Fix typo in shorewall-rules(5)

This reverts commit 728ad2fecf.

Samples/one-interface/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -191,6 +191,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -34,9 +34,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -191,6 +191,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -41,9 +41,9 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -198,6 +198,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/one-interface/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -139,6 +139,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -139,6 +139,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -139,6 +139,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-lite/default.debian

@@ -21,4 +21,9 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF

Shorewall-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -15,9 +15,7 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.1
-%define release 2
+%define version 4.4.3
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -98,10 +98,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall/Macros/macro.template

@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this colume:
+#			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,6 +304,100 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:

Shorewall/Perl/Shorewall/Actions.pm

@@ -47,6 +47,7 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
+		  map_old_actions
 
 		  %usedactions
 		  %default_actions
@@ -56,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -85,6 +86,8 @@ our %macros;
 
 our $family;
 
+our @builtins;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -111,6 +114,12 @@ sub initialize( $ ) {
     %actions         = ();
     %logactionchains = ();
     %macros          = ();
+
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
 }
 
 #
@@ -264,6 +273,34 @@ sub add_requiredby ( $$ ) {
     $actions{$requires}{requires}{$requiredby} = 1;
 }
 
+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
@@ -302,7 +339,7 @@ sub createlogactionchain( $$ ) {
 
     fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
 
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
 
 	my $file = find_file $chain;
 
@@ -328,7 +365,7 @@ sub createsimpleactionchain( $ ) {
 
     $logactionchains{"$action:none"} = $chainref;
 
-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {
 
 	my $file = find_file $action;
 
@@ -413,8 +450,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -476,10 +514,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
     progress_message2 "Preprocessing Action Files...";
-
-    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
-	new_action $act;
-    }
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
 
     for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -515,7 +553,7 @@ sub process_actions1() {
 
 	    while ( read_a_line ) {
 
-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
 
 		process_action1( $action, $wholetarget );
 
@@ -552,8 +590,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
 
     my ( $action , $level ) = split_action $target;
 
@@ -571,7 +609,7 @@ sub process_action( $$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -584,8 +622,8 @@ sub process_action( $$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
 
     my $nocomment = no_comment;
 
@@ -601,12 +639,14 @@ sub process_macro3( $$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -620,8 +660,6 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	    next;
 	}
 
-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -662,8 +700,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;
 
-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
     }
 
     pop_open;
@@ -688,7 +727,7 @@ sub process_action3( $$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
 
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -712,9 +751,9 @@ sub process_action3( $$$$$ ) {
 	}
 
 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
     }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -74,7 +74,6 @@ our %EXPORT_TAGS = (
 				       initialize_chain_table
 				       add_commands
 				       move_rules
-				       move_rules1
 				       insert_rule1
 				       purge_jump
 				       add_tunnel_rule
@@ -166,7 +165,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 
 #
 # Chain Table
@@ -247,6 +246,7 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
+our $idiotcount1;
 
 our $global_variables;
 
@@ -272,11 +272,11 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
-# Mode of the generator.
+# Mode of the emitter.
 #
-use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
-	       CAT_MODE  => 1 ,   # Generating iptables-restore input
-	       CMD_MODE  => 2 };  # Generating shell commands.
+use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
+	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
+	       CMD_MODE  => 2 };  # Emitting shell commands.
 
 our $mode;
 
@@ -356,6 +356,7 @@ sub initialize( $ ) {
 
     $global_variables   = 0;
     $idiotcount         = 0;
+    $idiotcount1        = 0;
 
 }
 
@@ -423,19 +424,16 @@ sub add_commands ( $$;@ ) {
 }
 
 sub push_rule( $$ ) {
-    my ($chainref, $rule) = @_;
+    my $chainref = $_[0];
+    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);
 
     $rule .= qq( -m comment --comment "$comment") if $comment;
 
     if ( $chainref->{cmdlevel} ) {
 	$rule =~ s/"/\\"/g; #Must preserve quotes in the rule
-	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
+	add_commands $chainref , qq(echo "$rule" >&3);
     } else {
-	#
-	# We omit the chain name for now -- this makes it easier to move rules from one
-	# chain to another
-	#
-	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
+	push @{$chainref->{rules}}, $rule;
 	$chainref->{referenced} = 1;
     }
 }
@@ -607,7 +605,7 @@ sub insert_rule1($$$)
 
     $rule .= "-m comment --comment \"$comment\"" if $comment;
 
-    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $rule ) );
+    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $chainref->{name}, $rule ) );
 
     $iprangematch = 0;
 
@@ -637,15 +635,18 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
-# The source chain must not have any run-time code included in its rules.
-#
 sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
 
     if ( $chain1->{referenced} ) {
 	my @rules = @{$chain1->{rules}};
+	my $name  = $chain1->{name};
+	#
+	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
+	#
+	$name =~ s/\+/\\+/;
 
-	assert( /^-A/ ) for @rules;
+	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;
 
 	splice @{$chain2->{rules}}, 0, 0, @rules;
 
@@ -655,29 +656,6 @@ sub move_rules( $$ ) {
     }
 }
 
-#
-# Like above except it returns 0 if it can't move the rules
-#
-sub move_rules1( $$ ) {
-    my ($chain1, $chain2 ) = @_;
-
-    if ( $chain1->{referenced} ) {
-	my @rules = @{$chain1->{rules}};
-
-	for ( @rules ) {
-	    return 0 unless /^-A/;
-	}
-
-	splice @{$chain2->{rules}}, 0, 0, @rules;
-
-	$chain2->{referenced} = 1;
-	$chain1->{referenced} = 0;
-	$chain1->{rules}      = [];
-    }
-
-    1;
-}
-
 #
 # Transform the passed interface name into a legal shell variable name.
 #
@@ -940,15 +918,17 @@ sub ensure_filter_chain( $$ )
 
     my $chainref = ensure_chain 'filter', $chain;
 
-    if ( $populate and ! $chainref->{referenced} ) {
-	if ( $section eq 'NEW' or $section eq 'DONE' ) {
-	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
-	} elsif ( $section eq 'RELATED' ) {
-	    finish_chain_section $chainref , 'ESTABLISHED';
+    unless ( $chainref->{referenced} ) {
+	if ( $populate ) {
+	    if ( $section eq 'NEW' or $section eq 'DONE' ) {
+		finish_chain_section $chainref , 'ESTABLISHED,RELATED';
+	    } elsif ( $section eq 'RELATED' ) {
+		finish_chain_section $chainref , 'ESTABLISHED';
+	    }
 	}
-    }
 
-    $chainref->{referenced} = 1;
+	$chainref->{referenced} = 1;
+    }
 
     $chainref;
 }
@@ -965,9 +945,25 @@ sub ensure_accounting_chain( $  )
     if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in accounting rule" unless $chainref->{accounting};
     } else {
-	$chainref = new_chain 'filter' , $chain unless $chainref;
+	$chainref = new_chain 'filter' , $chain;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
+
+	if ( $chain ne 'accounting' ) {
+	    my $file = find_file $chain;
+
+	    if ( -f $file ) {
+		progress_message "Processing $file...";
+
+		my ( $level, $tag ) = ( '', '' );
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file"       unless $return;
+		}
+	    }
+	}
     }
 
     $chainref;
@@ -1042,7 +1038,6 @@ sub ensure_manual_chain($) {
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
-#
 sub initialize_chain_table()
 {
     if ( $family == F_IPV4 ) {
@@ -1069,15 +1064,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'dropBcast'       => BUILTIN  + ACTION,
-		    'allowBcast'      => BUILTIN  + ACTION,
-		    'dropNotSyn'      => BUILTIN  + ACTION,
-		    'rejNotSyn'       => BUILTIN  + ACTION,
-		    'dropInvalid'     => BUILTIN  + ACTION,
-		    'allowInvalid'    => BUILTIN  + ACTION,
-		    'allowinUPnP'     => BUILTIN  + ACTION,
-		    'forwardUPnP'     => BUILTIN  + ACTION,
-		    'Limit'           => BUILTIN  + ACTION,
 		   );
 
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1119,12 +1105,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'dropBcast'       => BUILTIN  + ACTION,
-		    'allowBcast'      => BUILTIN  + ACTION,
-		    'dropNotSyn'      => BUILTIN  + ACTION,
-		    'rejNotSyn'       => BUILTIN  + ACTION,
-		    'dropInvalid'     => BUILTIN  + ACTION,
-		    'allowInvalid'    => BUILTIN  + ACTION,
 		   );
 
 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1551,12 +1531,14 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
 
 	my $limit = "-m hashlimit ";
+	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
+
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-burst $6 --hashlimit-name ";
+	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} else {
@@ -2481,7 +2463,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
-	    warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
+
+	    if ( $chainref->{table} eq 'nat' ) {
+		warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
+	    } else {
+		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
+	    }
 
 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
 
@@ -2839,14 +2826,15 @@ sub expand_rule( $$$$$$$$$$;$ )
 }
 
 #
-# The following code generates the input to iptables-restore
+# The following code generates the input to iptables-restore from the contents of the
+# @rules arrays in the chain table entries.
 #
 # We always write the iptables-restore input into a file then pass the
 # file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain rules (begin with '-A') or shell source. We alternate between
+# table entry may contain both rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be passed to iptables-restore
 # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
@@ -2866,33 +2854,31 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $$ ) {
-    my ( $name, $rule ) = @_;
-
-    if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
-	#
-	# A rule
-	#
-	enter_cat_mode unless $mode == CAT_MODE;
-	emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
-    } else {
-	#
-	# A command
-	#
-	enter_cmd_mode unless $mode == CMD_MODE;
-	emit $rule;
+sub emitr( $ ) {
+    if ( my $rule = $_[0] ) {
+	if ( substr( $rule, 0, 2 ) eq '-A' ) {
+	    #
+	    # A rule
+	    #
+	    enter_cat_mode unless $mode == CAT_MODE;
+	    emit_unindented $rule;
+	} else {
+	    #
+	    # A command
+	    #
+	    enter_cmd_mode unless $mode == CMD_MODE;
+	    emit $rule;
+	}
     }
 }
 
 #
 # Simple version that only handles rules
 #
-sub emitr1( $$ ) {
-    my ( $name, $rule ) = @_;
+sub emitr1( $ ) {
+    my $rule = $_[0];
 
-    assert( substr( $rule, 0, 2 ) eq '-A' );
-
-    emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
+    emit_unindented $rule;
 }
 
 #
@@ -2968,7 +2954,7 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} );
+	    emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
 	}
 	#
 	# Commit the changes to the table
@@ -3077,7 +3063,7 @@ sub create_chainlist_reload($) {
 		#
 		# Emit the chain rules
 		#
-		emitr $chain, $_ for ( grep defined $_, @rules );
+		emitr $_ for ( grep defined $_, @rules );
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3182,7 +3168,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $chainref->{name}, $_ for @{$chainref->{rules}};
+	    emitr1 $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_3';
 
 our $export;
 
@@ -90,14 +90,24 @@ sub generate_script_1() {
 	}
     }
 
+    my $lib = find_file 'lib.private';
+
+    if ( -f $lib ) {
+	emit <<'EOF';
+################################################################################
+# Functions imported from lib.private
+################################################################################
+EOF
+
+	copy1 $lib;
+	emit "\n";
+    }
+
     emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    my $lib = find_file 'lib.private';
-
-    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -129,7 +139,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 
 sub generate_script_2() {
 
@@ -204,8 +214,7 @@ sub generate_script_2() {
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
-	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
 
     emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
 
@@ -230,14 +239,24 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
+    pop_indent;
+
+    emit "\n}\n"; # End of initialize()
+
+    emit( '' ,
+	  '#' ,
+	  '# Set global variables holding detected IP information' ,
+	  '#' ,
+	  'detect_configuration()',
+	  '{' );
+
     my $global_variables = have_global_variables;
 
+    push_indent;
+
     if ( $global_variables ) {
-	emit( '' ,
-	      '#' ,
-	      '# Set global variables holding detected IP information' ,
-	      '#' ,
-	      'case $COMMAND in' );
+	
+	emit( 'case $COMMAND in' );
 
 	push_indent;
 
@@ -273,12 +292,14 @@ sub generate_script_2() {
 	pop_indent;
 
 	emit ( 'esac' ) ,
+    } else {
+	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of initialize()
-
+    emit "\n}\n"; # End of detect_configuration()
+    
 }
 
 #
@@ -291,7 +312,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 #
 sub generate_script_3($) {
 
@@ -524,8 +545,8 @@ EOF
 #
 sub compiler {
 
-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
-       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1 );
 
     $export = 0;
     $test   = 0;
@@ -545,7 +566,8 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$objectfile },
+    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -589,8 +611,6 @@ sub compiler {
     #
     get_configuration( $export );
 
-    initialize_chain_table;
-
     report_capabilities;
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@@ -598,12 +618,17 @@ sub compiler {
     require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_object( $objectfile , $export );
+	create_temp_script( $scriptfilename , $export );
     } else {
 	set_command( 'check', 'Checking', 'Checked' );
     }
+    #
+    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
+    # shorewall.conf has been processed and the capabilities have been determined.
+    #
+    initialize_chain_table;
 
     #
     # Allow user to load Perl modules
@@ -641,11 +666,11 @@ sub compiler {
     #
     setup_notrack;
 
-    enable_object;
+    enable_script;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
-	# Place Header in the object
+	# Place Header in the script
 	#
 	generate_script_1;
 	#
@@ -683,20 +708,20 @@ sub compiler {
     #
     setup_zone_mss;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_object;
+    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_object;
+    enable_script;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -714,12 +739,12 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_object;
+    disable_script;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -775,16 +800,16 @@ sub compiler {
     #
     setup_accounting;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
 	# Generate the zone by zone matrix
 	#
 	generate_matrix;
 
-	enable_object;
+	enable_script;
 	#
-	#                                    I N I T I A L I Z E
-	#                  (Writes the initialize() function to the compiled script)
+	#                             I N I T I A L I Z E
+	#           (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -792,17 +817,19 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
-	#                               S T O P _ F I R E W A L L
-	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
+	#
+	#                           S T O P _ F I R E W A L L
+	#         (Writes the stop_firewall() function to the compiled script)
+	#
 	compile_stop_firewall( $test );
 	#
-	# Copy the footer to the object
+	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -812,16 +839,28 @@ sub compiler {
 	    }
 	}
 
-	disable_object;
+	disable_script;
 	#
-	# Close, rename and secure the object
+	# Close, rename and secure the script
 	#
-	finalize_object ( $export );
+	finalize_script ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_object, generate_aux_config if $export;
+	enable_script, generate_aux_config if $export;
     } else {
+	#
+	# Re-initialize the chain table so that process_routestopped() has the same
+	# environment that it would when called by compile_stop_firewall().
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+	#
+	# compile_stop_firewall() also validates the routestopped file. Since we don't
+	# call that function during 'check', we must validate routestopped here.
+	#
+	process_routestopped;
+
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
 	} else {

Shorewall/Perl/Shorewall/Config.pm

@@ -24,7 +24,7 @@
 #   It also exports functions for generating warning and error messages.
 #   The get_configuration function parses the shorewall.conf, capabilities and
 #   modules files during compiler startup. The module also provides the basic
-#   output file services such as creation of temporary 'object' files, writing
+#   output file services such as creation of temporary 'script' files, writing
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
@@ -54,10 +54,10 @@ our @EXPORT = qw(
 
 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
 
-our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
-				       finalize_object
-				       enable_object
-				       disable_object
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
+				       finalize_script
+				       enable_script
+				       disable_script
 		                       numeric_value
 		                       numeric_value1
 		                       hex_value
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_3';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -146,13 +146,13 @@ our ( $log, $log_verbosity );
 #
 our $timestamp;
 #
-# Object file handle
+# Script (output) file handle
 #
-our $object;
+our $script;
 #
-# When 'true', writes to the object are enabled. Used to catch code emission between functions
+# When 'true', writes to the script are enabled. Used to catch code emission between functions
 #
-our $object_enabled;
+our $script_enabled;
 #
 # True, if last line emitted is blank
 #
@@ -170,7 +170,7 @@ our $indent2;
 #
 our $indent;
 #
-# Object's Directory and File
+# Script's Directory and File
 #
 our ( $dir, $file );
 #
@@ -186,10 +186,9 @@ our %globals;
 #
 our %config;
 #
-# Config options and global settings that are to be copied to object script
+# Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
-our @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX SUBSYSLOCK /;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -242,6 +241,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
+		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@@ -261,8 +261,8 @@ our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
 our $currentfilename;         # File NAME
 our $currentlinenumber;       # Line number
-our $scriptfile;              # File Handle Reference to current temporary file being written by an in-line Perl script
-our $scriptfilename;          # Name of that file.
+our $perlscript;              # File Handle Reference to current temporary file being written by an in-line Perl script
+our $perlscriptname;          # Name of that file.
 our @tempfiles;               # Files that need unlinking at END
 our $first_entry;             # Message to output or function to call on first non-blank line of a file
 
@@ -307,13 +307,13 @@ sub initialize( $ ) {
     $log = undef;              # File reference for log file
     $log_verbosity = -1;       # Verbosity of log.
     $timestamp = '';           # If true, we are to timestamp each progress message
-    $object = 0;               # Object (script) file Handle Reference
-    $object_enabled = 0;       # Object (script) file Handle Reference
+    $script = 0;               # Script (output) file Handle Reference
+    $script_enabled = 0;       # Writing to output file is disabled initially
     $lastlineblank = 0;        # Avoid extra blank lines in the output
     $indent1       = '';       # Current indentation tabs
     $indent2       = '';       # Current indentation spaces
     $indent        = '';       # Current total indentation
-    ( $dir, $file ) = ('',''); # Object's Directory and File
+    ( $dir, $file ) = ('',''); # Script's Directory and Filename
     $tempfile = '';            # Temporary File Name
 
     #
@@ -327,8 +327,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.1.2",
-		    CAPVERSION => 40401 ,
+		    VERSION => "4.4.3",
+		    CAPVERSION => 40402 ,
 		  );
 
     #
@@ -439,6 +439,7 @@ sub initialize( $ ) {
 	      FAST_STOP => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
+	      TRACK_PROVIDERS => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -545,6 +546,7 @@ sub initialize( $ ) {
 	      MANGLE_ENABLED => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
+	      TRACK_PROVIDERS => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -566,7 +568,7 @@ sub initialize( $ ) {
 			 NONE    => '',
 			 NFLOG   => 'NFLOG',
 		         LOGMARK => 'LOGMARK' );
-	}
+    }
     #
     # From parsing the capabilities file
     #
@@ -614,6 +616,7 @@ sub initialize( $ ) {
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
+	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
 	       );
     #
@@ -683,14 +686,14 @@ sub cleanup() {
     #
     # Close files first in case we're running under Cygwin
     #
-    close  $object, $object = undef         if $object;
-    close  $scriptfile, $scriptfile = undef if $scriptfile;
+    close  $script, $script = undef         if $script;
+    close  $perlscript, $perlscript = undef if $perlscript;
     close  $log, $log = undef               if $log;
     #
     # Unlink temporary files
     #
     unlink ( $tempfile ), $tempfile = undef             if $tempfile;
-    unlink ( $scriptfilename ), $scriptfilename = undef if $scriptfilename;
+    unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
     unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
 }
 
@@ -813,14 +816,14 @@ sub in_hexp( $ ) {
 }
 
 #
-# Write the arguments to the object file (if any) with the current indentation.
+# Write the arguments to the script file (if any) with the current indentation.
 #
 # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
 #
 sub emit {
-    assert( $object_enabled );
+    assert( $script_enabled );
 
-    if ( $object ) {
+    if ( $script ) {
 	#
 	# 'compile' as opposed to 'check'
 	#
@@ -830,10 +833,10 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		print $object "$line\n";
+		print $script "$line\n";
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	    } else {
-		print $object "\n" unless $lastlineblank;
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    }
 	}
@@ -841,26 +844,26 @@ sub emit {
 }
 
 #
-# Write passed message to the object with newline but no indentation.
+# Write passed message to the script with newline but no indentation.
 #
 sub emit_unindented( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );
 
-    print $object "$_[0]\n" if $object;
+    print $script "$_[0]\n" if $script;
 }
 
 #
 # Write a progress_message2 command with surrounding blank lines to the output file.
 #
 sub save_progress_message( $ ) {
-    emit "\nprogress_message2 @_\n" if $object;
+    emit "\nprogress_message2 @_\n" if $script;
 }
 
 #
 # Write a progress_message command to the output file.
 #
 sub save_progress_message_short( $ ) {
-    emit "progress_message $_[0]" if $object;
+    emit "progress_message $_[0]" if $script;
 }
 
 #
@@ -1034,12 +1037,12 @@ sub pop_indent() {
 }
 
 #
-# Functions for copying files into the object
+# Functions for copying files into the script
 #
 sub copy( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );
 
-    if ( $object ) {
+    if ( $script ) {
 	my $file = $_[0];
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1047,7 +1050,7 @@ sub copy( $ ) {
 	while ( <IF> ) {
 	    chomp;
 	    if ( /^\s*$/ ) {
-		print $object "\n" unless $lastlineblank;
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    } else {
 		if  ( $indent ) {
@@ -1055,8 +1058,8 @@ sub copy( $ ) {
 		    s/        /\t/ if $indent2;
 		}
 
-		print $object $_;
-		print $object "\n";
+		print $script $_;
+		print $script "\n";
 		$lastlineblank = 0;
 	    }
 	}
@@ -1069,11 +1072,11 @@ sub copy( $ ) {
 # This one handles line continuation and 'here documents'
 
 sub copy1( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );
 
     my $result = 0;
 
-    if ( $object ) {
+    if ( $script ) {
 	my $file = $_[0];
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1084,8 +1087,8 @@ sub copy1( $ ) {
 	    chomp;
 
 	    if ( /^${here_documents}\s*$/ ) {
-		print $object $here_documents if $here_documents;
-		print $object "\n";
+		print $script $here_documents if $here_documents;
+		print $script "\n";
 		$do_indent = 1;
 		$here_documents = '';
 		next;
@@ -1096,8 +1099,8 @@ sub copy1( $ ) {
 		s/^(\s*)/$indent1$1$indent2/;
 		s/        /\t/ if $indent2;
 		$do_indent = 0;
-		print $object $_;
-		print $object "\n";
+		print $script $_;
+		print $script "\n";
 		$result = 1;
 		next;
 	    }
@@ -1107,8 +1110,8 @@ sub copy1( $ ) {
 		s/        /\t/ if $indent2;
 	    }
 
-	    print $object $_;
-	    print $object "\n";
+	    print $script $_;
+	    print $script "\n";
 	    $do_indent = ! ( $here_documents || /\\$/ );
 
 	    $result = 1 unless $result || /^\s*$/ || /^\s*#/;
@@ -1123,23 +1126,23 @@ sub copy1( $ ) {
 }
 
 #
-# Create the temporary object file -- the passed file name is the name of the final file.
+# Create the temporary script file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
 #
-sub create_temp_object( $$ ) {
-    my ( $objectfile, $export ) = @_;
+sub create_temp_script( $$ ) {
+    my ( $scriptfile, $export ) = @_;
     my $suffix;
 
-    if ( $objectfile eq '-' ) {
+    if ( $scriptfile eq '-' ) {
 	$verbosity = -1;
-	$object = undef;
-	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
+	$script = undef;
+	open( $script, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
 	return 1;
     }
 
     eval {
-	( $file, $dir, $suffix ) = fileparse( $objectfile );
+	( $file, $dir, $suffix ) = fileparse( $scriptfile );
     };
 
     cleanup, die if $@;
@@ -1147,14 +1150,14 @@ sub create_temp_object( $$ ) {
     fatal_error "$dir is a Symbolic Link"        if -l $dir;
     fatal_error "Directory $dir does not exist"  unless -d _;
     fatal_error "Directory $dir is not writable" unless -w _;
-    fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
-    fatal_error "$objectfile is a Directory"     if -d _;
-    fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
+    fatal_error "$scriptfile is a Symbolic Link" if -l $scriptfile;
+    fatal_error "$scriptfile is a Directory"     if -d _;
+    fatal_error "$scriptfile exists and is not a compiled script" if -e _ && ! -x _;
     fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';
 
     eval {
 	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
-	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
     fatal_error "Unable to create temporary file in directory $dir" if $@;
@@ -1166,12 +1169,12 @@ sub create_temp_object( $$ ) {
 }
 
 #
-# Finalize the object file
+# Finalize the script file
 #
-sub finalize_object( $ ) {
+sub finalize_script( $ ) {
     my $export = $_[0];
-    close $object;
-    $object = 0;
+    close $script;
+    $script = 0;
 
     if ( $file ne '-' ) {
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
@@ -1185,7 +1188,7 @@ sub finalize_object( $ ) {
 #
 sub create_temp_aux_config() {
     eval {
-	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
     };
 
     cleanup, die if $@;
@@ -1195,24 +1198,24 @@ sub create_temp_aux_config() {
 # Finalize the aux config file.
 #
 sub finalize_aux_config() {
-    close $object;
-    $object = 0;
+    close $script;
+    $script = 0;
     rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
     progress_message3 "Shorewall configuration compiled to $file";
 }
 
 #
-# Enable writes to the object file
+# Enable writes to the script file
 #
-sub enable_object() {
-    $object_enabled = 1;
+sub enable_script() {
+    $script_enabled = 1;
 }
 
 #
-# Disable writes to the object file
+# Disable writes to the script file
 #
-sub disable_object() {
-    $object_enabled = 0;
+sub disable_script() {
+    $script_enabled = 0;
 }
 
 #
@@ -1429,19 +1432,19 @@ sub pop_open() {
 # processed as regular file input.
 #
 sub shorewall {
-    unless ( $scriptfile ) {
+    unless ( $perlscript ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;
 
 	$dir ||= '/tmp/';
 
 	eval {
-	    ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
+	    ( $perlscript, $perlscriptname ) = tempfile ( 'perlscriptXXXX' , DIR => $dir );
 	};
 
 	fatal_error "Unable to create temporary file in directory $dir" if $@;
     }
 
-    print $scriptfile "@_\n";
+    print $perlscript "@_\n";
 }
 
 #
@@ -1543,21 +1546,21 @@ sub embedded_perl( $ ) {
 	fatal_error "Perl Script Returned False";
     }
 
-    if ( $scriptfile ) {
+    if ( $perlscript ) {
 	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
 
-	close $scriptfile or assert(0);
+	close $perlscript or assert(0);
 
-	$scriptfile = undef;
+	$perlscript = undef;
 
 	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 	$currentfile = undef;
 
-	open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
+	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
 
-	push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
+	push @tempfiles, $perlscriptname unless unlink $perlscriptname; #unlink fails on Cygwin
 
-	$scriptfilename = '';
+	$perlscriptname = '';
 
 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
@@ -1592,11 +1595,16 @@ sub read_a_line() {
 	    #
 	    s/^\s*// if $currentline =~ /[,:]$/;
 	    #
+	    # If this isn't a continued line, remove trailing comments. Note that
+	    # the result may now end in '\'.
+	    #
+	    s/\s*#.*$// unless /\\$/;
+	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
 	    #
-	    # Remove Trailing Comments -- result might be a blank line
+	    # Now remove concatinated comments
 	    #
 	    $currentline =~ s/#.*$//;
 	    #
@@ -2022,6 +2030,15 @@ sub determine_capabilities( $ ) {
     $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
 
+    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+
+    if ( $capabilities{HASHLIMIT_MATCH} ) {
+	$capabilities{OLD_HL_MATCH} = '';
+    } else {
+	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
+    }
+
     if  ( $capabilities{MANGLE_ENABLED} ) {
 	qt1( "$iptables -t mangle -N $sillyname" );
 
@@ -2066,7 +2083,6 @@ sub determine_capabilities( $ ) {
     $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
     $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
     $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
-    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
     $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
     $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
     $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
@@ -2246,6 +2262,14 @@ sub unsupported_yes_no( $ ) {
     fatal_error "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }
 
+sub unsupported_yes_no_warning( $ ) {
+    my $option = shift;
+
+    default_yes_no $option, '';
+
+    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
+}
+
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2345,14 +2369,14 @@ sub get_configuration( $ ) {
     default_yes_no 'BLACKLISTNEWONLY'           , '';
     default_yes_no 'DISABLE_IPV6'               , '';
 
-    unsupported_yes_no 'DYNAMIC_ZONES';
-    unsupported_yes_no 'BRIDGING';
-    unsupported_yes_no 'SAVE_IPSETS';
-    unsupported_yes_no 'MAPOLDACTIONS';
-    unsupported_yes_no 'RFC1918_STRICT';
+    unsupported_yes_no_warning 'DYNAMIC_ZONES';
+    unsupported_yes_no         'BRIDGING';
+    unsupported_yes_no_warning 'SAVE_IPSETS';
+    unsupported_yes_no_warning 'RFC1918_STRICT';
 
     default_yes_no 'STARTUP_ENABLED'            , 'Yes';
     default_yes_no 'DELAYBLACKLISTLOAD'         , '';
+    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
 
     warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};
 
@@ -2382,6 +2406,7 @@ sub get_configuration( $ ) {
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'WIDE_TC_MARKS'              , '';
+    default_yes_no 'TRACK_PROVIDERS'            , '';
 
     $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
 
@@ -2509,18 +2534,13 @@ sub get_configuration( $ ) {
 }
 
 #
-# The values of the options in @propagateconfig are copied to the object file in OPTION=<value> format.
+# The values of the options in @propagateconfig are copied to the script file in OPTION=<value> format.
 #
 sub propagateconfig() {
     for my $option ( @propagateconfig ) {
 	my $value = $config{$option} || '';
 	emit "$option=\"$value\"";
     }
-
-    for my $option ( @propagateenv ) {
-	my $value = $globals{$option} || '';
-	emit "$option=\"$value\"";
-    }
 }
 
 #

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -476,6 +476,7 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
+	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_3';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -239,7 +239,11 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    validate_address $ipaddr, 0;
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
+			    } else {
+				validate_address $ipaddr, 0;
+			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -286,7 +290,6 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
-			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -478,12 +481,13 @@ sub setup_netmap() {
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
+	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addresses_to_add ) {
-	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addresses_to_add;
+	while ( @addrs ) {
+	    my $addr      = shift @addrs;
+	    my $interface = shift @addrs;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -142,11 +142,15 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
+    #
+    # Hack to work around problem in iproute
+    #
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
 
     emit ( '    case $net in',
@@ -162,11 +166,15 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
+    #
+    # Hack to work around problem in iproute
+    #    
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
 
     emit (  '    case $net in',
@@ -316,12 +324,15 @@ sub add_a_provider( ) {
 
     }
 
-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -455,10 +466,10 @@ sub add_a_provider( ) {
 	emit '';
 	if ( $gateway ) {
 	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
@@ -494,9 +505,9 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
-	} else {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	} else {
+	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
@@ -781,10 +792,12 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the initialize() function.
+# This function is called by the compiler when it is generating the detect_configuration() function.
 # The function emits code to set the ..._IS_USABLE interface variables appropriately for the
 # optional interfaces
 #
+# Returns true if there were optional interfaces
+#
 sub handle_optional_interfaces() {
 
     my $interfaces = find_interfaces_by_option 'optional';
@@ -819,6 +832,8 @@ sub handle_optional_interfaces() {
 		  "    ${base}_IS_USABLE=" ,
 		  'fi' );
 	}
+
+	1;
     }
 }
 
@@ -864,12 +879,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }
 
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcpre //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
 
@@ -896,12 +911,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }
 
-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcout //;
 
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -40,11 +40,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
+		  process_routestopped
 		  generate_matrix
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_3';
 
 #
 # Set to one if we find a SECTION
@@ -329,18 +330,21 @@ sub process_routestopped() {
 	}
 
 	unless ( $options eq '-' ) {
+
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
+			my $chainref = $filter_table->{FORWARD};
+
 			$routeback = 1;
 
 			for my $host ( split /,/, $hosts ) {
 			    my $source = match_source_net $host;
 			    my $dest   = match_dest_net   $host;
 
-			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
+			    add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
 			    clearrule;
 			}
 		    }
@@ -776,6 +780,9 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
     } else {
+	#
+	# Phase II
+	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -848,12 +855,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
 	}
 
 	if ( $mtarget eq 'COMMENT' ) {
@@ -867,8 +875,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 
-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	$mtarget = merge_levels $target, $mtarget;
 
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -914,15 +920,15 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      $mtarget,
 		      $msource,
 		      $mdest,
-		      merge_macro_column( $mproto,    $proto ) ,
-		      merge_macro_column( $mports,    $ports ) ,
-		      merge_macro_column( $msports,   $sports ) ,
-		      merge_macro_column( $morigdest, $origdest ) ,
-		      merge_macro_column( $mrate,     $rate ) ,
-		      merge_macro_column( $muser,     $user ) ,
-		      $mark,
-		      $connlimit,
-		      $time,
+		      merge_macro_column( $mproto,     $proto ) ,
+		      merge_macro_column( $mports,     $ports ) ,
+		      merge_macro_column( $msports,    $sports ) ,
+		      merge_macro_column( $morigdest,  $origdest ) ,
+		      merge_macro_column( $mrate,      $rate ) ,
+		      merge_macro_column( $muser,      $user ) ,
+		      merge_macro_column( $mmark,      $mark ) ,
+		      merge_macro_column( $mconnlimit, $connlimit) ,
+		      merge_macro_column( $mtime,      $time ),
 		      $wildcard
 		     );
 
@@ -959,6 +965,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
+    if ( $config{ MAPOLDACTIONS } ) {
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless ( $actiontype || $param );
+    }
+
     fatal_error "Unknown action ($action)" unless $actiontype;
 
     if ( $actiontype == MACRO ) {
@@ -1569,6 +1579,9 @@ sub process_rules() {
 # Add jumps from the builtin chains to the interface-chains that are used by this configuration
 #
 sub add_interface_jumps {
+    our %input_jump_added;
+    our %output_jump_added;
+    our %forward_jump_added;
     #
     # Add Nat jumps
     #
@@ -1589,10 +1602,10 @@ sub add_interface_jumps {
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
     for my $interface ( @_ ) {
-	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
-	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) if use_input_chain $interface;
+	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
+	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface;
 
-	if ( use_output_chain $interface ) {
+	unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
 	    add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
     }
@@ -1608,7 +1621,7 @@ sub add_interface_jumps {
 
 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse.
+# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@@ -1659,18 +1672,28 @@ sub generate_matrix() {
     my $notrackref = $raw_table->{notrack_chain $fw};
     my @zones = non_firewall_zones;
     my $interface_jumps_added = 0;
+    our %input_jump_added   = ();
+    our %output_jump_added  = ();
+    our %forward_jump_added = ();
 
     #
     # Special processing for complex configurations
     #
     for my $zone ( @zones ) {
-	my $zoneref    = find_zone( $zone );
+	my $zoneref = find_zone( $zone );
 
 	next if @zones <= 2 && ! $zoneref->{options}{complex};
-
+	#
+	# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
+	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
 	if ( $capabilities{POLICY_MATCH} ) {
+	    #
+	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
+	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
+	    #
 	    my $type       = $zoneref->{type};
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
@@ -1680,6 +1703,7 @@ sub generate_matrix() {
 
 		if ( use_forward_chain( $interface ) ) {
 		    $sourcechainref = $filter_table->{forward_chain $interface};
+		    add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
 		    $interfacematch = match_source_dev $interface;
@@ -1791,6 +1815,7 @@ sub generate_matrix() {
 
 			    if ( use_output_chain $interface ) {
 				$outputref = $filter_table->{output_chain $interface};
+				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1839,6 +1864,7 @@ sub generate_matrix() {
 
 			if ( use_input_chain $interface ) {
 			    $inputchainref = $filter_table->{input_chain $interface};
+			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -1852,7 +1878,9 @@ sub generate_matrix() {
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 			    my $ref = source_exclusion( $exclusions, $frwd_ref );
 			    if ( use_forward_chain $interface ) {
-				add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match );
+				my $forwardref = $filter_table->{forward_chain $interface};
+				add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
+				add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			    } else {
 				add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
 				move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
@@ -1872,7 +1900,6 @@ sub generate_matrix() {
 	if ( $config{OPTIMIZE} > 0 ) {
 	    my @temp_zones;
 
-	  ZONE1:
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
 		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
@@ -1922,7 +1949,6 @@ sub generate_matrix() {
 	# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	# @dest_zones is the list of destination zones that we need to handle from this source zone
 	#
-      ZONE1:
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
 	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};
@@ -1936,11 +1962,11 @@ sub generate_matrix() {
 	    my $num_ifaces = 0;
 
 	    if ( $zone eq $zone1 ) {
-		next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
+		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }
 
 	    if ( $zone1ref->{type} == BPORT ) {
-		next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
+		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }
 
 	    my $chainref    = $filter_table->{$chain};
@@ -1971,6 +1997,7 @@ sub generate_matrix() {
 
 			if ( use_forward_chain $interface ) {
 			    $chain3ref = $filter_table->{forward_chain $interface};
+			    add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			} else {
 			    $chain3ref  = $filter_table->{FORWARD};
 			    $match_source_dev = match_source_dev $interface;

Shorewall/Perl/Shorewall/Tc.pm

@@ -713,6 +713,7 @@ sub validate_tc_class( ) {
 			       parent    => $parentclass,
 			       leaf      => 1,
 			       guarantee => 0,
+			       limit     => 127,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -761,6 +762,10 @@ sub validate_tc_class( ) {
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
+	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
+		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
+		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
+		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -789,6 +794,7 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
+					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -1153,7 +1159,7 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#

Shorewall/Perl/Shorewall/Zones.pm

@@ -1182,7 +1182,7 @@ sub validate_hosts_file()
 
     my $fn = open_file 'hosts';
 
-    first_entry "doing $fn...";
+    first_entry "$doing $fn...";
 
     $ipsec |= process_host while read_a_line;
 

Shorewall/Perl/compiler.pl

@@ -61,7 +61,7 @@ sub usage( $ ) {
     [ --family={4|6} ]
 ';
 
-    $returnval;
+    exit $returnval;
 }
 
 #
@@ -105,7 +105,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
+compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,

Shorewall/Perl/prog.footer

@@ -1,283 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -362,6 +85,7 @@ case "$COMMAND" in
 	    status=0
 	else
 	    progress_message3 "Starting $PRODUCT...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -371,6 +95,7 @@ case "$COMMAND" in
     stop)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Stopping $PRODUCT...."
+	detect_configuration
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -414,6 +139,7 @@ case "$COMMAND" in
 	    progress_message3 "Starting $PRODUCT...."
 	fi
 
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -425,6 +151,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
 	    progress_message3 "Refreshing $PRODUCT...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
@@ -435,6 +162,7 @@ case "$COMMAND" in
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Perl/prog.footer6

@@ -1,244 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -328,6 +90,7 @@ else
 		status=0
 	    else
 		progress_message3 "Starting $PRODUCT...."
+		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -337,6 +100,7 @@ else
 	stop)
 	    [ $# -ne 1 ] && usage 2
 	    progress_message3 "Stopping $PRODUCT...."
+	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -379,6 +143,7 @@ else
 		progress_message3 "Starting $PRODUCT...."
 	    fi
 
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -390,6 +155,7 @@ else
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
 		progress_message3 "Refreshing $PRODUCT...."
+		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
@@ -400,6 +166,7 @@ else
 	    ;;
 	restore)
 	    [ $# -ne 1 ] && usage 2
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then

Shorewall/Perl/prog.header

@@ -1071,6 +1071,283 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IPTABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -946,6 +946,244 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/changelog.txt

@@ -1,12 +1,68 @@
-Changes in Shorewall 4.4.1.2
+Changes in Shorewall 4.4.3
 
-1)  Re-initialize chain table before generating 'stop_firewall()'
+1)  Move Debian INITLOG initialization to /etc/default/shorewall
 
-Changes in Shorewall 4.4.1.1
+2)  Fix 'routeback' in /etc/shorewall/routestopped.
 
-1)  Fixed detection of Persistent SNAT
+3)  Rename 'object' to 'script' in compiler and config modules.
 
-2)  Fix compiler initialization fiasco.
+4)  Correct RETAIN_ALIASES=No.
+
+5)  Fix detection of IP config.
+
+6)  Fix nested zones.
+
+7)  Move all function declarations from prog.footer to prog.header
+
+8)  Remove superfluous variables from generated script
+
+9)  Make 'track' the default.
+
+10)  Add TRACK_PROVIDERS option.
+
+11)  Fix IPv6 address parsing bug.
+
+12)  Add hack to work around iproute IPv6 bug in route handling
+
+13)  Correct messages issued when an optional provider is not usable.
+
+14)  Fix optional interfaces.
+
+15)  Add 'limit' option to tcclasses.
+
+Changes in Shorewall 4.4.2
+
+1)  BUGFIX: Correct detection of Persistent SNAT support
+
+2)  BUGFIX: Fix chain table initialization
+
+3)  BUGFIX: Validate routestopped file on 'check'
+
+4)  Let the Actions module add the builtin actions to
+    %Shorewall::Chains::targets. Much better modularization that way.
+
+5)  Some changes to make Lenny->Squeeze less painful.
+
+6)  Allow comments at the end of continued lines.
+
+7)  Call process_routestopped() during 'check' rather than
+    'compile_stop_firewall()'.
+
+8)  Don't look for an extension script for built-in actions.
+
+9)  Apply Jesse Shrieve's patch for SNAT range.
+
+10) Add -<family> to 'ip route del default' command.
+
+11) Add three new columns to macro body.
+
+12) Change 'wait4ifup' so that it requires no PATH
+
+13) Allow extension scripts for accounting chains.
+
+14) Allow per-ip LIMIT to work on ancient iptables releases.
+
+15) Add 'MARK' column to action body.
 
 Changes in Shorewall 4.4.1
 
@@ -57,7 +113,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-5)  Fix provider number in masq file.
+6)  Fix provider number in masq file.
 
 Changes in Shorewall 4.4.0-RC2
 

Shorewall/configfiles/findgw

@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Filegw File
+# Shorewall version 4 - Findgw File
 #
 # /etc/shorewall/findgw
 #

Shorewall/configfiles/shorewall.conf

@@ -32,9 +32,9 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -189,6 +189,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
+TRACK_PROVIDERS=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/default.debian

@@ -21,4 +21,9 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF

Shorewall/init.debian.sh

@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-# Note, set INITLOG to /dev/null if you want to
-# use Shorewall's STARTUP_LOG feature.
-INITLOG=/var/log/shorewall-init.log
+test -n ${INITLOG:=/var/log/shorewall-init.log}
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -49,7 +47,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
+		echo "/usr/share/doc/shorewall/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {
@@ -176,7 +176,7 @@ else
     fi
 
     if [ -z "$CYGWIN" ]; then
-	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+	if [ -f /etc/debian_version ]; then
 	    DEBIAN=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "installing Slackware specific configuration..."
@@ -453,6 +453,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
     echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
+# Install the findgw file
+#
+run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
+    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
+fi
+#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -783,6 +792,11 @@ cd ..
 
 echo "Man Pages Installed"
 
+if [ -z "$PREFIX" ]; then
+    rm -rf /usr/share/shorewall-perl
+    rm -rf /usr/share/shorewall-shell
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall

Shorewall/known_problems.txt

@@ -1,13 +1 @@
-1)  The compiler's detection of Persistent SNAT support is broken.
-
-    Fixed in Shorewall 4.4.1.1
-
-2)  Initialization of the compiler's chain table was broken in ways
-    that prevented some features from working.
-
-    Fixed in Shorewall 4.4.1.1
-
-3)  Initialization of the compiler's chain table was still broken.
-
-    Fixed in Shorewall 4.4.1.2.
-
+There are no known problems in Shorewall version 4.4.3

Shorewall/lib.base

@@ -30,7 +30,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40402
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -945,7 +945,11 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1011,6 +1015,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1069,6 +1074,7 @@ report_capabilities1() {
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH

Shorewall/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 4.4.1 patch release 1
+Shorewall 4.4.3
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 4  H I G H L I G H T S
@@ -66,10 +66,9 @@ Shorewall 4.4.1 patch release 1
        WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                 support has been removed in this release.
 
-    b) Review the incompatibilities between Shorewall-shell and
-       Shorewall-perl at
-       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
-       and make changes to your configuration as necessary.
+    b) Review the migration issues at
+       http://www.shorewall.net/LennyToSqueeze.html and make changes as
+       required.
 
     We strongly recommend that you migrate to Shorewall-perl on your
     current Shorewall version before upgrading to Shorewall 4.4.0. That
@@ -105,7 +104,7 @@ Shorewall 4.4.1 patch release 1
              starts/restarts
 
     To avoid this warning, replace interface names by the corresponding
-    network addresses (e.g., 192.168.144.0/24).
+    network(s) in CIDR format (e.g., 192.168.144.0/24).
 
 6)  Previously, Shorewall has treated traffic shaping class IDs as
     decimal numbers (or pairs of decimal numbers). That worked fine
@@ -170,53 +169,46 @@ Shorewall 4.4.1 patch release 1
     now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
     then it may have no additional members in /etc/shorewall/hosts.
 
-----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
-----------------------------------------------------------------------------
-1)  The compiler's chain table was not being re-initialized prior to
-    creating the stop_firewall() function, resulting in Perl run-time
-    errors.
-----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
-----------------------------------------------------------------------------
-1)  Detection of Persistent SNAT support was broken in the compiler.
-
-2)  Initialization of the compiler's chain table was broken in ways
-    that made some features not work and that caused Perl runtime errors.
+13) Because the 'track' provider option is so useful, it is now the
+    default. If, for some reason, you don't want 'track' then specify
+    'notrack' for the provider.
 
 ----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
 ----------------------------------------------------------------------------
 
-1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains would still use the
-    LOG target rather than ULOG.
+1.  Previously, if 'routeback' was specified in /etc/shorewall/routestopped:
 
-2)  Using CONTINUE policies with a nested IPSEC zone was still broken
-    in some cases.
+    a) 'shorewall check' produced an internal error
+    b) The 'routeback' option didn't work
 
-3)  The setting of IP_FORWARDING has been change to Off in the
-    one-interface sample configuration since forwarding is typically
-    not required with only a single interface.
+2)  If an alias IP address was added and RETAIN_ALIASES=No in
+    shorewall.conf, then a compiler internal error resulted.
 
-4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
-    incorrectly exempted from ACCEPT policies.
+3)  Previously, the generated script would try to detect the values
+    for all run-time variables (such as IP addresses), regardless of
+    what command was being executed. Now, this information is only
+    detected when it is needed.
 
-5)  Previously, the definition of a zone that specified "nets=" in
-    /etc/shorewall/interfaces could not be extended by entries in
-    /etc/shorewall/hosts.
+4)  Nested zones where the parent zone was defined by a wildcard
+    interface (name ends with +) in /etc/shorewall/interfaces did
+    not work correctly in some cases.
 
-6)  Previously, "nets=" could be specified in a multi-zone interface
-    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    now raises a fatal compilation error.
+5)  IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were
+    incorrectly reported as invalid.
 
-7)  MULTICAST=Yes generates an incorrect rule that limits its
-    effectiveness to a small part of the multicast address space.
+6)  Under certain circumstances, optional providers were not detected
+    as being usable.
 
-8)  Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
+    Additionally, the messages issued when an optional provider was not
+    usable were confusing; the message intended to be issued when the
+    provider shared an interface ("WARNING: Gateway <gateway> is not
+    reachable -- Provider <name> (<number>) not Added") was being
+    issued when the provider did not share an interface. Similarly, the
+    message intended to be issued when the provider did not share an
+    interface ("WARNING: Interface <interface> is not usable --
+    Provider <name> (<number>) not Added") was being issued when the
+    provider did share an interface.
 
 ----------------------------------------------------------------------------
              K N O W N   P R O B L E M S   R E M A I N I N G
@@ -225,66 +217,40 @@ Shorewall 4.4.1 patch release 1
 None.
 
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 1
+                N E W   F E A T U R E S   I N   4 . 4 . 3
 ----------------------------------------------------------------------------
 
-1)  To replace the SAME keyword in /etc/shorewall/masq, support has
-    been added for 'persistent' SNAT. Persistent SNAT is required when
-    an address range is specified in the ADDRESS column and when you
-    want a client to always receive the same source/destination IP
-    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+1)  On Debian systems, a default installation will now set
+    INITLOG=/dev/null in /etc/default/shorewall. In all configurations,
+    the default values for the log variables are changed to:
 
-    To specify persistence, follow the address range with
-    ":persistent".
+    	STARTUP_LOG=/var/log/shorewall-init.log
+	LOG_VERBOSITY=2
 
-    Example:
+    The effect is much the same as the old defaults, with the exception 
+    that:
 
-    #INTERFACE	SOURCE	   ADDRESS
-    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+	a) Start, stop, etc. commands issued through /sbin/shorewall
+	   will be logged.
+	b) Logging will occur at maximum verbosity.
+	c) Log entries will be date/time stamped.
 
-    This feature requires Persistent SNAT support in your kernel and
-    iptables. 
+    On non-Debian systems, new installs will now log all Shorewall 
+    commands to /var/log/shorewall-init.log.
 
-    If you use a capabilities file, you will need to create a new one
-    as a result of this feature.
+2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
+    The value of this option becomes the default for the 'track'
+    provider option in /etc/shorewall/providers.
 
-    WARNING: Linux kernels beginning with 2.6.29 include persistent
-    SNAT support. If your iptables supports persistent SNAT but your
-    kernel does not, there is no way for Shorewall to determine that
-    persistent SNAT isn't going to work. The kernel SNAT code blindly
-    accepts all SNAT flags without verifying them and returns them to
-    iptables when asked.
-
-2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~). 
-
-3)  The meaning of 'full' has been redefined when used in the context
-    of a traffic shaping sub-class. Previously, 'full' always meant the
-    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
-    that definition is awkward to use because the sub-class is limited
-    by the parent class.
-
-    Beginning with this release, 'full' in a sub-class definition
-    refers to the specified rate defined for the parent class. So
-    'full' used in the RATE column refers to the parent class's RATE;
-    when used in the CEIL column, 'full' refers to the parent class's
-    CEIL.
-
-    As part of this change, the compiler now issues a warning if the
-    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
-    the device. Similarly, a warning is issued if the sum of the RATEs
-    of a class's sub-classes exceeds the rate of the CLASS.
-
-4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
-    /etc/shorewall/interfaces, multicast traffic will now be sent to
-    the zone along with limited broadcasts.
-
-5)  A flaw in the parsing logic for the zones file allowed most zone
-    types containing the character string 'ip' to be accepted as a
-    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+3)  A new 'limit' option has been added to
+    /etc/shorewall/tcclasses. This option specifies the number of
+    packets that are allowed to be queued within the class. Packets
+    exceeding this limit are dropped. The default value is 127 which is
+    the value that earlier versions of Shorewall used.  The option is
+    ignored with a warning if the 'pfifo' option has been specified.
 
 ----------------------------------------------------------------------------
-                 N E W   F E A T U R E S   I N   4 . 4
+                N E W   F E A T U R E S   I N   4 . 4 . 0
 ----------------------------------------------------------------------------
 
 1)  The Shorewall packaging has been completely revamped in Shorewall
@@ -932,3 +898,184 @@ None.
     the iptables utility is discovered using the PATH setting, then
     ip6tables in the same directory as the discovered iptables will be
     used.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains would still use the
+    LOG target rather than ULOG.
+
+2)  Using CONTINUE policies with a nested IPSEC zone was still broken
+    in some cases.
+
+3)  The setting of IP_FORWARDING has been change to Off in the
+    one-interface sample configuration since forwarding is typically
+    not required with only a single interface.
+
+4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
+    incorrectly exempted from ACCEPT policies.
+
+5)  Previously, the definition of a zone that specified "nets=" in
+    /etc/shorewall/interfaces could not be extended by entries in
+    /etc/shorewall/hosts.
+
+6)  Previously, "nets=" could be specified in a multi-zone interface
+    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
+    now raises a fatal compilation error.
+
+7)  MULTICAST=Yes generates an incorrect rule that limits its
+    effectiveness to a small part of the multicast address space.
+
+8)  Checking for zone membership has been tighened up. Previously, 
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
+    then it may have no additional members in /etc/shorewall/hosts.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  To replace the SAME keyword in /etc/shorewall/masq, support has
+    been added for 'persistent' SNAT. Persistent SNAT is required when
+    an address range is specified in the ADDRESS column and when you
+    want a client to always receive the same source/destination IP
+    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+
+    To specify persistence, follow the address range with
+    ":persistent".
+
+    Example:
+
+    #INTERFACE	SOURCE	   ADDRESS
+    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+
+    This feature requires Persistent SNAT support in your kernel and
+    iptables. 
+
+    If you use a capabilities file, you will need to create a new one
+    as a result of this feature.
+
+    WARNING: Linux kernels beginning with 2.6.29 include persistent
+    SNAT support. If your iptables supports persistent SNAT but your
+    kernel does not, there is no way for Shorewall to determine that
+    persistent SNAT isn't going to work. The kernel SNAT code blindly
+    accepts all SNAT flags without verifying them and returns them to
+    iptables when asked.
+
+2)  A 'clean' target has been added to the Makefiles. It removes backup
+    files (*~ and .*~). 
+
+3)  The meaning of 'full' has been redefined when used in the context
+    of a traffic shaping sub-class. Previously, 'full' always meant the
+    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
+    that definition is awkward to use because the sub-class is limited
+    by the parent class.
+
+    Beginning with this release, 'full' in a sub-class definition
+    refers to the specified rate defined for the parent class. So
+    'full' used in the RATE column refers to the parent class's RATE;
+    when used in the CEIL column, 'full' refers to the parent class's
+    CEIL.
+
+    As part of this change, the compiler now issues a warning if the
+    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
+    the device. Similarly, a warning is issued if the sum of the RATEs
+    of a class's sub-classes exceeds the rate of the CLASS.
+
+4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
+    /etc/shorewall/interfaces, multicast traffic will now be sent to
+    the zone along with limited broadcasts.
+
+5)  A flaw in the parsing logic for the zones file allowed most zone
+    types containing the character string 'ip' to be accepted as a
+    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of Persistent SNAT was broken in the rules compiler. 
+
+2)  Initialization of the compiler's chain table was occurring before 
+    shorewall.conf had been read and before the capabilities had been
+    determined. This could lead to incorrect rules and Perl runtime
+    errors.
+
+3)  The 'shorewall check' command previously did not detect errors in
+    /etc/shorewall/routestopped.
+
+4)  In earlier versions, if a file with the same name as a built-in
+    action were present in the CONFIG_PATH, then the compiler would
+    process that file like it was an extension script.
+
+    The compiler now ignores the presence of such files.
+
+5)  Several configuration issues which previously produced an error or
+    warning are now handled differently.
+
+    a)  MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now
+        handled as they were by the old shell-based compiler. That is,
+        they cause pre-3.0 built-in actions to be mapped automatically
+        to the corresponding macro invocation.
+
+    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
+        warning.
+
+    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+    d)  RFC1918_STRICT=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+6)  Previously, it was not possible to specify an IP address range in
+    the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee
+    Shrieve for the patch.
+
+7)  The 'wait4ifup' script included for Debian compatibility now runs
+    correctly with no PATH.
+
+8)  The new per-IP LIMIT feature now works with ancient iptables
+    releases (e.g., 1.3.5 as found on RHEL 5). This change required
+    testing for an additional capability which means that those who use
+    a capabilities file should regenerate that file after installing
+    4.4.2.
+
+9)  One unintended difference between Shorewall-shell and
+    Shorewall-perl was that Shorewall-perl did not support the MARK
+    column in action bodies. This has been corrected.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Prior to this release, line continuation has taken precedence over 
+    #-style comments. This prevented us from doing the following:
+
+    	    ACCEPT    net:206.124.146.176,\   #Gateway
+	    	          206.124.146.177,\   #Mail
+			  206.124.146.178\    #Server
+			  		      ...
+    
+    Now, unless a line ends with '\', any trailing comment is stripped
+    off (including any white-space preceding the '#'). Then if the line
+    ends with '\', it is treated as a continuation line as normal.
+
+2)  Three new columns have been added to FORMAT-2 macro bodies.
+
+    	  MARK
+	  CONNLIMIT
+	  TIME
+
+    These three columns correspond to the similar columns in
+    /etc/shorewall/rules and must be empty in macros invoked from an
+    action.
+
+3)  Accounting chains may now have extension scripts. Simply place your
+    Perl script in the file /etc/shorewall/<chain> and when the
+    accounting chain named <chain> is created, your script will be
+    invoked.
+
+    As usual, the variable $chainref will contain a reference to the
+    chain's table entry.

Shorewall/shorewall

@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
-#          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
-#          shorewall dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#	   shorewall start 			   Starts the firewall
-#	   shorewall restart			   Restarts the firewall
-#	   shorewall stop			   Stops the firewall
-#	   shorewall status			   Displays firewall status
-#	   shorewall reset			   Resets iptables packet and
-#						   byte counts
-#	   shorewall clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall Lite system.
-#	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#          shorewall show actions                  Displays the available actions
-#	   shorewall show log			   Print the last 20 log messages
-#	   shorewall show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall show nat			   Display the rules in the nat table
-#	   shorewall show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall show tc			   Display traffic control info
-#	   shorewall show classifiers		   Display classifiers
-#          shorewall show capabilities             Display iptables/kernel capabilities
-#          shorewall show vardir                   Display the VARDIR setting.
-#	   shorewall version			   Display the installed version id
-#	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
-#	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#	   shorewall drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#          shorewall restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+#####################################################################################################
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -123,7 +33,6 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
-#
 get_config() {
     local prog
 
@@ -275,7 +184,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -1062,7 +971,7 @@ safe_commands() {
 
     [ -n "$nolock" ] || mutex_on
 
-    if ${VARDIR}/.$command $command; then
+    if ${VARDIR}/.$command $debugging $command; then
 
 	echo -n "Do you want to accept the new firewall configuration? [y/n] "
 

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.1
-%define release 2
+%define version 4.4.3
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -104,10 +104,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }
 
 case $# in
@@ -51,7 +51,7 @@ esac
 
 while [ $timeout -gt 0 ]; do
     interface_is_up $1 && exit 0
-    sleep 1
+    /bin/sleep 1
     timeout=$(( $timeout - 1 ))
 done
 

Shorewall6-lite/default.debian

@@ -21,4 +21,9 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF

Shorewall6-lite/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -15,9 +15,7 @@
 
 SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.1
-%define release 2
+%define version 4.4.3
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -89,10 +89,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6/fallback.sh

@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6/init.debian.sh

@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall6/wait4ifup
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-init.log
+test -n ${INITLOG:=/var/log/shorewall6-init.log}
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40402
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -853,7 +853,11 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
     qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -917,6 +921,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -972,6 +977,7 @@ report_capabilities1() {
     report_capability1 ADDRTYPE
     report_capability1 TCPMSS_MATCH
     report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
     report_capability1 NFQUEUE_TARGET
     report_capability1 REALM_MATCH
     report_capability1 HELPER_MATCH

Shorewall6/shorewall6

@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall6 help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
-#          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
-#          shorewall6 dump                         Dumps all Shorewall6-related information
-#                                                  for problem analysis
-#	   shorewall6 start 			   Starts the firewall
-#	   shorewall6 restart			   Restarts the firewall
-#	   shorewall6 stop			   Stops the firewall
-#	   shorewall6 status			   Displays firewall status
-#	   shorewall6 reset			   Resets ip6tables packet and
-#						   byte counts
-#	   shorewall6 clear			   Open the floodgates by
-#						   removing all ip6tables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall6 refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall6 [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall6 Lite system.
-#	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
-#          shorewall6 show actions                 Displays the available actions
-#	   shorewall6 show log			   Print the last 20 log messages
-#	   shorewall6 show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall6 show nat			   Display the rules in the nat table
-#	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall6 show tc			   Display traffic control info
-#	   shorewall6 show classifiers		   Display classifiers
-#          shorewall6 show capabilities            Display ip6tables/kernel capabilities
-#          shorewall6 show vardir                  Display the VARDIR setting.
-#	   shorewall6 version			   Display the installed version id
-#	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
-#	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
-#						    messages.
-#	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall6 allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall6 starts.
-#                                                  Save the current state so that 'shorewall6
-#                                                  restore' can be used.
-#
-#          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
-#
-#          shorewall6 restore [ <file> ]           Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall6 ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+################################################################################################
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -205,7 +115,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;

Shorewall6/shorewall6.conf

@@ -145,6 +145,8 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
+TRACK_PROVIDERS=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.1
-%define release 2
+%define version 4.4.3
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,10 +93,12 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.1.2
+VERSION=4.4.3
 
 usage() # $1 = exit status
 {

docs/Actions.xml

@@ -193,17 +193,6 @@ ACCEPT   -              -               tcp     135,139,445
         action begins with a capital letter; that way, the name won't conflict
         with a Shorewall-defined chain name.</para>
 
-        <para>The name of the action may be optionally followed by a colon
-        (<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
-        named action will become the <emphasis>default action</emphasis> for
-        policies of type ACCEPT, DROP or REJECT, respectively. The default
-        action is applied immediately before the policy is enforced (before
-        any logging is done under that policy) and is used mainly to suppress
-        logging of uninteresting traffic which would otherwise clog your logs.
-        The same policy name can appear in multiple actions; the last such
-        action for each policy name is the one which Shorewall will
-        use.</para>
-
         <para>Shorewall includes pre-defined actions for DROP and REJECT --
         see above.</para>
       </listitem>
@@ -246,8 +235,8 @@ ACCEPT   -              -               tcp     135,139,445
         <para>You may also use a <ulink url="Macros.html">macro</ulink> in
         your action provided that the macro's expansion only results in the
         ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-        <filename>/usr/share/shorewall/Drop</filename> for an example of an
-        action that users macros extensively.</para>
+        <filename>/usr/share/shorewall/action.Drop</filename> for an example
+        of an action that users macros extensively.</para>
       </listitem>
 
       <listitem>
@@ -506,74 +495,6 @@ ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
       </listitem>
     </orderedlist>
-
-    <para>If you define an action <quote>acton</quote> and you have an
-    <filename>/etc/shorewall/acton</filename> script, when that script is
-    invoked, the following three variables will be set for use by the
-    script:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>$CHAIN = the name of the chain where your rules are to be
-        placed. When logging is used on an action invocation, Shorewall
-        creates a chain with a slightly different name from the action
-        itself.</para>
-      </listitem>
-
-      <listitem>
-        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
-      </listitem>
-
-      <listitem>
-        <para>$TAG = Log Tag.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Example:</para>
-
-    <para><filename>/etc/shorewall/rules</filename>:</para>
-
-    <programlisting>#ACTION          SOURCE           DEST
-acton:info:test  $FW              net</programlisting>
-
-    <para>Your <filename>/etc/shorewall/acton</filename> file will be run
-    with:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>$CHAIN=<quote>%acton1</quote></para>
-      </listitem>
-
-      <listitem>
-        <para>$LEVEL=<quote>info</quote></para>
-      </listitem>
-
-      <listitem>
-        <para>$TAG=<quote>test</quote></para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Shorewall-perl sets lexical variables as follows:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><emphasis role="bold">$chainref</emphasis> is a reference to the
-        chain-table entry for the chain where your rules are to be
-        placed.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">$level</emphasis> is the log level. If
-        false, no logging was specified.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>For an example of how to use these variablesl, see <ulink
-    url="PortKnocking.html">this article</ulink>.</para>
   </section>
 
   <section id="Extension">
@@ -591,6 +512,29 @@ acton:info:test  $FW              net</programlisting>
     <example id="Example">
       <title>An action to drop all broadcast packets</title>
 
+      <para>If you define an action <quote>acton</quote> and you have an
+      <filename>/etc/shorewall/acton</filename> script, the rules compiler
+      sets lexical variables as follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><emphasis role="bold">$chainref</emphasis> is a reference to
+          the chain-table entry for the chain where your rules are to be
+          placed.</para>
+        </listitem>
+
+        <listitem>
+          <para><emphasis role="bold">$level</emphasis> is the log level. If
+          false, no logging was specified.</para>
+        </listitem>
+
+        <listitem>
+          <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Example:</para>
+
       <para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
 
       <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;

docs/Documentation_Index.xml

@@ -208,7 +208,8 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -218,7 +219,7 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -227,8 +228,7 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -238,8 +238,8 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -250,8 +250,8 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -260,7 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>

docs/FAQ.xml

@@ -520,6 +520,10 @@ eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlistin
         <programlisting>#ACTION         SOURCE        DEST        PROTO        DEST
 #                                                      PORT(S)
 REDIRECT        net           22          tcp          9022</programlisting>
+
+        <para>Note that the above rule will also allow connections from the
+        net on TCP port 22. If you don't want that, see <link
+        linkend="faq1e">FAQ 1e</link>.</para>
       </section>
     </section>
 
@@ -534,7 +538,13 @@ REDIRECT        net           22          tcp          9022</programlisting>
       to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
       or use SNAT from your local network to the Internet then you will need
       to use DNAT rules to allow connections from the Internet to your local
-      network. You also want to use DNAT rules when you intentionally want to
+      network.<note>
+          <para>If you use both 1:1 NAT and SNAT/MASQUERADE, those connections
+          that are subject to 1:1 NAT should use ACCEPT rather than DNAT.
+          Note, however, that DNAT can be used to override 1:1 NAT so as to
+          redirect a connection to a different internal system or port than
+          would be the case using 1:1 NAT.</para>
+        </note> You also want to use DNAT rules when you intentionally want to
       rewrite the destination IP address or port number. In all other cases,
       you use ACCEPT unless you need to hijack connections as they go through
       your firewall and handle them on the firewall box itself; in that case,
@@ -683,6 +693,15 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
           <para>Using this technique, you will want to configure your
           DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
           time that you get a new IP address.</para>
+
+          <note>
+            <para>For optional interfaces, use the function <emphasis
+            role="bold">find_first_interface_address_if_any()</emphasis>
+            rather than <emphasis
+            role="bold">find_first_interface_address()</emphasis>. The former
+            will return 0.0.0.0 if the interface has no configured IP address;
+            the latter terminates the calling program.</para>
+          </note>
         </listitem>
       </itemizedlist>
 
@@ -802,6 +821,15 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
           save</command> and <command>shorewall[-lite]
           restore</command></ulink>.</para>
         </warning>
+
+        <note>
+          <para>For optional interfaces, use the function <emphasis
+          role="bold">find_first_interface_address_if_any()</emphasis> rather
+          than <emphasis
+          role="bold">find_first_interface_address()</emphasis>. The former
+          will return 0.0.0.0 if the interface has no configured IP address;
+          the latter terminates the calling program.</para>
+        </note>
       </section>
 
       <section id="faq2c">
@@ -1972,6 +2000,35 @@ iptables: Invalid argument
       <filename><ulink
       url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
     </section>
+
+    <section id="faq86">
+      <title>(FAQ 86) My distribution (Ubuntu) uses NetworkManager to manage
+      my interfaces. I want to specify the upnpclient option for my interfaces
+      which requires them to be up and configured when Shorewall starts but
+      Shorewall is being started before NetworkManager.</title>
+
+      <para>Answer: I faced a similar problem which I solved as
+      follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Don't start Shorewall at boot time (Debian and Ubuntu users
+          may simply set startup=0 in
+          <filename>/etc/default/shorewall</filename>).</para>
+        </listitem>
+
+        <listitem>
+          <para>In <filename>/etc/network/ip-up.d</filename>, I added a
+          <filename>shorewall</filename> script as follows:</para>
+
+          <programlisting>#!/bin/sh
+
+shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall if it isn't already running</programlisting>
+
+          <para>Be sure to secure the script for execute access.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
   </section>
 
   <section id="MultiISP">
@@ -2497,30 +2554,53 @@ REJECT    fw            net:216.239.39.99    all</programlisting>Given that
       <command>shorewall[-lite] show capabilities</command> command at a root
       prompt.</para>
 
-      <programlisting>gateway:~# shorewall show capabilities
-Loading /usr/share/shorewall/functions...
-Processing /etc/shorewall/params ...
-Processing /etc/shorewall/shorewall.conf...
-Loading Modules...
+      <programlisting>gateway:~# <command>shorewall show capabilities</command>
 Shorewall has detected the following iptables/netfilter capabilities:
    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Available
    Connection Tracking Match: Available
+   Extended Connection Tracking Match Support: Available
+   Old Connection Tracking Match Syntax: Not available
    Packet Type Match: Available
    Policy Match: Available
    Physdev Match: Available
+   Physdev-is-bridged Support: Available
+   Packet length Match: Available
    IP range Match: Available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Available
-   ROUTE Target: Available
-   Extended MARK Target: Available
    CONNMARK Target: Available
+   Extended CONNMARK Target: Available
    Connmark Match: Available
+   Extended Connmark Match: Available
    Raw Table: Available
-gateway:~#</programlisting>
+   IPP2P Match: Available
+   Old IPP2P Match Syntax: Not available
+   CLASSIFY Target: Available
+   Extended REJECT: Available
+   Repeat match: Available
+   MARK Target: Available
+   Extended MARK Target: Available
+   Mangle FORWARD Chain: Available
+   Comments: Available
+   Address Type Match: Available
+   TCPMSS Match: Available
+   Hashlimit Match: Available
+   Old Hashlimit Match: Not available
+   NFQUEUE Target: Available
+   Realm Match: Available
+   Helper Match: Available
+   Connlimit Match: Available
+   Time Match: Available
+   Goto Support: Available
+   LOGMARK Target: Available
+   IPMARK Target: Available
+   LOG Target: Available
+   Persistent SNAT: Available
+gateway:~# </programlisting>
     </section>
 
     <section id="faq19">

docs/IPSEC-2.6.xml

@@ -57,26 +57,31 @@
     release.</emphasis></para>
   </caution>
 
+  <important>
+    <para><emphasis role="bold">Shorewall does not configure IPSEC for
+    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
+    configuration.</para>
+  </important>
+
   <important>
     <para>The information in this article is only applicable if you plan to
     have IPSEC end-points on the same system where Shorewall is used.</para>
   </important>
 
   <important>
-    <para>While this article shows configuration of IPSEC using ipsec-tools,
-    Shorewall configuration is exactly the same when using OpenSwan or
+    <para>While this <emphasis role="bold">article shows configuration of
+    IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
+    configuration is exactly the same when using OpenSwan</emphasis> or
     FreeSwan.</para>
   </important>
 
   <warning>
     <para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
     policy match support are broken when used with a bridge device. The
-    problem has been reported to the responsible Netfilter developer who has
-    confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
-    result of the removal of deferred FORWARD/OUTPUT processing of traffic
-    destined for a bridge. See the <ulink
-    url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
-    Firewalls</emphasis>"</ulink> article.</para>
+    problem was corrected in Kernel 2.6.20 as a result of the removal of
+    deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
+    the <ulink url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and
+    Bridged Firewalls</emphasis>"</ulink> article.</para>
   </warning>
 
   <section id="Overview">
@@ -132,12 +137,12 @@
 
     <para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
     and zones was made easy by the presence of IPSEC pseudo-interfaces with
-    names of the form <filename class="devicefile">ipsecn</filename> (e.g.
+    names of the form <filename class="devicefile">ipsecN</filename> (e.g.
     <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
     traffic (case 1.) was send through an <filename
-    class="devicefile">ipsecn</filename> device while incoming unencrypted
+    class="devicefile">ipsecN</filename> device while incoming unencrypted
     traffic (case 2) arrived from an <filename
-    class="devicefile">ipsecn</filename> device. The 2.6 kernel-based
+    class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
     implementation does away with these pseudo-interfaces. Outgoing traffic
     that is going to be encrypted and incoming traffic that has been decrypted
     must be matched against policies in the SPD and/or the appropriate

docs/Introduction.xml

@@ -212,8 +212,8 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
     for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts
     192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis>
     as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that
-    192.168.0.0/24 together with 192.168.1.0/24 constitutes
-    192.168.0.0.23).</para>
+    192.168.0.0/24 together with 192.168.1.0/24 comprises
+    192.168.0.0/23).</para>
 
     <para>Rules about what traffic to allow and what traffic to deny are
     expressed in terms of zones. <itemizedlist spacing="compact">

docs/LennyToSqueeze.xml

@@ -0,0 +1,963 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall Issues when Upgrading from Debian Lenny to
+    Squeeze</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2009</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
+    soon include Shorewall 4.4. Because there are significant differences
+    between the two product versions, some users may experience upgrade
+    issues. This article outlines those issues and offers advice for dealing
+    with them.</para>
+
+    <note>
+      <para>Although this article is targeted specifically at Lenny -&gt;
+      Squeeze upgrades, it should be useful to any Shorewall-shell user
+      upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where
+      non-Debian users may experience different results.</para>
+    </note>
+  </section>
+
+  <section id="Packages">
+    <title>Packaging Differences</title>
+
+    <para>The first key difference between Shorewall 4.0 and Shorewall 4.4 is
+    in the packaging<footnote>
+        <para>Most distributions use a similar packaging structure. Note,
+        however, that the 'shorewall' package in Simon Mater's RPMs for
+        RedHat/Fedora/CentOS is like the Lenny shorewall-common
+        package.</para>
+      </footnote>. In Lenny, there are six Shorewall packages:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>shorewall-common — Contains the basic components needed to
+        create an IPv4 firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-shell — The legacy Shorewall configuration compiler
+        written in Bourne shell.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall — A transitional package that depends on
+        shorewall-common and shorewall-shell. Installing this package installs
+        both shorewall-common and shorewall-shell.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-perl — A re-implementation of the Shorewall
+        configuration compiler in Perl. This compiler has many advantages over
+        the shell-based compiler:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>The compiler is much faster</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler does a much better job of validating the
+            configuration, thus avoiding run-time errors.</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler produces better and more consistent diagnostic
+            messages.</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler produces a script that runs much faster and
+            that does not reject/drop connections during start/restart.</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-lite — A small package that can run scripts generated
+        by shorewall-shell or shorewall-perl. Allows centralized firewall
+        administration.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-doc — Documentation.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>In Squeeze, there are five packages:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>shorewall — Contains everything needed to create an IPv4
+        firewall. It combines the former shorewall-common and shorewall-perl
+        packages.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall6 — Depends on shorewall. Adds those components needed
+        to create an IPv6 firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-lite — Same as in Lenny; only runs IPv4 firewall
+        scripts.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall6-lite — Similar to shorewall-lite, except that it only
+        runs IPv6 firewall scripts.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-doc — Documentation.</para>
+      </listitem>
+    </orderedlist>
+
+    <warning>
+      <para>Do not purge the old packages (shorewall-common, shorewall-shell
+      and shorewall-perl) until after the new shorewall package has been
+      installed.</para>
+    </warning>
+
+    <para>The key change in Squeeze that may produce upgrade issues is that
+    Squeeze does not include the shell-based configuration compiler. As a
+    consequence, unless you are already using Shorewall-perl on Lenny, an
+    upgrade from Lenny to Squeeze will mean that you will be switching from
+    the old shell-based compiler to the new Perl-based compiler<footnote>
+        <para>Note that Perl is a required package on Debian. If you are
+        running an embedded distribution which does not include Perl and it is
+        not feasible to install Perl on your firewall, then you should
+        consider installing Shorewall on another system in your network (may
+        be a <trademark>Windows</trademark> system running
+        <trademark>Cygwin</trademark>) and installing Shorewall-lite on your
+        firewall.</para>
+      </footnote>. While the two compilers are highly compatible, there are
+    some differences. Those differences are detailed in the following
+    sections.</para>
+  </section>
+
+  <section id="Issues">
+    <title>Issues Most Likely to Cause Problems or Concerns</title>
+
+    <section id="conf">
+      <title>shorewall.conf</title>
+
+      <para>As always, when upgrading from one major release of Shorewall to
+      another, the installer will prompt you about replacing your existing
+      <filename>shorewall.conf</filename> with the updated one from the
+      package. Shorewall is designed with the assumption that users will never
+      replace shorewall.conf and retaining your existing file will always
+      produce upward-compatible behavior.</para>
+
+      <para>That having been said, there are a few settings that you may have
+      in your shorewall.conf that will cause compilation warning or error
+      messages after the upgrade.</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>BLACKLISTNEWONLY</term>
+
+          <listitem>
+            <para>If you have BLACKLISTNEWONLY=No together with
+            FASTACCEPT=Yes, you will receive this error:</para>
+
+            <para><emphasis role="bold">ERROR: BLACKLISTNEWONLY=No may not be
+            specified with FASTACCEPT=Yes</emphasis></para>
+
+            <para>To eliminate the error, reverse the setting of one of the
+            options.</para>
+
+            <note>
+              <para>This combination never worked correctly in earlier
+              versions -- to duplicate the earlier behavior, you will want to
+              set BLACKLISTNEWONLY=Yes.</para>
+            </note>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>BRIDGING</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following error:</para>
+
+            <para><emphasis role="bold">ERROR: BRIDGING=Yes is not supported
+            by Shorewall 4.4.x</emphasis></para>
+
+            <para>You should not be receiving this error if you are upgrading
+            from Lenny since BRIDGING=Yes did not work in that
+            release<footnote>
+                <para>If you are upgrading from a release using a kernel
+                earlier than 2.6.20, then BRIDGING=Yes did work correctly with
+                Shorewall-shell.</para>
+              </footnote>. If you have a bridge configuration where you want
+            to control connections through the bridge, you will want to visit
+            <ulink
+            url="http://www.shorewall.net/bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink><footnote>
+                <para>Kernel 2.6.20 or later is required.</para>
+              </footnote>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DELAYBLACKLISTLOAD</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: DELAYBLACKLIST=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set DELAYBLACKLISTLOAD=No or
+            remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DYNAMIC_ZONES</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: DYNAMIC_ZONES=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set DYNAMIC_ZONES=No or remove the
+            setting altogether. See <ulink url="Dynamic.html">this
+            article</ulink> to learn how to set up Dynamic Zones under
+            Shorewall 4.4.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry id="FW">
+          <term>FW</term>
+
+          <listitem>
+            <para>If a setting for FW appears in your shorewall.conf file, you
+            will receive this warning:</para>
+
+            <para><emphasis role="bold">WARNING: Unknown configuration option
+            (FW) ignored.</emphasis></para>
+
+            <para>Remove the setting from the file and modify your
+            <filename>/etc/shorewall/zones</filename> file as described <link
+            linkend="zones">below</link>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>IPSECFILE</term>
+
+          <listitem>
+            <para>If you have specified IPSECFILE=ipsec or IPSECFILE= or if
+            you do not have a setting for IPSECFILE, then you will receive the
+            following error:</para>
+
+            <para><emphasis role="bold">ERROR: IPSECFILE=ipsec is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, you will need to:</para>
+
+            <orderedlist>
+              <listitem>
+                <para>Set IPSECFILE=zones</para>
+              </listitem>
+
+              <listitem>
+                <para>Modify your <filename>/etc/shorewall/zones</filename>
+                file as described <link linkend="zones">below</link>.</para>
+              </listitem>
+            </orderedlist>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>PKTTYPE</term>
+
+          <listitem>
+            <para>The PKTTYPE option is ignored by Shorewall-perl.
+            Shorewall-perl will use Address type match if it is available;
+            otherwise, it will behave as if PKTTYPE=No had been
+            specified.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RFC1918_LOG_LEVEL</term>
+
+          <listitem>
+            <para>If you have specified any setting for this option, you will
+            receive the following warning:</para>
+
+            <para><emphasis role="bold">WARNING: RFC1918_LOG_LEVEL=value
+            ignored. The 'norfc1918' interface/host option is no longer
+            supported.</emphasis></para>
+
+            <para>To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
+            remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RFC1918_STRICT</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: RFC1918_STRICT=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set RFC1918_STRICT=No or remove
+            the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>SAVE_IPSETS</term>
+
+          <listitem>
+            <para>Shorewall 4.4 will issue a warning if you set
+            SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
+
+            <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate this message, you will need to set
+            SAVE_IPSETS=No or remove the setting altogether.</para>
+
+            <para>See <link linkend="ipsets">below</link> for additional
+            information regarding ipsets in Shorewall 4.4.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>SHOREWALL_COMPILER</term>
+
+          <listitem>
+            <para>If you have specified SHOREWALL_COMPILER=shell, you will
+            receive the following warning message:</para>
+
+            <para><emphasis role="bold">WARNING: SHOREWALL_COMPILER=shell
+            ignored. Shorewall-shell support has been removed in this
+            release</emphasis></para>
+
+            <para>To eliminate the warning, set SHOREWALL_COMPILER=perl or
+            simply remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>USE_ACTIONS</term>
+
+          <listitem>
+            <para>If you have set this option to No, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: USE_ACTIONS=No is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set USE_ACTIONS=Yes or remove the
+            setting altogether.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </section>
+
+    <section id="zones">
+      <title>/etc/shorewall/zones</title>
+
+      <para>If the column headings in your /etc/shorewall/zones file look like
+      this:</para>
+
+      <programlisting>#ZONE   DISPLAY         COMMENTS
+net     Net             The big bad net
+loc     Local           The local LAN</programlisting>
+
+      <para>then you are using the original zones file format that has been
+      deprecated since Shorewall 3.0.</para>
+
+      <para>You will need to convert to the new file format which has the
+      following headings:</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS</programlisting>
+
+      <para>You will need to add an entry for your firewall zone. The default
+      name for the firewall zone is 'fw' but may have been overriden using
+      <link linkend="FW">the FW option in
+      <filename>shorewall.conf</filename></link>.</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall</programlisting>
+
+      <para>The remainder of your zones will have type 'ipv4' unless they are
+      mentioned in your /etc/shorewall/ipsec file (see <link
+      linkend="ipsec">below</link>).</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4            # The big bad net
+loc     ipv4            # The local LAN</programlisting>
+    </section>
+
+    <section id="ipsec">
+      <title>/etc/shorewall/ipsec</title>
+
+      <para>This file is no longer used -- its specifications are now included
+      in <filename>/etc/shorewall/zones</filename>.</para>
+
+      <para>Take this example:</para>
+
+      <programlisting>#ZONE   IPSEC    OPTIONS         IN              OUT
+#       ONLY                     OPTIONS         OPTIONS
+ipsec1  Yes
+ipsec2  No</programlisting>
+
+      <para>This would translate to the following entries in
+      <filename>/etc/shorewall/zones</filename>:</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+ipsec1  ipsec4
+ipsec2  ipv4</programlisting>
+
+      <para>Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
+      from <filename>/etc/shorewall/ipsec</filename> to
+      <filename>/etc/shorewall/zones</filename>.</para>
+    </section>
+
+    <section id="interfaces">
+      <title>/etc/shorewall/interfaces</title>
+
+      <para>The BROADCAST column is essentially unused in Squeeze. If it
+      contains anything except 'detect' or '-', then you will receive this
+      warning<footnote>
+          <para>Users whose kernel and/or iptables do not include Address Type
+          Match Support can continue to list broadcast addresses in this
+          column; no warning will be issued.</para>
+        </footnote>:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Shorewall no longer uses
+        broadcast addresses in rule generation when Address Type Match is
+        available</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, replace the contents of the BROADCAST
+      column with '-' or 'detect'.</para>
+
+      <para>The 'norfc1918' option has been removed. If you specify the
+      option, you will receive the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Support for the norfc1918
+        interface option has been removed from Shorewall</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, simply remove the 'norfc1918' option
+      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
+      as a replacement (see <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+    </section>
+
+    <section id="hosts">
+      <title>/etc/shorewall/hosts</title>
+
+      <para>The 'norfc1918' option has been removed. If you specify the
+      option, you will receive the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: The 'norfc1918' option is no
+        longer supported</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, simply remove the 'norfc1918' option
+      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
+      as a replacement (see <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+    </section>
+
+    <section id="policy">
+      <title>/etc/shorewall/policy</title>
+
+      <para>Shorewall 4.4 detects dead policy file entries that result when an
+      entry is masked by an earlier more general entry.</para>
+
+      <para>Example:</para>
+
+      <programlisting>#SOURCE DEST     POLICY    LOG LEVEL
+all     all      REJECT    info
+loc     net      ACCEPT</programlisting>
+
+      <para>Shorewall-shell silently accepted the above even though the
+      loc-&gt;net policy is useless. Shorewall-perl generates a fatal
+      compilation error:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">ERROR: Policy "loc net ACCEPT" duplicates
+        earlier policy "all all REJECT"</emphasis></para>
+      </blockquote>
+    </section>
+
+    <section id="masq">
+      <title>/etc/shorewall/masq</title>
+
+      <para>There is a long tradition of specifying an interface name in the
+      SOURCE column of this file.</para>
+
+      <para>Masquerading/SNAT occurs in the Netfilter POSTROUTING chain where
+      an incoming interface may not be specified in iptables rules.
+      Consequently, while processing the <command>shorewall start</command>
+      and <command>shorewall restart</command> commands, the generated script
+      must examine the firewall's main routing table to determine those
+      networks that are routed out of the interface; the script then adds a
+      MASQUERADE/SNAT rule for connections from each of those networks. This
+      additional processing requires the named interface to be up and
+      configured when Shorewall starts or restarts.</para>
+
+      <para>Users often complain that Shorewall fails to start at boot time
+      because a VPN interface that is named as a masq SOURCE isn't up and
+      configured during boot.</para>
+
+      <para>To emphasize this restriction, if an interface is named in the
+      SOURCE column of one or more entries, a single warning is issued as
+      follows:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Using an interface as the masq
+        SOURCE requires the interface to be up and configured when Shorewall
+        starts/restarts</emphasis></para>
+      </blockquote>
+
+      <para>To suppress this warning, replace the interface name with the list
+      of networks that are routed out of the interface.</para>
+
+      <para>Example.</para>
+
+      <para>Existing entry:</para>
+
+      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
+#                                                                                       GROUP
+eth0                    eth1</programlisting>
+
+      <para>Current routing configuration:</para>
+
+      <programlisting>gateway:~# ip route ls dev eth1
+<emphasis role="bold">172.20.1.0/24</emphasis>  proto kernel  scope link  src 172.20.1.254 
+224.0.0.0/4  scope link 
+gateway:~# 
+</programlisting>
+
+      <para>Replacement entry:</para>
+
+      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
+#                                                                                       GROUP
+eth0                    <emphasis role="bold">172.20.1.0/24</emphasis></programlisting>
+
+      <para>Note that no entry is included for 224.0.0.0/4 since that is the
+      multicast IP range and there should never be any packets with a SOURCE
+      IP address in that network.</para>
+    </section>
+
+    <section id="rules">
+      <title>/etc/shorewall/rules</title>
+
+      <para>If you include a destination zone in a 'nonat' rule, Shorewall
+      issues the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Destination zone (zonename)
+        ignored.</emphasis></para>
+      </blockquote>
+
+      <para>Nonat rules include:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>DNAT-</member>
+
+          <member>REDIRECT-</member>
+
+          <member>NONAT</member>
+        </simplelist>
+      </blockquote>
+
+      <para>To eliminate the warning, remove the DEST zone.</para>
+
+      <para>Example.</para>
+
+      <para>Before:</para>
+
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+NONAT           loc             net             tcp     80</programlisting>
+
+      <para>After:</para>
+
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+NONAT           loc             -               tcp     80</programlisting>
+    </section>
+
+    <section id="routestopped">
+      <title>/etc/shorewall/routestopped</title>
+
+      <para>The 'critical' option is no longer needed and hence is no longer
+      supported. If you have critical hosts defined, you will receive this
+      warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: The 'critical' option is no
+        longer supported (or needed)</emphasis></para>
+      </blockquote>
+
+      <para>To suppress the warning, simply remove the option.</para>
+
+      <para>Shorewall 4.4 also treats the <filename>routestopped</filename>
+      file differently from earlier releases. Previously, the
+      <filename>routestopped</filename> file was parsed during
+      <command>shorewall stop</command> processing so that changes made to the
+      file while Shorewall was running would be applied at the next
+      <command>stop</command>. This is no longer the case -- the
+      <filename>routestopped</filename> file is processed during compilation
+      just like the rest of the configuration files so that when
+      <command>shorewall stop</command> is issued, the firewall will pass
+      traffic based on the contents of the <filename>routestopped</filename>
+      file at the last <command>start</command> or
+      <command>restart</command>.</para>
+    </section>
+
+    <section id="tos">
+      <title>/etc/shorewall/tos</title>
+
+      <para>The <filename>/etc/shorewall/tos</filename> file now has
+      zone-independent SOURCE and DEST columns as do all other files except
+      the rules and policy files.</para>
+
+      <para>The SOURCE column may be one of the following:</para>
+
+      <simplelist>
+        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
+
+        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+
+        <member><command>$FW</command>[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+      </simplelist>
+
+      <para>The DEST column may be one of the following:</para>
+
+      <simplelist>
+        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
+
+        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+      </simplelist>
+
+      <para>This is a permanent change. The old zone-based rules have never
+      worked right and this is a good time to replace them. We have tried to
+      make the new syntax cover the most common cases without requiring change
+      to existing files. In particular, it will handle the
+      <filename>tos</filename> file released with Shorewall 1.4 and
+      earlier.</para>
+    </section>
+
+    <section id="extension">
+      <title>Extension Scripts</title>
+
+      <para>With the shell-based compiler, all extension scripts were copied
+      into the compiled script and executed at run-time. In some cases, this
+      approach doesn't work with Shorewall Perl because (almost) the entire
+      rule set is built by the compiler. As a result, Shorewall-perl runs some
+      extension scripts at compile-time rather than at run-time. Because the
+      compiler is written in Perl, these extension scripts from earlier
+      versions will no longer work.</para>
+
+      <para>The following table summarizes when the various extension scripts
+      are run:<informaltable align="left" frame="none">
+          <tgroup cols="3">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">Compile-time (Must be written in
+                Perl)</emphasis></entry>
+
+                <entry><emphasis role="bold">Run-time</emphasis></entry>
+
+                <entry><emphasis role="bold">Eliminated</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>initdone</entry>
+
+                <entry>clear</entry>
+
+                <entry>continue</entry>
+              </row>
+
+              <row>
+                <entry>maclog</entry>
+
+                <entry>init</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry>Per-chain (including those associated with
+                actions)</entry>
+
+                <entry>start</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>started</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>stop</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>stopped</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>tcclear</entry>
+
+                <entry></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable></para>
+
+      <para>Compile-time extension scripts are executed using the Perl 'eval
+      `cat &lt;file&gt;`' mechanism. Be sure that each script returns a 'true'
+      value; otherwise, the Shorewall-perl compiler will assume that the
+      script failed and will abort the compilation.</para>
+
+      <para>When a script is invoked, the <emphasis
+      role="bold">$chainref</emphasis> scalar variable will usually hold a
+      reference to a chain table entry.</para>
+
+      <simplelist>
+        <member><emphasis role="bold">$chainref-&gt;{name}</emphasis> contains
+        the name of the chain</member>
+
+        <member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
+        the table name</member>
+      </simplelist>
+
+      <para>To add a rule to the chain:</para>
+
+      <simplelist>
+        <member>add_rule $chainref,
+        <replaceable>the-rule</replaceable></member>
+      </simplelist>
+
+      <para>Where</para>
+
+      <simplelist>
+        <member><replaceable>the rule</replaceable> is a scalar argument
+        holding the rule text. Do not include "-A
+        <replaceable>chain-name</replaceable>"</member>
+      </simplelist>
+
+      <para>Example:</para>
+
+      <simplelist>
+        <member>add_rule $chainref, '-j ACCEPT';</member>
+      </simplelist>
+
+      <para>To insert a rule into the chain:</para>
+
+      <simplelist>
+        <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
+        <replaceable>the-rule</replaceable></member>
+      </simplelist>
+
+      <para>The log_rule_limit function works like it does in the shell
+      compiler with three exceptions:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>You pass the chain reference rather than the name of the
+          chain.</para>
+        </listitem>
+
+        <listitem>
+          <para>The commands are 'add' and 'insert' rather than '-A' and
+          '-I'.</para>
+        </listitem>
+
+        <listitem>
+          <para>There is only a single "pass as-is to iptables" argument (so
+          you must quote that part</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Example:</para>
+
+      <programlisting>    log_rule_limit
+              'info' , 
+              $chainref , 
+              $chainref-&gt;{name},
+              'DROP' , 
+              '',    #Limit
+              '' ,   #Log tag
+              'add'
+              '-p tcp ';         </programlisting>
+
+      <para>Here is an example of an actual initdone script used with
+      Shorewall 3.4:<programlisting>run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
+run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
+run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
+</programlisting></para>
+
+      <para>Here is the corresponding script used with Shorewall
+      4.4:<programlisting>use Shorewall::Chains;
+
+insert_rule $mangle_table-&gt;{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
+insert_rule $filter_table-&gt;{INPUT},      1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
+insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
+
+1;</programlisting></para>
+
+      <para>The initdone script is unique because the $chainref variable is
+      not set before the script is called. The above script illustrates how
+      the $mangle_table, $filter_table, and $nat_table references can be used
+      to add or insert rules in arbitrary chains.</para>
+    </section>
+
+    <section id="ipsets">
+      <title>Ipsets</title>
+
+      <para>Shorewall 4.4 insists that ipset names begin with a letter and be
+      composed of alphanumeric characters and underscores (_). When used in a
+      Shorewall configuration file, the name must be preceded by a plus sign
+      (+) as with the shell-based compiler.</para>
+
+      <para>Shorewall 4.4 is out of the ipset load/reload business with the
+      exception of ipsets used for dynamic zones. With scripts generated by
+      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
+      there is no opportunity for Shorewall to load/reload your ipsets since
+      that cannot be done while there are any current rules using
+      ipsets.</para>
+
+      <para>So:</para>
+
+      <orderedlist numeration="upperroman">
+        <listitem>
+          <para>Your ipsets must be loaded before Shorewall starts. You are
+          free to try to do that with the following code in
+          <filename>/etc/shorewall/init (it works for me; your mileage may
+          vary)</filename>:</para>
+
+          <programlisting>if [ "$COMMAND" = start ]; then
+    ipset -U :all: :all:
+    ipset -U :all: :default:
+    ipset -F
+    ipset -X
+    ipset -R &lt; /etc/shorewall/ipsets
+fi</programlisting>
+
+          <para>The file <filename>/etc/shorewall/ipsets</filename> will
+          normally be produced using the <command>ipset -S</command> command.
+          I have this in my<filename> /etc/shorewall/stop</filename>
+          file:</para>
+
+          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
+    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
+    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
+fi</programlisting>
+
+          <para>The above extension scripts will work most of the time but
+          will fail in a <command>shorewall stop</command> -
+          <command>shorewall start</command> sequence if you use ipsets in
+          your routestopped file (see <link
+          linkend="routestopped">below</link>).</para>
+        </listitem>
+
+        <listitem>
+          <para>Your ipsets may not be reloaded until Shorewall is stopped or
+          cleared.</para>
+        </listitem>
+
+        <listitem>
+          <para>If you specify ipsets in your routestopped file then Shorewall
+          must be cleared in order to reload your ipsets.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
+  <section id="Additional">
+    <title>Additional Sources of Information</title>
+
+    <para>The following articles provide additional information.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink url="Shorewall-perl.html#Incompatibilities">Shorewall
+        Perl Incompatibilities</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</article>

docs/Macros.xml

@@ -248,7 +248,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
       </varlistentry>
     </variablelist>
 
-    <para>One remaining restriction should be noted: macros that are invoked
+    <para>One additional restriction should be noted: macros that are invoked
     from actions cannot themselves invoke other actions.</para>
   </section>
 
@@ -554,6 +554,151 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
           2.6.14).</member>
         </simplelist>
       </listitem>
+
+      <listitem>
+        <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
+        packet or connection mark. The rule will match only if the test
+        returns true. Must be empty or '-' if the macro is to be used within
+        an action.</para>
+
+        <programlisting>     [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
+
+        <variablelist>
+          <varlistentry>
+            <term>!</term>
+
+            <listitem>
+              <para>Inverts the test (not equal)</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><replaceable>value</replaceable></term>
+
+            <listitem>
+              <para>Value of the packet or connection mark.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><replaceable>mask</replaceable></term>
+
+            <listitem>
+              <para>A mask to be applied to the mark before testing.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>:C</term>
+
+            <listitem>
+              <para>Designates a connection mark. If omitted, the # packet
+              mark's value is tested.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
+
+      <listitem>
+        <para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
+        the macro is to be used within an action.</para>
+
+        <programlisting>     [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
+
+        <para>May be used to limit the number of simultaneous connections from
+        each individual host to limit connections. Requires connlimit match in
+        your kernel and iptables. While the limit is only checked on rules
+        specifying CONNLIMIT, the number of current connections is calculated
+        over all current connections from the SOURCE host. By default, the
+        <replaceable>limit</replaceable> is applied to each host but can be
+        made to apply to networks of hosts by specifying a
+        <replaceable>mask</replaceable>. The mask specifies the width of a
+        VLSM mask to be applied to the source address; the number of current
+        connections is then taken over all hosts in the subnet
+        <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
+        When ! is specified, the rule matches when the number of connection
+        exceeds the limit. </para>
+      </listitem>
+
+      <listitem>
+        <para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
+        macro is to be used within an action.</para>
+
+        <programlisting>     &lt;timeelement&gt;[&amp;...]</programlisting>
+
+        <para><replaceable>timeelement</replaceable> may be:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+            <listitem>
+              <para>Defines the starting time of day.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+            <listitem>
+              <para>Defines the ending time of day.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>utc</term>
+
+            <listitem>
+              <para>Times are expressed in Greenwich Mean Time.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>localtz</term>
+
+            <listitem>
+              <para>Times are expressed in Local Civil Time (default).</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>weekdays=ddd[,ddd]...</term>
+
+            <listitem>
+              <para>where <replaceable>ddd</replaceable> is one of
+              <option>Mon</option>, <option>Tue</option>,
+              <option>Wed</option>, <option>Thu</option>,
+              <option>Fri</option>, <option>Sat</option> or
+              <option>Sun</option></para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>monthdays=dd[,dd],...</term>
+
+            <listitem>
+              <para>where <replaceable>dd</replaceable> is an ordinal day of
+              the month</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+            <listitem>
+              <para>Defines the starting date and time.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+            <listitem>
+              <para>Defines the ending date and time.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
     </itemizedlist>
 
     <para>Omitted column entries should be entered using a dash ("-:).</para>

docs/MultiISP.xml

@@ -235,7 +235,7 @@
 
               <listitem>
                 <para>Use mark values &gt; 255 for provider marks in this
-                column. </para>
+                column.</para>
 
                 <itemizedlist>
                   <listitem>
@@ -329,9 +329,18 @@
                 <term>track</term>
 
                 <listitem>
-                  <para>If specified, connections FROM this interface are to
-                  be tracked so that responses may be routed back out this
-                  same interface.</para>
+                  <para><important>
+                      <para>Beginning with Shorwall 4.3.3, <emphasis
+                      role="bold">track</emphasis> defaults to the setting of
+                      the <option>TRACK_PROVIDERS</option> option in <ulink
+                      url="manpages/shorewall.conf">shorewall.conf
+                      </ulink>(5). To disable this option when you have
+                      specified TRACK_PROVIDERS=Yes, you must specify
+                      <emphasis role="bold">notrack</emphasis> (see
+                      below).</para>
+                    </important>If specified, connections FROM this interface
+                  are to be tracked so that responses may be routed back out
+                  this same interface.</para>
 
                   <para>You want to specify 'track' if Internet hosts will be
                   connecting to local servers through this provider. Any time
@@ -350,7 +359,8 @@
                   support</emphasis>).</para>
 
                   <important>
-                    <para>If you are using
+                    <para>If you are running a version of Shorewall earlier
+                    than 4.4.3 and are using
                     <filename>/etc/shorewall/providers</filename> because you
                     have multiple Internet connections, we recommend that you
                     specify <emphasis role="bold">track</emphasis> even if you
@@ -423,11 +433,30 @@
                 <term>loose</term>
 
                 <listitem>
-                  <para>Do not include routing rules that force traffic whose
+                  <para>Do not generate routing rules that force traffic whose
                   source IP is an address of the INTERFACE to be routed to
                   this provider. Useful for defining providers that are to be
                   used only when the appropriate packet mark is
                   applied.</para>
+
+                  <para>Shorewall makes no attempt to consolidate the routing
+                  rules added when <emphasis role="bold">loose</emphasis> is
+                  not specified. So, if you have multiple IP addresses on a
+                  provider interface, you may be able to replace the rules
+                  that Shorewall generates with one or two rules in
+                  <filename>/etc/shorewall/route_rules</filename>. In that
+                  case, you can specify <emphasis role="bold">loose</emphasis>
+                  to suppress Shorewall's rule generation. See the <link
+                  linkend="Complete">example</link> below.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>notrack</term>
+
+                <listitem>
+                  <para>Added in Shorewall 4.4.3. This option turns off the
+                  <emphasis role="bold">track</emphasis> option.</para>
                 </listitem>
               </varlistentry>
 
@@ -1353,19 +1382,85 @@ fi</programlisting></para>
         supported. This allows additional files to be sourced in from the main
         configuration file.</para>
 
+        <para>LSM monitors the status of the links defined in its
+        configuration file and runs a user-provided script when the status of
+        a link changes. The script name is specified in the
+        <firstterm>eventscript</firstterm> option in the configuration file.
+        Key arguments to the script are as follows:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>$1</term>
+
+            <listitem>
+              <para>The state of the link ('up' or 'down')</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$2</term>
+
+            <listitem>
+              <para>The name of the connection as specified in the
+              configuration file.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$4</term>
+
+            <listitem>
+              <para>The name of the network interface associated with the
+              connection.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$5</term>
+
+            <listitem>
+              <para>The email address of the person specified to receive
+              notifications. Specified in the
+              <firstterm>warn_email</firstterm> option in the configuration
+              file.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+
+        <para>It is the responsibility of the script to perform any action
+        needed in reaction to the connection state change. The default script
+        supplied with LSM composes an email and sends it to $5.</para>
+
         <para>I personally use LSM here at shorewall.net (configuration is
         described <link linkend="Complete">below</link>). I have set things up
-        so that Shorewall [re]starts lsm during processing of the
-        <command>start</command> and <command>restore</command> commands. I
-        don't have Shorewall restart lsm during Shorewall
-        <command>restart</command> because I restart Shorewall much more often
-        than the average user is likely to do. I have Shorewall start lsm
-        because I have a dynamic IP address from one of my providers
-        (Comcast); Shorewall detects the default gateway to that provider and
-        creates a secondary configuration file
-        (<filename>/etc/lsm/shorewall.conf</filename>) that contains the link
-        configurations. That file is included by
-        <filename>/etc/lsm/lsm.conf</filename>.B</para>
+        so that:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Shorewall [re]starts lsm during processing of the
+            <command>start</command> and <command>restore</command> commands.
+            I don't have Shorewall restart lsm during Shorewall
+            <command>restart</command> because I restart Shorewall much more
+            often than the average user is likely to do.</para>
+          </listitem>
+
+          <listitem>
+            <para>Shorewall starts lsm because I have a dynamic IP address
+            from one of my providers (Comcast); Shorewall detects the default
+            gateway to that provider and creates a secondary configuration
+            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
+            the link configurations. That file is included by
+            <filename>/etc/lsm/lsm.conf</filename>.</para>
+          </listitem>
+
+          <listitem>
+            <para>The script run by LSM during state change
+            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            ${VARDIR}/xxx.status</filename> file when the status of an
+            interface changes. Those files are read by the
+            <filename>isusable</filename> extension script (see below).</para>
+          </listitem>
+        </itemizedlist>
 
         <para>Below are my relevant configuration files.</para>
 
@@ -1376,12 +1471,10 @@ fi</programlisting></para>
 
         <para><filename>/etc/shorewall/isusable</filename>:</para>
 
-        <para>Note that <filename>/etc/lsm/script </filename>writes
-        a<filename> ${VARDIR}/xxx.status</filename> file when the status of an
-        interface changes.</para>
-
         <programlisting>local status=0
-
+#
+# Read the status file (if any) created by /etc/lsm/script
+#
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)
 
 return $status</programlisting>
@@ -1394,7 +1487,16 @@ return $status</programlisting>
 # Start lsm
 ###############################################################################
 start_lsm() {
+   #
+   # Kill any existing lsm process(es)
+   #
    killall lsm 2&gt; /dev/null
+   #
+   # Create the Shorewall-specific part of the LSM configuration. This file is
+   # included by /etc/lsm/lsm.conf
+   #
+   # Avvanta has a static gateway while Comcast's is dynamic
+   #
    cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
 connection {
     name=Avvanta
@@ -1410,13 +1512,20 @@ connection {
     ttl=1
 }
 EOF
+   #
+   # Since LSM assumes that interfaces start in the 'up' state, remove any
+   # existing status files that might have an interface in the down state
+   #
    rm -f /etc/shorewall/*.status
+   #
+   # Run LSM -- by default, it forks into the background
+   #
    /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
 
         <para>eth3 has a dynamic IP address so I need to use the
         Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
-        value in the event that detection fails.</para>
+        value to be used in the event that detection fails.</para>
 
         <para><filename>/etc/shorewall/started</filename>:</para>
 
@@ -1454,7 +1563,7 @@ defaults {
   warn_email=teastep@shorewall.net
   check_arp=0
   sourceip=
-  ttl=64
+  ttl=0
 }
 
 include /etc/lsm/shorewall.conf</programlisting>
@@ -1522,11 +1631,11 @@ EOM
 
 echo $state &gt; ${VARDIR}/${DEVICE}.status
 
-/sbin/shorewall -f restart &gt;&gt; /var/log/lsm 2&gt;&amp;1
+/sbin/shorewall restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1
 
 /sbin/shorewall show routing &gt;&gt; /var/log/lsm
 
-exit 0;
+exit 0
 
 #EOF</programlisting>:</para>
       </section>

docs/NetfilterOverview.xml

@@ -119,34 +119,38 @@
     </important>
 
     <para>The above diagram should help you understand the output of
-    <quote>shorewall status</quote>. You may also wish to refer to <ulink
+    <quote>shorewall dump</quote>. You may also wish to refer to <ulink
     url="PacketHandling.html">this article</ulink> that describes the flow of
     packets through a Shorewall-generated firewall.</para>
 
-    <para>Here are some excerpts from <quote>shorewall status</quote> on a
+    <para>Here are some excerpts from <quote>shorewall dump</quote> on a
     server with one interface (eth0):</para>
 
-    <programlisting>[root@lists html]# shorewall status
+    <programlisting>[root@tipper ~]# shorewall dump
  
-Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
-                                                                                                                                                                                    
-Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
+Shorewall 4.4.2.2 Dump at tipper - Fri Oct 16 07:38:16 PDT 2009
+
+Counters reset Thu Oct  8 00:38:06 PDT 2009</programlisting>
 
     <para>The first table shown is the <emphasis role="bold">Filter</emphasis>
     table.</para>
 
     <programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
- 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
- 785K   93M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID</programlisting>
+ 6428 1417K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
+ 967K  629M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
+   49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED</programlisting>
+
+    <para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
+    is done.</para>
 
     <para>The following rule indicates that all traffic destined for the
     firewall that comes into the firewall on eth0 is passed to a chain called
     <quote>eth0_in</quote>. That chain will be shown further down.</para>
 
     <programlisting> 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                     
@@ -155,87 +159,87 @@ Chain FORWARD (policy DROP 0 packets, 0 bytes)
     0     0 accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
     0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
     0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
     0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                     
 Chain OUTPUT (policy DROP 1 packets, 60 bytes)
  pkts bytes target     prot opt in     out     source               destination
- 679K  182M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
- 922K  618M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
- 922K  618M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
-    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0</programlisting>
+ 895K  181M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
+   49  3896 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
+    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
+</programlisting>
 
     <para>Here is the eth0_in chain:</para>
 
     <programlisting>Chain eth0_in (1 references)
  pkts bytes target     prot opt in     out     source               destination
- 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0</programlisting>
-
-    <para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
-    is done.</para>
+   49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
+    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
+</programlisting>
 
     <para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>
 
     <programlisting>NAT Table
- 
-Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
- pkts bytes target     prot opt in     out     source               destination
-20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
- 
-Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain net_dnat (1 references)
- pkts bytes target     prot opt in     out     source               destination
-  638 32968 REDIRECT   tcp  --  *      *       0.0.0.0/0           !206.124.146.177    tcp dpt:80 redir ports 3128
-</programlisting>
 
-    <para>And finally, the <emphasis role="bold">Mangle</emphasis>
-    table:</para>
+Chain PREROUTING (policy ACCEPT 5593 packets, 1181K bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
+
+    <para>Next, the <emphasis role="bold">Mangle</emphasis> table:</para>
 
     <programlisting>Mangle Table
- 
-Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
- pkts bytes target     prot opt in     out     source               destination
-1464K  275M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 
-Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
+
+Chain PREROUTING (policy ACCEPT 967K packets, 629M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 967K  629M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain INPUT (policy ACCEPT 967K packets, 629M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
- pkts bytes target     prot opt in     out     source               destination
-1601K  800M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 
-Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain outtos (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
- 315K  311M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
-  683 59143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
- 3667 5357K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08
- 
-Chain pretos (1 references)
- pkts bytes target     prot opt in     out     source               destination
- 271K   15M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
-  730 41538 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
- 2065  111K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08</programlisting>
+ pkts bytes target     prot opt in     out     source               destination         
+    0     0 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain OUTPUT (policy ACCEPT 895K packets, 181M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 895K  181M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain POSTROUTING (policy ACCEPT 895K packets, 181M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 895K  181M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain tcfor (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcout (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcpost (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcpre (1 references)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
+
+    <para>And finally, the <emphasis role="bold">Raw</emphasis> table:</para>
+
+    <programlisting>Raw Table
+
+Chain PREROUTING (policy ACCEPT 1004K packets, 658M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 926K packets, 186M bytes)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
   </section>
 </article>

docs/Shorewall-perl.xml

@@ -143,7 +143,7 @@
           </itemizedlist>
         </listitem>
 
-        <listitem>
+        <listitem id="Extensions">
           <para>With the shell-based compiler, extension scripts were copied
           into the compiled script and executed at run-time. In many cases,
           this approach doesn't work with Shorewall Perl because (almost) the
@@ -153,67 +153,79 @@
           extension scripts from earlier versions will no longer work.</para>
 
           <para>The following table summarizes when the various extension
-          scripts are run:<informaltable align="left" frame="none">
-              <tgroup cols="3">
-                <tbody>
-                  <row>
-                    <entry><emphasis role="bold">Compile-time (Must be written
-                    in Perl)</emphasis></entry>
+          scripts are run:</para>
 
-                    <entry><emphasis role="bold">Run-time</emphasis></entry>
+          <informaltable align="left" frame="none">
+            <tgroup cols="3">
+              <tbody>
+                <row>
+                  <entry><emphasis role="bold">Compile-time (Must be written
+                  in Perl)</emphasis></entry>
 
-                    <entry><emphasis role="bold">Eliminated</emphasis></entry>
-                  </row>
+                  <entry><emphasis role="bold">Run-time</emphasis></entry>
 
-                  <row>
-                    <entry>initdone</entry>
+                  <entry><emphasis role="bold">Eliminated</emphasis></entry>
+                </row>
 
-                    <entry>clear</entry>
+                <row>
+                  <entry>initdone</entry>
 
-                    <entry>continue</entry>
-                  </row>
+                  <entry>clear</entry>
 
-                  <row>
-                    <entry>maclog</entry>
+                  <entry>continue</entry>
+                </row>
 
-                    <entry>start</entry>
-                  </row>
+                <row>
+                  <entry>maclog</entry>
 
-                  <row>
-                    <entry>Per-chain (including those associated with
-                    actions)</entry>
+                  <entry>init</entry>
 
-                    <entry>started</entry>
+                  <entry></entry>
+                </row>
 
-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry>Per-chain (including those associated with
+                  actions)</entry>
 
-                  <row>
-                    <entry></entry>
+                  <entry>start</entry>
 
-                    <entry>stop</entry>
+                  <entry></entry>
+                </row>
 
-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry></entry>
 
-                  <row>
-                    <entry></entry>
+                  <entry>started</entry>
 
-                    <entry>stopped</entry>
+                  <entry></entry>
+                </row>
 
-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry></entry>
 
-                  <row>
-                    <entry></entry>
+                  <entry>stop</entry>
 
-                    <entry>tcclear</entry>
+                  <entry></entry>
+                </row>
 
-                    <entry></entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable></para>
+                <row>
+                  <entry></entry>
+
+                  <entry>stopped</entry>
+
+                  <entry></entry>
+                </row>
+
+                <row>
+                  <entry></entry>
+
+                  <entry>tcclear</entry>
+
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>
 
           <para>Compile-time extension scripts are executed using the Perl
           'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
@@ -343,7 +355,7 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
           the tos file released with Shorewall 1.4 and earlier.</para>
         </listitem>
 
-        <listitem>
+        <listitem id="SAVE_IPSETS">
           <para>Shorewall-perl insists that ipset names begin with a letter
           and be composed of alphanumeric characters and underscores (_). When
           used in a Shorewall configuration file, the name must be preceded by
@@ -547,7 +559,8 @@ DNAT-              net                192.168.1.3      tcp          21</programl
           starts/restarts</para>
 
           <para>To avoid this warning, replace interface names by the
-          corresponding network addresses (e.g., 192.168.144.0/24).</para>
+          corresponding network() in CIDR format (e.g.,
+          192.168.144.0/24).</para>
         </listitem>
       </orderedlist>
     </section>
@@ -657,15 +670,15 @@ DNAT-              net                192.168.1.3      tcp          21</programl
   <section id="Modules">
     <title>The Shorewall Perl Modules</title>
 
-    <para>Shorewall's Perl modules are installed in
-    /usr/share/shorewall-perl/Shorewall and the names of the packages are of
-    the form Shorewall::<firstterm>name</firstterm>. So by using this
-    directive<programlisting>use lib '/usr/share/shorewall-perl';</programlisting></para>
+    <para>In Shorewall 4.4 and later, Shorewall's Perl modules are installed
+    in /usr/share/shorewall/Shorewall and the names of the packages are of the
+    form Shorewall::<firstterm>name</firstterm>. So by using this
+    directive<programlisting>use lib '/usr/share/shorewall';</programlisting></para>
 
     <para>You can then load the modules via normal Perl use statements.</para>
 
     <section id="compiler.pl">
-      <title>/usr/share/shorewall-perl/compiler.pl</title>
+      <title>/usr/share/shorewall/compiler.pl</title>
 
       <para>While the compiler is normally run indirectly using
       /sbin/shorewall, it can be run directly as well.<programlisting><command>compiler.pl</command> [ <emphasis>option</emphasis> ... ] [ <emphasis>filename</emphasis> ]</programlisting></para>
@@ -721,25 +734,25 @@ DNAT-              net                192.168.1.3      tcp          21</programl
           role="bold">--log</emphasis>=&lt;logfile&gt;</member>
         </simplelist></para>
 
-      <para>Added in Shorewall 4.2. If given, compiler will log to this file
-      provider that --log_verbosity is &gt; -1.<simplelist>
+      <para>If given, compiler will log to this file provider that
+      --log_verbosity is &gt; -1.<simplelist>
           <member><emphasis
           role="bold">--log_verbosity</emphasis>=-1|0|1|2</member>
         </simplelist></para>
 
-      <para>Added in Shorewall 4.1. If given, controls the verbosity of
-      logging to the log specified by the --log parameter.</para>
+      <para>If given, controls the verbosity of logging to the log specified
+      by the --log parameter.</para>
 
       <simplelist>
         <member><emphasis role="bold">--family=</emphasis>4|6</member>
       </simplelist>
 
-      <para>Added in Shorewall 4.2.4. Specifies whether an IPv4 or an IPv6
-      firewall is to be created.</para>
+      <para>Specifies whether an IPv4 or an IPv6 firewall is to be
+      created.</para>
 
       <para>Example (compiles the configuration in the current directory
       generating a script named 'firewall' and using VERBOSITY
-      2).<programlisting><emphasis role="bold">/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
+      2).<programlisting><emphasis role="bold">/usr/share/shorewall/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
           <para>The Perl-based compiler does not process
           <filename>/etc/shorewall/params</filename>. To include definitions
           in that file, you would need to do something like the
@@ -747,216 +760,135 @@ DNAT-              net                192.168.1.3      tcp          21</programl
 set -a                           # Export all variables set in /etc/shorewall/params
 . /etc/shorewall/params
 set +a
-/usr/share/shorewall-perl/compiler.pl ...</command></programlisting></para>
+/usr/share/compiler.pl ...</command></programlisting></para>
         </note></para>
     </section>
 
     <section id="Compiler">
       <title>Shorewall::Compiler</title>
 
-      <section id="Compiler-4.0">
-        <title>Shorewall 4.0</title>
+      <para>To avoid a proliferation of parameters to
+      Shorewall::Compiler::compile(), that function uses named parameters.
+      Parameter names are:</para>
 
-        <para><programlisting> use lib '/usr/share/shorewall-perl';
- use Shorewall::Compiler;
-        
- compiler $filename, $directory, $verbose, $options $chains</programlisting>Arguments
-        to the compiler are:</para>
+      <variablelist>
+        <varlistentry>
+          <term>script ('object' is also accepted but deprecated)</term>
 
-        <variablelist>
-          <varlistentry>
-            <term>$filename</term>
+          <listitem>
+            <para>Output script file. If omitted or '', the configuration is
+            syntax checked.</para>
+          </listitem>
+        </varlistentry>
 
-            <listitem>
-              <para>Name of the compiled script to be created. If the
-              arguments evaluates to false, the configuration is syntax
-              checked.</para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>directory</term>
 
-          <varlistentry>
-            <term>$directory</term>
+          <listitem>
+            <para>Directory. If omitted or '', configuration files are located
+            using CONFIG_PATH. Otherwise, the directory named by this
+            parameter is searched first.</para>
+          </listitem>
+        </varlistentry>
 
-            <listitem>
-              <para>The directory containing the configuration. If passed as
-              '', then <filename class="directory">/etc/shorewall/</filename>
-              is assumed.</para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>verbosity</term>
 
-          <varlistentry>
-            <term>$verbose</term>
+          <listitem>
+            <para>Verbosity; range -1 to 2</para>
+          </listitem>
+        </varlistentry>
 
-            <listitem>
-              <para>The verbosity level that the compiler will run with
-              (0-2).<note>
-                  <para>The VERBOSITY setting in the
-                  <filename>shorewall.conf</filename> file read by the
-                  compiler will determine the default verbosity for the
-                  compiled program.</para>
-                </note></para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>timestamp</term>
 
-          <varlistentry>
-            <term>$options</term>
+          <listitem>
+            <para>0|1 -- timestamp messages.</para>
+          </listitem>
+        </varlistentry>
 
-            <listitem>
-              <para>A bitmap of options. Shorewall::Compiler exports three
-              constants to help building this argument:<simplelist>
-                  <member>EXPORT = 0x01</member>
+        <varlistentry>
+          <term>debug</term>
 
-                  <member>TIMESTAMP = 0x02</member>
+          <listitem>
+            <para>0|1 -- include stack trace in warning/error messages.</para>
+          </listitem>
+        </varlistentry>
 
-                  <member>DEBUG = 0x04</member>
-                </simplelist></para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>export</term>
 
-          <varlistentry>
-            <term>$chains</term>
+          <listitem>
+            <para>0|1 -- compile for export.</para>
+          </listitem>
+        </varlistentry>
 
-            <listitem>
-              <para>A comma-separated list of chains that the generated
-              script's 'refresh' command will reload. If passed as an empty
-              string, then 'blacklist' is assumed.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
+        <varlistentry>
+          <term>chains</term>
 
-        <para>The compiler raises an exception with 'die' if it encounters an
-        error; $@ contains the 'ERROR' messages describing the problem. The
-        compiler function can be called repeatedly with different
-        inputs.</para>
-      </section>
+          <listitem>
+            <para>List of chains to be reloaded by 'refresh'</para>
+          </listitem>
+        </varlistentry>
 
-      <section>
-        <title>Shorewall 4.2 and Later</title>
+        <varlistentry>
+          <term>log</term>
 
-        <para>To avoid a proliferation of parameters to
-        Shorewall::Compiler::compile(), that function has been changed to use
-        named parameters. Parameter names are:</para>
+          <listitem>
+            <para>File to log compiler messages to.</para>
+          </listitem>
+        </varlistentry>
 
-        <variablelist>
-          <varlistentry>
-            <term>object</term>
+        <varlistentry>
+          <term>log_verbosity</term>
 
-            <listitem>
-              <para>Object file. If omitted or '', the configuration is syntax
-              checked.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Log Verbosity; range -1 to 2.</para>
+          </listitem>
+        </varlistentry>
 
-          <varlistentry>
-            <term>directory</term>
+        <varlistentry>
+          <term>family</term>
 
-            <listitem>
-              <para>Directory. If omitted or '', configuration files are
-              located using CONFIG_PATH. Otherwise, the directory named by
-              this parameter is searched first.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Address family: 4 or 6</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
 
-          <varlistentry>
-            <term>verbosity</term>
+      <para>Those parameters that are supplied must have defined values.
+      Defaults are: <simplelist>
+          <member>script '' ('check' command)</member>
 
-            <listitem>
-              <para>Verbosity; range -1 to 2</para>
-            </listitem>
-          </varlistentry>
+          <member>directory ''</member>
 
-          <varlistentry>
-            <term>timestamp</term>
+          <member>verbosity 1</member>
 
-            <listitem>
-              <para>0|1 -- timestamp messages.</para>
-            </listitem>
-          </varlistentry>
+          <member>timestamp 0</member>
 
-          <varlistentry>
-            <term>debug</term>
+          <member>debug 0</member>
 
-            <listitem>
-              <para>0|1 -- include stack trace in warning/error
-              messages.</para>
-            </listitem>
-          </varlistentry>
+          <member>export 0</member>
 
-          <varlistentry>
-            <term>export</term>
+          <member>chains ''</member>
 
-            <listitem>
-              <para>0|1 -- compile for export.</para>
-            </listitem>
-          </varlistentry>
+          <member>log ''</member>
 
-          <varlistentry>
-            <term>chains</term>
+          <member>log_verbosity -1</member>
 
-            <listitem>
-              <para>List of chains to be reloaded by 'refresh'</para>
-            </listitem>
-          </varlistentry>
+          <member>family 4</member>
+        </simplelist></para>
 
-          <varlistentry>
-            <term>log</term>
-
-            <listitem>
-              <para>File to log compiler messages to.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>log_verbosity</term>
-
-            <listitem>
-              <para>Log Verbosity; range -1 to 2.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>family</term>
-
-            <listitem>
-              <para>Address family: 4 or 6</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-
-        <para>Those parameters that are supplied must have defined values.
-        Defaults are: <simplelist>
-            <member>object '' ('check' command)</member>
-
-            <member>directory ''</member>
-
-            <member>verbosity 1</member>
-
-            <member>timestamp 0</member>
-
-            <member>debug 0</member>
-
-            <member>export 0</member>
-
-            <member>chains ''</member>
-
-            <member>log ''</member>
-
-            <member>log_verbosity -1</member>
-
-            <member>family 4</member>
-          </simplelist></para>
-
-        <para>Example: <programlisting>use lib '/usr/share/shorewall-perl/';
+      <para>Example: <programlisting>use lib '/usr/share/shorewall/';
 use Shorewall::Compiler;
 
-compiler( object =&gt; '/root/firewall', log =&gt; '/root/compile.log', log_verbosity =&gt; 2 ); </programlisting></para>
-      </section>
+compiler( script =&gt; '/root/firewall', log =&gt; '/root/compile.log', log_verbosity =&gt; 2 ); </programlisting></para>
     </section>
 
     <section id="Chains">
       <title>Shorewall::Chains</title>
 
-      <para><programlisting>use lib '/usr/share/shorewall-perl';
+      <para><programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Chains;
 
 my $chainref1 = chain_new $table, $name1;
@@ -1195,7 +1127,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
     <section id="Config">
       <title>Shorewall::Config</title>
 
-      <para><programlisting>use lib '/usr/share/shorewall-perl';
+      <para><programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Config;
 
 warning message "This entry is bogus";
@@ -1205,7 +1137,7 @@ progress_message  "This will only be seen if VERBOSITY &gt;= 2";
 progress_message2 "This will only be seen if VERBOSITY &gt;= 1";
 progress_message3 "This will be seen unless VERBOSITY &lt; 0";
 </programlisting>The <emphasis role="bold">shorewall()</emphasis> function may
-      be optionally included:<programlisting>use lib '/usr/share/shorewall-perl';
+      be optionally included:<programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Config qw/shorewall/;
 
 shorewall $config_file_entry;</programlisting>The Shorewall::Config module

docs/SimpleBridge.xml

@@ -93,6 +93,12 @@
     bridge-specific changes are restricted to the
     <filename>/etc/shorewall/interfaces</filename> file.</para>
 
+    <note>
+      <para>Older configurations that specify an interface name in the SOURCE
+      column of <filename>/etc/shorewall/masq</filename> will also need to
+      change that file.</para>
+    </note>
+
     <para>This example illustrates the bridging of two Ethernet devices but
     the types of the devices really isn't important. What is shown here would
     apply equally to bridging an Ethernet device to an <ulink
@@ -138,5 +144,11 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
 net            eth0            detect         ...
 loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
           role="bold">routeback,bridge</emphasis>,...</programlisting></para>
+
+    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
+    unchanged:</para>
+
+    <programlisting>#INTERFACE     SOURCE          ADDRESS
+eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -226,5 +226,15 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
 
       <para>Re-enables traffic from 192.0.2.125.</para>
     </example>
+
+    <example>
+      <title>Displaying the Dynamic Blacklist</title>
+
+      <programlisting>    <command>shorewall show dynamic</command></programlisting>
+
+      <para>Displays the 'dynamic' chain which contains rules for the dynamic
+      blacklist. The <firstterm>source</firstterm> column contains the set of
+      blacklisted addresses.</para>
+    </example>
   </section>
 </article>

docs/configuration_file_basics.xml

@@ -37,7 +37,8 @@
   <caution>
     <para><emphasis role="bold">This article applies to Shorewall 4.3 and
     later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5then please see the documentation for that release.</emphasis></para>
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
   </caution>
 
   <caution>
@@ -216,7 +217,7 @@
 
         <listitem>
           <para><filename>/usr/share/shorewall/modules</filename> - directs
-          the firewall to load kernel modules. </para>
+          the firewall to load kernel modules.</para>
         </listitem>
 
         <listitem>
@@ -432,6 +433,79 @@ ACCEPT      net:\
     </example>
   </section>
 
+  <section id="SOURCE-DEST">
+    <title>Specifying SOURCE and DEST</title>
+
+    <para>Entries in Shorewall configuration files often deal with the source
+    (SOURCE) and destination (DEST) of connections and Shorewall implements a
+    uniform way for specifying them.</para>
+
+    <para>A SOURCE or DEST consists of one to three parts separated by colons
+    (":"):</para>
+
+    <orderedlist>
+      <listitem>
+        <para>ZONE — The name of a zone declared in
+        <filename>/etc/shorewall/zones</filename> or
+        <filename>/etc/shorewall6/zones</filename>. This part is only
+        available in the rules file (<filename>/etc/shorewall/rules</filename>
+        and <filename>/etc/shorewall6/rules</filename>).</para>
+      </listitem>
+
+      <listitem>
+        <para>INTERFACE — The name of an interface that matches an entry in
+        <filename>/etc/shorewall/interfaces</filename>
+        (<filename>/etc/shorewall6/interfaces</filename>).</para>
+      </listitem>
+
+      <listitem>
+        <para>ADDRESS LIST — A list of one or more addresses (host or network)
+        or address ranges, separated by commas. In an IPv6 configuration, this
+        list must be includes in angled brackets ("&lt;...&gt;"). The list may
+        have <link linkend="Exclusion">exclusion</link>.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Examples.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>All hosts in the <emphasis role="bold">net</emphasis> zone —
+        <emphasis role="bold">net</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Subnet 192.168.1.0/29 in the <emphasis
+        role="bold">loc</emphasis> zone — <emphasis
+        role="bold">loc:192.168.1.0/29</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts in the net zone connecting through <filename
+        class="devicefile">ppp0</filename> — <emphasis
+        role="bold">net:ppp0</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>All hosts interfaced by <filename
+        class="devicefile">eth3</filename> — <emphasis
+        role="bold">eth3</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Subnet 10.0.1.0/24 interfacing through <filename><filename
+        class="devicefile">eth2</filename></filename> — <emphasis
+        role="bold">eth2:10.0.1.0/24</emphasis></para>
+      </listitem>
+
+      <listitem>
+        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
+        role="bold">loc</emphasis> zone — <emphasis
+        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
+      </listitem>
+    </orderedlist>
+  </section>
+
   <section id="INCLUDE">
     <title>INCLUDE Directive</title>
 
@@ -639,8 +713,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
     Perl-based compiler, <firstterm>Embedded scripts</firstterm> offer a
     richer and more flexible extension capability.</para>
 
-    <para>While inline scripts scripts may be written in either Shell or Perl,
-    those written in Perl have a lot more power.</para>
+    <para>While inline scripts may be written in either Shell or Perl, those
+    written in Perl have a lot more power.</para>
 
     <para>Embedded scripts can be either single-line or multi-line. Single
     line scripts take one of the following forms:</para>
@@ -666,17 +740,18 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>
 
-    <para>Perl scripts run in the context of of the compiler process. To
-    produce output that will be processed by the compiler as if it were
-    embedded in the file at the point of the script, pass that output to the
-    shorewall() function. The Perl equivalent of the above SHELL script would
-    be:<programlisting>PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }</programlisting>Perl
-    scripts are implicitly prefixed by the following:</para>
+    <para>Perl scripts run in the context of of the compiler process using
+    Perl's eval() function. Perl scripts are implicitly prefixed by the
+    following:</para>
 
     <programlisting>package Shorewall::User;
 use Shorewall::Config qw/shorewall/;</programlisting>
 
-    <para>A couple of more points should be mentioned:</para>
+    <para>To produce output that will be processed by the compiler as if it
+    were embedded in the file at the point of the script, pass that output to
+    the Shorewall::Config::shorewall() function. The Perl equivalent of the
+    above SHELL script would be:<programlisting>PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }</programlisting>A
+    couple of more points should be mentioned:</para>
 
     <orderedlist>
       <listitem>

docs/template.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2008</year>
+      <year>2009</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>

docs/traffic_shaping.xml

@@ -645,6 +645,20 @@ ppp0           6000kbit         500kbit</programlisting>
               that means that we want to use the source IP address
               <emphasis>before SNAT</emphasis> as the key.</para>
             </listitem>
+
+            <listitem>
+              <para>pfifo - When specified for a leaf class, the pfifo queing
+              discipline is applied to the class rather than the sfq queuing
+              discipline.</para>
+            </listitem>
+
+            <listitem>
+              <para>limit=<emphasis>number</emphasis> - Added in Shorewall
+              4.4.3. When specified for a leaf class, specifies the maximum
+              number of packets that may be queued within the class. The
+              <emphasis>number</emphasis> must be &gt; 2 and less than 128. If
+              not specified, the value 127 is assumed</para>
+            </listitem>
           </itemizedlist>
         </listitem>
       </itemizedlist>
@@ -2038,4 +2052,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
     <para>At least one Shorewall user has found this tool helpful: <ulink
     url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
   </section>
-</article>
+</article>

docs/upgrade_issues.xml

@@ -148,7 +148,8 @@
         starts/restarts</para>
 
         <para>To avoid this warning, replace interface names by the
-        corresponding network addresses (e.g., 192.168.144.0/24).</para>
+        corresponding netwok(s) in CIDR format (e.g.,
+        192.168.144.0/24).</para>
       </listitem>
 
       <listitem>
@@ -166,12 +167,6 @@
         need to renumber the class IDs for devices 10 and greater.</para>
       </listitem>
 
-      <listitem>
-        <para>Jozsef Kadlecsik has removed the set binding capability from
-        ipset 3.1. As a consequence, Shorewall 4.3 no longer supports set
-        binding.</para>
-      </listitem>
-
       <listitem>
         <para>Support for the 'norfc1918' interface and host option has been
         removed. If 'norfc1918' is specified for an entry in either the
@@ -206,6 +201,9 @@
         against the parent zone rules.</para>
       </listitem>
     </orderedlist>
+
+    <para>Be sure to check the latest 4.4 Release Notes linked from the <ulink
+    url="index.htm">home page</ulink>.</para>
   </section>
 
   <section>
@@ -865,7 +863,7 @@ all             all             REJECT:MyReject info</programlisting>
         BOGON_LOG_LEVEL option have been eliminated.</para>
       </listitem>
 
-      <listitem>
+      <listitem id="MAPOLDACTIONS">
         <para>Most of the standard actions have been replaced by parameterized
         macros (see below). So for example, the action.AllowSMTP and
         action.DropSMTP have been removed an a parameterized macro macro.SMTP

manpages/shorewall-interfaces.xml

@@ -161,7 +161,7 @@ loc     eth2            -</programlisting>
 
                 <para>Only those interfaces with the
                 <option>arp_filter</option> option will have their setting
-                changes; the value assigned to the setting will be the value
+                changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
                 <para></para>
@@ -188,7 +188,7 @@ loc     eth2            -</programlisting>
 
                 <para>2 - reply only if the target IP address is local address
                 configured on the incoming interface and the sender's IP
-                address is part from same subnet on this interface</para>
+                address is part from same subnet on this interface's address</para>
 
                 <para>3 - do not reply for local addresses configured with
                 scope host, only resolutions for global and link</para>
@@ -290,11 +290,11 @@ loc     eth2            -</programlisting>
                 role="bold">logmartians</emphasis>. Even if you do not specify
                 the <option>routefilter</option> option, it is a good idea to
                 specify <option>logmartians</option> because your distribution
-                may be enabling route filtering without you knowing it.</para>
+                may have enabled route filtering without you knowing it.</para>
 
                 <para>Only those interfaces with the
                 <option>logmartians</option> option will have their setting
-                changes; the value assigned to the setting will be the value
+                changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
                 <para>To find out if route filtering is set on a given
@@ -510,12 +510,12 @@ loc     eth2            -</programlisting>
                 (sets
                 /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
                 to 1). Only set this option if you know what you are doing.
-                This might represent a security risk and is not usually
-                needed.</para>
+                This might represent a security risk and is usually
+                unneeded.</para>
 
                 <para>Only those interfaces with the
                 <option>sourceroute</option> option will have their setting
-                changes; the value assigned to the setting will be the value
+                changed; the value assigned to the setting will be the value
                 specified (if any) or 1 if no value is given.</para>
 
                 <para></para>
@@ -579,7 +579,7 @@ loc     eth2            -</programlisting>
         <listitem>
           <para>Suppose you have eth0 connected to a DSL modem and eth1
           connected to your local network and that your local subnet is
-          192.168.1.0/24. The interface gets it's IP address via DHCP from
+          192.168.1.0/24. The interface gets its IP address via DHCP from
           subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
           using eth2.</para>
 

manpages/shorewall-masq.xml

@@ -409,7 +409,7 @@
           <para>Only locally-generated connections will match if this column
           is non-empty.</para>
 
-          <para>When this column is non-empty, the rule applies only if the
+          <para>When this column is non-empty, the rule matches only if the
           program generating the output is running under the effective
           <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
           specified (or is NOT running under that id if "!" is given).</para>

manpages/shorewall-nat.xml

@@ -63,7 +63,7 @@
         role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>
 
         <listitem>
-          <para>Interfacees that have the <emphasis
+          <para>Interfaces that have the <emphasis
           role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
           <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
           Shorewall will automatically add the EXTERNAL address to this

manpages/shorewall-netmap.xml

@@ -43,7 +43,7 @@
           <para>Must be DNAT or SNAT.</para>
 
           <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
-          it's destination address rewritten to the corresponding address in
+          its destination address rewritten to the corresponding address in
           NET2.</para>
 
           <para>If SNAT, traffic leaving INTERFACE with a source address in

manpages/shorewall-policy.xml

@@ -41,7 +41,7 @@
 
       <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
       the POLICY for connections from the zone to itself is ACCEPT (with no
-      logging or TCP connection rate limiting but may be overridden by an
+      logging or TCP connection rate limiting) but may be overridden by an
       entry in this file. The overriding entry must be explicit (cannot use
       "all" in the SOURCE or DEST).</para>
 
@@ -95,7 +95,7 @@
         <listitem>
           <para>Policy if no match from the rules file is found.</para>
 
-          <para>If the policy is other than CONTINUE or NONE then the policy
+          <para>If the policy is neither CONTINUE nor NONE then the policy
           may be followed by ":" and one of the following:</para>
 
           <orderedlist numeration="loweralpha">

manpages/shorewall-providers.xml

@@ -163,6 +163,18 @@
                 <para>You want to specify <option>track</option> if internet
                 hosts will be connecting to local servers through this
                 provider.</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                is the default. If, for some reason, you don't want
+                <option>track</option> then specify <option>notrack</option>
+                (see below).</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                defaults to the setting of the TRACK_PROVIDERS option in
+                <ulink url="shorwewall.conf.html">shorewall.conf</ulink> (5).
+                If you set TRACK_PROVIDERS=Yes and want to override that
+                setting for an individual provider, then specify
+                <option>notrack</option> (see below).</para>
               </listitem>
             </varlistentry>
 
@@ -175,7 +187,7 @@
                 specified will get outbound traffic load-balanced among them.
                 By default, all interfaces with <option>balance</option>
                 specified will have the same weight (1). You can change the
-                weight of an interface by specifiying
+                weight of an interface by specifying
                 <option>balance=</option><replaceable>weight</replaceable>
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface.</para>
@@ -194,6 +206,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">notrack</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified, turns off
+                <option>track</option>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">optional
               (deprecated)</emphasis></term>

manpages/shorewall-proxyarp.xml

@@ -67,8 +67,8 @@
           or <emphasis role="bold">yes</emphasis> in this column. Otherwise,
           enter <emphasis role="bold">no</emphasis> or <emphasis
           role="bold">No</emphasis> or leave the column empty and Shorewall
-          will add the route for you. If Shorewall adds the route,the route
-          will be persistent if the <emphasis
+	  will add the route for you. If Shorewall adds the route, its 
+	  persistence depends on the value of the<emphasis
           role="bold">PERSISTENT</emphasis> column contains <emphasis
           role="bold">Yes</emphasis>; otherwise, <emphasis
           role="bold">shorewall stop</emphasis> or <emphasis

manpages/shorewall-rules.xml

@@ -946,7 +946,7 @@
               <term>+upnpd</term>
 
               <listitem>
-                <para>#program named upnpd</para>
+                <para>program named upnpd</para>
 
                 <important>
                   <para>The ability to specify a program name was removed from
@@ -1032,7 +1032,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>
 
         <listitem>
           <para>May be used to limit the rule to a particular time period each

manpages/shorewall-tcclasses.xml

@@ -407,6 +407,28 @@
                 <emphasis>before NAT</emphasis> as the key.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>pfifo</term>
+
+              <listitem>
+                <para>When specified for a leaf class, the pfifo queing
+                discipline is applied to the class rather than the sfq queuing
+                discipline.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>limit=<emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified for a leaf
+                class, determines the maximum number of packets that may be
+                queued within the class. The <emphasis>number</emphasis> must
+                be &gt; 2 and &lt;=128. If not specified, the value 127 is
+                assumed.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

manpages/shorewall-zones.xml

@@ -112,7 +112,7 @@ c:a,b     ipv4</programlisting>
           <para>Where an <emphasis role="bold">ipsec</emphasis> zone is
           explicitly included as a child of an <emphasis
           role="bold">ipv4</emphasis> zone, the ruleset allows CONTINUE
-          policies (explicit or implicit) to work as expected. </para>
+          policies (explicit or implicit) to work as expected.</para>
 
           <para>In the future, Shorewall may make additional use of nesting
           information.</para>
@@ -138,7 +138,8 @@ c:a,b     ipv4</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec4</emphasis>)</term>
 
               <listitem>
                 <para>Communication with all zone hosts is encrypted. Your
@@ -160,7 +161,8 @@ c:a,b     ipv4</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>bport (or bport4)</term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport4</emphasis>)</term>
 
               <listitem>
                 <para>The zone is associated with one or more ports on a

manpages/shorewall.conf.xml

@@ -68,7 +68,7 @@
     (although it probably isn't installed by default). Ulogd is also available
     from <ulink
     url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>
-    and can be configured to log all Shorewall message to their own log
+    and can be configured to log all Shorewall messages to their own log
     file</para>
 
     <para>The following options may be set in shorewall.conf.</para>
@@ -262,7 +262,7 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>If set, the behavior of the 'start' command is change; if no
+          <para>If set, the behavior of the 'start' command is changed; if no
           files in /etc/shorewall have been changed since the last successful
           <command>start</command> or <command>restart</command> command, then
           the compilation step is skipped and the compiled script that
@@ -362,7 +362,7 @@
         <listitem>
           <para>If this option is set to <emphasis role="bold">No</emphasis>
           then Shorewall won't clear the current traffic control rules during
-          [re]start. This setting is intended for use by people that prefer to
+          [re]start. This setting is intended for use by people who prefer to
           configure traffic shaping when the network interfaces come up rather
           than when the firewall is started. If that is what you want to do,
           set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
@@ -1013,6 +1013,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">MAPOLDACTIONS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>This option is included for compatibility with old Shorewall
+          configuration. New installs should always have
+          MAPOLDACTIONS=No.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">MARK_IN_FORWARD_CHAIN=</emphasis>[<emphasis
@@ -1162,30 +1173,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Normally Shorewall attempts to use the iptables packet type
-          match extension to determine broadcast and multicast packets.</para>
-
-          <orderedlist>
-            <listitem>
-              <para>This can cause a message to appear during shorewall start
-              (modprobe: cant locate module ipt_pkttype).</para>
-            </listitem>
-
-            <listitem>
-              <para>Some users have found problems with the packet match
-              extension with the result that their firewall log is flooded
-              with messages relating to broadcast packets.</para>
-            </listitem>
-          </orderedlist>
-
-          <para></para>
-
-          <blockquote>
-            <para>If you are experiencing either of these problems, setting
-            PKTTYPE=No will prevent Shorewall from trying to use the packet
-            type match extension and to use IP address matching to determine
-            which packets are broadcasts or multicasts.</para>
-          </blockquote>
+          <para>This option is included for compatibility with older Shorewall
+          releases. Its setting has no effect.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall.xml

@@ -538,6 +538,8 @@
 
       <arg><option>-f</option></arg>
 
+      <arg><option>-p</option></arg>
+
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 

manpages6/shorewall6-providers.xml

@@ -152,6 +152,13 @@
                 <para>You want to specify <option>track</option> if internet
                 hosts will be connecting to local servers through this
                 provider.</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                defaults to the setting of the TRACK_PROVIDERS option in
+                <ulink url="shorwewall6.conf.html">shorewall6.conf</ulink>
+                (5). If you set TRACK_PROVIDERS=Yes and want to override that
+                setting for an individual provider, then specify
+                <option>notrack</option> (see below).</para>
               </listitem>
             </varlistentry>
 
@@ -167,6 +174,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">notrack</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified, turns off
+                <option>track</option>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">optional</emphasis></term>
 

manpages6/shorewall6-rules.xml

@@ -817,7 +817,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>
 
         <listitem>
           <para>May be used to limit the rule to a particular time period each

manpages6/shorewall6-tcclasses.xml

@@ -358,6 +358,28 @@
                 <emphasis>before NAT</emphasis> as the key.</para>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>pfifo</term>
+
+              <listitem>
+                <para>When specified for a leaf class, the pfifo queing
+                discipline is applied to the class rather than the sfq queuing
+                discipline.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>limit=<emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified for a leaf
+                class, determines the maximum number of packets that may be
+                queued within the class. The <emphasis>number</emphasis> must
+                be &gt; 2 and &lt;= 128. If not specified, the value 127 is
+                assumed.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>

manpages6/shorewall6-zones.xml

@@ -138,7 +138,8 @@ c:a,b     ipv6</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
+              <term><emphasis role="bold">ipsec</emphasis> (or <emphasis
+              role="bold">ipsec6</emphasis>)</term>
 
               <listitem>
                 <para>Communication with all zone hosts is encrypted. Your
@@ -160,7 +161,8 @@ c:a,b     ipv6</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>bport (or bport6)</term>
+              <term><emphasis role="bold">bport</emphasis> (or <emphasis
+              role="bold">bport6</emphasis>)</term>
 
               <listitem>
                 <para>The zone is associated with one or more ports on a

manpages6/shorewall6.conf.xml

@@ -551,9 +551,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">Keep</emphasis>]</term>
 
         <listitem>
-          <para>This parameter determines whether Shorewall6 enables or
-          disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward).
-          Possible values are:</para>
+          <para>This rather useless parameter determines whether Shorewall6
+          enables or disables IPV6 Packet Forwarding on all interfaces
+          (/proc/sys/net/ipv6/config/all/forwarding). Possible values
+          are:</para>
 
           <variablelist>
             <varlistentry>