Update version

Fix 'routeback' in routestopped (again)
Fix 'routeback' in /etc/shorewall/routestopped
2009-10-03 11:42:39 -07:00 · 2009-10-03 11:40:38 -07:00 · 2009-10-03 10:05:53 -07:00 · 2009-10-02 07:36:09 -07:00 · 2009-10-01 15:02:14 -07:00 · 2009-10-01 12:34:34 -07:00
48 changed files with 2028 additions and 712 deletions
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.4.1
+%define version 4.4.2
 %define release 2
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,10 +98,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
+- Updated to 4.4.2-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+- Updated to 4.4.2-1
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this colume:
+#			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,6 +304,100 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
 #	MARK		Specifies a MARK value to match. Must be empty or 
 #			'-' if the macro is to be used within an action.
 #			
 #				[!]value[/mask][:C]
 #
 #    			Defines a test on the existing packet or connection
 #			mark. The rule will match only if the test returns
 #			true.
 #
 #    			If you don't want to define a test but need to
 #			specify anything in the following columns,
 #			place a "-" in this field.
 #
 #    			!
 #
 #				Inverts the test (not equal)
 #
 #    			value
 #
 #				Value of the packet or connection mark.
 #
 #  			mask
 #
 #				A mask to be applied to the mark before
 #				testing.
 #
 #    			:C
 #
 #				Designates a connection mark. If omitted, the
 #				packet mark's value is tested.
 #
 #	CONNLIMIT	Must be empty or '-' if the macro is to be used within
 #			an action.
 #
 #				[!]limit[:mask]
 #
 #			May be used to limit the number of simultaneous
 #			connections from each individual host to limit 
 #			connections. Requires connlimit match in your kernel
 #			and iptables. While the limit is only checked on rules
 #			specifying CONNLIMIT, the number of current connections
 #			is calculated over all current connections from the
 #			SOURCE host. By default, the limit is applied to each
 #			host but can be made to apply to networks of hosts by
 #			specifying a mask. The mask specifies the width of a
 #			VLSM mask to be applied to the source address; the
 #			number of current connections is then taken over all
 #			hosts in the subnet source-address/mask. When ! is
 #			specified, the rule matches when the number of
 #			connection exceeds the limit.
 #
 #	TIME		Must be empty or '-' if the macro is to be used within
 #			an action.
 #
 #
 #				<timeelement>[&...]
 #
 #			timeelement may be:
 #
 #    				timestart=hh:mm[:ss]
 #
 #					Defines the starting time of day.
 #
 #    				timestop=hh:mm[:ss]
 #
 #					Defines the ending time of day.
 #
 #    				utc
 #
 #					Times are expressed in Greenwich Mean
 #					Time.
 #
 #    				localtz
 #
 #					Times are expressed in Local Civil Time
 #					(default).
 #
 #    				weekdays=ddd[,ddd]...
 #
 #					where ddd is one of Mon, Tue, Wed, Thu,
 #					Fri, Sat or Sun
 #
 #    				monthdays=dd[,dd],...
 #
 #					where dd is an ordinal day of the month#
 #
 #    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
 #
 #					Defines the starting date and time.
 #
 #    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
 #
 #					Defines the ending date and time.
 #
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -47,6 +47,7 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
 		  map_old_actions
 		  %usedactions
 		  %default_actions
@@ -56,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -85,6 +86,8 @@ our %macros;
 our $family;
 our @builtins;
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -111,6 +114,12 @@ sub initialize( $ ) {
    %actions         = ();
    %logactionchains = ();
    %macros          = ();
    if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
    } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
    }
 }
 #
@@ -264,6 +273,34 @@ sub add_requiredby ( $$ ) {
    $actions{$requires}{requires}{$requiredby} = 1;
 }
 #
 # Map pre-3.0 actions to the corresponding Macro invocation
 #
 sub find_old_action ( $$$ ) {
    my ( $target, $macro, $param ) = @_;
    if ( my $actiontype = find_macro( $macro ) ) {
 	( $macro, $actiontype , $param );
    } else {
 	( $target, 0, '' );
    }
 }
 sub map_old_actions( $ ) {
    my $target = shift;
    if ( $target =~ /^Allow(.*)$/ ) {
 	find_old_action( $target, $1, 'ACCEPT' );
    } elsif ( $target =~ /^Drop(.*)$/ ) {
 	find_old_action( $target, $1, 'DROP' );
    } elsif ( $target = /^Reject(.*)$/ ) {
 	find_old_action( $target, $1, 'REJECT' );
    } else {
 	( $target, 0, '' );
    }
 }
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
@@ -302,7 +339,7 @@ sub createlogactionchain( $$ ) {
    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
 	my $file = find_file $chain;
@@ -328,7 +365,7 @@ sub createsimpleactionchain( $ ) {
    $logactionchains{"$action:none"} = $chainref;
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
 	my $file = find_file $action;
@@ -413,8 +450,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
 # ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -476,10 +514,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
    progress_message2 "Preprocessing Action Files...";
-
+    #
-    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
+    # Add built-in actions to the target table and create those actions
-	new_action $act;
+    #
-    }
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -515,7 +553,7 @@ sub process_actions1() {
 	    while ( read_a_line ) {
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
 		process_action1( $action, $wholetarget );
@@ -552,8 +590,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$ ) {
+sub process_action( $$$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
    my ( $action , $level ) = split_action $target;
@@ -571,7 +609,7 @@ sub process_action( $$$$$$$$$$ ) {
    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -584,8 +622,8 @@ sub process_action( $$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$ ) {
+sub process_macro3( $$$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
    my $nocomment = no_comment;
@@ -601,12 +639,14 @@ sub process_macro3( $$$$$$$$$$$ ) {
    while ( read_a_line ) {
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
 	    $morigdest = '-';
 	    $mmark     = '-';
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}
 	if ( $mtarget eq 'COMMENT' ) {
@@ -620,8 +660,6 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	    next;
 	}
 	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -662,8 +700,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
 	$mmark   = merge_macro_column $mmark,   $mark;
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
    }
    pop_open;
@@ -688,7 +727,7 @@ sub process_action3( $$$$$ ) {
    while ( read_a_line ) {
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -712,9 +751,9 @@ sub process_action3( $$$$$ ) {
 	}
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -74,7 +74,6 @@ our %EXPORT_TAGS = (
 				       initialize_chain_table
 				       add_commands
 				       move_rules
 				       move_rules1
 				       insert_rule1
 				       purge_jump
 				       add_tunnel_rule
@@ -166,7 +165,7 @@ our %EXPORT_TAGS = (
 Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 #
 # Chain Table
@@ -247,6 +246,7 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
 our $idiotcount1;
 our $global_variables;
@@ -272,11 +272,11 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 #
-# Mode of the generator.
+# Mode of the emitter.
 #
-use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
+use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
-	       CAT_MODE  => 1 ,   # Generating iptables-restore input
+	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
-	       CMD_MODE  => 2 };  # Generating shell commands.
+	       CMD_MODE  => 2 };  # Emitting shell commands.
 our $mode;
@@ -356,6 +356,7 @@ sub initialize( $ ) {
    $global_variables   = 0;
    $idiotcount         = 0;
    $idiotcount1        = 0;
 }
@@ -423,19 +424,16 @@ sub add_commands ( $$;@ ) {
 }
 sub push_rule( $$ ) {
-    my ($chainref, $rule) = @_;
+    my $chainref = $_[0];
    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);
    $rule .= qq( -m comment --comment "$comment") if $comment;
    if ( $chainref->{cmdlevel} ) {
 	$rule =~ s/"/\\"/g; #Must preserve quotes in the rule
-	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
+	add_commands $chainref , qq(echo "$rule" >&3);
    } else {
-	#
+	push @{$chainref->{rules}}, $rule;
 	# We omit the chain name for now -- this makes it easier to move rules from one
 	# chain to another
 	#
 	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
 	$chainref->{referenced} = 1;
    }
 }
@@ -607,7 +605,7 @@ sub insert_rule1($$$)
    $rule .= "-m comment --comment \"$comment\"" if $comment;
-    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $rule ) );
+    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $chainref->{name}, $rule ) );
    $iprangematch = 0;
@@ -637,15 +635,18 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
 # The source chain must not have any run-time code included in its rules.
 #
 sub move_rules( $$ ) {
    my ($chain1, $chain2 ) = @_;
    if ( $chain1->{referenced} ) {
 	my @rules = @{$chain1->{rules}};
 	my $name  = $chain1->{name};
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
 	$name =~ s/\+/\\+/;
-	assert( /^-A/ ) for @rules;
+	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;
 	splice @{$chain2->{rules}}, 0, 0, @rules;
@@ -655,29 +656,6 @@ sub move_rules( $$ ) {
    }
 }
 #
 # Like above except it returns 0 if it can't move the rules
 #
 sub move_rules1( $$ ) {
    my ($chain1, $chain2 ) = @_;
    if ( $chain1->{referenced} ) {
 	my @rules = @{$chain1->{rules}};
 	for ( @rules ) {
 	    return 0 unless /^-A/;
 	}
 	splice @{$chain2->{rules}}, 0, 0, @rules;
 	$chain2->{referenced} = 1;
 	$chain1->{referenced} = 0;
 	$chain1->{rules}      = [];
    }
    1;
 }
 #
 # Transform the passed interface name into a legal shell variable name.
 #
@@ -940,7 +918,8 @@ sub ensure_filter_chain( $$ )
    my $chainref = ensure_chain 'filter', $chain;
-    if ( $populate and ! $chainref->{referenced} ) {
+    unless ( $chainref->{referenced} ) {
 	if ( $populate ) {
 	    if ( $section eq 'NEW' or $section eq 'DONE' ) {
 		finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	    } elsif ( $section eq 'RELATED' ) {
@@ -949,6 +928,7 @@ sub ensure_filter_chain( $$ )
 	}
 	$chainref->{referenced} = 1;
    }
    $chainref;
 }
@@ -965,9 +945,25 @@ sub ensure_accounting_chain( $  )
    if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in accounting rule" unless $chainref->{accounting};
    } else {
-	$chainref = new_chain 'filter' , $chain unless $chainref;
+	$chainref = new_chain 'filter' , $chain;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
 	if ( $chain ne 'accounting' ) {
 	    my $file = find_file $chain;
 	    if ( -f $file ) {
 		progress_message "Processing $file...";
 		my ( $level, $tag ) = ( '', '' );
 		unless ( my $return = eval `cat $file` ) {
 		    fatal_error "Couldn't parse $file: $@" if $@;
 		    fatal_error "Couldn't do $file: $!"    unless defined $return;
 		    fatal_error "Couldn't run $file"       unless $return;
 		}
 	    }
 	}
    }
    $chainref;
@@ -1042,7 +1038,6 @@ sub ensure_manual_chain($) {
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
 #
 sub initialize_chain_table()
 {
    if ( $family == F_IPV4 ) {
@@ -1069,15 +1064,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'dropBcast'       => BUILTIN  + ACTION,
 		    'allowBcast'      => BUILTIN  + ACTION,
 		    'dropNotSyn'      => BUILTIN  + ACTION,
 		    'rejNotSyn'       => BUILTIN  + ACTION,
 		    'dropInvalid'     => BUILTIN  + ACTION,
 		    'allowInvalid'    => BUILTIN  + ACTION,
 		    'allowinUPnP'     => BUILTIN  + ACTION,
 		    'forwardUPnP'     => BUILTIN  + ACTION,
 		    'Limit'           => BUILTIN  + ACTION,
 		   );
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1119,12 +1105,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'dropBcast'       => BUILTIN  + ACTION,
 		    'allowBcast'      => BUILTIN  + ACTION,
 		    'dropNotSyn'      => BUILTIN  + ACTION,
 		    'rejNotSyn'       => BUILTIN  + ACTION,
 		    'dropInvalid'     => BUILTIN  + ACTION,
 		    'allowInvalid'    => BUILTIN  + ACTION,
 		   );
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1551,12 +1531,14 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 	my $limit = "-m hashlimit ";
 	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-burst $6 --hashlimit-name ";
+	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} else {
@@ -2481,7 +2463,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
 	    if ( $chainref->{table} eq 'nat' ) {
 		warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
 	    } else {
 		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
 	    }
 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
@@ -2839,14 +2826,15 @@ sub expand_rule( $$$$$$$$$$;$ )
 }
 #
-# The following code generates the input to iptables-restore
+# The following code generates the input to iptables-restore from the contents of the
 # @rules arrays in the chain table entries.
 #
 # We always write the iptables-restore input into a file then pass the
 # file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain rules (begin with '-A') or shell source. We alternate between
+# table entry may contain both rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be passed to iptables-restore
 # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
@@ -2866,15 +2854,14 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $$ ) {
+sub emitr( $ ) {
-    my ( $name, $rule ) = @_;
+    if ( my $rule = $_[0] ) {
-
+	if ( substr( $rule, 0, 2 ) eq '-A' ) {
    if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
 	    #
 	    # A rule
 	    #
 	    enter_cat_mode unless $mode == CAT_MODE;
-	emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
+	    emit_unindented $rule;
 	} else {
 	    #
 	    # A command
@@ -2882,17 +2869,16 @@ sub emitr( $$ ) {
 	    enter_cmd_mode unless $mode == CMD_MODE;
 	    emit $rule;
 	}
    }
 }
 #
 # Simple version that only handles rules
 #
-sub emitr1( $$ ) {
+sub emitr1( $ ) {
-    my ( $name, $rule ) = @_;
+    my $rule = $_[0];
-    assert( substr( $rule, 0, 2 ) eq '-A' );
+    emit_unindented $rule;
    emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
 }
 #
@@ -2968,7 +2954,7 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} );
+	    emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
 	}
 	#
 	# Commit the changes to the table
@@ -3077,7 +3063,7 @@ sub create_chainlist_reload($) {
 		#
 		# Emit the chain rules
 		#
-		emitr $chain, $_ for ( grep defined $_, @rules );
+		emitr $_ for ( grep defined $_, @rules );
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3182,7 +3168,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $chainref->{name}, $_ for @{$chainref->{rules}};
+	    emitr1 $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 our $export;
@@ -589,8 +589,6 @@ sub compiler {
    #
    get_configuration( $export );
    initialize_chain_table;
    report_capabilities;
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@@ -604,6 +602,11 @@ sub compiler {
    } else {
 	set_command( 'check', 'Checking', 'Checked' );
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table;
    #
    # Allow user to load Perl modules
@@ -792,20 +795,17 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
    } else {
 	enable_object;
    }
    #                               S T O P _ F I R E W A L L
    #             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
 	#
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
 	compile_stop_firewall( $test );
    if ( $objectfile ) {
 	#
 	# Copy the footer to the object
 	#
@@ -827,6 +827,18 @@ sub compiler {
 	#
 	enable_object, generate_aux_config if $export;
    } else {
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
 	#
 	# compile_stop_firewall() also validates the routestopped file. Since we don't
 	# call that function during 'check', we must validate routestopped here.
 	#
 	process_routestopped;
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
 	} else {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -242,6 +242,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@@ -327,8 +328,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.1.2",
+		    VERSION => "4.4.2.2",
-		    CAPVERSION => 40401 ,
+		    CAPVERSION => 40402 ,
 		  );
    #
@@ -614,6 +615,7 @@ sub initialize( $ ) {
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
 	       );
    #
@@ -1592,11 +1594,16 @@ sub read_a_line() {
 	    #
 	    s/^\s*// if $currentline =~ /[,:]$/;
 	    #
 	    # If this isn't a continued line, remove trailing comments. Note that
 	    # the result may now end in '\'.
 	    #
 	    s/\s*#.*$// unless /\\$/;
 	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
 	    #
-	    # Remove Trailing Comments -- result might be a blank line
+	    # Now remove concatinated comments
 	    #
 	    $currentline =~ s/#.*$//;
 	    #
@@ -2022,6 +2029,15 @@ sub determine_capabilities( $ ) {
    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
    $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
    if ( $capabilities{HASHLIMIT_MATCH} ) {
 	$capabilities{OLD_HL_MATCH} = '';
    } else {
 	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
 	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
    }
    if  ( $capabilities{MANGLE_ENABLED} ) {
 	qt1( "$iptables -t mangle -N $sillyname" );
@@ -2066,7 +2082,6 @@ sub determine_capabilities( $ ) {
    $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
    $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
    $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
    $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
    $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
    $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
@@ -2246,6 +2261,14 @@ sub unsupported_yes_no( $ ) {
    fatal_error "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }
 sub unsupported_yes_no_warning( $ ) {
    my $option = shift;
    default_yes_no $option, '';
    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2345,14 +2368,14 @@ sub get_configuration( $ ) {
    default_yes_no 'BLACKLISTNEWONLY'           , '';
    default_yes_no 'DISABLE_IPV6'               , '';
-    unsupported_yes_no 'DYNAMIC_ZONES';
+    unsupported_yes_no_warning 'DYNAMIC_ZONES';
    unsupported_yes_no         'BRIDGING';
-    unsupported_yes_no 'SAVE_IPSETS';
+    unsupported_yes_no_warning 'SAVE_IPSETS';
-    unsupported_yes_no 'MAPOLDACTIONS';
+    unsupported_yes_no_warning 'RFC1918_STRICT';
    unsupported_yes_no 'RFC1918_STRICT';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 our @addresses_to_add;
 our %addresses_to_add;
@@ -104,7 +104,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $origaddresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -208,9 +208,7 @@ sub process_one_masq( )
 	#
 	# Parse the ADDRESSES column
 	#
-	if ( $origaddresses ne '-' ) {
+	if ( $addresses ne '-' ) {
 	    my $addresses = $origaddresses;
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
@@ -228,7 +226,7 @@ sub process_one_masq( )
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
 				      '',
-				      qq(if [ "$variable" != 0.0.0.0 ]; then) );
+				      "if [ \"$variable\" != 0.0.0.0 ]; then" );
 			incr_cmd_level( $chainref );
 			$detectaddress = 1;
 		    }
@@ -241,7 +239,7 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
@@ -286,7 +284,7 @@ sub process_one_masq( )
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-	    for my $address ( split_list $origaddresses, 'address' ) {
+	    for my $address ( split_list $addresses, 'address' ) {
 		my ( $addrs, $port ) = split /:/, $address;
 		next unless $addrs;
 		next if $addrs eq 'detect';
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -455,10 +455,10 @@ sub add_a_provider( ) {
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
    }
@@ -864,12 +864,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcpre //;
 		    add_rule $chainref, $rule1;
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
@@ -896,12 +896,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcout //;
 		    add_rule $chainref, $rule1;
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -40,11 +40,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
 		  process_routestopped
 		  generate_matrix
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 #
 # Set to one if we find a SECTION
@@ -329,6 +330,8 @@ sub process_routestopped() {
 	}
 	unless ( $options eq '-' ) {
 	    my $chainref = $filter_table->{FORWARD};
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
@@ -340,7 +343,7 @@ sub process_routestopped() {
 			    my $source = match_source_net $host;
 			    my $dest   = match_dest_net   $host;
-			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
+			    add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
 			    clearrule;
 			}
 		    }
@@ -776,6 +779,9 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
    } else {
 	#
 	# Phase II
 	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -848,12 +854,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
    while ( read_a_line ) {
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
 	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
 	}
 	if ( $mtarget eq 'COMMENT' ) {
@@ -867,8 +874,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
 	$mtarget = merge_levels $target, $mtarget;
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -920,9 +925,9 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      merge_macro_column( $morigdest,  $origdest ) ,
 		      merge_macro_column( $mrate,      $rate ) ,
 		      merge_macro_column( $muser,      $user ) ,
-		      $mark,
+		      merge_macro_column( $mmark,      $mark ) ,
-		      $connlimit,
+		      merge_macro_column( $mconnlimit, $connlimit) ,
-		      $time,
+		      merge_macro_column( $mtime,      $time ),
 		      $wildcard
 		     );
@@ -959,6 +964,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    #
    my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
    if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless ( $actiontype || $param );
    }
    fatal_error "Unknown action ($action)" unless $actiontype;
    if ( $actiontype == MACRO ) {
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,18 +1,44 @@
-Changes in Shorewall 4.4.1.3
+Changes in Shorewall 4.4.2.2
-1)  Process routestopped during 'check'
+1)  Another fix for 'routeback' in routestopped.
-2)  Apply Jesse Shrieve's patch for SNAT range.
+Changes in Shorewall 4.4.2.1
-Changes in Shorewall 4.4.1.2
+1)  Fix 'routeback' in routestopped.
-1)  Re-initialize chain table before generating 'stop_firewall()'
+Changes in Shorewall 4.4.2
-Changes in Shorewall 4.4.1.1
+1)  BUGFIX: Correct detection of Persistent SNAT support
-1)  Fixed detection of Persistent SNAT
+2)  BUGFIX: Fix chain table initialization
-2)  Fix compiler initialization fiasco.
+3)  BUGFIX: Validate routestopped file on 'check'
 4)  Let the Actions module add the builtin actions to
    %Shorewall::Chains::targets. Much better modularization that way.
 5)  Some changes to make Lenny->Squeeze less painful.
 6)  Allow comments at the end of continued lines.
 7)  Call process_routestopped() during 'check' rather than
    'compile_stop_firewall()'.
 8)  Don't look for an extension script for built-in actions.
 9)  Apply Jesse Shrieve's patch for SNAT range.
 10) Add -<family> to 'ip route del default' command.
 11) Add three new columns to macro body.
 12) Change 'wait4ifup' so that it requires no PATH
 13) Allow extension scripts for accounting chains.
 14) Allow per-ip LIMIT to work on ancient iptables releases.
 15) Add 'MARK' column to action body.
 Changes in Shorewall 4.4.1
@@ -63,7 +89,7 @@ Changes in Shorewall 4.4.0
 5)  Fix 'upnpclient' with required interfaces.
-5)  Fix provider number in masq file.
+6)  Fix provider number in masq file.
 Changes in Shorewall 4.4.0-RC2
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
@@ -453,6 +453,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
 # Install the findgw file
 #
 run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
 if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
 fi
 #
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -783,6 +792,11 @@ cd ..
 echo "Man Pages Installed"
 if [ -z "$PREFIX" ]; then
    rm -rf /usr/share/shorewall-perl
    rm -rf /usr/share/shorewall-shell
 fi
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,22 +1,16 @@
-1)  The compiler's detection of Persistent SNAT support is broken.
+1)  'shorewall check' produces an internal error if 'routeback' appears
    in /etc/shorewall/routestopped.
-    Fixed in Shorewall 4.4.1.1
+    You can work around this problem by using 'source' rather than
    'routeback'.
-2)  Initialization of the compiler's chain table was broken in ways
+    Corrected in Shorewall 4.4.2.1.
    that prevented some features from working.
-    Fixed in Shorewall 4.4.1.1
+2)  'routestopped' appearing in /etc/shorewall/routestopped doesn't
    work (routeback traffic is not allowed).
-3)  Initialization of the compiler's chain table was still broken.
+    You can work around this problem by using 'source' rather than
    'routeback'.
-    Fixed in Shorewall 4.4.1.2.
+    Corrected in Shorewall 4.4.2.2.
 4)  It is currently not possible to specify an address range in the
    ADDRESS column of /etc/shorewall/masq.
    Fixed in Shorewall 4.4.1.3.
 5)  The routestopped file is not being verified by 'shorewall check'.
    Fixed in Shorewall 4.4.1.3.
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -30,7 +30,7 @@
 #
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40402
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -945,7 +945,11 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
    if [ -z "$HASHLIMIT_MATCH" ]; then
 	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi	
    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1011,6 +1015,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
 	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1069,6 +1074,7 @@ report_capabilities1() {
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.4.1 patch release 3
+Shorewall 4.4.2 Patch Release 1.
 ----------------------------------------------------------------------------
               R E L E A S E  4 . 4  H I G H L I G H T S
@@ -66,10 +66,9 @@ Shorewall 4.4.1 patch release 3
       WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                support has been removed in this release.
-    b) Review the incompatibilities between Shorewall-shell and
+    b) Review the migration issues at
-       Shorewall-perl at
+       http://www.shorewall.net/LennyToSqueeze.html and make changes as
-       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
+       required.
       and make changes to your configuration as necessary.
    We strongly recommend that you migrate to Shorewall-perl on your
    current Shorewall version before upgrading to Shorewall 4.4.0. That
@@ -105,7 +104,7 @@ Shorewall 4.4.1 patch release 3
             starts/restarts
    To avoid this warning, replace interface names by the corresponding
-    network addresses (e.g., 192.168.144.0/24).
+    network(s) in CIDR format (e.g., 192.168.144.0/24).
 6)  Previously, Shorewall has treated traffic shaping class IDs as
    decimal numbers (or pairs of decimal numbers). That worked fine
@@ -171,62 +170,71 @@ Shorewall 4.4.1 patch release 3
    then it may have no additional members in /etc/shorewall/hosts.
 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 3
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 2
 ----------------------------------------------------------------------------
 1)  The routestopped file wasn't verified during 'shorewall check' and
    'shorewall6 check'.
-2)  Previously, it was not possible to specify an IP address range in
+1)  'routeback' in /etc/shorewall/routestopped was ineffective.
 ----------------------------------------------------------------------------
        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 1
 ----------------------------------------------------------------------------
 1)  'shorewall check' produced an internal error if 'routeback' was
    specified in /etc/shorewall/routestopped.
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
 ----------------------------------------------------------------------------
 1)  Detection of Persistent SNAT was broken in the rules compiler. 
 2)  Initialization of the compiler's chain table was occurring before 
    shorewall.conf had been read and before the capabilities had been
    determined. This could lead to incorrect rules and Perl runtime
    errors.
 3)  The 'shorewall check' command previously did not detect errors in
    /etc/shorewall/routestopped.
 4)  In earlier versions, if a file with the same name as a built-in
    action were present in the CONFIG_PATH, then the compiler would
    process that file like it was an extension script.
    The compiler now ignores the presence of such files.
 5)  Several configuration issues which previously produced an error or
    warning are now handled differently.
    a)  MAPOLDACTIONS=Yes and MAPOLDACTIOSN= in shorewall.conf are now
        handled as they were by the old shell-based compiler. That is,
        they cause pre-3.0 built-in actions to be mapped automatically
        to the corresponding macro invocation.
    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
        warning.
    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
        a warning.
    d)  RFC1918_STRICT=Yes no loger produces a fatal error -- it is now
        a warning.
 6)  Previously, it was not possible to specify an IP address range in
    ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee Shrieve
    for the patch.
----------------------------------------------------------------------------
+7)  The 'wait4ifup' script included for Debian compatibility now runs
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
+    correctly with no PATH.
 ----------------------------------------------------------------------------
 1)  The compiler's chain table was not being re-initialized prior to
    creating the stop_firewall() function, resulting in Perl run-time
    errors.
 ----------------------------------------------------------------------------
        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
 ----------------------------------------------------------------------------
 1)  Detection of Persistent SNAT support was broken in the compiler.
-2)  Initialization of the compiler's chain table was broken in ways
+8)  The new per-IP LIMIT feature now works with ancient iptables
-    that made some features not work and that caused Perl runtime errors.
+    releases (e.g., 1.3.5 as found on RHEL 5). This change required
    testing for an additional capability which means that those who use
    a capabilities file should regenerate that file after installing
    4.4.2.
----------------------------------------------------------------------------
+9)  One unintended difference between Shorewall-shell and
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
+    Shorewall-perl was that Shorewall-perl did not support the MARK
----------------------------------------------------------------------------
+    column in action bodies. This has been corrected.
 1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
    rules at the end of the INPUT and OUTPUT chains would still use the
    LOG target rather than ULOG.
 2)  Using CONTINUE policies with a nested IPSEC zone was still broken
    in some cases.
 3)  The setting of IP_FORWARDING has been change to Off in the
    one-interface sample configuration since forwarding is typically
    not required with only a single interface.
 4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
    incorrectly exempted from ACCEPT policies.
 5)  Previously, the definition of a zone that specified "nets=" in
    /etc/shorewall/interfaces could not be extended by entries in
    /etc/shorewall/hosts.
 6)  Previously, "nets=" could be specified in a multi-zone interface
    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
    now raises a fatal compilation error.
 7)  MULTICAST=Yes generates an incorrect rule that limits its
    effectiveness to a small part of the multicast address space.
 8)  Checking for zone membership has been tighened up. Previously, 
    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.
 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
@@ -235,66 +243,41 @@ Shorewall 4.4.1 patch release 3
 None.
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 1
+                N E W   F E A T U R E S   I N   4 . 4 . 2
 ----------------------------------------------------------------------------
-1)  To replace the SAME keyword in /etc/shorewall/masq, support has
+1)  Prior to this release, line continuation has taken precedence over 
-    been added for 'persistent' SNAT. Persistent SNAT is required when
+    #-style comments. This prevented us from doing the following:
    an address range is specified in the ADDRESS column and when you
    want a client to always receive the same source/destination IP
    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
-    To specify persistence, follow the address range with
+    	    ACCEPT    net:206.124.146.176,\   #Gateway
-    ":persistent".
+	    	          206.124.146.177,\   #Mail
 			  206.124.146.178\    #Server
 			  		      ...
-    Example:
+    Now, unless a line ends with '\', any trailing comment is stripped
    off (including any white-space preceding the '#'). Then if the line
    ends with '\', it is treated as a continuation line as normal.
-    #INTERFACE	SOURCE	   ADDRESS
+2)  Three new columns have been added to FORMAT-2 macro bodies.
    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
-    This feature requires Persistent SNAT support in your kernel and
+    	  MARK
-    iptables. 
+	  CONNLIMIT
 	  TIME
-    If you use a capabilities file, you will need to create a new one
+    These three columns correspond to the similar columns in
-    as a result of this feature.
+    /etc/shorewall/rules and must be empty in macros invoked from an
    action.
-    WARNING: Linux kernels beginning with 2.6.29 include persistent
+3)  Accounting chains may now have extension scripts. Simply place your
-    SNAT support. If your iptables supports persistent SNAT but your
+    Perl script in the file /etc/shorewall/<chain> and when the
-    kernel does not, there is no way for Shorewall to determine that
+    accounting chain named <chain> is created, your script will be
-    persistent SNAT isn't going to work. The kernel SNAT code blindly
+    invoked.
    accepts all SNAT flags without verifying them and returns them to
    iptables when asked.
-2)  A 'clean' target has been added to the Makefiles. It removes backup
+    As usual, the variable $chainref will contain a reference to the
-    files (*~ and .*~). 
+    chain's table entry.
 3)  The meaning of 'full' has been redefined when used in the context
    of a traffic shaping sub-class. Previously, 'full' always meant the
    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
    that definition is awkward to use because the sub-class is limited
    by the parent class.
    Beginning with this release, 'full' in a sub-class definition
    refers to the specified rate defined for the parent class. So
    'full' used in the RATE column refers to the parent class's RATE;
    when used in the CEIL column, 'full' refers to the parent class's
    CEIL.
    As part of this change, the compiler now issues a warning if the
    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
    the device. Similarly, a warning is issued if the sum of the RATEs
    of a class's sub-classes exceeds the rate of the CLASS.
 4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
    /etc/shorewall/interfaces, multicast traffic will now be sent to
    the zone along with limited broadcasts.
 5)  A flaw in the parsing logic for the zones file allowed most zone
    types containing the character string 'ip' to be accepted as a
    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
 ----------------------------------------------------------------------------
-                 N E W   F E A T U R E S   I N   4 . 4
+                N E W   F E A T U R E S   I N   4 . 4 . 0
 ----------------------------------------------------------------------------
 1)  The Shorewall packaging has been completely revamped in Shorewall
@@ -942,3 +925,96 @@ None.
    the iptables utility is discovered using the PATH setting, then
    ip6tables in the same directory as the discovered iptables will be
    used.
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
 ----------------------------------------------------------------------------
 1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
    rules at the end of the INPUT and OUTPUT chains would still use the
    LOG target rather than ULOG.
 2)  Using CONTINUE policies with a nested IPSEC zone was still broken
    in some cases.
 3)  The setting of IP_FORWARDING has been change to Off in the
    one-interface sample configuration since forwarding is typically
    not required with only a single interface.
 4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
    incorrectly exempted from ACCEPT policies.
 5)  Previously, the definition of a zone that specified "nets=" in
    /etc/shorewall/interfaces could not be extended by entries in
    /etc/shorewall/hosts.
 6)  Previously, "nets=" could be specified in a multi-zone interface
    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
    now raises a fatal compilation error.
 7)  MULTICAST=Yes generates an incorrect rule that limits its
    effectiveness to a small part of the multicast address space.
 8)  Checking for zone membership has been tighened up. Previously, 
    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 1
 ----------------------------------------------------------------------------
 1)  To replace the SAME keyword in /etc/shorewall/masq, support has
    been added for 'persistent' SNAT. Persistent SNAT is required when
    an address range is specified in the ADDRESS column and when you
    want a client to always receive the same source/destination IP
    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
    To specify persistence, follow the address range with
    ":persistent".
    Example:
    #INTERFACE	SOURCE	   ADDRESS
    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
    This feature requires Persistent SNAT support in your kernel and
    iptables. 
    If you use a capabilities file, you will need to create a new one
    as a result of this feature.
    WARNING: Linux kernels beginning with 2.6.29 include persistent
    SNAT support. If your iptables supports persistent SNAT but your
    kernel does not, there is no way for Shorewall to determine that
    persistent SNAT isn't going to work. The kernel SNAT code blindly
    accepts all SNAT flags without verifying them and returns them to
    iptables when asked.
 2)  A 'clean' target has been added to the Makefiles. It removes backup
    files (*~ and .*~). 
 3)  The meaning of 'full' has been redefined when used in the context
    of a traffic shaping sub-class. Previously, 'full' always meant the
    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
    that definition is awkward to use because the sub-class is limited
    by the parent class.
    Beginning with this release, 'full' in a sub-class definition
    refers to the specified rate defined for the parent class. So
    'full' used in the RATE column refers to the parent class's RATE;
    when used in the CEIL column, 'full' refers to the parent class's
    CEIL.
    As part of this change, the compiler now issues a warning if the
    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
    the device. Similarly, a warning is issued if the sum of the RATEs
    of a class's sub-classes exceeds the rate of the CLASS.
 4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
    /etc/shorewall/interfaces, multicast traffic will now be sent to
    the zone along with limited broadcasts.
 5)  A flaw in the parsing logic for the zones file allowed most zone
    types containing the character string 'ip' to be accepted as a
    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
+#       For a list of supported commands, type 'shorewall help'
 #	firewall is automatically stopped.
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
+#####################################################################################################
 #	files are included with the firewall.
 #
 #	Commands are:
 #
 #          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
 #          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
 #          shorewall dump                          Dumps all Shorewall-related information
 #                                                  for problem analysis
 #	   shorewall start 			   Starts the firewall
 #	   shorewall restart			   Restarts the firewall
 #	   shorewall stop			   Stops the firewall
 #	   shorewall status			   Displays firewall status
 #	   shorewall reset			   Resets iptables packet and
 #						   byte counts
 #	   shorewall clear			   Open the floodgates by
 #						   removing all iptables rules
 #						   and setting the three permanent
 #						   chain policies to ACCEPT
 #	   shorewall refresh			   Rebuild the common chain to
 #						   compensate for a change of
 #						   broadcast address on any "detect"
 #						   interface.
 #	   shorewall [re]load [ <directory> ] <system>
 #						   Compile a script and install it on a
 #						   remote Shorewall Lite system.
 #	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
 #          shorewall show actions                  Displays the available actions
 #	   shorewall show log			   Print the last 20 log messages
 #	   shorewall show connections		   Show the kernel's connection
 #						   tracking table
 #	   shorewall show nat			   Display the rules in the nat table
 #	   shorewall show {mangle|tos}		   Display the rules in the mangle table
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
 #          shorewall show capabilities             Display iptables/kernel capabilities
 #          shorewall show vardir                   Display the VARDIR setting.
 #	   shorewall version			   Display the installed version id
 #	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
 #	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
 #						   it doesn't work, revert to the
 #						   standard one. If a timeout is supplied
 #						   the command reverts back to the
 #						   standard configuration after that many
 #						   seconds have elapsed after successfully
 #						   starting the new configuration.
 #	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
 #						   messages.
 #	   shorewall drop <address> ...		   Temporarily drop all packets from the
 #						   listed address(es)
 #	   shorewall reject <address> ...	   Temporarily reject all packets from the
 #						   listed address(es)
 #	   shorewall allow <address> ...	   Reenable address(es) previously
 #						   disabled with "drop" or "reject"
 #	   shorewall save [ <file> ]		   Save the list of "rejected" and
 #						   "dropped" addresses so that it will
 #						   be automatically reinstated the
 #						   next time that Shorewall starts.
 #                                                  Save the current state so that 'shorewall
 #                                                  restore' can be used.
 #
 #          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
 #
 #          shorewall restore [ <file> ]            Restore the state of the firewall from
 #                                                  previously saved information.
 #
 #          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
 #
 #                                                  Displays information about the network
 #                                                  defined by the argument[s]
 #
 #          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
 #                                                  a list of network/host addresses.
 #
 #          shorewall ipdecimal { <address> | <integer> }
 #
 #                                                  Displays the decimal equivalent of an IP
 #                                                  address and vice versa.
 #
 #          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
 #                                                  confirmation to accept or reject the new
 #                                                  configuration
 #
 #          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
 #                                                  confirmation to accept or reject the new
 #                                                  configuration
 #
 #          shorewall compile [ -e ] [ <directory> ] <filename>
 #                                                  Compile a firewall program file.
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -123,7 +33,6 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
 #
 get_config() {
    local prog
@@ -275,7 +184,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,5 +1,5 @@
 %define name shorewall
-%define version 4.4.1
+%define version 4.4.2
 %define release 2
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -104,10 +104,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
+- Updated to 4.4.2-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+- Updated to 4.4.2-1
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall/wait4ifup
+++ b/Shorewall/wait4ifup
@@ -33,7 +33,7 @@
 #
 interface_is_up() {
-    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }
 case $# in
@@ -51,7 +51,7 @@ esac
 while [ $timeout -gt 0 ]; do
    interface_is_up $1 && exit 0
-    sleep 1
+    /bin/sleep 1
    timeout=$(( $timeout - 1 ))
 done
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall6-lite
-%define version 4.4.1
+%define version 4.4.2
 %define release 2
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
@@ -89,10 +89,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
+- Updated to 4.4.2-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+- Updated to 4.4.2-1
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40402
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -853,7 +853,11 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
    if [ -z "$HASHLIMIT_MATCH" ]; then
 	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
    fi	
    qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -917,6 +921,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
 	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -972,6 +977,7 @@ report_capabilities1() {
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
+#       For a list of supported commands, type 'shorewall6 help'
 #	firewall is automatically stopped.
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
+################################################################################################
 #	files are included with the firewall.
 #
 #	Commands are:
 #
 #          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
 #          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
 #          shorewall6 dump                         Dumps all Shorewall6-related information
 #                                                  for problem analysis
 #	   shorewall6 start 			   Starts the firewall
 #	   shorewall6 restart			   Restarts the firewall
 #	   shorewall6 stop			   Stops the firewall
 #	   shorewall6 status			   Displays firewall status
 #	   shorewall6 reset			   Resets ip6tables packet and
 #						   byte counts
 #	   shorewall6 clear			   Open the floodgates by
 #						   removing all ip6tables rules
 #						   and setting the three permanent
 #						   chain policies to ACCEPT
 #	   shorewall6 refresh			   Rebuild the common chain to
 #						   compensate for a change of
 #						   broadcast address on any "detect"
 #						   interface.
 #	   shorewall6 [re]load [ <directory> ] <system>
 #						   Compile a script and install it on a
 #						   remote Shorewall6 Lite system.
 #	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
 #          shorewall6 show actions                 Displays the available actions
 #	   shorewall6 show log			   Print the last 20 log messages
 #	   shorewall6 show connections		   Show the kernel's connection
 #						   tracking table
 #	   shorewall6 show nat			   Display the rules in the nat table
 #	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
 #	   shorewall6 show tc			   Display traffic control info
 #	   shorewall6 show classifiers		   Display classifiers
 #          shorewall6 show capabilities            Display ip6tables/kernel capabilities
 #          shorewall6 show vardir                  Display the VARDIR setting.
 #	   shorewall6 version			   Display the installed version id
 #	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
 #	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
 #						   it doesn't work, revert to the
 #						   standard one. If a timeout is supplied
 #						   the command reverts back to the
 #						   standard configuration after that many
 #						   seconds have elapsed after successfully
 #						   starting the new configuration.
 #	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
 #						    messages.
 #	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
 #						   listed address(es)
 #	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
 #						   listed address(es)
 #	   shorewall6 allow <address> ...	   Reenable address(es) previously
 #						   disabled with "drop" or "reject"
 #	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
 #						   "dropped" addresses so that it will
 #						   be automatically reinstated the
 #						   next time that Shorewall6 starts.
 #                                                  Save the current state so that 'shorewall6
 #                                                  restore' can be used.
 #
 #          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
 #
 #          shorewall6 restore [ <file> ]           Restore the state of the firewall from
 #                                                  previously saved information.
 #
 #          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
 #
 #                                                  Displays information about the network
 #                                                  defined by the argument[s]
 #
 #          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
 #                                                  a list of network/host addresses.
 #
 #          shorewall6 ipdecimal { <address> | <integer> }
 #
 #                                                  Displays the decimal equivalent of an IP
 #                                                  address and vice versa.
 #
 #          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
 #                                                  confirmation to accept or reject the new
 #                                                  configuration
 #
 #          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
 #                                                  confirmation to accept or reject the new
 #                                                  configuration
 #
 #          shorewall6 compile [ -e ] [ <directory> ] <filename>
 #                                                  Compile a firewall program file.
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -205,7 +115,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,5 +1,5 @@
 %define name shorewall6
-%define version 4.4.1
+%define version 4.4.2
 %define release 2
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
@@ -93,10 +93,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
+- Updated to 4.4.2-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+- Updated to 4.4.2-1
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.1.2
+VERSION=4.4.2.2
 usage() # $1 = exit status
 {
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -193,17 +193,6 @@ ACCEPT   -              -               tcp     135,139,445
        action begins with a capital letter; that way, the name won't conflict
        with a Shorewall-defined chain name.</para>
        <para>The name of the action may be optionally followed by a colon
        (<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
        named action will become the <emphasis>default action</emphasis> for
        policies of type ACCEPT, DROP or REJECT, respectively. The default
        action is applied immediately before the policy is enforced (before
        any logging is done under that policy) and is used mainly to suppress
        logging of uninteresting traffic which would otherwise clog your logs.
        The same policy name can appear in multiple actions; the last such
        action for each policy name is the one which Shorewall will
        use.</para>
        <para>Shorewall includes pre-defined actions for DROP and REJECT --
        see above.</para>
      </listitem>
@@ -246,8 +235,8 @@ ACCEPT   -              -               tcp     135,139,445
        <para>You may also use a <ulink url="Macros.html">macro</ulink> in
        your action provided that the macro's expansion only results in the
        ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-        <filename>/usr/share/shorewall/Drop</filename> for an example of an
+        <filename>/usr/share/shorewall/action.Drop</filename> for an example
-        action that users macros extensively.</para>
+        of an action that users macros extensively.</para>
      </listitem>
      <listitem>
@@ -506,74 +495,6 @@ ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
    </orderedlist>
    <para>If you define an action <quote>acton</quote> and you have an
    <filename>/etc/shorewall/acton</filename> script, when that script is
    invoked, the following three variables will be set for use by the
    script:</para>
    <itemizedlist>
      <listitem>
        <para>$CHAIN = the name of the chain where your rules are to be
        placed. When logging is used on an action invocation, Shorewall
        creates a chain with a slightly different name from the action
        itself.</para>
      </listitem>
      <listitem>
        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
      </listitem>
      <listitem>
        <para>$TAG = Log Tag.</para>
      </listitem>
    </itemizedlist>
    <para>Example:</para>
    <para><filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION          SOURCE           DEST
 acton:info:test  $FW              net</programlisting>
    <para>Your <filename>/etc/shorewall/acton</filename> file will be run
    with:</para>
    <itemizedlist>
      <listitem>
        <para>$CHAIN=<quote>%acton1</quote></para>
      </listitem>
      <listitem>
        <para>$LEVEL=<quote>info</quote></para>
      </listitem>
      <listitem>
        <para>$TAG=<quote>test</quote></para>
      </listitem>
    </itemizedlist>
    <para>Shorewall-perl sets lexical variables as follows:</para>
    <itemizedlist>
      <listitem>
        <para><emphasis role="bold">$chainref</emphasis> is a reference to the
        chain-table entry for the chain where your rules are to be
        placed.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">$level</emphasis> is the log level. If
        false, no logging was specified.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
      </listitem>
    </itemizedlist>
    <para>For an example of how to use these variablesl, see <ulink
    url="PortKnocking.html">this article</ulink>.</para>
  </section>
  <section id="Extension">
@@ -591,6 +512,29 @@ acton:info:test  $FW              net</programlisting>
    <example id="Example">
      <title>An action to drop all broadcast packets</title>
      <para>If you define an action <quote>acton</quote> and you have an
      <filename>/etc/shorewall/acton</filename> script, the rules compiler
      sets lexical variables as follows:</para>
      <itemizedlist>
        <listitem>
          <para><emphasis role="bold">$chainref</emphasis> is a reference to
          the chain-table entry for the chain where your rules are to be
          placed.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">$level</emphasis> is the log level. If
          false, no logging was specified.</para>
        </listitem>
        <listitem>
          <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
        </listitem>
      </itemizedlist>
      <para>Example:</para>
      <para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
      <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -208,7 +208,8 @@
            <entry><ulink url="Multiple_Zones.html"><ulink
            url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
          </row>
          <row>
@@ -218,7 +219,7 @@
            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>
          <row>
@@ -227,8 +228,7 @@
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
            Creation</ulink></entry>
          </row>
          <row>
@@ -238,8 +238,8 @@
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            DomU</ulink></entry>
+            Creation</ulink></entry>
          </row>
          <row>
@@ -250,8 +250,8 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            Xen Dom0</ulink></entry>
+            DomU</ulink></entry>
          </row>
          <row>
@@ -260,7 +260,8 @@
            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
            Xen Dom0</ulink></entry>
          </row>
          <row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -683,6 +683,15 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
          <para>Using this technique, you will want to configure your
          DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
          time that you get a new IP address.</para>
          <note>
            <para>For optional interfaces, use the function <emphasis
            role="bold">find_first_interface_address_if_any()</emphasis>
            rather than <emphasis
            role="bold">find_first_interface_address()</emphasis>. The former
            will return 0.0.0.0 if the interface has no configured IP address;
            the latter terminates the calling program.</para>
          </note>
        </listitem>
      </itemizedlist>
@@ -802,6 +811,15 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
          save</command> and <command>shorewall[-lite]
          restore</command></ulink>.</para>
        </warning>
        <note>
          <para>For optional interfaces, use the function <emphasis
          role="bold">find_first_interface_address_if_any()</emphasis> rather
          than <emphasis
          role="bold">find_first_interface_address()</emphasis>. The former
          will return 0.0.0.0 if the interface has no configured IP address;
          the latter terminates the calling program.</para>
        </note>
      </section>
      <section id="faq2c">
@@ -1972,6 +1990,35 @@ iptables: Invalid argument
      <filename><ulink
      url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
    </section>
    <section id="faq86">
      <title>(FAQ 86) My distribution (Ubuntu) uses NetworkManager to manage
      my interfaces. I want to specify the upnpclient option for my interfaces
      which requires them to be up and configured when Shorewall starts but
      Shorewall is being started before NetworkManager.</title>
      <para>Answer: I faced a similar problem which I solved as
      follows:</para>
      <itemizedlist>
        <listitem>
          <para>Don't start Shorewall at boot time (Debian and Ubuntu users
          may simply set startup=0 in
          <filename>/etc/default/shorewall</filename>).</para>
        </listitem>
        <listitem>
          <para>In <filename>/etc/network/ip-up.d</filename>, I added a
          <filename>shorewall</filename> script as follows:</para>
          <programlisting>#!/bin/sh
 shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall if it isn't already running</programlisting>
          <para>Be sure to secure the script for execute access.</para>
        </listitem>
      </itemizedlist>
    </section>
  </section>
  <section id="MultiISP">
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -212,8 +212,8 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
    for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts
    192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis>
    as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that
-    192.168.0.0/24 together with 192.168.1.0/24 constitutes
+    192.168.0.0/24 together with 192.168.1.0/24 comprises
-    192.168.0.0.23).</para>
+    192.168.0.0/23).</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones. <itemizedlist spacing="compact">
--- a/docs/LennyToSqueeze.xml
+++ b/docs/LennyToSqueeze.xml
@@ -0,0 +1,963 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Shorewall Issues when Upgrading from Debian Lenny to
    Squeeze</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2009</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Introduction</title>
    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
    soon include Shorewall 4.4. Because there are significant differences
    between the two product versions, some users may experience upgrade
    issues. This article outlines those issues and offers advice for dealing
    with them.</para>
    <note>
      <para>Although this article is targeted specifically at Lenny -&gt;
      Squeeze upgrades, it should be useful to any Shorewall-shell user
      upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where
      non-Debian users may experience different results.</para>
    </note>
  </section>
  <section id="Packages">
    <title>Packaging Differences</title>
    <para>The first key difference between Shorewall 4.0 and Shorewall 4.4 is
    in the packaging<footnote>
        <para>Most distributions use a similar packaging structure. Note,
        however, that the 'shorewall' package in Simon Mater's RPMs for
        RedHat/Fedora/CentOS is like the Lenny shorewall-common
        package.</para>
      </footnote>. In Lenny, there are six Shorewall packages:</para>
    <orderedlist>
      <listitem>
        <para>shorewall-common — Contains the basic components needed to
        create an IPv4 firewall.</para>
      </listitem>
      <listitem>
        <para>shorewall-shell — The legacy Shorewall configuration compiler
        written in Bourne shell.</para>
      </listitem>
      <listitem>
        <para>shorewall — A transitional package that depends on
        shorewall-common and shorewall-shell. Installing this package installs
        both shorewall-common and shorewall-shell.</para>
      </listitem>
      <listitem>
        <para>shorewall-perl — A re-implementation of the Shorewall
        configuration compiler in Perl. This compiler has many advantages over
        the shell-based compiler:</para>
        <itemizedlist>
          <listitem>
            <para>The compiler is much faster</para>
          </listitem>
          <listitem>
            <para>The compiler does a much better job of validating the
            configuration, thus avoiding run-time errors.</para>
          </listitem>
          <listitem>
            <para>The compiler produces better and more consistent diagnostic
            messages.</para>
          </listitem>
          <listitem>
            <para>The compiler produces a script that runs much faster and
            that does not reject/drop connections during start/restart.</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>shorewall-lite — A small package that can run scripts generated
        by shorewall-shell or shorewall-perl. Allows centralized firewall
        administration.</para>
      </listitem>
      <listitem>
        <para>shorewall-doc — Documentation.</para>
      </listitem>
    </orderedlist>
    <para>In Squeeze, there are five packages:</para>
    <orderedlist>
      <listitem>
        <para>shorewall — Contains everything needed to create an IPv4
        firewall. It combines the former shorewall-common and shorewall-perl
        packages.</para>
      </listitem>
      <listitem>
        <para>shorewall6 — Depends on shorewall. Adds those components needed
        to create an IPv6 firewall.</para>
      </listitem>
      <listitem>
        <para>shorewall-lite — Same as in Lenny; only runs IPv4 firewall
        scripts.</para>
      </listitem>
      <listitem>
        <para>shorewall6-lite — Similar to shorewall-lite, except that it only
        runs IPv6 firewall scripts.</para>
      </listitem>
      <listitem>
        <para>shorewall-doc — Documentation.</para>
      </listitem>
    </orderedlist>
    <warning>
      <para>Do not purge the old packages (shorewall-common, shorewall-shell
      and shorewall-perl) until after the new shorewall package has been
      installed.</para>
    </warning>
    <para>The key change in Squeeze that may produce upgrade issues is that
    Squeeze does not include the shell-based configuration compiler. As a
    consequence, unless you are already using Shorewall-perl on Lenny, an
    upgrade from Lenny to Squeeze will mean that you will be switching from
    the old shell-based compiler to the new Perl-based compiler<footnote>
        <para>Note that Perl is a required package on Debian. If you are
        running an embedded distribution which does not include Perl and it is
        not feasible to install Perl on your firewall, then you should
        consider installing Shorewall on another system in your network (may
        be a <trademark>Windows</trademark> system running
        <trademark>Cygwin</trademark>) and installing Shorewall-lite on your
        firewall.</para>
      </footnote>. While the two compilers are highly compatible, there are
    some differences. Those differences are detailed in the following
    sections.</para>
  </section>
  <section id="Issues">
    <title>Issues Most Likely to Cause Problems or Concerns</title>
    <section id="conf">
      <title>shorewall.conf</title>
      <para>As always, when upgrading from one major release of Shorewall to
      another, the installer will prompt you about replacing your existing
      <filename>shorewall.conf</filename> with the updated one from the
      package. Shorewall is designed with the assumption that users will never
      replace shorewall.conf and retaining your existing file will always
      produce upward-compatible behavior.</para>
      <para>That having been said, there are a few settings that you may have
      in your shorewall.conf that will cause compilation warning or error
      messages after the upgrade.</para>
      <variablelist>
        <varlistentry>
          <term>BLACKLISTNEWONLY</term>
          <listitem>
            <para>If you have BLACKLISTNEWONLY=No together with
            FASTACCEPT=Yes, you will receive this error:</para>
            <para><emphasis role="bold">ERROR: BLACKLISTNEWONLY=No may not be
            specified with FASTACCEPT=Yes</emphasis></para>
            <para>To eliminate the error, reverse the setting of one of the
            options.</para>
            <note>
              <para>This combination never worked correctly in earlier
              versions -- to duplicate the earlier behavior, you will want to
              set BLACKLISTNEWONLY=Yes.</para>
            </note>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>BRIDGING</term>
          <listitem>
            <para>If you have set this option to Yes, you will receive the
            following error:</para>
            <para><emphasis role="bold">ERROR: BRIDGING=Yes is not supported
            by Shorewall 4.4.x</emphasis></para>
            <para>You should not be receiving this error if you are upgrading
            from Lenny since BRIDGING=Yes did not work in that
            release<footnote>
                <para>If you are upgrading from a release using a kernel
                earlier than 2.6.20, then BRIDGING=Yes did work correctly with
                Shorewall-shell.</para>
              </footnote>. If you have a bridge configuration where you want
            to control connections through the bridge, you will want to visit
            <ulink
            url="http://www.shorewall.net/bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink><footnote>
                <para>Kernel 2.6.20 or later is required.</para>
              </footnote>.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>DELAYBLACKLISTLOAD</term>
          <listitem>
            <para>If you have set this option to Yes, you will receive the
            following warning:</para>
            <para><emphasis role="bold">WARNING: DELAYBLACKLIST=Yes is not
            supported by Shorewall 4.4.x</emphasis></para>
            <para>To eliminate the warning, set DELAYBLACKLISTLOAD=No or
            remove the setting altogether.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>DYNAMIC_ZONES</term>
          <listitem>
            <para>If you have set this option to Yes, you will receive the
            following warning:</para>
            <para><emphasis role="bold">WARNING: DYNAMIC_ZONES=Yes is not
            supported by Shorewall 4.4.x</emphasis></para>
            <para>To eliminate the warning, set DYNAMIC_ZONES=No or remove the
            setting altogether. See <ulink url="Dynamic.html">this
            article</ulink> to learn how to set up Dynamic Zones under
            Shorewall 4.4.</para>
          </listitem>
        </varlistentry>
        <varlistentry id="FW">
          <term>FW</term>
          <listitem>
            <para>If a setting for FW appears in your shorewall.conf file, you
            will receive this warning:</para>
            <para><emphasis role="bold">WARNING: Unknown configuration option
            (FW) ignored.</emphasis></para>
            <para>Remove the setting from the file and modify your
            <filename>/etc/shorewall/zones</filename> file as described <link
            linkend="zones">below</link>.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>IPSECFILE</term>
          <listitem>
            <para>If you have specified IPSECFILE=ipsec or IPSECFILE= or if
            you do not have a setting for IPSECFILE, then you will receive the
            following error:</para>
            <para><emphasis role="bold">ERROR: IPSECFILE=ipsec is not
            supported by Shorewall 4.4.x</emphasis></para>
            <para>To eliminate the warning, you will need to:</para>
            <orderedlist>
              <listitem>
                <para>Set IPSECFILE=zones</para>
              </listitem>
              <listitem>
                <para>Modify your <filename>/etc/shorewall/zones</filename>
                file as described <link linkend="zones">below</link>.</para>
              </listitem>
            </orderedlist>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>PKTTYPE</term>
          <listitem>
            <para>The PKTTYPE option is ignored by Shorewall-perl.
            Shorewall-perl will use Address type match if it is available;
            otherwise, it will behave as if PKTTYPE=No had been
            specified.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>RFC1918_LOG_LEVEL</term>
          <listitem>
            <para>If you have specified any setting for this option, you will
            receive the following warning:</para>
            <para><emphasis role="bold">WARNING: RFC1918_LOG_LEVEL=value
            ignored. The 'norfc1918' interface/host option is no longer
            supported.</emphasis></para>
            <para>To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
            remove the setting altogether.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>RFC1918_STRICT</term>
          <listitem>
            <para>If you have set this option to Yes, you will receive the
            following warning:</para>
            <para><emphasis role="bold">WARNING: RFC1918_STRICT=Yes is not
            supported by Shorewall 4.4.x</emphasis></para>
            <para>To eliminate the warning, set RFC1918_STRICT=No or remove
            the setting altogether.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>SAVE_IPSETS</term>
          <listitem>
            <para>Shorewall 4.4 will issue a warning if you set
            SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
            <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
            supported by Shorewall 4.4.x</emphasis></para>
            <para>To eliminate this message, you will need to set
            SAVE_IPSETS=No or remove the setting altogether.</para>
            <para>See <link linkend="ipsets">below</link> for additional
            information regarding ipsets in Shorewall 4.4.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>SHOREWALL_COMPILER</term>
          <listitem>
            <para>If you have specified SHOREWALL_COMPILER=shell, you will
            receive the following warning message:</para>
            <para><emphasis role="bold">WARNING: SHOREWALL_COMPILER=shell
            ignored. Shorewall-shell support has been removed in this
            release</emphasis></para>
            <para>To eliminate the warning, set SHOREWALL_COMPILER=perl or
            simply remove the setting altogether.</para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term>USE_ACTIONS</term>
          <listitem>
            <para>If you have set this option to No, you will receive the
            following warning:</para>
            <para><emphasis role="bold">WARNING: USE_ACTIONS=No is not
            supported by Shorewall 4.4.x</emphasis></para>
            <para>To eliminate the warning, set USE_ACTIONS=Yes or remove the
            setting altogether.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </section>
    <section id="zones">
      <title>/etc/shorewall/zones</title>
      <para>If the column headings in your /etc/shorewall/zones file look like
      this:</para>
      <programlisting>#ZONE   DISPLAY         COMMENTS
 net     Net             The big bad net
 loc     Local           The local LAN</programlisting>
      <para>then you are using the original zones file format that has been
      deprecated since Shorewall 3.0.</para>
      <para>You will need to convert to the new file format which has the
      following headings:</para>
      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
 #                                       OPTIONS                 OPTIONS</programlisting>
      <para>You will need to add an entry for your firewall zone. The default
      name for the firewall zone is 'fw' but may have been overriden using
      <link linkend="FW">the FW option in
      <filename>shorewall.conf</filename></link>.</para>
      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
 #                                       OPTIONS                 OPTIONS
 fw      firewall</programlisting>
      <para>The remainder of your zones will have type 'ipv4' unless they are
      mentioned in your /etc/shorewall/ipsec file (see <link
      linkend="ipsec">below</link>).</para>
      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
 #                                       OPTIONS                 OPTIONS
 fw      firewall
 net     ipv4            # The big bad net
 loc     ipv4            # The local LAN</programlisting>
    </section>
    <section id="ipsec">
      <title>/etc/shorewall/ipsec</title>
      <para>This file is no longer used -- its specifications are now included
      in <filename>/etc/shorewall/zones</filename>.</para>
      <para>Take this example:</para>
      <programlisting>#ZONE   IPSEC    OPTIONS         IN              OUT
 #       ONLY                     OPTIONS         OPTIONS
 ipsec1  Yes
 ipsec2  No</programlisting>
      <para>This would translate to the following entries in
      <filename>/etc/shorewall/zones</filename>:</para>
      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
 #                                       OPTIONS                 OPTIONS
 ipsec1  ipsec4
 ipsec2  ipv4</programlisting>
      <para>Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
      from <filename>/etc/shorewall/ipsec</filename> to
      <filename>/etc/shorewall/zones</filename>.</para>
    </section>
    <section id="interfaces">
      <title>/etc/shorewall/interfaces</title>
      <para>The BROADCAST column is essentially unused in Squeeze. If it
      contains anything except 'detect' or '-', then you will receive this
      warning<footnote>
          <para>Users whose kernel and/or iptables do not include Address Type
          Match Support can continue to list broadcast addresses in this
          column; no warning will be issued.</para>
        </footnote>:</para>
      <blockquote>
        <para><emphasis role="bold">WARNING: Shorewall no longer uses
        broadcast addresses in rule generation when Address Type Match is
        available</emphasis></para>
      </blockquote>
      <para>To eliminate the warning, replace the contents of the BROADCAST
      column with '-' or 'detect'.</para>
      <para>The 'norfc1918' option has been removed. If you specify the
      option, you will receive the following warning:</para>
      <blockquote>
        <para><emphasis role="bold">WARNING: Support for the norfc1918
        interface option has been removed from Shorewall</emphasis></para>
      </blockquote>
      <para>To eliminate the warning, simply remove the 'norfc1918' option
      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
      as a replacement (see <ulink
      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
    </section>
    <section id="hosts">
      <title>/etc/shorewall/hosts</title>
      <para>The 'norfc1918' option has been removed. If you specify the
      option, you will receive the following warning:</para>
      <blockquote>
        <para><emphasis role="bold">WARNING: The 'norfc1918' option is no
        longer supported</emphasis></para>
      </blockquote>
      <para>To eliminate the warning, simply remove the 'norfc1918' option
      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
      as a replacement (see <ulink
      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
    </section>
    <section id="policy">
      <title>/etc/shorewall/policy</title>
      <para>Shorewall 4.4 detects dead policy file entries that result when an
      entry is masked by an earlier more general entry.</para>
      <para>Example:</para>
      <programlisting>#SOURCE DEST     POLICY    LOG LEVEL
 all     all      REJECT    info
 loc     net      ACCEPT</programlisting>
      <para>Shorewall-shell silently accepted the above even though the
      loc-&gt;net policy is useless. Shorewall-perl generates a fatal
      compilation error:</para>
      <blockquote>
        <para><emphasis role="bold">ERROR: Policy "loc net ACCEPT" duplicates
        earlier policy "all all REJECT"</emphasis></para>
      </blockquote>
    </section>
    <section id="masq">
      <title>/etc/shorewall/masq</title>
      <para>There is a long tradition of specifying an interface name in the
      SOURCE column of this file.</para>
      <para>Masquerading/SNAT occurs in the Netfilter POSTROUTING chain where
      an incoming interface may not be specified in iptables rules.
      Consequently, while processing the <command>shorewall start</command>
      and <command>shorewall restart</command> commands, the generated script
      must examine the firewall's main routing table to determine those
      networks that are routed out of the interface; the script then adds a
      MASQUERADE/SNAT rule for connections from each of those networks. This
      additional processing requires the named interface to be up and
      configured when Shorewall starts or restarts.</para>
      <para>Users often complain that Shorewall fails to start at boot time
      because a VPN interface that is named as a masq SOURCE isn't up and
      configured during boot.</para>
      <para>To emphasize this restriction, if an interface is named in the
      SOURCE column of one or more entries, a single warning is issued as
      follows:</para>
      <blockquote>
        <para><emphasis role="bold">WARNING: Using an interface as the masq
        SOURCE requires the interface to be up and configured when Shorewall
        starts/restarts</emphasis></para>
      </blockquote>
      <para>To suppress this warning, replace the interface name with the list
      of networks that are routed out of the interface.</para>
      <para>Example.</para>
      <para>Existing entry:</para>
      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
 #                                                                                       GROUP
 eth0                    eth1</programlisting>
      <para>Current routing configuration:</para>
      <programlisting>gateway:~# ip route ls dev eth1
 <emphasis role="bold">172.20.1.0/24</emphasis>  proto kernel  scope link  src 172.20.1.254 
 224.0.0.0/4  scope link 
 gateway:~# 
 </programlisting>
      <para>Replacement entry:</para>
      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
 #                                                                                       GROUP
 eth0                    <emphasis role="bold">172.20.1.0/24</emphasis></programlisting>
      <para>Note that no entry is included for 224.0.0.0/4 since that is the
      multicast IP range and there should never be any packets with a SOURCE
      IP address in that network.</para>
    </section>
    <section id="rules">
      <title>/etc/shorewall/rules</title>
      <para>If you include a destination zone in a 'nonat' rule, Shorewall
      issues the following warning:</para>
      <blockquote>
        <para><emphasis role="bold">WARNING: Destination zone (zonename)
        ignored.</emphasis></para>
      </blockquote>
      <para>Nonat rules include:</para>
      <blockquote>
        <simplelist>
          <member>DNAT-</member>
          <member>REDIRECT-</member>
          <member>NONAT</member>
        </simplelist>
      </blockquote>
      <para>To eliminate the warning, remove the DEST zone.</para>
      <para>Example.</para>
      <para>Before:</para>
      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
 #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
 NONAT           loc             net             tcp     80</programlisting>
      <para>After:</para>
      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
 #                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
 NONAT           loc             -               tcp     80</programlisting>
    </section>
    <section id="routestopped">
      <title>/etc/shorewall/routestopped</title>
      <para>The 'critical' option is no longer needed and hence is no longer
      supported. If you have critical hosts defined, you will receive this
      warning:</para>
      <blockquote>
        <para><emphasis role="bold">WARNING: The 'critical' option is no
        longer supported (or needed)</emphasis></para>
      </blockquote>
      <para>To suppress the warning, simply remove the option.</para>
      <para>Shorewall 4.4 also treats the <filename>routestopped</filename>
      file differently from earlier releases. Previously, the
      <filename>routestopped</filename> file was parsed during
      <command>shorewall stop</command> processing so that changes made to the
      file while Shorewall was running would be applied at the next
      <command>stop</command>. This is no longer the case -- the
      <filename>routestopped</filename> file is processed during compilation
      just like the rest of the configuration files so that when
      <command>shorewall stop</command> is issued, the firewall will pass
      traffic based on the contents of the <filename>routestopped</filename>
      file at the last <command>start</command> or
      <command>restart</command>.</para>
    </section>
    <section id="tos">
      <title>/etc/shorewall/tos</title>
      <para>The <filename>/etc/shorewall/tos</filename> file now has
      zone-independent SOURCE and DEST columns as do all other files except
      the rules and policy files.</para>
      <para>The SOURCE column may be one of the following:</para>
      <simplelist>
        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
        <member><command>$FW</command>[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
      </simplelist>
      <para>The DEST column may be one of the following:</para>
      <simplelist>
        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
      </simplelist>
      <para>This is a permanent change. The old zone-based rules have never
      worked right and this is a good time to replace them. We have tried to
      make the new syntax cover the most common cases without requiring change
      to existing files. In particular, it will handle the
      <filename>tos</filename> file released with Shorewall 1.4 and
      earlier.</para>
    </section>
    <section id="extension">
      <title>Extension Scripts</title>
      <para>With the shell-based compiler, all extension scripts were copied
      into the compiled script and executed at run-time. In some cases, this
      approach doesn't work with Shorewall Perl because (almost) the entire
      rule set is built by the compiler. As a result, Shorewall-perl runs some
      extension scripts at compile-time rather than at run-time. Because the
      compiler is written in Perl, these extension scripts from earlier
      versions will no longer work.</para>
      <para>The following table summarizes when the various extension scripts
      are run:<informaltable align="left" frame="none">
          <tgroup cols="3">
            <tbody>
              <row>
                <entry><emphasis role="bold">Compile-time (Must be written in
                Perl)</emphasis></entry>
                <entry><emphasis role="bold">Run-time</emphasis></entry>
                <entry><emphasis role="bold">Eliminated</emphasis></entry>
              </row>
              <row>
                <entry>initdone</entry>
                <entry>clear</entry>
                <entry>continue</entry>
              </row>
              <row>
                <entry>maclog</entry>
                <entry>init</entry>
                <entry></entry>
              </row>
              <row>
                <entry>Per-chain (including those associated with
                actions)</entry>
                <entry>start</entry>
                <entry></entry>
              </row>
              <row>
                <entry></entry>
                <entry>started</entry>
                <entry></entry>
              </row>
              <row>
                <entry></entry>
                <entry>stop</entry>
                <entry></entry>
              </row>
              <row>
                <entry></entry>
                <entry>stopped</entry>
                <entry></entry>
              </row>
              <row>
                <entry></entry>
                <entry>tcclear</entry>
                <entry></entry>
              </row>
            </tbody>
          </tgroup>
        </informaltable></para>
      <para>Compile-time extension scripts are executed using the Perl 'eval
      `cat &lt;file&gt;`' mechanism. Be sure that each script returns a 'true'
      value; otherwise, the Shorewall-perl compiler will assume that the
      script failed and will abort the compilation.</para>
      <para>When a script is invoked, the <emphasis
      role="bold">$chainref</emphasis> scalar variable will usually hold a
      reference to a chain table entry.</para>
      <simplelist>
        <member><emphasis role="bold">$chainref-&gt;{name}</emphasis> contains
        the name of the chain</member>
        <member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
        the table name</member>
      </simplelist>
      <para>To add a rule to the chain:</para>
      <simplelist>
        <member>add_rule $chainref,
        <replaceable>the-rule</replaceable></member>
      </simplelist>
      <para>Where</para>
      <simplelist>
        <member><replaceable>the rule</replaceable> is a scalar argument
        holding the rule text. Do not include "-A
        <replaceable>chain-name</replaceable>"</member>
      </simplelist>
      <para>Example:</para>
      <simplelist>
        <member>add_rule $chainref, '-j ACCEPT';</member>
      </simplelist>
      <para>To insert a rule into the chain:</para>
      <simplelist>
        <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
        <replaceable>the-rule</replaceable></member>
      </simplelist>
      <para>The log_rule_limit function works like it does in the shell
      compiler with three exceptions:</para>
      <itemizedlist>
        <listitem>
          <para>You pass the chain reference rather than the name of the
          chain.</para>
        </listitem>
        <listitem>
          <para>The commands are 'add' and 'insert' rather than '-A' and
          '-I'.</para>
        </listitem>
        <listitem>
          <para>There is only a single "pass as-is to iptables" argument (so
          you must quote that part</para>
        </listitem>
      </itemizedlist>
      <para>Example:</para>
      <programlisting>    log_rule_limit
              'info' , 
              $chainref , 
              $chainref-&gt;{name},
              'DROP' , 
              '',    #Limit
              '' ,   #Log tag
              'add'
              '-p tcp ';         </programlisting>
      <para>Here is an example of an actual initdone script used with
      Shorewall 3.4:<programlisting>run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
 run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
 run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
 </programlisting></para>
      <para>Here is the corresponding script used with Shorewall
      4.4:<programlisting>use Shorewall::Chains;
 insert_rule $mangle_table-&gt;{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
 insert_rule $filter_table-&gt;{INPUT},      1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
 insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
 1;</programlisting></para>
      <para>The initdone script is unique because the $chainref variable is
      not set before the script is called. The above script illustrates how
      the $mangle_table, $filter_table, and $nat_table references can be used
      to add or insert rules in arbitrary chains.</para>
    </section>
    <section id="ipsets">
      <title>Ipsets</title>
      <para>Shorewall 4.4 insists that ipset names begin with a letter and be
      composed of alphanumeric characters and underscores (_). When used in a
      Shorewall configuration file, the name must be preceded by a plus sign
      (+) as with the shell-based compiler.</para>
      <para>Shorewall 4.4 is out of the ipset load/reload business with the
      exception of ipsets used for dynamic zones. With scripts generated by
      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
      there is no opportunity for Shorewall to load/reload your ipsets since
      that cannot be done while there are any current rules using
      ipsets.</para>
      <para>So:</para>
      <orderedlist numeration="upperroman">
        <listitem>
          <para>Your ipsets must be loaded before Shorewall starts. You are
          free to try to do that with the following code in
          <filename>/etc/shorewall/init (it works for me; your mileage may
          vary)</filename>:</para>
          <programlisting>if [ "$COMMAND" = start ]; then
    ipset -U :all: :all:
    ipset -U :all: :default:
    ipset -F
    ipset -X
    ipset -R &lt; /etc/shorewall/ipsets
 fi</programlisting>
          <para>The file <filename>/etc/shorewall/ipsets</filename> will
          normally be produced using the <command>ipset -S</command> command.
          I have this in my<filename> /etc/shorewall/stop</filename>
          file:</para>
          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
 fi</programlisting>
          <para>The above extension scripts will work most of the time but
          will fail in a <command>shorewall stop</command> -
          <command>shorewall start</command> sequence if you use ipsets in
          your routestopped file (see <link
          linkend="routestopped">below</link>).</para>
        </listitem>
        <listitem>
          <para>Your ipsets may not be reloaded until Shorewall is stopped or
          cleared.</para>
        </listitem>
        <listitem>
          <para>If you specify ipsets in your routestopped file then Shorewall
          must be cleared in order to reload your ipsets.</para>
        </listitem>
      </orderedlist>
    </section>
  </section>
  <section id="Additional">
    <title>Additional Sources of Information</title>
    <para>The following articles provide additional information.</para>
    <itemizedlist>
      <listitem>
        <para><ulink url="Shorewall-perl.html#Incompatibilities">Shorewall
        Perl Incompatibilities</ulink></para>
      </listitem>
      <listitem>
        <para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
      </listitem>
    </itemizedlist>
  </section>
 </article>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -248,7 +248,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
      </varlistentry>
    </variablelist>
-    <para>One remaining restriction should be noted: macros that are invoked
+    <para>One additional restriction should be noted: macros that are invoked
    from actions cannot themselves invoke other actions.</para>
  </section>
@@ -554,6 +554,151 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
          2.6.14).</member>
        </simplelist>
      </listitem>
      <listitem>
        <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
        packet or connection mark. The rule will match only if the test
        returns true. Must be empty or '-' if the macro is to be used within
        an action.</para>
        <programlisting>     [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
        <variablelist>
          <varlistentry>
            <term>!</term>
            <listitem>
              <para>Inverts the test (not equal)</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term><replaceable>value</replaceable></term>
            <listitem>
              <para>Value of the packet or connection mark.</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term><replaceable>mask</replaceable></term>
            <listitem>
              <para>A mask to be applied to the mark before testing.</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>:C</term>
            <listitem>
              <para>Designates a connection mark. If omitted, the # packet
              mark's value is tested.</para>
            </listitem>
          </varlistentry>
        </variablelist>
      </listitem>
      <listitem>
        <para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
        the macro is to be used within an action.</para>
        <programlisting>     [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
        <para>May be used to limit the number of simultaneous connections from
        each individual host to limit connections. Requires connlimit match in
        your kernel and iptables. While the limit is only checked on rules
        specifying CONNLIMIT, the number of current connections is calculated
        over all current connections from the SOURCE host. By default, the
        <replaceable>limit</replaceable> is applied to each host but can be
        made to apply to networks of hosts by specifying a
        <replaceable>mask</replaceable>. The mask specifies the width of a
        VLSM mask to be applied to the source address; the number of current
        connections is then taken over all hosts in the subnet
        <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
        When ! is specified, the rule matches when the number of connection
        exceeds the limit. </para>
      </listitem>
      <listitem>
        <para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
        macro is to be used within an action.</para>
        <programlisting>     &lt;timeelement&gt;[&amp;...]</programlisting>
        <para><replaceable>timeelement</replaceable> may be:</para>
        <variablelist>
          <varlistentry>
            <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
            <listitem>
              <para>Defines the starting time of day.</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
            <listitem>
              <para>Defines the ending time of day.</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>utc</term>
            <listitem>
              <para>Times are expressed in Greenwich Mean Time.</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>localtz</term>
            <listitem>
              <para>Times are expressed in Local Civil Time (default).</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>weekdays=ddd[,ddd]...</term>
            <listitem>
              <para>where <replaceable>ddd</replaceable> is one of
              <option>Mon</option>, <option>Tue</option>,
              <option>Wed</option>, <option>Thu</option>,
              <option>Fri</option>, <option>Sat</option> or
              <option>Sun</option></para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>monthdays=dd[,dd],...</term>
            <listitem>
              <para>where <replaceable>dd</replaceable> is an ordinal day of
              the month</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
            <listitem>
              <para>Defines the starting date and time.</para>
            </listitem>
          </varlistentry>
          <varlistentry>
            <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
            <listitem>
              <para>Defines the ending date and time.</para>
            </listitem>
          </varlistentry>
        </variablelist>
      </listitem>
    </itemizedlist>
    <para>Omitted column entries should be entered using a dash ("-:).</para>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -235,7 +235,7 @@
              <listitem>
                <para>Use mark values &gt; 255 for provider marks in this
-                column. </para>
+                column.</para>
                <itemizedlist>
                  <listitem>
@@ -423,11 +423,21 @@
                <term>loose</term>
                <listitem>
-                  <para>Do not include routing rules that force traffic whose
+                  <para>Do not generate routing rules that force traffic whose
                  source IP is an address of the INTERFACE to be routed to
                  this provider. Useful for defining providers that are to be
                  used only when the appropriate packet mark is
                  applied.</para>
                  <para>Shorewall makes no attempt to consolidate the routing
                  rules added when <emphasis role="bold">loose</emphasis> is
                  not specified. So, if you have multiple IP addresses on a
                  provider interface, you may be able to replace the rules
                  that Shorewall generates with one or two rules in
                  <filename>/etc/shorewall/route_rules</filename>. In that
                  case, you can specify <emphasis role="bold">loose</emphasis>
                  to suppress Shorewall's rule generation. See the <link
                  linkend="Complete">example</link> below.</para>
                </listitem>
              </varlistentry>
@@ -1454,7 +1464,7 @@ defaults {
  warn_email=teastep@shorewall.net
  check_arp=0
  sourceip=
-  ttl=64
+  ttl=0
 }
 include /etc/lsm/shorewall.conf</programlisting>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -143,7 +143,7 @@
          </itemizedlist>
        </listitem>
-        <listitem>
+        <listitem id="Extensions">
          <para>With the shell-based compiler, extension scripts were copied
          into the compiled script and executed at run-time. In many cases,
          this approach doesn't work with Shorewall Perl because (almost) the
@@ -153,7 +153,9 @@
          extension scripts from earlier versions will no longer work.</para>
          <para>The following table summarizes when the various extension
-          scripts are run:<informaltable align="left" frame="none">
+          scripts are run:</para>
          <informaltable align="left" frame="none">
            <tgroup cols="3">
              <tbody>
                <row>
@@ -176,13 +178,23 @@
                <row>
                  <entry>maclog</entry>
-                    <entry>start</entry>
+                  <entry>init</entry>
                  <entry></entry>
                </row>
                <row>
                  <entry>Per-chain (including those associated with
                  actions)</entry>
                  <entry>start</entry>
                  <entry></entry>
                </row>
                <row>
                  <entry></entry>
                  <entry>started</entry>
                  <entry></entry>
@@ -213,7 +225,7 @@
                </row>
              </tbody>
            </tgroup>
-            </informaltable></para>
+          </informaltable>
          <para>Compile-time extension scripts are executed using the Perl
          'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
@@ -343,7 +355,7 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
          the tos file released with Shorewall 1.4 and earlier.</para>
        </listitem>
-        <listitem>
+        <listitem id="SAVE_IPSETS">
          <para>Shorewall-perl insists that ipset names begin with a letter
          and be composed of alphanumeric characters and underscores (_). When
          used in a Shorewall configuration file, the name must be preceded by
@@ -547,7 +559,8 @@ DNAT-              net                192.168.1.3      tcp          21</programl
          starts/restarts</para>
          <para>To avoid this warning, replace interface names by the
-          corresponding network addresses (e.g., 192.168.144.0/24).</para>
+          corresponding network() in CIDR format (e.g.,
          192.168.144.0/24).</para>
        </listitem>
      </orderedlist>
    </section>
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -93,6 +93,12 @@
    bridge-specific changes are restricted to the
    <filename>/etc/shorewall/interfaces</filename> file.</para>
    <note>
      <para>Older configurations that specify an interface name in the SOURCE
      column of <filename>/etc/shorewall/masq</filename> will also need to
      change that file.</para>
    </note>
    <para>This example illustrates the bridging of two Ethernet devices but
    the types of the devices really isn't important. What is shown here would
    apply equally to bridging an Ethernet device to an <ulink
@@ -138,5 +144,11 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
 net            eth0            detect         ...
 loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
          role="bold">routeback,bridge</emphasis>,...</programlisting></para>
    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
    unchanged:</para>
    <programlisting>#INTERFACE     SOURCE          ADDRESS
 eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
  </section>
 </article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -216,7 +216,7 @@
        <listitem>
          <para><filename>/usr/share/shorewall/modules</filename> - directs
-          the firewall to load kernel modules. </para>
+          the firewall to load kernel modules.</para>
        </listitem>
        <listitem>
@@ -432,6 +432,79 @@ ACCEPT      net:\
    </example>
  </section>
  <section id="SOURCE-DEST">
    <title>Specifying SOURCE and DEST</title>
    <para>Entries in Shorewall configuration files often deal with the source
    (SOURCE) and destination (DEST) of connections and Shorewall implements a
    uniform way for specifying them.</para>
    <para>A SOURCE or DEST consists of one to three parts separated by colons
    (":"):</para>
    <orderedlist>
      <listitem>
        <para>ZONE — The name of a zone declared in
        <filename>/etc/shorewall/zones</filename> or
        <filename>/etc/shorewall6/zones</filename>. This part is only
        available in the rules file (<filename>/etc/shorewall/rules</filename>
        and <filename>/etc/shorewall6/rules</filename>).</para>
      </listitem>
      <listitem>
        <para>INTERFACE — The name of an interface that matches an entry in
        <filename>/etc/shorewall/interfaces</filename>
        (<filename>/etc/shorewall6/interfaces</filename>).</para>
      </listitem>
      <listitem>
        <para>ADDRESS LIST — A list of one or more addresses (host or network)
        or address ranges, separated by commas. In an IPv6 configuration, this
        list must be includes in angled brackets ("&lt;...&gt;"). The list may
        have <link linkend="Exclusion">exclusion</link>.</para>
      </listitem>
    </orderedlist>
    <para>Examples.</para>
    <orderedlist>
      <listitem>
        <para>All hosts in the <emphasis role="bold">net</emphasis> zone —
        <emphasis role="bold">net</emphasis></para>
      </listitem>
      <listitem>
        <para>Subnet 192.168.1.0/29 in the <emphasis
        role="bold">loc</emphasis> zone — <emphasis
        role="bold">loc:192.168.1.0/29</emphasis></para>
      </listitem>
      <listitem>
        <para>All hosts in the net zone connecting through <filename
        class="devicefile">ppp0</filename> — <emphasis
        role="bold">net:ppp0</emphasis></para>
      </listitem>
      <listitem>
        <para>All hosts interfaced by <filename
        class="devicefile">eth3</filename> — <emphasis
        role="bold">eth3</emphasis></para>
      </listitem>
      <listitem>
        <para>Subnet 10.0.1.0/24 interfacing through <filename><filename
        class="devicefile">eth2</filename></filename> — <emphasis
        role="bold">eth2:10.0.1.0/24</emphasis></para>
      </listitem>
      <listitem>
        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
        role="bold">loc</emphasis> zone — <emphasis
        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
      </listitem>
    </orderedlist>
  </section>
  <section id="INCLUDE">
    <title>INCLUDE Directive</title>
--- a/docs/template.xml
+++ b/docs/template.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2008</year>
+      <year>2009</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -148,7 +148,8 @@
        starts/restarts</para>
        <para>To avoid this warning, replace interface names by the
-        corresponding network addresses (e.g., 192.168.144.0/24).</para>
+        corresponding netwok(s) in CIDR format (e.g.,
        192.168.144.0/24).</para>
      </listitem>
      <listitem>
@@ -166,12 +167,6 @@
        need to renumber the class IDs for devices 10 and greater.</para>
      </listitem>
      <listitem>
        <para>Jozsef Kadlecsik has removed the set binding capability from
        ipset 3.1. As a consequence, Shorewall 4.3 no longer supports set
        binding.</para>
      </listitem>
      <listitem>
        <para>Support for the 'norfc1918' interface and host option has been
        removed. If 'norfc1918' is specified for an entry in either the
@@ -206,6 +201,9 @@
        against the parent zone rules.</para>
      </listitem>
    </orderedlist>
    <para>Be sure to check the latest 4.4 Release Notes linked from the <ulink
    url="index.htm">home page</ulink>.</para>
  </section>
  <section>
@@ -865,7 +863,7 @@ all             all             REJECT:MyReject info</programlisting>
        BOGON_LOG_LEVEL option have been eliminated.</para>
      </listitem>
-      <listitem>
+      <listitem id="MAPOLDACTIONS">
        <para>Most of the standard actions have been replaced by parameterized
        macros (see below). So for example, the action.AllowSMTP and
        action.DropSMTP have been removed an a parameterized macro macro.SMTP
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -1032,7 +1032,7 @@
      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>
        <listitem>
          <para>May be used to limit the rule to a particular time period each
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -1013,6 +1013,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>This option is included for compatibility with old Shorewall
          configuration. New installs should always have
          MAPOLDACTIONS=No.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1162,30 +1173,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
-          <para>Normally Shorewall attempts to use the iptables packet type
+          <para>This option is included for compatibility with older Shorewall
-          match extension to determine broadcast and multicast packets.</para>
+          releases. Its setting has no effect.</para>
          <orderedlist>
            <listitem>
              <para>This can cause a message to appear during shorewall start
              (modprobe: cant locate module ipt_pkttype).</para>
            </listitem>
            <listitem>
              <para>Some users have found problems with the packet match
              extension with the result that their firewall log is flooded
              with messages relating to broadcast packets.</para>
            </listitem>
          </orderedlist>
          <para></para>
          <blockquote>
            <para>If you are experiencing either of these problems, setting
            PKTTYPE=No will prevent Shorewall from trying to use the packet
            type match extension and to use IP address matching to determine
            which packets are broadcasts or multicasts.</para>
          </blockquote>
        </listitem>
      </varlistentry>
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@@ -538,6 +538,8 @@
      <arg><option>-f</option></arg>
      <arg><option>-p</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@@ -817,7 +817,7 @@
      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>
        <listitem>
          <para>May be used to limit the rule to a particular time period each
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -551,9 +551,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">Keep</emphasis>]</term>
        <listitem>
-          <para>This parameter determines whether Shorewall6 enables or
+          <para>This rather useless parameter determines whether Shorewall6
-          disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
+          enables or disables IPV6 Packet Forwarding on all interfaces
-          Possible values are:</para>
+          (/proc/sys/net/ipv6/config/all/forwarding). Possible values
          are:</para>
          <variablelist>
            <varlistentry>
Author	SHA1	Message	Date
Tom Eastep	5dd9c5705c	Update version	2009-10-03 11:42:39 -07:00
Tom Eastep	1254dd23cf	Fix 'routeback' in routestopped (again)	2009-10-03 11:40:38 -07:00
Tom Eastep	9eb85f51ef	Fix 'routeback' in /etc/shorewall/routestopped	2009-10-03 10:05:53 -07:00
Tom Eastep	818379a8a6	Prepare for 4.4.2.1, should it be needed	2009-10-02 07:36:09 -07:00
Tom Eastep	a87cb7b95d	Generate list of builtins in initialize()	2009-10-01 15:02:14 -07:00
Tom Eastep	a8cc7d2a7e	More clarification of masq file changes	2009-10-01 12:34:34 -07:00
Tom Eastep	dd70456430	Add '-p' to 'start' synopsis	2009-10-01 10:34:05 -07:00
Tom Eastep	ddb46931a0	Update version	2009-10-01 08:44:05 -07:00
Tom Eastep	327e170be5	Fix range-in-masq patch	2009-10-01 08:16:22 -07:00
Tom Eastep	5e49be219b	Fix result from bad pull	2009-10-01 07:49:43 -07:00
Tom Eastep	d323c5b9c5	Delete shorewall-perl and shorewall-shell during upgrade	2009-10-01 07:37:30 -07:00
Tom Eastep	39ee3b2025	Tweak emitter	2009-09-29 14:28:50 -05:00
Tom Eastep	393673a884	Allow MARK in action body -- take 2	2009-09-25 16:15:56 -04:00
Tom Eastep	bfdc8db31a	Allow MARK in action body	2009-09-25 16:01:24 -04:00
Tom Eastep	c1305eb059	Correct typo in error message	2009-09-25 13:36:45 -04:00
Tom Eastep	9f853d02d9	Make Tuomo Happy	2009-09-25 13:35:37 -04:00
Tom Eastep	111464ad95	Clarify 'loose' -- tweak wording	2009-09-25 06:17:49 -04:00
Tom Eastep	795ffb7212	Clarify 'loose'	2009-09-25 06:15:56 -04:00
Tom Eastep	d84458518e	Add capability to detect old hashlimit syntax	2009-09-23 16:56:31 -04:00
Tom Eastep	428c3d1e4e	Hack to make new LIMIT stuff work on ancient iptables releases	2009-09-20 09:12:35 -04:00
Tom Eastep	20250c9ce9	Hack to make new LIMIT stuff work on ancient iptables releases	2009-09-20 09:10:23 -04:00
Tom Eastep	96b19dd218	Fix accounting extension feature	2009-09-15 13:01:20 -07:00
Tom Eastep	120aade417	Allow Extension Scripts for Accounting Chains	2009-09-15 12:22:51 -07:00
Tom Eastep	4f4925002a	Revert "Allow Extension Scripts for Accounting Chains" This reverts commit `728ad2fecf`.	2009-09-15 12:18:29 -07:00
Tom Eastep	728ad2fecf	Allow Extension Scripts for Accounting Chains	2009-09-15 11:16:37 -07:00
Tom Eastep	0d651f093b	Correct file name	2009-09-15 10:33:52 -07:00
Tom Eastep	326ac90596	Remove pre-4.4 cruft from article	2009-09-15 06:59:59 -07:00
Tom Eastep	d6b641b000	Add FAQ 86	2009-09-14 14:14:20 -07:00
Tom Eastep	a5f3a05341	Fix typo in the Introduction	2009-09-14 13:43:32 -07:00
Tom Eastep	0e8cb3b74d	Improve wording of 'masq' section; add IDs to all sections	2009-09-14 09:01:02 -07:00
Tom Eastep	8180f45382	Add footnotes for non-Debian users	2009-09-14 08:29:49 -07:00
Tom Eastep	f25646d819	Add missing link to ipset section	2009-09-14 08:10:18 -07:00
Tom Eastep	b8e772a416	More Lenny->Squeeze additions (ipsets, extension scripts, more shorewall.conf options)	2009-09-14 07:49:47 -07:00
Tom Eastep	d5d4c451f9	Mention DYNAMIC_ZONES is Lenny->Squeeze article	2009-09-14 07:01:39 -07:00
Tom Eastep	9f102a1fba	More tweaks to Lenny->Squeeze article	2009-09-14 06:53:25 -07:00
Tom Eastep	e814dc7b75	Make index entry for Lenny->Squeeze more generic	2009-09-13 09:32:06 -07:00
Tom Eastep	e1f7048107	More tweaks to the Lenny->Squeeze article	2009-09-13 09:28:58 -07:00
Tom Eastep	485ddd5e9f	Note that the Lenny->Squeeze article is useful to non-Debian users	2009-09-13 09:25:45 -07:00
Tom Eastep	6afc43d200	Correct typo in comment	2009-09-13 09:20:32 -07:00
Tom Eastep	8fdbb6f252	Bump Nat.pm version; remove inadvertent paste	2009-09-13 09:13:50 -07:00
Tom Eastep	5793246d7c	Make processing of original dest in Format-1 macros more obvious	2009-09-13 09:01:34 -07:00
Tom Eastep	57f4458ec9	Avoid repetative wording	2009-09-13 08:19:07 -07:00
Tom Eastep	8fdebf0c38	Add new columns to macros	2009-09-13 08:09:40 -07:00
Tom Eastep	904754c074	Correct syntax of TIME column	2009-09-13 07:03:25 -07:00
Tom Eastep	66765dcf75	Minor rewording	2009-09-12 15:03:19 -07:00
Tom Eastep	07d8872823	Indicate that Squeeze 'will' include 4.4	2009-09-12 09:20:38 -07:00
Tom Eastep	9b0a9e8ecd	Add -<family> to 'ip route del default' command	2009-09-12 08:48:52 -07:00
Tom Eastep	0336a77120	Fix ID	2009-09-11 16:36:56 -07:00
Tom Eastep	95d422b15f	Add Extension Scripts to Lenny->Squeeze Article	2009-09-11 16:33:06 -07:00
Tom Eastep	6f54b5ea2f	Formatting in zones manpage	2009-09-11 10:49:49 -07:00
Tom Eastep	8c2a228a7d	Apply Jesse Shrieve's SNAT patch	2009-09-11 07:47:31 -07:00
Tom Eastep	460428b21a	More formatting fixes to shorewall-zones(5)	2009-09-10 19:43:52 -07:00
Tom Eastep	02d9888513	Document ipsec4/6	2009-09-10 14:56:39 -07:00
Tom Eastep	f33e842f1b	Update module version	2009-09-10 14:56:23 -07:00
Tom Eastep	82eaf124ca	Add section about SOURCE and DEST	2009-09-10 14:55:50 -07:00
Tom Eastep	74aff4f4ef	Bump the version in a couple of modules modified for 4.4.2	2009-09-09 12:58:39 -07:00
Tom Eastep	212937a29d	Make 'map_old_actions' a little cleaner	2009-09-09 12:37:49 -07:00
Tom Eastep	7c1dd35a00	Update release documents	2009-09-09 12:18:31 -07:00
Tom Eastep	0b03f52ad9	Don't look for extension script for built-in actions	2009-09-09 11:53:51 -07:00
Tom Eastep	5fc0137a2e	Update Compiler module version	2009-09-08 17:05:01 -07:00
Tom Eastep	128edd4bba	Slight optimization -- also makes code easier to read	2009-09-08 16:00:40 -07:00
Tom Eastep	b4712a93fa	Don't call compile_stop_firewall() during 'check'; call process_routestopped() instead - comments	2009-09-08 13:04:34 -07:00
Tom Eastep	bb83db3eb9	Don't call compile_stop_firewall() during 'check'; call process_routestopped() instead - change log	2009-09-08 12:55:14 -07:00
Tom Eastep	5655dbb01b	Don't call compile_stop_firewall() during 'check'; call process_routestopped() instead	2009-09-08 12:54:23 -07:00
Tom Eastep	fefff9fd83	Add MAPOLDACTIONS	2009-09-07 17:04:09 -07:00
Tom Eastep	9a1cb0c6b6	Admin that PKTTYPE is a no-op	2009-09-07 16:44:19 -07:00
Tom Eastep	b2c7b583f5	Add Lenny->Squeeze article to index	2009-09-07 16:26:32 -07:00
Tom Eastep	bc7e65732e	Add upgrade warning	2009-09-07 14:13:32 -07:00
Tom Eastep	993bbe8a4e	Fix broken links in Lenny->Squeeze doc	2009-09-07 09:43:53 -07:00
Tom Eastep	1ef90b4f0f	Add means for handling 'norfc1918' warning in Lenny->Squeeze doc	2009-09-07 09:39:00 -07:00
Tom Eastep	8da5fd42d0	Yet more enhancements to Lenny->Squeeze doc	2009-09-07 09:35:15 -07:00
Tom Eastep	180024c1fc	More enhancements to Lenny->Squeeze doc	2009-09-07 09:21:47 -07:00
Tom Eastep	06e85d6191	Add routestopped file to Lenny->Squeeze doc	2009-09-07 09:07:07 -07:00
Tom Eastep	c4eeb7b77e	Link upgrade issues back to the home page	2009-09-06 17:25:39 -07:00
Tom Eastep	b03d502bbb	Allow comments on continued lines	2009-09-06 16:17:22 -07:00
Tom Eastep	cf9bb616b8	Add example of nat-only fix	2009-09-06 14:03:36 -07:00
Tom Eastep	70ebe17cb3	Reimplement MAPOLDACTIONS=Yes	2009-09-06 13:37:24 -07:00
Tom Eastep	477c0ef9e8	Update Lenny->Squeeze doc	2009-09-06 12:46:22 -07:00
Tom Eastep	1a33596ada	Update Lenny->Squeeze doc	2009-09-06 12:41:36 -07:00
Tom Eastep	efa952572c	Update 4.4.2	2009-09-06 11:43:46 -07:00
Tom Eastep	7192b47289	Add a Lenny->Squeeze Howto	2009-09-06 09:51:32 -07:00
Tom Eastep	75eb186ea7	Split MASQ SOURCE warning into two separate warnings	2009-09-05 16:02:16 -07:00
Tom Eastep	f126755a96	Add notes about find_first_interface_address_if_any()	2009-09-05 08:59:45 -07:00
Tom Eastep	ec94ed638e	Better modularization of Chains and Actions	2009-09-05 08:43:14 -07:00
Tom Eastep	496a9449f1	Add note to simple bridge doc	2009-09-05 08:23:35 -07:00
Tom Eastep	4368af9525	Add /etc/shorewall/masq to Simple Bridge article	2009-09-05 07:24:29 -07:00
Tom Eastep	b092ba5671	clarify IP_FORWARDING in IPv6	2009-09-04 19:04:03 -07:00
Tom Eastep	dd64ea2484	Update known_problems for 4.4.2	2009-09-04 11:41:23 -07:00
Tom Eastep	bb8ad187f1	Update version to 4.4.2	2009-09-04 11:40:34 -07:00
Tom Eastep	03821dc22c	Process routestopped file during 'check'	2009-09-03 19:27:25 -07:00
Tom Eastep	76d9a80df3	A small optimization on the last restriction removal	2009-09-03 18:26:50 -07:00
Tom Eastep	84bff13e7f	Apply 4.4.1.2 fix to trunk	2009-09-03 18:25:32 -07:00
Tom Eastep	4a809e14ab	Documentation cleanup	2009-09-03 15:24:19 -07:00
Tom Eastep	f3455b107d	4.4.2 release doc initialization and update	2009-09-03 14:58:46 -07:00
Tom Eastep	df5291e119	Apply initialization fix to master branch	2009-09-03 14:54:47 -07:00
Tom Eastep	015d4f58ce	Allow moving rules with commands	2009-09-03 14:11:44 -07:00
Tom Eastep	4412a05a70	Fix detection of PERSISTENT_SNAT	2009-09-03 13:56:00 -07:00