Update version

Fix 'routeback' in routestopped (again)
Fix 'routeback' in /etc/shorewall/routestopped
2009-10-03 11:42:39 -07:00 · 2009-10-03 11:40:38 -07:00 · 2009-10-03 10:05:53 -07:00 · 2009-10-02 07:36:09 -07:00 · 2009-10-01 15:02:14 -07:00 · 2009-10-01 12:34:34 -07:00
48 changed files with 2028 additions and 712 deletions
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.1
+%define version 4.4.2
 %define release 2

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,10 +98,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-2
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-1
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this colume:
+#			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,6 +304,100 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -47,6 +47,7 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
+		  map_old_actions

 		  %usedactions
 		  %default_actions
@@ -56,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -85,6 +86,8 @@ our %macros;

 our $family;

+our @builtins;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -111,6 +114,12 @@ sub initialize( $ ) {
    %actions         = ();
    %logactionchains = ();
    %macros          = ();
+
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
 }

 #
@@ -264,6 +273,34 @@ sub add_requiredby ( $$ ) {
    $actions{$requires}{requires}{$requiredby} = 1;
 }

+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
@@ -302,7 +339,7 @@ sub createlogactionchain( $$ ) {

    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;

-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {

 	my $file = find_file $chain;

@@ -328,7 +365,7 @@ sub createsimpleactionchain( $ ) {

    $logactionchains{"$action:none"} = $chainref;

-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {

 	my $file = find_file $action;

@@ -413,8 +450,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -476,10 +514,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {

    progress_message2 "Preprocessing Action Files...";
-
-    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
-	new_action $act;
-    }
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;

    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -515,7 +553,7 @@ sub process_actions1() {

 	    while ( read_a_line ) {

-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';

 		process_action1( $action, $wholetarget );

@@ -552,8 +590,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;

    my ( $action , $level ) = split_action $target;

@@ -571,7 +609,7 @@ sub process_action( $$$$$$$$$$ ) {

    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -584,8 +622,8 @@ sub process_action( $$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;

    my $nocomment = no_comment;

@@ -601,12 +639,14 @@ sub process_macro3( $$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );

 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}

 	if ( $mtarget eq 'COMMENT' ) {
@@ -620,8 +660,6 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	    next;
 	}

-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -662,8 +700,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;

-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
    }

    pop_open;
@@ -688,7 +727,7 @@ sub process_action3( $$$$$ ) {

    while ( read_a_line ) {

-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';

 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -712,9 +751,9 @@ sub process_action3( $$$$$ ) {
 	}

 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
    }

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -74,7 +74,6 @@ our %EXPORT_TAGS = (
 				       initialize_chain_table
 				       add_commands
 				       move_rules
-				       move_rules1
 				       insert_rule1
 				       purge_jump
 				       add_tunnel_rule
@@ -166,7 +165,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 #
 # Chain Table
@@ -247,6 +246,7 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
+our $idiotcount1;

 our $global_variables;

@@ -272,11 +272,11 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);

 #
-# Mode of the generator.
+# Mode of the emitter.
 #
-use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
-	       CAT_MODE  => 1 ,   # Generating iptables-restore input
-	       CMD_MODE  => 2 };  # Generating shell commands.
+use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
+	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
+	       CMD_MODE  => 2 };  # Emitting shell commands.

 our $mode;

@@ -356,6 +356,7 @@ sub initialize( $ ) {

    $global_variables   = 0;
    $idiotcount         = 0;
+    $idiotcount1        = 0;

 }

@@ -423,19 +424,16 @@ sub add_commands ( $$;@ ) {
 }

 sub push_rule( $$ ) {
-    my ($chainref, $rule) = @_;
+    my $chainref = $_[0];
+    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);

    $rule .= qq( -m comment --comment "$comment") if $comment;

    if ( $chainref->{cmdlevel} ) {
 	$rule =~ s/"/\\"/g; #Must preserve quotes in the rule
-	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
+	add_commands $chainref , qq(echo "$rule" >&3);
    } else {
-	#
-	# We omit the chain name for now -- this makes it easier to move rules from one
-	# chain to another
-	#
-	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
+	push @{$chainref->{rules}}, $rule;
 	$chainref->{referenced} = 1;
    }
 }
@@ -607,7 +605,7 @@ sub insert_rule1($$$)

    $rule .= "-m comment --comment \"$comment\"" if $comment;

-    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $rule ) );
+    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $chainref->{name}, $rule ) );

    $iprangematch = 0;

@@ -637,15 +635,18 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
-# The source chain must not have any run-time code included in its rules.
-#
 sub move_rules( $$ ) {
    my ($chain1, $chain2 ) = @_;

    if ( $chain1->{referenced} ) {
 	my @rules = @{$chain1->{rules}};
+	my $name  = $chain1->{name};
+	#
+	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
+	#
+	$name =~ s/\+/\\+/;

-	assert( /^-A/ ) for @rules;
+	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;

 	splice @{$chain2->{rules}}, 0, 0, @rules;

@@ -655,29 +656,6 @@ sub move_rules( $$ ) {
    }
 }

-#
-# Like above except it returns 0 if it can't move the rules
-#
-sub move_rules1( $$ ) {
-    my ($chain1, $chain2 ) = @_;
-
-    if ( $chain1->{referenced} ) {
-	my @rules = @{$chain1->{rules}};
-
-	for ( @rules ) {
-	    return 0 unless /^-A/;
-	}
-
-	splice @{$chain2->{rules}}, 0, 0, @rules;
-
-	$chain2->{referenced} = 1;
-	$chain1->{referenced} = 0;
-	$chain1->{rules}      = [];
-    }
-
-    1;
-}
-
 #
 # Transform the passed interface name into a legal shell variable name.
 #
@@ -940,15 +918,17 @@ sub ensure_filter_chain( $$ )

    my $chainref = ensure_chain 'filter', $chain;

-    if ( $populate and ! $chainref->{referenced} ) {
-	if ( $section eq 'NEW' or $section eq 'DONE' ) {
-	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
-	} elsif ( $section eq 'RELATED' ) {
-	    finish_chain_section $chainref , 'ESTABLISHED';
+    unless ( $chainref->{referenced} ) {
+	if ( $populate ) {
+	    if ( $section eq 'NEW' or $section eq 'DONE' ) {
+		finish_chain_section $chainref , 'ESTABLISHED,RELATED';
+	    } elsif ( $section eq 'RELATED' ) {
+		finish_chain_section $chainref , 'ESTABLISHED';
+	    }
 	}
-    }

-    $chainref->{referenced} = 1;
+	$chainref->{referenced} = 1;
+    }

    $chainref;
 }
@@ -965,9 +945,25 @@ sub ensure_accounting_chain( $  )
    if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in accounting rule" unless $chainref->{accounting};
    } else {
-	$chainref = new_chain 'filter' , $chain unless $chainref;
+	$chainref = new_chain 'filter' , $chain;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
+
+	if ( $chain ne 'accounting' ) {
+	    my $file = find_file $chain;
+
+	    if ( -f $file ) {
+		progress_message "Processing $file...";
+
+		my ( $level, $tag ) = ( '', '' );
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file"       unless $return;
+		}
+	    }
+	}
    }

    $chainref;
@@ -1042,7 +1038,6 @@ sub ensure_manual_chain($) {
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
-#
 sub initialize_chain_table()
 {
    if ( $family == F_IPV4 ) {
@@ -1069,15 +1064,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'dropBcast'       => BUILTIN  + ACTION,
-		    'allowBcast'      => BUILTIN  + ACTION,
-		    'dropNotSyn'      => BUILTIN  + ACTION,
-		    'rejNotSyn'       => BUILTIN  + ACTION,
-		    'dropInvalid'     => BUILTIN  + ACTION,
-		    'allowInvalid'    => BUILTIN  + ACTION,
-		    'allowinUPnP'     => BUILTIN  + ACTION,
-		    'forwardUPnP'     => BUILTIN  + ACTION,
-		    'Limit'           => BUILTIN  + ACTION,
 		   );

 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1119,12 +1105,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'dropBcast'       => BUILTIN  + ACTION,
-		    'allowBcast'      => BUILTIN  + ACTION,
-		    'dropNotSyn'      => BUILTIN  + ACTION,
-		    'rejNotSyn'       => BUILTIN  + ACTION,
-		    'dropInvalid'     => BUILTIN  + ACTION,
-		    'allowInvalid'    => BUILTIN  + ACTION,
 		   );

 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1551,12 +1531,14 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

 	my $limit = "-m hashlimit ";
+	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
+
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-burst $6 --hashlimit-name ";
+	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} else {
@@ -2481,7 +2463,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
-	    warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
+
+	    if ( $chainref->{table} eq 'nat' ) {
+		warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
+	    } else {
+		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
+	    }

 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';

@@ -2839,14 +2826,15 @@ sub expand_rule( $$$$$$$$$$;$ )
 }

 #
-# The following code generates the input to iptables-restore
+# The following code generates the input to iptables-restore from the contents of the
+# @rules arrays in the chain table entries.
 #
 # We always write the iptables-restore input into a file then pass the
 # file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain rules (begin with '-A') or shell source. We alternate between
+# table entry may contain both rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be passed to iptables-restore
 # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
@@ -2866,33 +2854,31 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $$ ) {
-    my ( $name, $rule ) = @_;
-
-    if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
-	#
-	# A rule
-	#
-	enter_cat_mode unless $mode == CAT_MODE;
-	emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
-    } else {
-	#
-	# A command
-	#
-	enter_cmd_mode unless $mode == CMD_MODE;
-	emit $rule;
+sub emitr( $ ) {
+    if ( my $rule = $_[0] ) {
+	if ( substr( $rule, 0, 2 ) eq '-A' ) {
+	    #
+	    # A rule
+	    #
+	    enter_cat_mode unless $mode == CAT_MODE;
+	    emit_unindented $rule;
+	} else {
+	    #
+	    # A command
+	    #
+	    enter_cmd_mode unless $mode == CMD_MODE;
+	    emit $rule;
+	}
    }
 }

 #
 # Simple version that only handles rules
 #
-sub emitr1( $$ ) {
-    my ( $name, $rule ) = @_;
+sub emitr1( $ ) {
+    my $rule = $_[0];

-    assert( substr( $rule, 0, 2 ) eq '-A' );
-
-    emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
+    emit_unindented $rule;
 }

 #
@@ -2968,7 +2954,7 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} );
+	    emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
 	}
 	#
 	# Commit the changes to the table
@@ -3077,7 +3063,7 @@ sub create_chainlist_reload($) {
 		#
 		# Emit the chain rules
 		#
-		emitr $chain, $_ for ( grep defined $_, @rules );
+		emitr $_ for ( grep defined $_, @rules );
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3182,7 +3168,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $chainref->{name}, $_ for @{$chainref->{rules}};
+	    emitr1 $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 our $export;

@@ -589,8 +589,6 @@ sub compiler {
    #
    get_configuration( $export );

-    initialize_chain_table;
-
    report_capabilities;

    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@@ -604,6 +602,11 @@ sub compiler {
    } else {
 	set_command( 'check', 'Checking', 'Checked' );
    }
+    #
+    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
+    # shorewall.conf has been processed and the capabilities have been determined.
+    #
+    initialize_chain_table;

    #
    # Allow user to load Perl modules
@@ -783,8 +786,8 @@ sub compiler {

 	enable_object;
 	#
-	#                                    I N I T I A L I Z E
-	#                  (Writes the initialize() function to the compiled script)
+	#                             I N I T I A L I Z E
+	#           (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -792,20 +795,17 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
-    } else {
-	enable_object;
-    }
-    #                               S T O P _ F I R E W A L L
-    #             (Writes the stop_firewall() function to the compiled script)
-    #
-    # We must reinitialize Shorewall::Chains before generating the iptables-restore input
-    # for stopping the firewall
-    #
-    Shorewall::Chains::initialize( $family );
-    initialize_chain_table;
-    compile_stop_firewall( $test );
-    
-    if ( $objectfile ) {
+	#
+	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
+	# for stopping the firewall
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+	#
+	#                           S T O P _ F I R E W A L L
+	#         (Writes the stop_firewall() function to the compiled script)
+	#
+	compile_stop_firewall( $test );
 	#
 	# Copy the footer to the object
 	#
@@ -827,6 +827,18 @@ sub compiler {
 	#
 	enable_object, generate_aux_config if $export;
    } else {
+	#
+	# Re-initialize the chain table so that process_routestopped() has the same
+	# environment that it would when called by compile_stop_firewall().
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+	#
+	# compile_stop_firewall() also validates the routestopped file. Since we don't
+	# call that function during 'check', we must validate routestopped here.
+	#
+	process_routestopped;
+
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
 	} else {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
+		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@@ -327,8 +328,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.1.2",
-		    CAPVERSION => 40401 ,
+		    VERSION => "4.4.2.2",
+		    CAPVERSION => 40402 ,
 		  );

    #
@@ -566,7 +567,7 @@ sub initialize( $ ) {
 			 NONE    => '',
 			 NFLOG   => 'NFLOG',
 		         LOGMARK => 'LOGMARK' );
-	}
+    }
    #
    # From parsing the capabilities file
    #
@@ -614,6 +615,7 @@ sub initialize( $ ) {
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
+	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
 	       );
    #
@@ -1592,11 +1594,16 @@ sub read_a_line() {
 	    #
 	    s/^\s*// if $currentline =~ /[,:]$/;
 	    #
+	    # If this isn't a continued line, remove trailing comments. Note that
+	    # the result may now end in '\'.
+	    #
+	    s/\s*#.*$// unless /\\$/;
+	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
 	    #
-	    # Remove Trailing Comments -- result might be a blank line
+	    # Now remove concatinated comments
 	    #
 	    $currentline =~ s/#.*$//;
 	    #
@@ -2022,6 +2029,15 @@ sub determine_capabilities( $ ) {
    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
    $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );

+    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+
+    if ( $capabilities{HASHLIMIT_MATCH} ) {
+	$capabilities{OLD_HL_MATCH} = '';
+    } else {
+	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
+    }
+
    if  ( $capabilities{MANGLE_ENABLED} ) {
 	qt1( "$iptables -t mangle -N $sillyname" );

@@ -2066,7 +2082,6 @@ sub determine_capabilities( $ ) {
    $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
    $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
    $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
-    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
    $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
    $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
    $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
@@ -2246,6 +2261,14 @@ sub unsupported_yes_no( $ ) {
    fatal_error "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }

+sub unsupported_yes_no_warning( $ ) {
+    my $option = shift;
+
+    default_yes_no $option, '';
+
+    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
+}
+
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2345,14 +2368,14 @@ sub get_configuration( $ ) {
    default_yes_no 'BLACKLISTNEWONLY'           , '';
    default_yes_no 'DISABLE_IPV6'               , '';

-    unsupported_yes_no 'DYNAMIC_ZONES';
-    unsupported_yes_no 'BRIDGING';
-    unsupported_yes_no 'SAVE_IPSETS';
-    unsupported_yes_no 'MAPOLDACTIONS';
-    unsupported_yes_no 'RFC1918_STRICT';
+    unsupported_yes_no_warning 'DYNAMIC_ZONES';
+    unsupported_yes_no         'BRIDGING';
+    unsupported_yes_no_warning 'SAVE_IPSETS';
+    unsupported_yes_no_warning 'RFC1918_STRICT';

    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
+    default_yes_no 'MAPOLDACTIONS'              , 'Yes';

    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 our @addresses_to_add;
 our %addresses_to_add;
@@ -104,7 +104,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $origaddresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -208,9 +208,7 @@ sub process_one_masq( )
 	#
 	# Parse the ADDRESSES column
 	#
-	if ( $origaddresses ne '-' ) {
-	    my $addresses = $origaddresses;
-
+	if ( $addresses ne '-' ) {
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
@@ -228,7 +226,7 @@ sub process_one_masq( )
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
 				      '',
-				      qq(if [ "$variable" != 0.0.0.0 ]; then) );
+				      "if [ \"$variable\" != 0.0.0.0 ]; then" );
 			incr_cmd_level( $chainref );
 			$detectaddress = 1;
 		    }
@@ -241,7 +239,7 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
@@ -286,7 +284,7 @@ sub process_one_masq( )
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-	    for my $address ( split_list $origaddresses, 'address' ) {
+	    for my $address ( split_list $addresses, 'address' ) {
 		my ( $addrs, $port ) = split /:/, $address;
 		next unless $addrs;
 		next if $addrs eq 'detect';
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -455,10 +455,10 @@ sub add_a_provider( ) {
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
    }

@@ -864,12 +864,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }

-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcpre //;

 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }

@@ -896,12 +896,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }

-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcout //;

 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -40,11 +40,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
+		  process_routestopped
 		  generate_matrix
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';

 #
 # Set to one if we find a SECTION
@@ -329,6 +330,8 @@ sub process_routestopped() {
 	}

 	unless ( $options eq '-' ) {
+	    my $chainref = $filter_table->{FORWARD};
+
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
@@ -340,7 +343,7 @@ sub process_routestopped() {
 			    my $source = match_source_net $host;
 			    my $dest   = match_dest_net   $host;

-			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
+			    add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
 			    clearrule;
 			}
 		    }
@@ -776,6 +779,9 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
    } else {
+	#
+	# Phase II
+	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -848,12 +854,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);

 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
 	}

 	if ( $mtarget eq 'COMMENT' ) {
@@ -867,8 +874,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}

-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	$mtarget = merge_levels $target, $mtarget;

 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -914,15 +919,15 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      $mtarget,
 		      $msource,
 		      $mdest,
-		      merge_macro_column( $mproto,    $proto ) ,
-		      merge_macro_column( $mports,    $ports ) ,
-		      merge_macro_column( $msports,   $sports ) ,
-		      merge_macro_column( $morigdest, $origdest ) ,
-		      merge_macro_column( $mrate,     $rate ) ,
-		      merge_macro_column( $muser,     $user ) ,
-		      $mark,
-		      $connlimit,
-		      $time,
+		      merge_macro_column( $mproto,     $proto ) ,
+		      merge_macro_column( $mports,     $ports ) ,
+		      merge_macro_column( $msports,    $sports ) ,
+		      merge_macro_column( $morigdest,  $origdest ) ,
+		      merge_macro_column( $mrate,      $rate ) ,
+		      merge_macro_column( $muser,      $user ) ,
+		      merge_macro_column( $mmark,      $mark ) ,
+		      merge_macro_column( $mconnlimit, $connlimit) ,
+		      merge_macro_column( $mtime,      $time ),
 		      $wildcard
 		     );

@@ -959,6 +964,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    #
    my $actiontype = $targets{$basictarget} || find_macro( $basictarget );

+    if ( $config{ MAPOLDACTIONS } ) {
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless ( $actiontype || $param );
+    }
+
    fatal_error "Unknown action ($action)" unless $actiontype;

    if ( $actiontype == MACRO ) {
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,18 +1,44 @@
-Changes in Shorewall 4.4.1.3
+Changes in Shorewall 4.4.2.2

-1)  Process routestopped during 'check'
+1)  Another fix for 'routeback' in routestopped.

-2)  Apply Jesse Shrieve's patch for SNAT range.
+Changes in Shorewall 4.4.2.1

-Changes in Shorewall 4.4.1.2
+1)  Fix 'routeback' in routestopped.

-1)  Re-initialize chain table before generating 'stop_firewall()'
+Changes in Shorewall 4.4.2

-Changes in Shorewall 4.4.1.1
+1)  BUGFIX: Correct detection of Persistent SNAT support

-1)  Fixed detection of Persistent SNAT
+2)  BUGFIX: Fix chain table initialization

-2)  Fix compiler initialization fiasco.
+3)  BUGFIX: Validate routestopped file on 'check'
+
+4)  Let the Actions module add the builtin actions to
+    %Shorewall::Chains::targets. Much better modularization that way.
+
+5)  Some changes to make Lenny->Squeeze less painful.
+
+6)  Allow comments at the end of continued lines.
+
+7)  Call process_routestopped() during 'check' rather than
+    'compile_stop_firewall()'.
+
+8)  Don't look for an extension script for built-in actions.
+
+9)  Apply Jesse Shrieve's patch for SNAT range.
+
+10) Add -<family> to 'ip route del default' command.
+
+11) Add three new columns to macro body.
+
+12) Change 'wait4ifup' so that it requires no PATH
+
+13) Allow extension scripts for accounting chains.
+
+14) Allow per-ip LIMIT to work on ancient iptables releases.
+
+15) Add 'MARK' column to action body.

 Changes in Shorewall 4.4.1

@@ -63,7 +89,7 @@ Changes in Shorewall 4.4.0

 5)  Fix 'upnpclient' with required interfaces.

-5)  Fix provider number in masq file.
+6)  Fix provider number in masq file.

 Changes in Shorewall 4.4.0-RC2

--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
@@ -453,6 +453,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
+# Install the findgw file
+#
+run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
+    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
+fi
+#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -783,6 +792,11 @@ cd ..

 echo "Man Pages Installed"

+if [ -z "$PREFIX" ]; then
+    rm -rf /usr/share/shorewall-perl
+    rm -rf /usr/share/shorewall-shell
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,22 +1,16 @@
-1)  The compiler's detection of Persistent SNAT support is broken.
+1)  'shorewall check' produces an internal error if 'routeback' appears
+    in /etc/shorewall/routestopped.

-    Fixed in Shorewall 4.4.1.1
+    You can work around this problem by using 'source' rather than
+    'routeback'.

-2)  Initialization of the compiler's chain table was broken in ways
-    that prevented some features from working.
+    Corrected in Shorewall 4.4.2.1.

-    Fixed in Shorewall 4.4.1.1
+2)  'routestopped' appearing in /etc/shorewall/routestopped doesn't
+    work (routeback traffic is not allowed).

-3)  Initialization of the compiler's chain table was still broken.
+    You can work around this problem by using 'source' rather than
+    'routeback'.

-    Fixed in Shorewall 4.4.1.2.
-
-4)  It is currently not possible to specify an address range in the
-    ADDRESS column of /etc/shorewall/masq.
-
-    Fixed in Shorewall 4.4.1.3.
-
-5)  The routestopped file is not being verified by 'shorewall check'.
-
-    Fixed in Shorewall 4.4.1.3.
+    Corrected in Shorewall 4.4.2.2.

--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -30,7 +30,7 @@
 #

 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40402

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -945,7 +945,11 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1011,6 +1015,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1069,6 +1074,7 @@ report_capabilities1() {
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.4.1 patch release 3
+Shorewall 4.4.2 Patch Release 1.

 ----------------------------------------------------------------------------
               R E L E A S E  4 . 4  H I G H L I G H T S
@@ -66,10 +66,9 @@ Shorewall 4.4.1 patch release 3
       WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                support has been removed in this release.

-    b) Review the incompatibilities between Shorewall-shell and
-       Shorewall-perl at
-       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
-       and make changes to your configuration as necessary.
+    b) Review the migration issues at
+       http://www.shorewall.net/LennyToSqueeze.html and make changes as
+       required.

    We strongly recommend that you migrate to Shorewall-perl on your
    current Shorewall version before upgrading to Shorewall 4.4.0. That
@@ -105,7 +104,7 @@ Shorewall 4.4.1 patch release 3
             starts/restarts

    To avoid this warning, replace interface names by the corresponding
-    network addresses (e.g., 192.168.144.0/24).
+    network(s) in CIDR format (e.g., 192.168.144.0/24).

 6)  Previously, Shorewall has treated traffic shaping class IDs as
    decimal numbers (or pairs of decimal numbers). That worked fine
@@ -171,62 +170,71 @@ Shorewall 4.4.1 patch release 3
    then it may have no additional members in /etc/shorewall/hosts.

 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 3
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 2
 ----------------------------------------------------------------------------
-1)  The routestopped file wasn't verified during 'shorewall check' and
-    'shorewall6 check'.

-2)  Previously, it was not possible to specify an IP address range in
+1)  'routeback' in /etc/shorewall/routestopped was ineffective.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 1
+----------------------------------------------------------------------------
+
+1)  'shorewall check' produced an internal error if 'routeback' was
+    specified in /etc/shorewall/routestopped.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of Persistent SNAT was broken in the rules compiler. 
+
+2)  Initialization of the compiler's chain table was occurring before 
+    shorewall.conf had been read and before the capabilities had been
+    determined. This could lead to incorrect rules and Perl runtime
+    errors.
+
+3)  The 'shorewall check' command previously did not detect errors in
+    /etc/shorewall/routestopped.
+
+4)  In earlier versions, if a file with the same name as a built-in
+    action were present in the CONFIG_PATH, then the compiler would
+    process that file like it was an extension script.
+
+    The compiler now ignores the presence of such files.
+
+5)  Several configuration issues which previously produced an error or
+    warning are now handled differently.
+
+    a)  MAPOLDACTIONS=Yes and MAPOLDACTIOSN= in shorewall.conf are now
+        handled as they were by the old shell-based compiler. That is,
+        they cause pre-3.0 built-in actions to be mapped automatically
+        to the corresponding macro invocation.
+
+    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
+        warning.
+
+    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+    d)  RFC1918_STRICT=Yes no loger produces a fatal error -- it is now
+        a warning.
+
+6)  Previously, it was not possible to specify an IP address range in
    ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee Shrieve
    for the patch.

----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
----------------------------------------------------------------------------
-1)  The compiler's chain table was not being re-initialized prior to
-    creating the stop_firewall() function, resulting in Perl run-time
-    errors.
----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
----------------------------------------------------------------------------
-1)  Detection of Persistent SNAT support was broken in the compiler.
+7)  The 'wait4ifup' script included for Debian compatibility now runs
+    correctly with no PATH.

-2)  Initialization of the compiler's chain table was broken in ways
-    that made some features not work and that caused Perl runtime errors.
+8)  The new per-IP LIMIT feature now works with ancient iptables
+    releases (e.g., 1.3.5 as found on RHEL 5). This change required
+    testing for an additional capability which means that those who use
+    a capabilities file should regenerate that file after installing
+    4.4.2.

----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
----------------------------------------------------------------------------
-
-1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains would still use the
-    LOG target rather than ULOG.
-
-2)  Using CONTINUE policies with a nested IPSEC zone was still broken
-    in some cases.
-
-3)  The setting of IP_FORWARDING has been change to Off in the
-    one-interface sample configuration since forwarding is typically
-    not required with only a single interface.
-
-4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
-    incorrectly exempted from ACCEPT policies.
-
-5)  Previously, the definition of a zone that specified "nets=" in
-    /etc/shorewall/interfaces could not be extended by entries in
-    /etc/shorewall/hosts.
-
-6)  Previously, "nets=" could be specified in a multi-zone interface
-    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    now raises a fatal compilation error.
-
-7)  MULTICAST=Yes generates an incorrect rule that limits its
-    effectiveness to a small part of the multicast address space.
-
-8)  Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
+9)  One unintended difference between Shorewall-shell and
+    Shorewall-perl was that Shorewall-perl did not support the MARK
+    column in action bodies. This has been corrected.

 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
@@ -235,66 +243,41 @@ Shorewall 4.4.1 patch release 3
 None.

 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 1
+                N E W   F E A T U R E S   I N   4 . 4 . 2
 ----------------------------------------------------------------------------

-1)  To replace the SAME keyword in /etc/shorewall/masq, support has
-    been added for 'persistent' SNAT. Persistent SNAT is required when
-    an address range is specified in the ADDRESS column and when you
-    want a client to always receive the same source/destination IP
-    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+1)  Prior to this release, line continuation has taken precedence over 
+    #-style comments. This prevented us from doing the following:

-    To specify persistence, follow the address range with
-    ":persistent".
+    	    ACCEPT    net:206.124.146.176,\   #Gateway
+	    	          206.124.146.177,\   #Mail
+			  206.124.146.178\    #Server
+			  		      ...
+    
+    Now, unless a line ends with '\', any trailing comment is stripped
+    off (including any white-space preceding the '#'). Then if the line
+    ends with '\', it is treated as a continuation line as normal.

-    Example:
+2)  Three new columns have been added to FORMAT-2 macro bodies.

-    #INTERFACE	SOURCE	   ADDRESS
-    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+    	  MARK
+	  CONNLIMIT
+	  TIME

-    This feature requires Persistent SNAT support in your kernel and
-    iptables. 
+    These three columns correspond to the similar columns in
+    /etc/shorewall/rules and must be empty in macros invoked from an
+    action.

-    If you use a capabilities file, you will need to create a new one
-    as a result of this feature.
+3)  Accounting chains may now have extension scripts. Simply place your
+    Perl script in the file /etc/shorewall/<chain> and when the
+    accounting chain named <chain> is created, your script will be
+    invoked.

-    WARNING: Linux kernels beginning with 2.6.29 include persistent
-    SNAT support. If your iptables supports persistent SNAT but your
-    kernel does not, there is no way for Shorewall to determine that
-    persistent SNAT isn't going to work. The kernel SNAT code blindly
-    accepts all SNAT flags without verifying them and returns them to
-    iptables when asked.
-
-2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~). 
-
-3)  The meaning of 'full' has been redefined when used in the context
-    of a traffic shaping sub-class. Previously, 'full' always meant the
-    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
-    that definition is awkward to use because the sub-class is limited
-    by the parent class.
-
-    Beginning with this release, 'full' in a sub-class definition
-    refers to the specified rate defined for the parent class. So
-    'full' used in the RATE column refers to the parent class's RATE;
-    when used in the CEIL column, 'full' refers to the parent class's
-    CEIL.
-
-    As part of this change, the compiler now issues a warning if the
-    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
-    the device. Similarly, a warning is issued if the sum of the RATEs
-    of a class's sub-classes exceeds the rate of the CLASS.
-
-4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
-    /etc/shorewall/interfaces, multicast traffic will now be sent to
-    the zone along with limited broadcasts.
-
-5)  A flaw in the parsing logic for the zones file allowed most zone
-    types containing the character string 'ip' to be accepted as a
-    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+    As usual, the variable $chainref will contain a reference to the
+    chain's table entry.

 ----------------------------------------------------------------------------
-                 N E W   F E A T U R E S   I N   4 . 4
+                N E W   F E A T U R E S   I N   4 . 4 . 0
 ----------------------------------------------------------------------------

 1)  The Shorewall packaging has been completely revamped in Shorewall
@@ -942,3 +925,96 @@ None.
    the iptables utility is discovered using the PATH setting, then
    ip6tables in the same directory as the discovered iptables will be
    used.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains would still use the
+    LOG target rather than ULOG.
+
+2)  Using CONTINUE policies with a nested IPSEC zone was still broken
+    in some cases.
+
+3)  The setting of IP_FORWARDING has been change to Off in the
+    one-interface sample configuration since forwarding is typically
+    not required with only a single interface.
+
+4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
+    incorrectly exempted from ACCEPT policies.
+
+5)  Previously, the definition of a zone that specified "nets=" in
+    /etc/shorewall/interfaces could not be extended by entries in
+    /etc/shorewall/hosts.
+
+6)  Previously, "nets=" could be specified in a multi-zone interface
+    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
+    now raises a fatal compilation error.
+
+7)  MULTICAST=Yes generates an incorrect rule that limits its
+    effectiveness to a small part of the multicast address space.
+
+8)  Checking for zone membership has been tighened up. Previously, 
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
+    then it may have no additional members in /etc/shorewall/hosts.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  To replace the SAME keyword in /etc/shorewall/masq, support has
+    been added for 'persistent' SNAT. Persistent SNAT is required when
+    an address range is specified in the ADDRESS column and when you
+    want a client to always receive the same source/destination IP
+    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+
+    To specify persistence, follow the address range with
+    ":persistent".
+
+    Example:
+
+    #INTERFACE	SOURCE	   ADDRESS
+    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+
+    This feature requires Persistent SNAT support in your kernel and
+    iptables. 
+
+    If you use a capabilities file, you will need to create a new one
+    as a result of this feature.
+
+    WARNING: Linux kernels beginning with 2.6.29 include persistent
+    SNAT support. If your iptables supports persistent SNAT but your
+    kernel does not, there is no way for Shorewall to determine that
+    persistent SNAT isn't going to work. The kernel SNAT code blindly
+    accepts all SNAT flags without verifying them and returns them to
+    iptables when asked.
+
+2)  A 'clean' target has been added to the Makefiles. It removes backup
+    files (*~ and .*~). 
+
+3)  The meaning of 'full' has been redefined when used in the context
+    of a traffic shaping sub-class. Previously, 'full' always meant the
+    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
+    that definition is awkward to use because the sub-class is limited
+    by the parent class.
+
+    Beginning with this release, 'full' in a sub-class definition
+    refers to the specified rate defined for the parent class. So
+    'full' used in the RATE column refers to the parent class's RATE;
+    when used in the CEIL column, 'full' refers to the parent class's
+    CEIL.
+
+    As part of this change, the compiler now issues a warning if the
+    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
+    the device. Similarly, a warning is issued if the sum of the RATEs
+    of a class's sub-classes exceeds the rate of the CLASS.
+
+4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
+    /etc/shorewall/interfaces, multicast traffic will now be sent to
+    the zone along with limited broadcasts.
+
+5)  A flaw in the parsing logic for the zones file allowed most zone
+    types containing the character string 'ip' to be accepted as a
+    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
-#          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
-#          shorewall dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#	   shorewall start 			   Starts the firewall
-#	   shorewall restart			   Restarts the firewall
-#	   shorewall stop			   Stops the firewall
-#	   shorewall status			   Displays firewall status
-#	   shorewall reset			   Resets iptables packet and
-#						   byte counts
-#	   shorewall clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall Lite system.
-#	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#          shorewall show actions                  Displays the available actions
-#	   shorewall show log			   Print the last 20 log messages
-#	   shorewall show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall show nat			   Display the rules in the nat table
-#	   shorewall show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall show tc			   Display traffic control info
-#	   shorewall show classifiers		   Display classifiers
-#          shorewall show capabilities             Display iptables/kernel capabilities
-#          shorewall show vardir                   Display the VARDIR setting.
-#	   shorewall version			   Display the installed version id
-#	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
-#	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#	   shorewall drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#          shorewall restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+#####################################################################################################
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -123,7 +33,6 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
-#
 get_config() {
    local prog

@@ -275,7 +184,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.1
+%define version 4.4.2
 %define release 2

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -104,10 +104,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-2
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-1
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall/wait4ifup
+++ b/Shorewall/wait4ifup
@@ -33,7 +33,7 @@
 #

 interface_is_up() {
-    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }

 case $# in
@@ -51,7 +51,7 @@ esac

 while [ $timeout -gt 0 ]; do
    interface_is_up $1 && exit 0
-    sleep 1
+    /bin/sleep 1
    timeout=$(( $timeout - 1 ))
 done

--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.1
+%define version 4.4.2
 %define release 2

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -89,10 +89,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-2
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-1
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40402

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -853,7 +853,11 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
    qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -917,6 +921,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -972,6 +977,7 @@ report_capabilities1() {
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall6 help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
-#          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
-#          shorewall6 dump                         Dumps all Shorewall6-related information
-#                                                  for problem analysis
-#	   shorewall6 start 			   Starts the firewall
-#	   shorewall6 restart			   Restarts the firewall
-#	   shorewall6 stop			   Stops the firewall
-#	   shorewall6 status			   Displays firewall status
-#	   shorewall6 reset			   Resets ip6tables packet and
-#						   byte counts
-#	   shorewall6 clear			   Open the floodgates by
-#						   removing all ip6tables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall6 refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall6 [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall6 Lite system.
-#	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
-#          shorewall6 show actions                 Displays the available actions
-#	   shorewall6 show log			   Print the last 20 log messages
-#	   shorewall6 show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall6 show nat			   Display the rules in the nat table
-#	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall6 show tc			   Display traffic control info
-#	   shorewall6 show classifiers		   Display classifiers
-#          shorewall6 show capabilities            Display ip6tables/kernel capabilities
-#          shorewall6 show vardir                  Display the VARDIR setting.
-#	   shorewall6 version			   Display the installed version id
-#	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
-#	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
-#						    messages.
-#	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall6 allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall6 starts.
-#                                                  Save the current state so that 'shorewall6
-#                                                  restore' can be used.
-#
-#          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
-#
-#          shorewall6 restore [ <file> ]           Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall6 ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+################################################################################################
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -205,7 +115,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.1
+%define version 4.4.2
 %define release 2

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -93,10 +93,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-2
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-1
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.2.2

 usage() # $1 = exit status
 {
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -193,17 +193,6 @@ ACCEPT   -              -               tcp     135,139,445
        action begins with a capital letter; that way, the name won't conflict
        with a Shorewall-defined chain name.</para>

-        <para>The name of the action may be optionally followed by a colon
-        (<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
-        named action will become the <emphasis>default action</emphasis> for
-        policies of type ACCEPT, DROP or REJECT, respectively. The default
-        action is applied immediately before the policy is enforced (before
-        any logging is done under that policy) and is used mainly to suppress
-        logging of uninteresting traffic which would otherwise clog your logs.
-        The same policy name can appear in multiple actions; the last such
-        action for each policy name is the one which Shorewall will
-        use.</para>
-
        <para>Shorewall includes pre-defined actions for DROP and REJECT --
        see above.</para>
      </listitem>
@@ -246,8 +235,8 @@ ACCEPT   -              -               tcp     135,139,445
        <para>You may also use a <ulink url="Macros.html">macro</ulink> in
        your action provided that the macro's expansion only results in the
        ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-        <filename>/usr/share/shorewall/Drop</filename> for an example of an
-        action that users macros extensively.</para>
+        <filename>/usr/share/shorewall/action.Drop</filename> for an example
+        of an action that users macros extensively.</para>
      </listitem>

      <listitem>
@@ -506,74 +495,6 @@ ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
    </orderedlist>
-
-    <para>If you define an action <quote>acton</quote> and you have an
-    <filename>/etc/shorewall/acton</filename> script, when that script is
-    invoked, the following three variables will be set for use by the
-    script:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>$CHAIN = the name of the chain where your rules are to be
-        placed. When logging is used on an action invocation, Shorewall
-        creates a chain with a slightly different name from the action
-        itself.</para>
-      </listitem>
-
-      <listitem>
-        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
-      </listitem>
-
-      <listitem>
-        <para>$TAG = Log Tag.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Example:</para>
-
-    <para><filename>/etc/shorewall/rules</filename>:</para>
-
-    <programlisting>#ACTION          SOURCE           DEST
-acton:info:test  $FW              net</programlisting>
-
-    <para>Your <filename>/etc/shorewall/acton</filename> file will be run
-    with:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>$CHAIN=<quote>%acton1</quote></para>
-      </listitem>
-
-      <listitem>
-        <para>$LEVEL=<quote>info</quote></para>
-      </listitem>
-
-      <listitem>
-        <para>$TAG=<quote>test</quote></para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Shorewall-perl sets lexical variables as follows:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><emphasis role="bold">$chainref</emphasis> is a reference to the
-        chain-table entry for the chain where your rules are to be
-        placed.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">$level</emphasis> is the log level. If
-        false, no logging was specified.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>For an example of how to use these variablesl, see <ulink
-    url="PortKnocking.html">this article</ulink>.</para>
  </section>

  <section id="Extension">
@@ -591,6 +512,29 @@ acton:info:test  $FW              net</programlisting>
    <example id="Example">
      <title>An action to drop all broadcast packets</title>

+      <para>If you define an action <quote>acton</quote> and you have an
+      <filename>/etc/shorewall/acton</filename> script, the rules compiler
+      sets lexical variables as follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><emphasis role="bold">$chainref</emphasis> is a reference to
+          the chain-table entry for the chain where your rules are to be
+          placed.</para>
+        </listitem>
+
+        <listitem>
+          <para><emphasis role="bold">$level</emphasis> is the log level. If
+          false, no logging was specified.</para>
+        </listitem>
+
+        <listitem>
+          <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Example:</para>
+
      <para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>

      <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -208,7 +208,8 @@
            <entry><ulink url="Multiple_Zones.html"><ulink
            url="OPENVPN.html">OpenVPN</ulink></ulink></entry>

-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
          </row>

          <row>
@@ -218,7 +219,7 @@

            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>

-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>

          <row>
@@ -227,8 +228,7 @@
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>

-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
          </row>

          <row>
@@ -238,8 +238,8 @@
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>

-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
          </row>

          <row>
@@ -250,8 +250,8 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>

-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
          </row>

          <row>
@@ -260,7 +260,8 @@

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
          </row>

          <row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -683,6 +683,15 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
          <para>Using this technique, you will want to configure your
          DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
          time that you get a new IP address.</para>
+
+          <note>
+            <para>For optional interfaces, use the function <emphasis
+            role="bold">find_first_interface_address_if_any()</emphasis>
+            rather than <emphasis
+            role="bold">find_first_interface_address()</emphasis>. The former
+            will return 0.0.0.0 if the interface has no configured IP address;
+            the latter terminates the calling program.</para>
+          </note>
        </listitem>
      </itemizedlist>

@@ -802,6 +811,15 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
          save</command> and <command>shorewall[-lite]
          restore</command></ulink>.</para>
        </warning>
+
+        <note>
+          <para>For optional interfaces, use the function <emphasis
+          role="bold">find_first_interface_address_if_any()</emphasis> rather
+          than <emphasis
+          role="bold">find_first_interface_address()</emphasis>. The former
+          will return 0.0.0.0 if the interface has no configured IP address;
+          the latter terminates the calling program.</para>
+        </note>
      </section>

      <section id="faq2c">
@@ -1972,6 +1990,35 @@ iptables: Invalid argument
      <filename><ulink
      url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
    </section>
+
+    <section id="faq86">
+      <title>(FAQ 86) My distribution (Ubuntu) uses NetworkManager to manage
+      my interfaces. I want to specify the upnpclient option for my interfaces
+      which requires them to be up and configured when Shorewall starts but
+      Shorewall is being started before NetworkManager.</title>
+
+      <para>Answer: I faced a similar problem which I solved as
+      follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Don't start Shorewall at boot time (Debian and Ubuntu users
+          may simply set startup=0 in
+          <filename>/etc/default/shorewall</filename>).</para>
+        </listitem>
+
+        <listitem>
+          <para>In <filename>/etc/network/ip-up.d</filename>, I added a
+          <filename>shorewall</filename> script as follows:</para>
+
+          <programlisting>#!/bin/sh
+
+shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall if it isn't already running</programlisting>
+
+          <para>Be sure to secure the script for execute access.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
  </section>

  <section id="MultiISP">
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -212,8 +212,8 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
    for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts
    192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis>
    as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that
-    192.168.0.0/24 together with 192.168.1.0/24 constitutes
-    192.168.0.0.23).</para>
+    192.168.0.0/24 together with 192.168.1.0/24 comprises
+    192.168.0.0/23).</para>

    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones. <itemizedlist spacing="compact">
--- a/docs/LennyToSqueeze.xml
+++ b/docs/LennyToSqueeze.xml
@@ -0,0 +1,963 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall Issues when Upgrading from Debian Lenny to
+    Squeeze</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2009</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
+    soon include Shorewall 4.4. Because there are significant differences
+    between the two product versions, some users may experience upgrade
+    issues. This article outlines those issues and offers advice for dealing
+    with them.</para>
+
+    <note>
+      <para>Although this article is targeted specifically at Lenny -&gt;
+      Squeeze upgrades, it should be useful to any Shorewall-shell user
+      upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where
+      non-Debian users may experience different results.</para>
+    </note>
+  </section>
+
+  <section id="Packages">
+    <title>Packaging Differences</title>
+
+    <para>The first key difference between Shorewall 4.0 and Shorewall 4.4 is
+    in the packaging<footnote>
+        <para>Most distributions use a similar packaging structure. Note,
+        however, that the 'shorewall' package in Simon Mater's RPMs for
+        RedHat/Fedora/CentOS is like the Lenny shorewall-common
+        package.</para>
+      </footnote>. In Lenny, there are six Shorewall packages:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>shorewall-common — Contains the basic components needed to
+        create an IPv4 firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-shell — The legacy Shorewall configuration compiler
+        written in Bourne shell.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall — A transitional package that depends on
+        shorewall-common and shorewall-shell. Installing this package installs
+        both shorewall-common and shorewall-shell.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-perl — A re-implementation of the Shorewall
+        configuration compiler in Perl. This compiler has many advantages over
+        the shell-based compiler:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>The compiler is much faster</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler does a much better job of validating the
+            configuration, thus avoiding run-time errors.</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler produces better and more consistent diagnostic
+            messages.</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler produces a script that runs much faster and
+            that does not reject/drop connections during start/restart.</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-lite — A small package that can run scripts generated
+        by shorewall-shell or shorewall-perl. Allows centralized firewall
+        administration.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-doc — Documentation.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>In Squeeze, there are five packages:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>shorewall — Contains everything needed to create an IPv4
+        firewall. It combines the former shorewall-common and shorewall-perl
+        packages.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall6 — Depends on shorewall. Adds those components needed
+        to create an IPv6 firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-lite — Same as in Lenny; only runs IPv4 firewall
+        scripts.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall6-lite — Similar to shorewall-lite, except that it only
+        runs IPv6 firewall scripts.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-doc — Documentation.</para>
+      </listitem>
+    </orderedlist>
+
+    <warning>
+      <para>Do not purge the old packages (shorewall-common, shorewall-shell
+      and shorewall-perl) until after the new shorewall package has been
+      installed.</para>
+    </warning>
+
+    <para>The key change in Squeeze that may produce upgrade issues is that
+    Squeeze does not include the shell-based configuration compiler. As a
+    consequence, unless you are already using Shorewall-perl on Lenny, an
+    upgrade from Lenny to Squeeze will mean that you will be switching from
+    the old shell-based compiler to the new Perl-based compiler<footnote>
+        <para>Note that Perl is a required package on Debian. If you are
+        running an embedded distribution which does not include Perl and it is
+        not feasible to install Perl on your firewall, then you should
+        consider installing Shorewall on another system in your network (may
+        be a <trademark>Windows</trademark> system running
+        <trademark>Cygwin</trademark>) and installing Shorewall-lite on your
+        firewall.</para>
+      </footnote>. While the two compilers are highly compatible, there are
+    some differences. Those differences are detailed in the following
+    sections.</para>
+  </section>
+
+  <section id="Issues">
+    <title>Issues Most Likely to Cause Problems or Concerns</title>
+
+    <section id="conf">
+      <title>shorewall.conf</title>
+
+      <para>As always, when upgrading from one major release of Shorewall to
+      another, the installer will prompt you about replacing your existing
+      <filename>shorewall.conf</filename> with the updated one from the
+      package. Shorewall is designed with the assumption that users will never
+      replace shorewall.conf and retaining your existing file will always
+      produce upward-compatible behavior.</para>
+
+      <para>That having been said, there are a few settings that you may have
+      in your shorewall.conf that will cause compilation warning or error
+      messages after the upgrade.</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>BLACKLISTNEWONLY</term>
+
+          <listitem>
+            <para>If you have BLACKLISTNEWONLY=No together with
+            FASTACCEPT=Yes, you will receive this error:</para>
+
+            <para><emphasis role="bold">ERROR: BLACKLISTNEWONLY=No may not be
+            specified with FASTACCEPT=Yes</emphasis></para>
+
+            <para>To eliminate the error, reverse the setting of one of the
+            options.</para>
+
+            <note>
+              <para>This combination never worked correctly in earlier
+              versions -- to duplicate the earlier behavior, you will want to
+              set BLACKLISTNEWONLY=Yes.</para>
+            </note>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>BRIDGING</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following error:</para>
+
+            <para><emphasis role="bold">ERROR: BRIDGING=Yes is not supported
+            by Shorewall 4.4.x</emphasis></para>
+
+            <para>You should not be receiving this error if you are upgrading
+            from Lenny since BRIDGING=Yes did not work in that
+            release<footnote>
+                <para>If you are upgrading from a release using a kernel
+                earlier than 2.6.20, then BRIDGING=Yes did work correctly with
+                Shorewall-shell.</para>
+              </footnote>. If you have a bridge configuration where you want
+            to control connections through the bridge, you will want to visit
+            <ulink
+            url="http://www.shorewall.net/bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink><footnote>
+                <para>Kernel 2.6.20 or later is required.</para>
+              </footnote>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DELAYBLACKLISTLOAD</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: DELAYBLACKLIST=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set DELAYBLACKLISTLOAD=No or
+            remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DYNAMIC_ZONES</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: DYNAMIC_ZONES=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set DYNAMIC_ZONES=No or remove the
+            setting altogether. See <ulink url="Dynamic.html">this
+            article</ulink> to learn how to set up Dynamic Zones under
+            Shorewall 4.4.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry id="FW">
+          <term>FW</term>
+
+          <listitem>
+            <para>If a setting for FW appears in your shorewall.conf file, you
+            will receive this warning:</para>
+
+            <para><emphasis role="bold">WARNING: Unknown configuration option
+            (FW) ignored.</emphasis></para>
+
+            <para>Remove the setting from the file and modify your
+            <filename>/etc/shorewall/zones</filename> file as described <link
+            linkend="zones">below</link>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>IPSECFILE</term>
+
+          <listitem>
+            <para>If you have specified IPSECFILE=ipsec or IPSECFILE= or if
+            you do not have a setting for IPSECFILE, then you will receive the
+            following error:</para>
+
+            <para><emphasis role="bold">ERROR: IPSECFILE=ipsec is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, you will need to:</para>
+
+            <orderedlist>
+              <listitem>
+                <para>Set IPSECFILE=zones</para>
+              </listitem>
+
+              <listitem>
+                <para>Modify your <filename>/etc/shorewall/zones</filename>
+                file as described <link linkend="zones">below</link>.</para>
+              </listitem>
+            </orderedlist>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>PKTTYPE</term>
+
+          <listitem>
+            <para>The PKTTYPE option is ignored by Shorewall-perl.
+            Shorewall-perl will use Address type match if it is available;
+            otherwise, it will behave as if PKTTYPE=No had been
+            specified.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RFC1918_LOG_LEVEL</term>
+
+          <listitem>
+            <para>If you have specified any setting for this option, you will
+            receive the following warning:</para>
+
+            <para><emphasis role="bold">WARNING: RFC1918_LOG_LEVEL=value
+            ignored. The 'norfc1918' interface/host option is no longer
+            supported.</emphasis></para>
+
+            <para>To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
+            remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RFC1918_STRICT</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: RFC1918_STRICT=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set RFC1918_STRICT=No or remove
+            the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>SAVE_IPSETS</term>
+
+          <listitem>
+            <para>Shorewall 4.4 will issue a warning if you set
+            SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
+
+            <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate this message, you will need to set
+            SAVE_IPSETS=No or remove the setting altogether.</para>
+
+            <para>See <link linkend="ipsets">below</link> for additional
+            information regarding ipsets in Shorewall 4.4.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>SHOREWALL_COMPILER</term>
+
+          <listitem>
+            <para>If you have specified SHOREWALL_COMPILER=shell, you will
+            receive the following warning message:</para>
+
+            <para><emphasis role="bold">WARNING: SHOREWALL_COMPILER=shell
+            ignored. Shorewall-shell support has been removed in this
+            release</emphasis></para>
+
+            <para>To eliminate the warning, set SHOREWALL_COMPILER=perl or
+            simply remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>USE_ACTIONS</term>
+
+          <listitem>
+            <para>If you have set this option to No, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: USE_ACTIONS=No is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set USE_ACTIONS=Yes or remove the
+            setting altogether.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </section>
+
+    <section id="zones">
+      <title>/etc/shorewall/zones</title>
+
+      <para>If the column headings in your /etc/shorewall/zones file look like
+      this:</para>
+
+      <programlisting>#ZONE   DISPLAY         COMMENTS
+net     Net             The big bad net
+loc     Local           The local LAN</programlisting>
+
+      <para>then you are using the original zones file format that has been
+      deprecated since Shorewall 3.0.</para>
+
+      <para>You will need to convert to the new file format which has the
+      following headings:</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS</programlisting>
+
+      <para>You will need to add an entry for your firewall zone. The default
+      name for the firewall zone is 'fw' but may have been overriden using
+      <link linkend="FW">the FW option in
+      <filename>shorewall.conf</filename></link>.</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall</programlisting>
+
+      <para>The remainder of your zones will have type 'ipv4' unless they are
+      mentioned in your /etc/shorewall/ipsec file (see <link
+      linkend="ipsec">below</link>).</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4            # The big bad net
+loc     ipv4            # The local LAN</programlisting>
+    </section>
+
+    <section id="ipsec">
+      <title>/etc/shorewall/ipsec</title>
+
+      <para>This file is no longer used -- its specifications are now included
+      in <filename>/etc/shorewall/zones</filename>.</para>
+
+      <para>Take this example:</para>
+
+      <programlisting>#ZONE   IPSEC    OPTIONS         IN              OUT
+#       ONLY                     OPTIONS         OPTIONS
+ipsec1  Yes
+ipsec2  No</programlisting>
+
+      <para>This would translate to the following entries in
+      <filename>/etc/shorewall/zones</filename>:</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+ipsec1  ipsec4
+ipsec2  ipv4</programlisting>
+
+      <para>Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
+      from <filename>/etc/shorewall/ipsec</filename> to
+      <filename>/etc/shorewall/zones</filename>.</para>
+    </section>
+
+    <section id="interfaces">
+      <title>/etc/shorewall/interfaces</title>
+
+      <para>The BROADCAST column is essentially unused in Squeeze. If it
+      contains anything except 'detect' or '-', then you will receive this
+      warning<footnote>
+          <para>Users whose kernel and/or iptables do not include Address Type
+          Match Support can continue to list broadcast addresses in this
+          column; no warning will be issued.</para>
+        </footnote>:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Shorewall no longer uses
+        broadcast addresses in rule generation when Address Type Match is
+        available</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, replace the contents of the BROADCAST
+      column with '-' or 'detect'.</para>
+
+      <para>The 'norfc1918' option has been removed. If you specify the
+      option, you will receive the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Support for the norfc1918
+        interface option has been removed from Shorewall</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, simply remove the 'norfc1918' option
+      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
+      as a replacement (see <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+    </section>
+
+    <section id="hosts">
+      <title>/etc/shorewall/hosts</title>
+
+      <para>The 'norfc1918' option has been removed. If you specify the
+      option, you will receive the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: The 'norfc1918' option is no
+        longer supported</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, simply remove the 'norfc1918' option
+      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
+      as a replacement (see <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+    </section>
+
+    <section id="policy">
+      <title>/etc/shorewall/policy</title>
+
+      <para>Shorewall 4.4 detects dead policy file entries that result when an
+      entry is masked by an earlier more general entry.</para>
+
+      <para>Example:</para>
+
+      <programlisting>#SOURCE DEST     POLICY    LOG LEVEL
+all     all      REJECT    info
+loc     net      ACCEPT</programlisting>
+
+      <para>Shorewall-shell silently accepted the above even though the
+      loc-&gt;net policy is useless. Shorewall-perl generates a fatal
+      compilation error:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">ERROR: Policy "loc net ACCEPT" duplicates
+        earlier policy "all all REJECT"</emphasis></para>
+      </blockquote>
+    </section>
+
+    <section id="masq">
+      <title>/etc/shorewall/masq</title>
+
+      <para>There is a long tradition of specifying an interface name in the
+      SOURCE column of this file.</para>
+
+      <para>Masquerading/SNAT occurs in the Netfilter POSTROUTING chain where
+      an incoming interface may not be specified in iptables rules.
+      Consequently, while processing the <command>shorewall start</command>
+      and <command>shorewall restart</command> commands, the generated script
+      must examine the firewall's main routing table to determine those
+      networks that are routed out of the interface; the script then adds a
+      MASQUERADE/SNAT rule for connections from each of those networks. This
+      additional processing requires the named interface to be up and
+      configured when Shorewall starts or restarts.</para>
+
+      <para>Users often complain that Shorewall fails to start at boot time
+      because a VPN interface that is named as a masq SOURCE isn't up and
+      configured during boot.</para>
+
+      <para>To emphasize this restriction, if an interface is named in the
+      SOURCE column of one or more entries, a single warning is issued as
+      follows:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Using an interface as the masq
+        SOURCE requires the interface to be up and configured when Shorewall
+        starts/restarts</emphasis></para>
+      </blockquote>
+
+      <para>To suppress this warning, replace the interface name with the list
+      of networks that are routed out of the interface.</para>
+
+      <para>Example.</para>
+
+      <para>Existing entry:</para>
+
+      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
+#                                                                                       GROUP
+eth0                    eth1</programlisting>
+
+      <para>Current routing configuration:</para>
+
+      <programlisting>gateway:~# ip route ls dev eth1
+<emphasis role="bold">172.20.1.0/24</emphasis>  proto kernel  scope link  src 172.20.1.254 
+224.0.0.0/4  scope link 
+gateway:~# 
+</programlisting>
+
+      <para>Replacement entry:</para>
+
+      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
+#                                                                                       GROUP
+eth0                    <emphasis role="bold">172.20.1.0/24</emphasis></programlisting>
+
+      <para>Note that no entry is included for 224.0.0.0/4 since that is the
+      multicast IP range and there should never be any packets with a SOURCE
+      IP address in that network.</para>
+    </section>
+
+    <section id="rules">
+      <title>/etc/shorewall/rules</title>
+
+      <para>If you include a destination zone in a 'nonat' rule, Shorewall
+      issues the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Destination zone (zonename)
+        ignored.</emphasis></para>
+      </blockquote>
+
+      <para>Nonat rules include:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>DNAT-</member>
+
+          <member>REDIRECT-</member>
+
+          <member>NONAT</member>
+        </simplelist>
+      </blockquote>
+
+      <para>To eliminate the warning, remove the DEST zone.</para>
+
+      <para>Example.</para>
+
+      <para>Before:</para>
+
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+NONAT           loc             net             tcp     80</programlisting>
+
+      <para>After:</para>
+
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+NONAT           loc             -               tcp     80</programlisting>
+    </section>
+
+    <section id="routestopped">
+      <title>/etc/shorewall/routestopped</title>
+
+      <para>The 'critical' option is no longer needed and hence is no longer
+      supported. If you have critical hosts defined, you will receive this
+      warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: The 'critical' option is no
+        longer supported (or needed)</emphasis></para>
+      </blockquote>
+
+      <para>To suppress the warning, simply remove the option.</para>
+
+      <para>Shorewall 4.4 also treats the <filename>routestopped</filename>
+      file differently from earlier releases. Previously, the
+      <filename>routestopped</filename> file was parsed during
+      <command>shorewall stop</command> processing so that changes made to the
+      file while Shorewall was running would be applied at the next
+      <command>stop</command>. This is no longer the case -- the
+      <filename>routestopped</filename> file is processed during compilation
+      just like the rest of the configuration files so that when
+      <command>shorewall stop</command> is issued, the firewall will pass
+      traffic based on the contents of the <filename>routestopped</filename>
+      file at the last <command>start</command> or
+      <command>restart</command>.</para>
+    </section>
+
+    <section id="tos">
+      <title>/etc/shorewall/tos</title>
+
+      <para>The <filename>/etc/shorewall/tos</filename> file now has
+      zone-independent SOURCE and DEST columns as do all other files except
+      the rules and policy files.</para>
+
+      <para>The SOURCE column may be one of the following:</para>
+
+      <simplelist>
+        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
+
+        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+
+        <member><command>$FW</command>[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+      </simplelist>
+
+      <para>The DEST column may be one of the following:</para>
+
+      <simplelist>
+        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
+
+        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+      </simplelist>
+
+      <para>This is a permanent change. The old zone-based rules have never
+      worked right and this is a good time to replace them. We have tried to
+      make the new syntax cover the most common cases without requiring change
+      to existing files. In particular, it will handle the
+      <filename>tos</filename> file released with Shorewall 1.4 and
+      earlier.</para>
+    </section>
+
+    <section id="extension">
+      <title>Extension Scripts</title>
+
+      <para>With the shell-based compiler, all extension scripts were copied
+      into the compiled script and executed at run-time. In some cases, this
+      approach doesn't work with Shorewall Perl because (almost) the entire
+      rule set is built by the compiler. As a result, Shorewall-perl runs some
+      extension scripts at compile-time rather than at run-time. Because the
+      compiler is written in Perl, these extension scripts from earlier
+      versions will no longer work.</para>
+
+      <para>The following table summarizes when the various extension scripts
+      are run:<informaltable align="left" frame="none">
+          <tgroup cols="3">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">Compile-time (Must be written in
+                Perl)</emphasis></entry>
+
+                <entry><emphasis role="bold">Run-time</emphasis></entry>
+
+                <entry><emphasis role="bold">Eliminated</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>initdone</entry>
+
+                <entry>clear</entry>
+
+                <entry>continue</entry>
+              </row>
+
+              <row>
+                <entry>maclog</entry>
+
+                <entry>init</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry>Per-chain (including those associated with
+                actions)</entry>
+
+                <entry>start</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>started</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>stop</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>stopped</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>tcclear</entry>
+
+                <entry></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable></para>
+
+      <para>Compile-time extension scripts are executed using the Perl 'eval
+      `cat &lt;file&gt;`' mechanism. Be sure that each script returns a 'true'
+      value; otherwise, the Shorewall-perl compiler will assume that the
+      script failed and will abort the compilation.</para>
+
+      <para>When a script is invoked, the <emphasis
+      role="bold">$chainref</emphasis> scalar variable will usually hold a
+      reference to a chain table entry.</para>
+
+      <simplelist>
+        <member><emphasis role="bold">$chainref-&gt;{name}</emphasis> contains
+        the name of the chain</member>
+
+        <member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
+        the table name</member>
+      </simplelist>
+
+      <para>To add a rule to the chain:</para>
+
+      <simplelist>
+        <member>add_rule $chainref,
+        <replaceable>the-rule</replaceable></member>
+      </simplelist>
+
+      <para>Where</para>
+
+      <simplelist>
+        <member><replaceable>the rule</replaceable> is a scalar argument
+        holding the rule text. Do not include "-A
+        <replaceable>chain-name</replaceable>"</member>
+      </simplelist>
+
+      <para>Example:</para>
+
+      <simplelist>
+        <member>add_rule $chainref, '-j ACCEPT';</member>
+      </simplelist>
+
+      <para>To insert a rule into the chain:</para>
+
+      <simplelist>
+        <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
+        <replaceable>the-rule</replaceable></member>
+      </simplelist>
+
+      <para>The log_rule_limit function works like it does in the shell
+      compiler with three exceptions:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>You pass the chain reference rather than the name of the
+          chain.</para>
+        </listitem>
+
+        <listitem>
+          <para>The commands are 'add' and 'insert' rather than '-A' and
+          '-I'.</para>
+        </listitem>
+
+        <listitem>
+          <para>There is only a single "pass as-is to iptables" argument (so
+          you must quote that part</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Example:</para>
+
+      <programlisting>    log_rule_limit
+              'info' , 
+              $chainref , 
+              $chainref-&gt;{name},
+              'DROP' , 
+              '',    #Limit
+              '' ,   #Log tag
+              'add'
+              '-p tcp ';         </programlisting>
+
+      <para>Here is an example of an actual initdone script used with
+      Shorewall 3.4:<programlisting>run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
+run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
+run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
+</programlisting></para>
+
+      <para>Here is the corresponding script used with Shorewall
+      4.4:<programlisting>use Shorewall::Chains;
+
+insert_rule $mangle_table-&gt;{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
+insert_rule $filter_table-&gt;{INPUT},      1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
+insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
+
+1;</programlisting></para>
+
+      <para>The initdone script is unique because the $chainref variable is
+      not set before the script is called. The above script illustrates how
+      the $mangle_table, $filter_table, and $nat_table references can be used
+      to add or insert rules in arbitrary chains.</para>
+    </section>
+
+    <section id="ipsets">
+      <title>Ipsets</title>
+
+      <para>Shorewall 4.4 insists that ipset names begin with a letter and be
+      composed of alphanumeric characters and underscores (_). When used in a
+      Shorewall configuration file, the name must be preceded by a plus sign
+      (+) as with the shell-based compiler.</para>
+
+      <para>Shorewall 4.4 is out of the ipset load/reload business with the
+      exception of ipsets used for dynamic zones. With scripts generated by
+      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
+      there is no opportunity for Shorewall to load/reload your ipsets since
+      that cannot be done while there are any current rules using
+      ipsets.</para>
+
+      <para>So:</para>
+
+      <orderedlist numeration="upperroman">
+        <listitem>
+          <para>Your ipsets must be loaded before Shorewall starts. You are
+          free to try to do that with the following code in
+          <filename>/etc/shorewall/init (it works for me; your mileage may
+          vary)</filename>:</para>
+
+          <programlisting>if [ "$COMMAND" = start ]; then
+    ipset -U :all: :all:
+    ipset -U :all: :default:
+    ipset -F
+    ipset -X
+    ipset -R &lt; /etc/shorewall/ipsets
+fi</programlisting>
+
+          <para>The file <filename>/etc/shorewall/ipsets</filename> will
+          normally be produced using the <command>ipset -S</command> command.
+          I have this in my<filename> /etc/shorewall/stop</filename>
+          file:</para>
+
+          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
+    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
+    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
+fi</programlisting>
+
+          <para>The above extension scripts will work most of the time but
+          will fail in a <command>shorewall stop</command> -
+          <command>shorewall start</command> sequence if you use ipsets in
+          your routestopped file (see <link
+          linkend="routestopped">below</link>).</para>
+        </listitem>
+
+        <listitem>
+          <para>Your ipsets may not be reloaded until Shorewall is stopped or
+          cleared.</para>
+        </listitem>
+
+        <listitem>
+          <para>If you specify ipsets in your routestopped file then Shorewall
+          must be cleared in order to reload your ipsets.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
+  <section id="Additional">
+    <title>Additional Sources of Information</title>
+
+    <para>The following articles provide additional information.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink url="Shorewall-perl.html#Incompatibilities">Shorewall
+        Perl Incompatibilities</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</article>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -248,7 +248,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
      </varlistentry>
    </variablelist>

-    <para>One remaining restriction should be noted: macros that are invoked
+    <para>One additional restriction should be noted: macros that are invoked
    from actions cannot themselves invoke other actions.</para>
  </section>

@@ -554,6 +554,151 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
          2.6.14).</member>
        </simplelist>
      </listitem>
+
+      <listitem>
+        <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
+        packet or connection mark. The rule will match only if the test
+        returns true. Must be empty or '-' if the macro is to be used within
+        an action.</para>
+
+        <programlisting>     [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
+
+        <variablelist>
+          <varlistentry>
+            <term>!</term>
+
+            <listitem>
+              <para>Inverts the test (not equal)</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><replaceable>value</replaceable></term>
+
+            <listitem>
+              <para>Value of the packet or connection mark.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><replaceable>mask</replaceable></term>
+
+            <listitem>
+              <para>A mask to be applied to the mark before testing.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>:C</term>
+
+            <listitem>
+              <para>Designates a connection mark. If omitted, the # packet
+              mark's value is tested.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
+
+      <listitem>
+        <para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
+        the macro is to be used within an action.</para>
+
+        <programlisting>     [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
+
+        <para>May be used to limit the number of simultaneous connections from
+        each individual host to limit connections. Requires connlimit match in
+        your kernel and iptables. While the limit is only checked on rules
+        specifying CONNLIMIT, the number of current connections is calculated
+        over all current connections from the SOURCE host. By default, the
+        <replaceable>limit</replaceable> is applied to each host but can be
+        made to apply to networks of hosts by specifying a
+        <replaceable>mask</replaceable>. The mask specifies the width of a
+        VLSM mask to be applied to the source address; the number of current
+        connections is then taken over all hosts in the subnet
+        <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
+        When ! is specified, the rule matches when the number of connection
+        exceeds the limit. </para>
+      </listitem>
+
+      <listitem>
+        <para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
+        macro is to be used within an action.</para>
+
+        <programlisting>     &lt;timeelement&gt;[&amp;...]</programlisting>
+
+        <para><replaceable>timeelement</replaceable> may be:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+            <listitem>
+              <para>Defines the starting time of day.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+            <listitem>
+              <para>Defines the ending time of day.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>utc</term>
+
+            <listitem>
+              <para>Times are expressed in Greenwich Mean Time.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>localtz</term>
+
+            <listitem>
+              <para>Times are expressed in Local Civil Time (default).</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>weekdays=ddd[,ddd]...</term>
+
+            <listitem>
+              <para>where <replaceable>ddd</replaceable> is one of
+              <option>Mon</option>, <option>Tue</option>,
+              <option>Wed</option>, <option>Thu</option>,
+              <option>Fri</option>, <option>Sat</option> or
+              <option>Sun</option></para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>monthdays=dd[,dd],...</term>
+
+            <listitem>
+              <para>where <replaceable>dd</replaceable> is an ordinal day of
+              the month</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+            <listitem>
+              <para>Defines the starting date and time.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+            <listitem>
+              <para>Defines the ending date and time.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
    </itemizedlist>

    <para>Omitted column entries should be entered using a dash ("-:).</para>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -235,7 +235,7 @@

              <listitem>
                <para>Use mark values &gt; 255 for provider marks in this
-                column. </para>
+                column.</para>

                <itemizedlist>
                  <listitem>
@@ -423,11 +423,21 @@
                <term>loose</term>

                <listitem>
-                  <para>Do not include routing rules that force traffic whose
+                  <para>Do not generate routing rules that force traffic whose
                  source IP is an address of the INTERFACE to be routed to
                  this provider. Useful for defining providers that are to be
                  used only when the appropriate packet mark is
                  applied.</para>
+
+                  <para>Shorewall makes no attempt to consolidate the routing
+                  rules added when <emphasis role="bold">loose</emphasis> is
+                  not specified. So, if you have multiple IP addresses on a
+                  provider interface, you may be able to replace the rules
+                  that Shorewall generates with one or two rules in
+                  <filename>/etc/shorewall/route_rules</filename>. In that
+                  case, you can specify <emphasis role="bold">loose</emphasis>
+                  to suppress Shorewall's rule generation. See the <link
+                  linkend="Complete">example</link> below.</para>
                </listitem>
              </varlistentry>

@@ -1454,7 +1464,7 @@ defaults {
  warn_email=teastep@shorewall.net
  check_arp=0
  sourceip=
-  ttl=64
+  ttl=0
 }

 include /etc/lsm/shorewall.conf</programlisting>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -143,7 +143,7 @@
          </itemizedlist>
        </listitem>

-        <listitem>
+        <listitem id="Extensions">
          <para>With the shell-based compiler, extension scripts were copied
          into the compiled script and executed at run-time. In many cases,
          this approach doesn't work with Shorewall Perl because (almost) the
@@ -153,67 +153,79 @@
          extension scripts from earlier versions will no longer work.</para>

          <para>The following table summarizes when the various extension
-          scripts are run:<informaltable align="left" frame="none">
-              <tgroup cols="3">
-                <tbody>
-                  <row>
-                    <entry><emphasis role="bold">Compile-time (Must be written
-                    in Perl)</emphasis></entry>
+          scripts are run:</para>

-                    <entry><emphasis role="bold">Run-time</emphasis></entry>
+          <informaltable align="left" frame="none">
+            <tgroup cols="3">
+              <tbody>
+                <row>
+                  <entry><emphasis role="bold">Compile-time (Must be written
+                  in Perl)</emphasis></entry>

-                    <entry><emphasis role="bold">Eliminated</emphasis></entry>
-                  </row>
+                  <entry><emphasis role="bold">Run-time</emphasis></entry>

-                  <row>
-                    <entry>initdone</entry>
+                  <entry><emphasis role="bold">Eliminated</emphasis></entry>
+                </row>

-                    <entry>clear</entry>
+                <row>
+                  <entry>initdone</entry>

-                    <entry>continue</entry>
-                  </row>
+                  <entry>clear</entry>

-                  <row>
-                    <entry>maclog</entry>
+                  <entry>continue</entry>
+                </row>

-                    <entry>start</entry>
-                  </row>
+                <row>
+                  <entry>maclog</entry>

-                  <row>
-                    <entry>Per-chain (including those associated with
-                    actions)</entry>
+                  <entry>init</entry>

-                    <entry>started</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry>Per-chain (including those associated with
+                  actions)</entry>

-                  <row>
-                    <entry></entry>
+                  <entry>start</entry>

-                    <entry>stop</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry></entry>

-                  <row>
-                    <entry></entry>
+                  <entry>started</entry>

-                    <entry>stopped</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry></entry>

-                  <row>
-                    <entry></entry>
+                  <entry>stop</entry>

-                    <entry>tcclear</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable></para>
+                <row>
+                  <entry></entry>
+
+                  <entry>stopped</entry>
+
+                  <entry></entry>
+                </row>
+
+                <row>
+                  <entry></entry>
+
+                  <entry>tcclear</entry>
+
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>

          <para>Compile-time extension scripts are executed using the Perl
          'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
@@ -343,7 +355,7 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
          the tos file released with Shorewall 1.4 and earlier.</para>
        </listitem>

-        <listitem>
+        <listitem id="SAVE_IPSETS">
          <para>Shorewall-perl insists that ipset names begin with a letter
          and be composed of alphanumeric characters and underscores (_). When
          used in a Shorewall configuration file, the name must be preceded by
@@ -547,7 +559,8 @@ DNAT-              net                192.168.1.3      tcp          21</programl
          starts/restarts</para>

          <para>To avoid this warning, replace interface names by the
-          corresponding network addresses (e.g., 192.168.144.0/24).</para>
+          corresponding network() in CIDR format (e.g.,
+          192.168.144.0/24).</para>
        </listitem>
      </orderedlist>
    </section>
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -93,6 +93,12 @@
    bridge-specific changes are restricted to the
    <filename>/etc/shorewall/interfaces</filename> file.</para>

+    <note>
+      <para>Older configurations that specify an interface name in the SOURCE
+      column of <filename>/etc/shorewall/masq</filename> will also need to
+      change that file.</para>
+    </note>
+
    <para>This example illustrates the bridging of two Ethernet devices but
    the types of the devices really isn't important. What is shown here would
    apply equally to bridging an Ethernet device to an <ulink
@@ -138,5 +144,11 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
 net            eth0            detect         ...
 loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
          role="bold">routeback,bridge</emphasis>,...</programlisting></para>
+
+    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
+    unchanged:</para>
+
+    <programlisting>#INTERFACE     SOURCE          ADDRESS
+eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
  </section>
 </article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -216,7 +216,7 @@

        <listitem>
          <para><filename>/usr/share/shorewall/modules</filename> - directs
-          the firewall to load kernel modules. </para>
+          the firewall to load kernel modules.</para>
        </listitem>

        <listitem>
@@ -432,6 +432,79 @@ ACCEPT      net:\
    </example>
  </section>

+  <section id="SOURCE-DEST">
+    <title>Specifying SOURCE and DEST</title>
+
+    <para>Entries in Shorewall configuration files often deal with the source
+    (SOURCE) and destination (DEST) of connections and Shorewall implements a
+    uniform way for specifying them.</para>
+
+    <para>A SOURCE or DEST consists of one to three parts separated by colons
+    (":"):</para>
+
+    <orderedlist>
+      <listitem>
+        <para>ZONE — The name of a zone declared in
+        <filename>/etc/shorewall/zones</filename> or
+        <filename>/etc/shorewall6/zones</filename>. This part is only
+        available in the rules file (<filename>/etc/shorewall/rules</filename>
+        and <filename>/etc/shorewall6/rules</filename>).</para>
+      </listitem>
+
+      <listitem>
+        <para>INTERFACE — The name of an interface that matches an entry in
+        <filename>/etc/shorewall/interfaces</filename>
+        (<filename>/etc/shorewall6/interfaces</filename>).</para>
+      </listitem>
+
+      <listitem>
+        <para>ADDRESS LIST — A list of one or more addresses (host or network)
+        or address ranges, separated by commas. In an IPv6 configuration, this
+        list must be includes in angled brackets ("&lt;...&gt;"). The list may
+        have <link linkend="Exclusion">exclusion</link>.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Examples.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>All hosts in the <emphasis role="bold">net</emphasis> zone —
+        <emphasis role="bold">net</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Subnet 192.168.1.0/29 in the <emphasis
+        role="bold">loc</emphasis> zone — <emphasis
+        role="bold">loc:192.168.1.0/29</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts in the net zone connecting through <filename
+        class="devicefile">ppp0</filename> — <emphasis
+        role="bold">net:ppp0</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts interfaced by <filename
+        class="devicefile">eth3</filename> — <emphasis
+        role="bold">eth3</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Subnet 10.0.1.0/24 interfacing through <filename><filename
+        class="devicefile">eth2</filename></filename> — <emphasis
+        role="bold">eth2:10.0.1.0/24</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
+        role="bold">loc</emphasis> zone — <emphasis
+        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
+      </listitem>
+    </orderedlist>
+  </section>
+
  <section id="INCLUDE">
    <title>INCLUDE Directive</title>

--- a/docs/template.xml
+++ b/docs/template.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2008</year>
+      <year>2009</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -148,7 +148,8 @@
        starts/restarts</para>

        <para>To avoid this warning, replace interface names by the
-        corresponding network addresses (e.g., 192.168.144.0/24).</para>
+        corresponding netwok(s) in CIDR format (e.g.,
+        192.168.144.0/24).</para>
      </listitem>

      <listitem>
@@ -166,12 +167,6 @@
        need to renumber the class IDs for devices 10 and greater.</para>
      </listitem>

-      <listitem>
-        <para>Jozsef Kadlecsik has removed the set binding capability from
-        ipset 3.1. As a consequence, Shorewall 4.3 no longer supports set
-        binding.</para>
-      </listitem>
-
      <listitem>
        <para>Support for the 'norfc1918' interface and host option has been
        removed. If 'norfc1918' is specified for an entry in either the
@@ -206,6 +201,9 @@
        against the parent zone rules.</para>
      </listitem>
    </orderedlist>
+
+    <para>Be sure to check the latest 4.4 Release Notes linked from the <ulink
+    url="index.htm">home page</ulink>.</para>
  </section>

  <section>
@@ -865,7 +863,7 @@ all             all             REJECT:MyReject info</programlisting>
        BOGON_LOG_LEVEL option have been eliminated.</para>
      </listitem>

-      <listitem>
+      <listitem id="MAPOLDACTIONS">
        <para>Most of the standard actions have been replaced by parameterized
        macros (see below). So for example, the action.AllowSMTP and
        action.DropSMTP have been removed an a parameterized macro macro.SMTP
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -1032,7 +1032,7 @@

      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>

        <listitem>
          <para>May be used to limit the rule to a particular time period each
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -1013,6 +1013,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>This option is included for compatibility with old Shorewall
+          configuration. New installs should always have
+          MAPOLDACTIONS=No.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1162,30 +1173,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
-          <para>Normally Shorewall attempts to use the iptables packet type
-          match extension to determine broadcast and multicast packets.</para>
-
-          <orderedlist>
-            <listitem>
-              <para>This can cause a message to appear during shorewall start
-              (modprobe: cant locate module ipt_pkttype).</para>
-            </listitem>
-
-            <listitem>
-              <para>Some users have found problems with the packet match
-              extension with the result that their firewall log is flooded
-              with messages relating to broadcast packets.</para>
-            </listitem>
-          </orderedlist>
-
-          <para></para>
-
-          <blockquote>
-            <para>If you are experiencing either of these problems, setting
-            PKTTYPE=No will prevent Shorewall from trying to use the packet
-            type match extension and to use IP address matching to determine
-            which packets are broadcasts or multicasts.</para>
-          </blockquote>
+          <para>This option is included for compatibility with older Shorewall
+          releases. Its setting has no effect.</para>
        </listitem>
      </varlistentry>

--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@@ -538,6 +538,8 @@

      <arg><option>-f</option></arg>

+      <arg><option>-p</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@@ -817,7 +817,7 @@

      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>

        <listitem>
          <para>May be used to limit the rule to a particular time period each
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -551,9 +551,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">Keep</emphasis>]</term>

        <listitem>
-          <para>This parameter determines whether Shorewall6 enables or
-          disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
-          Possible values are:</para>
+          <para>This rather useless parameter determines whether Shorewall6
+          enables or disables IPV6 Packet Forwarding on all interfaces
+          (/proc/sys/net/ipv6/config/all/forwarding). Possible values
+          are:</para>

          <variablelist>
            <varlistentry>
Author	SHA1	Message	Date
Tom Eastep	5dd9c5705c	Update version	2009-10-03 11:42:39 -07:00
Tom Eastep	1254dd23cf	Fix 'routeback' in routestopped (again)	2009-10-03 11:40:38 -07:00
Tom Eastep	9eb85f51ef	Fix 'routeback' in /etc/shorewall/routestopped	2009-10-03 10:05:53 -07:00
Tom Eastep	818379a8a6	Prepare for 4.4.2.1, should it be needed	2009-10-02 07:36:09 -07:00
Tom Eastep	a87cb7b95d	Generate list of builtins in initialize()	2009-10-01 15:02:14 -07:00
Tom Eastep	a8cc7d2a7e	More clarification of masq file changes	2009-10-01 12:34:34 -07:00
Tom Eastep	dd70456430	Add '-p' to 'start' synopsis	2009-10-01 10:34:05 -07:00
Tom Eastep	ddb46931a0	Update version	2009-10-01 08:44:05 -07:00
Tom Eastep	327e170be5	Fix range-in-masq patch	2009-10-01 08:16:22 -07:00
Tom Eastep	5e49be219b	Fix result from bad pull	2009-10-01 07:49:43 -07:00
Tom Eastep	d323c5b9c5	Delete shorewall-perl and shorewall-shell during upgrade	2009-10-01 07:37:30 -07:00
Tom Eastep	39ee3b2025	Tweak emitter	2009-09-29 14:28:50 -05:00
Tom Eastep	393673a884	Allow MARK in action body -- take 2	2009-09-25 16:15:56 -04:00
Tom Eastep	bfdc8db31a	Allow MARK in action body	2009-09-25 16:01:24 -04:00
Tom Eastep	c1305eb059	Correct typo in error message	2009-09-25 13:36:45 -04:00
Tom Eastep	9f853d02d9	Make Tuomo Happy	2009-09-25 13:35:37 -04:00
Tom Eastep	111464ad95	Clarify 'loose' -- tweak wording	2009-09-25 06:17:49 -04:00
Tom Eastep	795ffb7212	Clarify 'loose'	2009-09-25 06:15:56 -04:00
Tom Eastep	d84458518e	Add capability to detect old hashlimit syntax	2009-09-23 16:56:31 -04:00
Tom Eastep	428c3d1e4e	Hack to make new LIMIT stuff work on ancient iptables releases	2009-09-20 09:12:35 -04:00
Tom Eastep	20250c9ce9	Hack to make new LIMIT stuff work on ancient iptables releases	2009-09-20 09:10:23 -04:00
Tom Eastep	96b19dd218	Fix accounting extension feature	2009-09-15 13:01:20 -07:00
Tom Eastep	120aade417	Allow Extension Scripts for Accounting Chains	2009-09-15 12:22:51 -07:00
Tom Eastep	4f4925002a	Revert "Allow Extension Scripts for Accounting Chains" This reverts commit `728ad2fecf`.	2009-09-15 12:18:29 -07:00
Tom Eastep	728ad2fecf	Allow Extension Scripts for Accounting Chains	2009-09-15 11:16:37 -07:00
Tom Eastep	0d651f093b	Correct file name	2009-09-15 10:33:52 -07:00
Tom Eastep	326ac90596	Remove pre-4.4 cruft from article	2009-09-15 06:59:59 -07:00
Tom Eastep	d6b641b000	Add FAQ 86	2009-09-14 14:14:20 -07:00
Tom Eastep	a5f3a05341	Fix typo in the Introduction	2009-09-14 13:43:32 -07:00
Tom Eastep	0e8cb3b74d	Improve wording of 'masq' section; add IDs to all sections	2009-09-14 09:01:02 -07:00
Tom Eastep	8180f45382	Add footnotes for non-Debian users	2009-09-14 08:29:49 -07:00
Tom Eastep	f25646d819	Add missing link to ipset section	2009-09-14 08:10:18 -07:00
Tom Eastep	b8e772a416	More Lenny->Squeeze additions (ipsets, extension scripts, more shorewall.conf options)	2009-09-14 07:49:47 -07:00
Tom Eastep	d5d4c451f9	Mention DYNAMIC_ZONES is Lenny->Squeeze article	2009-09-14 07:01:39 -07:00
Tom Eastep	9f102a1fba	More tweaks to Lenny->Squeeze article	2009-09-14 06:53:25 -07:00
Tom Eastep	e814dc7b75	Make index entry for Lenny->Squeeze more generic	2009-09-13 09:32:06 -07:00
Tom Eastep	e1f7048107	More tweaks to the Lenny->Squeeze article	2009-09-13 09:28:58 -07:00
Tom Eastep	485ddd5e9f	Note that the Lenny->Squeeze article is useful to non-Debian users	2009-09-13 09:25:45 -07:00
Tom Eastep	6afc43d200	Correct typo in comment	2009-09-13 09:20:32 -07:00
Tom Eastep	8fdbb6f252	Bump Nat.pm version; remove inadvertent paste	2009-09-13 09:13:50 -07:00
Tom Eastep	5793246d7c	Make processing of original dest in Format-1 macros more obvious	2009-09-13 09:01:34 -07:00
Tom Eastep	57f4458ec9	Avoid repetative wording	2009-09-13 08:19:07 -07:00
Tom Eastep	8fdebf0c38	Add new columns to macros	2009-09-13 08:09:40 -07:00
Tom Eastep	904754c074	Correct syntax of TIME column	2009-09-13 07:03:25 -07:00
Tom Eastep	66765dcf75	Minor rewording	2009-09-12 15:03:19 -07:00
Tom Eastep	07d8872823	Indicate that Squeeze 'will' include 4.4	2009-09-12 09:20:38 -07:00
Tom Eastep	9b0a9e8ecd	Add -<family> to 'ip route del default' command	2009-09-12 08:48:52 -07:00
Tom Eastep	0336a77120	Fix ID	2009-09-11 16:36:56 -07:00
Tom Eastep	95d422b15f	Add Extension Scripts to Lenny->Squeeze Article	2009-09-11 16:33:06 -07:00
Tom Eastep	6f54b5ea2f	Formatting in zones manpage	2009-09-11 10:49:49 -07:00
Tom Eastep	8c2a228a7d	Apply Jesse Shrieve's SNAT patch	2009-09-11 07:47:31 -07:00
Tom Eastep	460428b21a	More formatting fixes to shorewall-zones(5)	2009-09-10 19:43:52 -07:00
Tom Eastep	02d9888513	Document ipsec4/6	2009-09-10 14:56:39 -07:00
Tom Eastep	f33e842f1b	Update module version	2009-09-10 14:56:23 -07:00
Tom Eastep	82eaf124ca	Add section about SOURCE and DEST	2009-09-10 14:55:50 -07:00
Tom Eastep	74aff4f4ef	Bump the version in a couple of modules modified for 4.4.2	2009-09-09 12:58:39 -07:00
Tom Eastep	212937a29d	Make 'map_old_actions' a little cleaner	2009-09-09 12:37:49 -07:00
Tom Eastep	7c1dd35a00	Update release documents	2009-09-09 12:18:31 -07:00
Tom Eastep	0b03f52ad9	Don't look for extension script for built-in actions	2009-09-09 11:53:51 -07:00
Tom Eastep	5fc0137a2e	Update Compiler module version	2009-09-08 17:05:01 -07:00
Tom Eastep	128edd4bba	Slight optimization -- also makes code easier to read	2009-09-08 16:00:40 -07:00
Tom Eastep	b4712a93fa	Don't call compile_stop_firewall() during 'check'; call process_routestopped() instead - comments	2009-09-08 13:04:34 -07:00
Tom Eastep	bb83db3eb9	Don't call compile_stop_firewall() during 'check'; call process_routestopped() instead - change log	2009-09-08 12:55:14 -07:00
Tom Eastep	5655dbb01b	Don't call compile_stop_firewall() during 'check'; call process_routestopped() instead	2009-09-08 12:54:23 -07:00
Tom Eastep	fefff9fd83	Add MAPOLDACTIONS	2009-09-07 17:04:09 -07:00
Tom Eastep	9a1cb0c6b6	Admin that PKTTYPE is a no-op	2009-09-07 16:44:19 -07:00
Tom Eastep	b2c7b583f5	Add Lenny->Squeeze article to index	2009-09-07 16:26:32 -07:00
Tom Eastep	bc7e65732e	Add upgrade warning	2009-09-07 14:13:32 -07:00
Tom Eastep	993bbe8a4e	Fix broken links in Lenny->Squeeze doc	2009-09-07 09:43:53 -07:00
Tom Eastep	1ef90b4f0f	Add means for handling 'norfc1918' warning in Lenny->Squeeze doc	2009-09-07 09:39:00 -07:00
Tom Eastep	8da5fd42d0	Yet more enhancements to Lenny->Squeeze doc	2009-09-07 09:35:15 -07:00
Tom Eastep	180024c1fc	More enhancements to Lenny->Squeeze doc	2009-09-07 09:21:47 -07:00
Tom Eastep	06e85d6191	Add routestopped file to Lenny->Squeeze doc	2009-09-07 09:07:07 -07:00
Tom Eastep	c4eeb7b77e	Link upgrade issues back to the home page	2009-09-06 17:25:39 -07:00
Tom Eastep	b03d502bbb	Allow comments on continued lines	2009-09-06 16:17:22 -07:00
Tom Eastep	cf9bb616b8	Add example of nat-only fix	2009-09-06 14:03:36 -07:00
Tom Eastep	70ebe17cb3	Reimplement MAPOLDACTIONS=Yes	2009-09-06 13:37:24 -07:00
Tom Eastep	477c0ef9e8	Update Lenny->Squeeze doc	2009-09-06 12:46:22 -07:00
Tom Eastep	1a33596ada	Update Lenny->Squeeze doc	2009-09-06 12:41:36 -07:00
Tom Eastep	efa952572c	Update 4.4.2	2009-09-06 11:43:46 -07:00
Tom Eastep	7192b47289	Add a Lenny->Squeeze Howto	2009-09-06 09:51:32 -07:00
Tom Eastep	75eb186ea7	Split MASQ SOURCE warning into two separate warnings	2009-09-05 16:02:16 -07:00
Tom Eastep	f126755a96	Add notes about find_first_interface_address_if_any()	2009-09-05 08:59:45 -07:00
Tom Eastep	ec94ed638e	Better modularization of Chains and Actions	2009-09-05 08:43:14 -07:00
Tom Eastep	496a9449f1	Add note to simple bridge doc	2009-09-05 08:23:35 -07:00
Tom Eastep	4368af9525	Add /etc/shorewall/masq to Simple Bridge article	2009-09-05 07:24:29 -07:00
Tom Eastep	b092ba5671	clarify IP_FORWARDING in IPv6	2009-09-04 19:04:03 -07:00
Tom Eastep	dd64ea2484	Update known_problems for 4.4.2	2009-09-04 11:41:23 -07:00
Tom Eastep	bb8ad187f1	Update version to 4.4.2	2009-09-04 11:40:34 -07:00
Tom Eastep	03821dc22c	Process routestopped file during 'check'	2009-09-03 19:27:25 -07:00
Tom Eastep	76d9a80df3	A small optimization on the last restriction removal	2009-09-03 18:26:50 -07:00
Tom Eastep	84bff13e7f	Apply 4.4.1.2 fix to trunk	2009-09-03 18:25:32 -07:00
Tom Eastep	4a809e14ab	Documentation cleanup	2009-09-03 15:24:19 -07:00
Tom Eastep	f3455b107d	4.4.2 release doc initialization and update	2009-09-03 14:58:46 -07:00
Tom Eastep	df5291e119	Apply initialization fix to master branch	2009-09-03 14:54:47 -07:00
Tom Eastep	015d4f58ce	Allow moving rules with commands	2009-09-03 14:11:44 -07:00
Tom Eastep	4412a05a70	Fix detection of PERSISTENT_SNAT	2009-09-03 13:56:00 -07:00