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall Lite system.
-#	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#          shorewall show actions                  Displays the available actions
-#	   shorewall show log			   Print the last 20 log messages
-#	   shorewall show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall show nat			   Display the rules in the nat table
-#	   shorewall show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall show tc			   Display traffic control info
-#	   shorewall show classifiers		   Display classifiers
-#          shorewall show capabilities             Display iptables/kernel capabilities
-#          shorewall show vardir                   Display the VARDIR setting.
-#	   shorewall version			   Display the installed version id
-#	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
-#	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#	   shorewall drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#          shorewall restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+#####################################################################################################
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -123,7 +33,6 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
-#
 get_config() {
     local prog
 
@@ -164,7 +73,7 @@ get_config() {
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -275,7 +184,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -453,6 +362,7 @@ compiler() {
     [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
     [ -n "$TIMESTAMP" ] && options="$options --timestamp"
     [ -n "$TEST" ] && options="$options --test"
+    [ -n "$PREVIEW" ] && options="$options --preview"
     [ "$debugging" = trace ] && options="$options --debug"
     [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
     #
@@ -733,6 +643,10 @@ check_command() {
 			    DEBUG=Yes;
 			    option=${option#d}
 			    ;;
+			r*)
+			    PREVIEW=Yes;
+			    option=${option#r}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1062,7 +976,7 @@ safe_commands() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if ${VARDIR}/.$command $command; then
+    if ${VARDIR}/.$command $debugging $command; then
 
 	echo -n "Do you want to accept the new firewall configuration? [y/n] "
 
@@ -1322,8 +1236,10 @@ reload_command() # $* = original arguments less the command.
 	    ensure_config_path
 	fi
 
+	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
     fi
@@ -1440,7 +1356,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
     echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1473,12 +1389,14 @@ usage() # $1 = exit status
     echo "   show config"
     echo "   show connections"
     echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
     echo "   show ip"
     echo "   show [ -m ] log"
+    echo "   show macro <macro>"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show tc"
+    echo "   show policies"
+    echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
@@ -1681,6 +1599,8 @@ FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 REFRESHCHAINS=
+RECOVERING=
+export RECOVERING
 
 for library in $LIBRARIES; do
     if [ -f $library ]; then
@@ -1840,6 +1760,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
+	    if ! chain_exists dynamic; then
+		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		exit 2
+	    fi
+
 	    [ -n "$nolock" ] || mutex_on
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
@@ -1852,6 +1777,11 @@ case "$COMMAND" in
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
+	    if ! chain_exists dynamic; then
+		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		exit 2
+	    fi
+
 	    [ -n "$nolock" ] || mutex_on
 	    block logdrop Dropped $*
 	    [ -n "$nolock" ] || mutex_off

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.0
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -77,6 +77,8 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
 %attr(0600,root,root) /etc/shorewall/Makefile
 
+%attr(0644,root,root) /etc/logrotate.d/shorewall
+
 %attr(0755,root,root) /sbin/shorewall
 
 %attr(0644,root,root) /usr/share/shorewall/version
@@ -104,8 +106,32 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
 - Made Perl a dependency
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }
 
 case $# in
@@ -51,7 +51,7 @@ esac
 
 while [ $timeout -gt 0 ]; do
     interface_is_up $1 && exit 0
-    sleep 1
+    /bin/sleep 1
     timeout=$(( $timeout - 1 ))
 done
 

Shorewall6-lite/default.debian

@@ -21,4 +21,9 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -15,9 +15,7 @@
 
 SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -219,6 +219,11 @@ mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 chmod 755 ${PREFIX}/etc/shorewall6-lite
 chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -303,6 +308,11 @@ cd ..
 
 echo "Man Pages Installed"
 
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
+fi
+
 #
 # Create the version file
 #

Shorewall6-lite/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall6-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall6-lite/shorewall6-lite

@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -417,6 +417,8 @@ USE_VERBOSITY=
 NOROUTES=
 EXPORT=
 export TIMESTAMP=
+RECOVERING=
+export RECOVERING
 noroutes=
 
 finished=0

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.0
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -70,6 +70,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall6-lite
 %attr(0700,root,root) %dir /var/lib/shorewall6-lite
 
+%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
+
 %attr(0755,root,root) /sbin/shorewall6-lite
 
 %attr(0644,root,root) /usr/share/shorewall6-lite/version
@@ -89,8 +91,32 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6/Makefile

@@ -14,4 +14,8 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
 	fi
 
+clean:
+	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+.PHONY: clean
+
 # EOF

Shorewall6/action.Drop

@@ -22,7 +22,7 @@
 #
 # Reject 'auth'
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -35,7 +35,7 @@ dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/DROP
+SMB(DROP)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/action.Reject

@@ -18,7 +18,7 @@
 #
 # Don't log 'auth' -- REJECT
 #
-Auth/REJECT
+Auth(REJECT)
 #
 # ACCEPT critical ICMP types
 #
@@ -32,7 +32,7 @@ dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB/REJECT
+SMB(REJECT)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {

Shorewall6/init.debian.sh

@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall6/wait4ifup
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-init.log
+test -n ${INITLOG:=/var/log/shorewall6-init.log}
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.0.1
+VERSION=4.5.4
 
 usage() # $1 = exit status
 {
@@ -234,6 +234,12 @@ mkdir -p ${PREFIX}/var/lib/shorewall6
 chmod 755 ${PREFIX}/etc/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
+
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -365,6 +371,26 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
     echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 
+#
+# Install the TC Interfaces file
+#
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
+fi
+
+#
+# Install the TC Priority file
+#
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
+fi
+
 #
 # Install the TOS file
 #
@@ -642,6 +668,11 @@ cd ..
 
 echo "Man Pages Installed"
 
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6

Shorewall6/lib.base

@@ -32,8 +32,8 @@
 #   by the compiler.
 #
 
-SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40310
+SHOREWALL_LIBVERSION=40503
+SHOREWALL_CAPVERSION=40503
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -260,7 +260,7 @@ reload_kernel_modules() {
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
     MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
@@ -296,7 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
     [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -696,8 +696,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
-    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
     CONNTRACK_MATCH=
     NEW_CONNTRACK_MATCH=
     OLD_CONNTRACK_MATCH=
@@ -724,6 +722,8 @@ determine_capabilities() {
     KLUDGEFREE=
     MARK=
     XMARK=
+    EXMARK=
+    TPROXY_TARGET=
     MANGLE_FORWARD=
     COMMENTS=
     ADDRTYPE=
@@ -747,6 +747,8 @@ determine_capabilities() {
 	exit 1
     fi
 
+    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     if ! $IP6TABLES -N $chain; then
@@ -822,6 +824,7 @@ determine_capabilities() {
 	if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then
 	    MARK=Yes
 	    qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
 	fi
 
 	if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then
@@ -831,6 +834,7 @@ determine_capabilities() {
 
 	qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $IP6TABLES -t mangle -F $chain
 	qt $IP6TABLES -t mangle -X $chain
 	qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@@ -853,7 +857,11 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
     qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -868,6 +876,7 @@ determine_capabilities() {
     qt $IP6TABLES -X $chain1
 
     CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
 
 report_capabilities() {
@@ -912,11 +921,13 @@ report_capabilities() {
 	report_capability "Repeat match" $KLUDGEFREE
 	report_capability "MARK Target" $MARK
 	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
 	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 	report_capability "Comments" $COMMENTS
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -925,6 +936,7 @@ report_capabilities() {
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "TPROXY Target" $TPROXY_TARGET
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -967,11 +979,13 @@ report_capabilities1() {
     report_capability1 KLUDGEFREE
     report_capability1 MARK
     report_capability1 XMARK
+    report_capability1 EXMARK
     report_capability1 MANGLE_FORWARD
     report_capability1 COMMENTS
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH
@@ -980,8 +994,10 @@ report_capabilities1() {
     report_capability1 GOTO_TARGET
     report_capability1 IPMARK_TARGET
     report_capability1 LOG_TARGET
+    report_capability1 TPROXY_TARGET
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION    
 }
 
 detect_gateway() # $1 = interface

Shorewall6/lib.cli

@@ -158,9 +158,13 @@ show_tc() {
 	fi
     }
 
-    ip -o link list | while read inx interface details; do
-	show_one_tc ${interface%:}
-    done
+    if [ $# -gt 0 ]; then
+	show_one_tc $1
+    else
+	ip -o link list | while read inx interface details; do
+	    show_one_tc ${interface%:}
+	done
+    fi
 
 }
 
@@ -244,6 +248,30 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 #
 # Save currently running configuration
 #
+do_save() {
+    local status
+    status=0
+
+    if [ -f ${VARDIR}/firewall ]; then
+	if $iptables_save > ${VARDIR}/restore-$$; then
+	    cp -f ${VARDIR}/firewall $RESTOREPATH
+	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
+	    chmod +x $RESTOREPATH
+	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    run_user_exit save
+	else
+	    rm -f ${VARDIR}/restore-$$
+	    echo "   ERROR: Currently-running Configuration Not Saved" >&2
+	    status=1
+	fi
+    else
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+	status=1
+    fi
+
+    return $status
+}
+
 save_config() {
 
     local result
@@ -266,24 +294,15 @@ save_config() {
 		*)
 		    validate_restorefile RESTOREFILE
 
-		    if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
-			echo "   Dynamic Rules Saved"
-			if [ -f ${VARDIR}/firewall ]; then
-			    if $iptables_save > ${VARDIR}/restore-$$; then
-				cp -f ${VARDIR}/firewall $RESTOREPATH
-				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-				chmod +x $RESTOREPATH
-				echo "   Currently-running Configuration Saved to $RESTOREPATH"
-				run_user_exit save
-			    else
-			        rm -f ${VARDIR}/restore-$$
-				echo "   ERROR: Currently-running Configuration Not Saved" >&2
-			    fi
+		    if chain_exists dynamic; then
+			if $IP6TABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
 			else
-			    echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
+		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
-		        echo "Error Saving the Dynamic Rules" >&2
+			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
@@ -383,6 +402,10 @@ show_command() {
 			    option=
 			    shift
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -396,11 +419,15 @@ show_command() {
 	esac
     done
 
+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
     [ -n "$debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$PRODUCT $version Connections ($count of $max) at $HOSTNAME - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -427,7 +454,7 @@ show_command() {
 	    packet_log 20
 	    ;;
 	tc)
-	    [ $# -gt 1 ] && usage 1
+	    [ $# -gt 2 ] && usage 1
 	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
 	    echo
 	    show_tc
@@ -505,6 +532,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall6 ]; then
 		case $1 in
@@ -602,6 +635,10 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -615,6 +652,8 @@ dump_command() {
 	esac
     done
 
+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
     [ $VERBOSE -lt 2 ] && VERBOSE=2
 
     [ -n "$debugging" ] && set -x
@@ -641,7 +680,10 @@ dump_command() {
     heading "Raw Table"
     $IP6TABLES -t raw -L $IPT_OPTIONS
 
-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+    heading "Conntrack Table ($count out of $max)"
     grep '^ipv6' /proc/net/nf_conntrack
 
     heading "IP Configuration"
@@ -673,8 +715,8 @@ dump_command() {
 
     show_routing
 
-    heading "ARP"
-    arp -na
+    heading "Neighbors"
+    ip -6 neigh ls
 
     if qt mywhich lsmod; then
 	heading "Modules"
@@ -860,6 +902,12 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     local finished
     finished=$2
 
+    if ! chain_exists dynamic; then
+	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	[ -n "$nolock" ] || mutex_off
+	exit 2
+    fi
+
     shift 3
 
     while [ $# -gt 0 ]; do
@@ -981,6 +1029,11 @@ allow_command() {
     [ -n "$debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
+	if ! chain_exists dynamic; then
+	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    exit 2
+	fi
+
 	[ -n "$nolock" ] || mutex_on
 	while [ $# -gt 1 ]; do
 	    shift

Shorewall6/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall6-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall6/modules

@@ -85,6 +85,7 @@ loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
 loadmodule cls_fw
+loadmodule cls_flow
 loadmodule act_police
 #
 # Extensions

Shorewall6/shorewall6

@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall6 help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
-#          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
-#          shorewall6 dump                         Dumps all Shorewall6-related information
-#                                                  for problem analysis
-#	   shorewall6 start 			   Starts the firewall
-#	   shorewall6 restart			   Restarts the firewall
-#	   shorewall6 stop			   Stops the firewall
-#	   shorewall6 status			   Displays firewall status
-#	   shorewall6 reset			   Resets ip6tables packet and
-#						   byte counts
-#	   shorewall6 clear			   Open the floodgates by
-#						   removing all ip6tables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall6 refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall6 [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall6 Lite system.
-#	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
-#          shorewall6 show actions                 Displays the available actions
-#	   shorewall6 show log			   Print the last 20 log messages
-#	   shorewall6 show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall6 show nat			   Display the rules in the nat table
-#	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall6 show tc			   Display traffic control info
-#	   shorewall6 show classifiers		   Display classifiers
-#          shorewall6 show capabilities            Display ip6tables/kernel capabilities
-#          shorewall6 show vardir                  Display the VARDIR setting.
-#	   shorewall6 version			   Display the installed version id
-#	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
-#	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
-#						    messages.
-#	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall6 allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall6 starts.
-#                                                  Save the current state so that 'shorewall6
-#                                                  restore' can be used.
-#
-#          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
-#
-#          shorewall6 restore [ <file> ]           Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall6 ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+################################################################################################
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -163,7 +73,7 @@ get_config() {
 
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -205,7 +115,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -369,6 +279,7 @@ compiler() {
     [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
     [ -n "$TIMESTAMP" ] && options="$options --timestamp"
     [ -n "$TEST" ] && options="$options --test"
+    [ -n "$PREVIEW" ] && options="$options --preview"
     [ "$debugging" = trace ] && options="$options --debug"
     [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
     [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
@@ -642,6 +553,10 @@ check_command() {
 			    PROFILE=Yes
 			    option=${option#p}
 			    ;;
+			r*)
+			    PREVIEW=Yes;
+			    option=${option#r}
+			    ;;
 			d*)
 			    DEBUG=Yes;
 			    option=${option#d}
@@ -1357,7 +1272,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
     echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1379,7 +1294,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"
@@ -1584,7 +1499,8 @@ fi
 FIREWALL=${VARDIR}/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
-REFRESHCHAINS=
+RECOVERING=
+export RECOVERING
 
 for library in $LIBRARIES; do
     if [ -f $library ]; then
@@ -1742,7 +1658,7 @@ case "$COMMAND" in
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    fatal_error "Shorewall6 is not started"
+	    fatal_error "$PRODUCT is not started"
 	fi
 	;;
     logdrop)

Shorewall6/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -117,7 +117,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -145,6 +145,27 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+###############################################################################
+# MARK Layout
+###############################################################################
+TC_BITS=
+
+MASK_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.0
-%define release 1
+%define version 4.5.4
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -69,6 +69,8 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall6/*
 %attr(0600,root,root) /etc/shorewall6/Makefile
 
+%attr(0644,root,root) /etc/logrotate.d/shorewall6
+
 %attr(0755,root,root) /sbin/shorewall6
 
 %attr(0644,root,root) /usr/share/shorewall6/version
@@ -93,8 +95,32 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-1
+* Fri Jan 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.4-0base
+* Mon Jan 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.5.3-0base
+* Wed Dec 30 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.2-0base
+* Sun Dec 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.1-0base
+* Tue Dec 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.5.0-0base
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall6/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall6-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE		TYPE	IN-BANDWIDTH
+