Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/interfaces

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+$FW	net	ACCEPT
+net	all	DROP

Samples/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -0,0 +1,213 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=Yes
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=On
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+USE_DEFAULT_RT=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples/one-interface/shorewall.conf

@@ -42,9 +42,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -70,6 +68,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -205,6 +205,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -42,9 +42,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -70,6 +68,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -205,6 +205,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -49,9 +49,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -77,6 +75,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -212,6 +212,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/Universal/interfaces

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback
+

Samples6/Universal/policy

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+fw	net	ACCEPT
+net	all	DROP
+

Samples6/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -0,0 +1,168 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IP6TABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=Off
+
+TC_ENABLED=No
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples6/one-interface/shorewall6.conf

@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,6 +153,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,6 +153,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,6 +153,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/ifupdown.sh

@@ -93,7 +93,11 @@ for PRODUCT in $PRODUCTS; do
     VARDIR=/var/lib/$PRODUCT
     [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
     if [ -x $VARDIR/firewall ]; then
-	$VARDIR/firewall -V0 $COMMAND $IFACE
+	  ( . /usr/share/$PRODUCT/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
+	    mutex_off
+	  )
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -84,7 +84,20 @@ shorewall_start () {
       VARDIR=/var/lib/$product
       [ -f /etc/$product/vardir ] && . /etc/$product/vardir
       if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall stop || echo_notdone
+	  #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  ( 
+	      . /usr/share/$product/lib.base
+	      #
+	      # Get mutex so the firewall state is stable
+	      #
+	      mutex_on
+	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/firewall stop || echo_notdone
+	      fi
+	      mutex_off
+	  )
       fi
   done
 
@@ -103,7 +116,11 @@ shorewall_stop () {
       VARDIR=/var/lib/$product
       [ -f /etc/$product/vardir ] && . /etc/$product/vardir
       if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || echo_notdone
+	  ( . /usr/share/$product/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall clear || echo_notdone
+	    mutex_off
+	  )
       fi
   done
 

Shorewall-init/init.sh

@@ -55,15 +55,17 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
-  local vardir
+  local PRODUCT
+  local VARDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall stop || exit 1
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || echo_notdone
+	  fi
       fi
   done
 
@@ -72,15 +74,15 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
-  local vardir
+  local PRODUCT
+  local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$PRODUCT
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall clear || exit 1
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
       fi
   done
 

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -285,7 +285,12 @@ fi
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-init
+	    else
+		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    fi
+
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.10
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,12 +99,46 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -354,7 +354,13 @@ if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-lite
+	    else
+		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	    fi
+
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall-lite/shorewall-lite

@@ -628,14 +628,12 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|clear)
+    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	run_it $g_firewall $debugging $nolock $COMMAND
-	;;
-    reset)
-	verify_firewall_script
-	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
+	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $debugging $COMMAND
+	[ -n "$nolock" ] || mutex_off
 	;;
     restart)
 	shift

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.10
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,12 +102,46 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/Makefile-lite

@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-# 
+#
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#  
+#
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities: 
+capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean: 
+clean:
 	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.7';
+our $VERSION = '4.4.13';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,6 +61,16 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
+    sub reserved_chain_name($) {
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
+    }
+
+    sub ipsec_chain_name($) {
+	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
+	    $1;
+	}
+    }
+
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -72,10 +82,11 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	$jumpchainref = ensure_accounting_chain( $jumpchain );
+	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
+	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	"-j $jumpchain";
+	$jumpchain;
     }
 
     my $target = '';
@@ -86,16 +97,19 @@ sub process_accounting_rule( ) {
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
-
+    my $jump  = 0;
+    
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = '-j RETURN';
+	    $target = 'RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2=1;
-		} elsif ( $cmd ne 'JUMP' ) {
+		    $rule2 = 1;
+		} elsif ( $cmd eq 'JUMP' ) {
+		    $jump = 1;
+		} else {
 		    accounting_error;
 		}
 	    }
@@ -137,7 +151,31 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = ensure_accounting_chain $chain;
+    my $chainref = $filter_table->{$chain};
+    my $dir;
+
+    if ( ! $chainref ) {
+	$chainref = ensure_accounting_chain $chain, 0;
+	$dir      = ipsec_chain_name( $chain );
+
+	if ( $ipsec ne '-' ) {
+	    if ( $dir ) {
+		$rule .= do_ipsec( $dir, $ipsec );
+		$chainref->{ipsec} = $dir;
+	    } else {
+		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+	    }
+	} else {
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
+	    $chainref->{ipsec} = $dir;
+	}
+    } elsif ( $ipsec ne '-' ) {
+	$dir = $chainref->{ipsec};
+	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	$rule .= do_ipsec( $dir , $ipsec );
+    }
+
+    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
 
     expand_rule
 	$chainref ,
@@ -151,6 +189,22 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
+    if ( $rule2 || $jump ) {
+	if ( $chainref->{ipsec} ) {
+	    if ( $jumpchainref->{ipsec} ) {
+		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
+	    } else {
+		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
+		$jumpchainref->{ipsec} = $chainref->{ipsec};
+	    }
+	} elsif ( $jumpchainref->{ipsec} ) {
+	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
+	} else {
+	    $jumpchainref->{ipsec} = $chainref->{ipsec};
+	}
+
+    }
+
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -178,8 +232,6 @@ sub setup_accounting() {
 
     $nonEmpty |= process_accounting_rule while read_a_line;
 
-    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
-
     clear_comment;
 
     if ( have_bridges ) {
@@ -192,13 +244,28 @@ sub setup_accounting() {
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } else {
-	if ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-	    }
+    } elsif ( $filter_table->{accounting} ) {
+	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	}
     }
+
+    if ( $filter_table->{accipsecin} ) {
+	for my $chain ( qw/INPUT FORWARD/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	}
+    }
+
+    if ( $filter_table->{accipsecout} ) {
+	for my $chain ( qw/FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	}
+    }
+
+    for ( accounting_chainrefs ) {
+	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    }
+
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -28,6 +28,7 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 
 use strict;
 
@@ -57,7 +58,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_13';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -178,9 +179,27 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
     my $action = $_[0];
+
+    my $target = '';
+    my $max    = 3;
+    #
+    # The following rather grim RE, when matched, breaks the action into two parts:
+    #
+    #    basicaction(param)
+    #    logging part (may be empty)
+    #
+    # The param may contain one or more ':' characters
+    #
+    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
+	$target = $1;
+	$action = $2 ? $3 : '';
+	$max    = 2;
+    }
+	
     my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
-    ( shift @a, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
+    $target = shift @a unless $target;
+    ( $target, join ":", @a );
 }
 
 #
@@ -617,7 +636,7 @@ sub process_action( $$$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ? "-j $action" : '',
+		  $action ,
 		  $level ,
 		  $action ,
 		  '' );
@@ -776,8 +795,8 @@ sub dropBcast( $$$ ) {
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
-	    }		
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+	    }
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -801,7 +820,7 @@ sub dropBcast( $$$ ) {
     if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
     } else {
-	add_rule $chainref, '-d ff00::/10 -j DROP';
+	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
     }
 }
 
@@ -833,8 +852,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
-	    add_rule $chainref, '-d ff00::/10 -j ACCEPT';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
+	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
 	}
     }
 }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_12';
 
 our $export;
 
@@ -87,22 +87,22 @@ sub generate_script_1( $ ) {
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;
-	    
+
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    
+
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
-	    
+
 	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
 	}
-	
+
     }
 
     my $lib = find_file 'lib.private';
-	
+
     copy2( $lib, $debug ) if -f $lib;
 
     emit <<'EOF';
@@ -256,7 +256,7 @@ sub generate_script_2() {
     push_indent;
 
     if ( $global_variables ) {
-	
+
 	emit( 'case $COMMAND in' );
 
 	push_indent;
@@ -300,7 +300,7 @@ sub generate_script_2() {
     pop_indent;
 
     emit "\n}\n"; # End of detect_configuration()
-    
+
 }
 
 # Final stage of script generation.
@@ -384,7 +384,7 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
 	       '' );
 	save_dynamic_chains;
 	mark_firewall_not_started;
@@ -442,32 +442,37 @@ EOF
     setup_forwarding( $family , 1 );
     push_indent;
 
-    emit<<'EOF';
-    set_state "Started"
+    my $config_dir = $globals{CONFIGDIR};
+
+    emit<<"EOF";
+    set_state Started $config_dir 
     run_restored_exit
 else
-    if [ $COMMAND = refresh ]; then
+    if [ \$COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<'EOF';
+    emit<<"EOF";
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
     else
         setup_netfilter
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<'EOF';
+    emit<<"EOF";
         run_start_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
         run_started_exit
     fi
 
+EOF
+
+    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 

Shorewall/Perl/Shorewall/Config.pm

@@ -114,6 +114,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       $product
 				       $Product
+				       $toolname
 				       $command
 				       $doing
 				       $done
@@ -131,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -218,6 +219,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
+		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -249,6 +251,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
+		 FWMARK_RT_MASK  => 'fwmark route mask',
+		 MARK_ANYWHERE   => 'Mark in any table',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -288,6 +292,7 @@ our $sillyname;               # Name of temporary filter chains for testing capa
 our $sillyname1;
 our $iptables;                # Path to iptables/ip6tables
 our $tc;                      # Path to tc
+our $ip;                      # Path to ip
 
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
@@ -335,14 +340,15 @@ sub initialize( $ ) {
     #
     %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR =>  '/etc/shorewall',
+		    CONFDIR =>  '/etc/shorewall',     # Run-time configuration directory
+		    CONFIGDIR => '',                  # Compile-time configuration directory (location of $product.conf)
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.10.1",
-		    CAPVERSION => 40408 ,
+		    VERSION => "4.4.13",
+		    CAPVERSION => 40413 ,
 		  );
 
     #
@@ -360,6 +366,7 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
+	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -378,6 +385,7 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
+	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -461,6 +469,8 @@ sub initialize( $ ) {
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
+	      FORWARD_CLEAR_MARK => undef,
+	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -505,6 +515,7 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
+	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -520,6 +531,7 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
+	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -582,6 +594,8 @@ sub initialize( $ ) {
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
+	      FORWARD_CLEAR_MARK => undef,
+	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -631,6 +645,7 @@ sub initialize( $ ) {
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
 	       IPSET_MATCH => undef,
+	       OLD_IPSET_MATCH => undef,
 	       CONNMARK => undef,
 	       XCONNMARK => undef,
 	       CONNMARK_MATCH => undef,
@@ -662,6 +677,8 @@ sub initialize( $ ) {
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
+	       FWMARK_RT_MASK => undef,
+	       MARK_ANYWHERE => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1181,7 +1198,7 @@ sub copy1( $ ) {
 		    print $script $here_documents if $here_documents;
 		    print $script "\n";
 		}
-		
+
 		if ( $debug ) {
 		    print "GS-----> $here_documents" if $here_documents;
 		    print "GS----->\n";
@@ -1281,7 +1298,7 @@ EOF
 			s/^(\s*)/$indent1$1$indent2/;
 			s/        /\t/ if $indent2;
 		    }
-		    
+
 		    if ( $script ) {
 			print $script $_;
 			print $script "\n";
@@ -1295,9 +1312,9 @@ EOF
 		    $lastlineblank = 0;
 		}
 	    }
-	    
+
 	    close IF;
-	
+
 	    unless ( $lastlineblank ) {
 		print $script "\n" if $script;
 		print "GS----->\n" if $trace;
@@ -1462,10 +1479,12 @@ sub split_list1( $$ ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
 		push @list2 , $_;
 	    } else {
+		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
+	    s/\)//;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1764,7 +1783,9 @@ sub embedded_perl( $ ) {
 #   - Handle INCLUDE <filename>
 #
 
-sub read_a_line() {
+sub read_a_line(;$) {
+    my $embedded_enabled = defined $_[0] ? shift : 1;
+
     while ( $currentfile ) {
 
 	$currentline = '';
@@ -1810,53 +1831,59 @@ sub read_a_line() {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
-		embedded_shell( $1 );
-	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
-		embedded_perl( $1 );
-	    } else {
-		my $count = 0;
-		#
-		# Expand Shell Variables using %ENV
-		#
-		#                            $1      $2      $3           -     $4
-		while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
-		    my $val = $ENV{$3};
-
-		    unless ( defined $val ) {
-			fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
-			$val = '';
-		    }
-
-		    $currentline = join( '', $1 , $val , $4 );
-		    fatal_error "Variable Expansion Loop" if ++$count > 100;
+	    if ( $embedded_enabled ) {
+		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		    embedded_shell( $1 );
+		    next;
 		}
 
-		if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		    embedded_perl( $1 );
+		    next;
+		}
+	    } 
 
-		    my @line = split ' ', $currentline;
+	    my $count = 0;
+	    #
+	    # Expand Shell Variables using %ENV
+	    #
+	    #                            $1      $2      $3           -     $4
+	    while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+		my $val = $ENV{$3};
 
-		    fatal_error "Invalid INCLUDE command"    if @line != 2;
-		    fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		unless ( defined $val ) {
+		    fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
+		    $val = '';
+		}
 
-		    my $filename = find_file $line[1];
+		$currentline = join( '', $1 , $val , $4 );
+		fatal_error "Variable Expansion Loop" if ++$count > 100;
+	    }
 
-		    fatal_error "INCLUDE file $filename not found" unless -f $filename;
-		    fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
+	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
 
-		    if ( -s _ ) {
-			push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
-			$currentfile = undef;
-			do_open_file $filename;
-		    } else {
-			$currentlinenumber = 0;
-		    }
+		my @line = split ' ', $currentline;
 
-		    $currentline = '';
+		fatal_error "Invalid INCLUDE command"    if @line != 2;
+		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+
+		my $filename = find_file $line[1];
+
+		fatal_error "INCLUDE file $filename not found" unless -f $filename;
+		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
+
+		if ( -s _ ) {
+		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+		    $currentfile = undef;
+		    do_open_file $filename;
 		} else {
-		    print "IN===> $currentline\n" if $debug;
-		    return 1;
+		    $currentlinenumber = 0;
 		}
+
+		$currentline = '';
+	    } else {
+		print "IN===> $currentline\n" if $debug;
+		return 1;
 	    }
 	}
 
@@ -1899,9 +1926,11 @@ sub default ( $$ ) {
 sub default_yes_no ( $$ ) {
     my ( $var, $val ) = @_;
 
-    my $curval = "\L$config{$var}";
+    my $curval = $config{$var};
 
     if ( defined $curval && $curval ne '' ) {
+	$curval = lc $curval;
+
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} else {
@@ -1924,7 +1953,7 @@ sub numeric_option( $$$ ) {
     my $value = $config{$option};
 
     my $val = $default;
-    
+
     if ( defined $value && $value ne '' ) {
 	$val = numeric_value $value;
 	fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
@@ -1937,7 +1966,7 @@ sub numeric_option( $$$ ) {
 
 sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
-}   
+}
 
 my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
 
@@ -2183,14 +2212,14 @@ sub Persistent_Snat() {
 	$result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
 	qt1( "$iptables -t nat -F $sillyname" );
 	qt1( "$iptables -t nat -X $sillyname" );
-	
+
     }
 
     $result;
 }
 
 sub Mangle_Enabled() {
-    if ( qt1( "$iptables -t mangle -L -n" ) ) { 
+    if ( qt1( "$iptables -t mangle -L -n" ) ) {
 	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
     }
 }
@@ -2300,7 +2329,11 @@ sub Comments() {
 }
 
 sub Hashlimit_Match() {
-    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+    if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) {
+	! ( $capabilities{OLD_HL_MATCH} = 0 );
+    } else {
+	have_capability 'OLD_HL_MATCH';
+    }
 }
 
 sub Old_Hashlimit_Match() {
@@ -2347,7 +2380,7 @@ sub Raw_Table() {
     qt1( "$iptables -t raw -L -n" );
 }
 
-sub IPSet_Match() {
+sub Old_IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
 
@@ -2359,7 +2392,31 @@ sub IPSet_Match() {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$result = 1;
+		$result = $capabilities{IPSET_MATCH} = 1;
+	    }
+
+	    qt( "$ipset -X $sillyname" );
+	}
+    }
+
+    $result;
+}
+
+sub IPSet_Match() {
+    my $ipset  = $config{IPSET} || 'ipset';
+    my $result = 0;
+
+    $ipset = which $ipset unless $ipset =~ '/';
+
+    if ( $ipset && -x $ipset ) {
+	qt( "$ipset -X $sillyname" );
+
+	if ( qt( "$ipset -N $sillyname iphash" ) ) {
+	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+	    } else {
+		$result = have_capability 'OLD_IPSET_MATCH';
 	    }
 
 	    qt( "$ipset -X $sillyname" );
@@ -2417,6 +2474,14 @@ sub Flow_Filter() {
     $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
 }
 
+sub Fwmark_Rt_Mask() {
+    $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
+}
+
+sub Mark_Anywhere() {
+    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
+}
+
 our %detect_capability =
     ( ADDRTYPE => \&Addrtype,
       CLASSIFY_TARGET => \&Classify_Target,
@@ -2428,6 +2493,7 @@ our %detect_capability =
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
+      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
       GOTO_TARGET => \&Goto_Target,
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HELPER_MATCH => \&Helper_Match,
@@ -2435,6 +2501,7 @@ our %detect_capability =
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
       IPSET_MATCH => \&IPSet_Match,
+      OLD_IPSET_MATCH => \&Old_IPSet_Match,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
@@ -2442,6 +2509,7 @@ our %detect_capability =
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
+      MARK_ANYWHERE => \&Mark_Anywhere,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2484,7 +2552,7 @@ sub have_capability( $ ) {
 
     $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };
 
-    $capabilities{ $capability }; 
+    $capabilities{ $capability };
 }
 
 #
@@ -2505,11 +2573,11 @@ sub determine_capabilities() {
     qt1( "$iptables -N $sillyname1" );
 
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
-	unless 
+	unless
 	    qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
 	    qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
-	    
-  
+
+
     unless ( $config{ LOAD_HELPERS_ONLY } ) {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -2518,7 +2586,7 @@ sub determine_capabilities() {
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-	
+
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
 	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
 	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
@@ -2531,7 +2599,7 @@ sub determine_capabilities() {
 	     $capabilities{KLUDGEFREE}  = Kludgefree1;
 	}
 
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' ); 
+	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
 	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
 
 	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
@@ -2585,6 +2653,8 @@ sub determine_capabilities() {
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
+	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
+	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2662,12 +2732,15 @@ sub process_shorewall_conf() {
     my $file = find_file "$product.conf";
 
     if ( -f $file ) {
+	$globals{CONFIGDIR} =  $file;
+	$globals{CONFIGDIR} =~ s/$product.conf//;
+
 	if ( -r _ ) {
 	    open_file $file;
 
 	    first_entry "Processing $file...";
 
-	    while ( read_a_line ) {
+	    while ( read_a_line(0) ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    unless ( exists $config{$var} ) {
@@ -2742,12 +2815,18 @@ sub get_capabilities( $ ) {
 
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
 
-	$tc = $config{TC};
+	$tc = $config{TC} || which 'tc';
 
 	if ( $tc ) {
 	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
 	}
 
+	$ip = $config{IP} || which 'ip';
+
+	if ( $ip ) {
+	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
+	}
+
 	load_kernel_modules;
 
 	if ( open_file 'capabilities' ) {
@@ -2820,7 +2899,60 @@ sub get_configuration( $ ) {
 
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
-    if ( $config{LOGRATE} || $config{LOGBURST} ) {
+    if ( my $rate = $config{LOGLIMIT} ) {
+	my $limit;
+
+	if ( $rate =~ /^[sd]:/ ) {
+	    require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
+
+	    $limit = "-m hashlimit ";
+
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	    my $units;
+
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+		fatal_error "Invalid rate ($1)" unless $2;
+		fatal_error "Invalid burst value ($5)" unless $5;
+
+		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
+		$units = $4;
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+		fatal_error "Invalid rate ($1)" unless $2;
+		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
+		$units = $4;
+	    } else {
+		fatal_error "Invalid rate ($rate)";
+	    }
+
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+	    if ( $units && $units ne 'sec' ) {
+		my $expire = 60000; # 1 minute in milliseconds
+		
+		if ( $units ne 'min' ) {
+		    $expire *= 60; #At least an hour
+		    $expire *= 24 if $units eq 'day';
+		}
+		
+		$limit .= "--hashlimit-htable-expire $expire ";
+	    }
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	    fatal_error "Invalid rate ($1)" unless $2;
+	    fatal_error "Invalid burst value ($5)" unless $5;
+	    $limit = "-m limit --limit $1 --limit-burst $5 ";
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	    fatal_error "Invalid rate (${1}${2})" unless $1;
+	    $limit = "-m limit --limit $rate ";
+	} else {
+	    fatal_error "Invalid rate ($rate)";
+	}
+
+	$globals{LOGLIMIT} = $limit;
+
+	warning_message "LOGRATE Ignored when LOGLIMIT is specified"  if $config{LOGRATE};
+	warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
+
+    } elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
 	}
@@ -2837,7 +2969,7 @@ sub get_configuration( $ ) {
     }
 
     check_trivalue ( 'IP_FORWARDING', 'on' );
-    
+
     my $val;
 
     if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
@@ -2856,7 +2988,7 @@ sub get_configuration( $ ) {
     }
 
     if ( $family == F_IPV6 ) {
-	$val = $config{ROUTE_FILTER};	
+	$val = $config{ROUTE_FILTER};
 	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
     }
 
@@ -2939,7 +3071,7 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTO_COMMENT'               , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'MANGLE_ENABLED'             , 'Yes';
+    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
     default_yes_no 'NULL_ROUTE_RFC1918'         , '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
@@ -2950,15 +3082,24 @@ sub get_configuration( $ ) {
     default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
     default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
     default_yes_no 'REQUIRE_INTERFACE'          , '';
+    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
+    default_yes_no 'COMPLETE'                   , '';
+
+    require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
     numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
     numeric_option 'PROVIDER_BITS' ,   8, 0;
     numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
-    
+
     if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
+	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
+    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
+	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
+    } else {
+	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
     }
 
     $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
@@ -2966,6 +3107,12 @@ sub get_configuration( $ ) {
     $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
     $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
+    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
+    } else {
+	$globals{USER_MASK} = 0;
+    }
+
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_12';
 
 #
 # Some IPv4/6 useful stuff
@@ -87,18 +87,19 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'FF00::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
-	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_MULTICAST      => 'ff00::/8' ,
+	       IPv6_LINKLOCAL      => 'fe80::/10' ,
+	       IPv6_SITELOCAL      => 'feC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
-	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
+	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
+	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
@@ -123,8 +124,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for my $a ( @address ) {
-	return 0 unless $a =~ /^\d+$/ && $a < 256;
+    for ( @address ) {
+	return 0 unless /^\d+$/ && $_ < 256;
     }
 
     1;
@@ -157,8 +158,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for my $a ( @address ) {
-	$result = ( $result << 8 ) | $a;
+    for ( @address ) {
+	$result = ( $result << 8 ) | $_;
     }
 
     $result;
@@ -292,6 +293,11 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 65535 ? $number : undef;
     } else {
+	#
+	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
+	#
+	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
+	
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
     }
 }
@@ -332,7 +338,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( @ports );
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -439,7 +445,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 
 	$last++; #Increment last address for limit testing.
 	#
@@ -501,7 +507,7 @@ sub valid_6address( $ ) {
     unless ( $address =~ /::$/  ) {
 	return 0 if $address =~ /:$/;
     }
-		 
+
     for my $a ( @address ) {
 	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
     }
@@ -570,7 +576,7 @@ sub normalize_6addr( $ ) {
 	1 while $addr =~ s/::/:0:/;
 
 	$addr =~ s/^0+:/0:/;
-	
+
 	$addr;
     }
 }
@@ -682,7 +688,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    my $family = shift;
+    $family = shift;
 
     if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,56 +49,6 @@ sub initialize() {
     %addresses_to_add = ();
 }
 
-#
-# Handle IPSEC Options in a masq record
-#
-sub do_ipsec_options($)
-{
-    my %validoptions = ( strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-    my $list=$_[0];
-    my $options = '-m policy --pol ipsec --dir out ';
-    my $fmt;
-
-    for my $e ( split_list $list, 'option' ) {
-	my $val    = undef;
-	my $invert = '';
-
-	if ( $e =~ /([\w-]+)!=(.+)/ ) {
-	    $val    = $2;
-	    $e      = $1;
-	    $invert = '! ';
-	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
-	    $val = $2;
-	    $e   = $1;
-	}
-
-	$fmt = $validoptions{$e};
-
-	fatal_error "Invalid Option ($e)" unless $fmt;
-
-	if ( $fmt eq NOTHING ) {
-	    fatal_error "Option \"$e\" does not take a value" if defined $val;
-	} else {
-	    fatal_error "Missing value for option \"$e\""        unless defined $val;
-	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
-	}
-
-	$options .= $invert;
-	$options .= "--$e ";
-	$options .= "$val " if defined $val;
-    }
-
-    $options;
-}
-
 #
 # Process a single rule from the the masq file
 #
@@ -153,11 +103,11 @@ sub process_one_masq( )
 	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= '-m policy --pol ipsec --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= '-m policy --pol none --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'none', '';
 	} else {
-	    $baserule .= do_ipsec_options $ipsec;
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
 	}
     } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
@@ -175,7 +125,7 @@ sub process_one_masq( )
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = '-j MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -221,7 +171,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "-j SNAT --to-source $variable";
+		    $target = "SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -231,13 +181,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = '-j RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = '-j SNAT ';
+			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
@@ -448,7 +398,9 @@ sub setup_netmap() {
 
     while ( read_a_line ) {
 
-	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+
+	$net3 = ALLIP if $net3 eq '-';
 
 	for my $interface ( split_list $interfacelist, 'interface' ) {
 
@@ -459,15 +411,15 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev $interface;
-		$ruleout = match_dest_dev $interface;
+		$rulein  = match_source_dev( $interface );
+		$ruleout = match_dest_dev( $interface );
 		$interface = $interfaceref->{name};
 	    }
 
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein  . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_12';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -246,7 +246,7 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
     }
 
-    $chainref->{default}   = $default if $default;
+    $chainref->{default} = $default if $default;
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -286,7 +286,7 @@ sub save_policies() {
 	    }
 	}
     }
-}	    
+}
 
 sub validate_policy()
 {
@@ -307,6 +307,7 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
+    my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
     for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -332,13 +333,15 @@ sub validate_policy()
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
 	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
 
-	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
+	my $zoneref = find_zone( $zone );
+
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
-	    }
+	    }		
 	}
     }
 
@@ -415,13 +418,14 @@ sub apply_policy_rules() {
 
     for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
-	my $loglevel    = $chainref->{loglevel};
-	my $provisional = $chainref->{provisional};
-	my $default     = $chainref->{default};
-	my $name        = $chainref->{name};
-	my $synparms    = $chainref->{synparms};
 
-	if ( $policy ne 'NONE' ) {
+	unless ( $policy eq 'NONE' ) {
+	    my $loglevel    = $chainref->{loglevel};
+	    my $provisional = $chainref->{provisional};
+	    my $default     = $chainref->{default};
+	    my $name        = $chainref->{name};
+	    my $synparms    = $chainref->{synparms};
+
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
 		    #
@@ -492,7 +496,14 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+	    log_rule_limit( $level , 
+			    $synchainref , 
+			    $chainref->{name} , 
+			    'DROP', 
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
+			    '' , 
+			    'add' , 
+			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}

Shorewall/Perl/Shorewall/Proc.pm

@@ -58,7 +58,7 @@ sub setup_arp_filtering() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'arp_filter';
 	    my $optional = interface_is_optional $interface;
-                           
+
 	    $interface = get_physical $interface;
 
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
@@ -74,7 +74,7 @@ sub setup_arp_filtering() {
 	for my $interface ( @$interfaces1 ) {
 	    my $value = get_interface_option $interface, 'arp_ignore';
 	    my $optional = interface_is_optional $interface;
-                           
+
 	    $interface = get_physical $interface;
 
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
@@ -118,7 +118,7 @@ sub setup_route_filtering() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'routefilter';
 	    my $optional = interface_is_optional $interface;
-                           
+
 	    $interface = get_physical $interface;
 
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
@@ -169,7 +169,7 @@ sub setup_martian_logging() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'logmartians';
 	    my $optional = interface_is_optional $interface;
-                           
+
 	    $interface = get_physical $interface;
 
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_13';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -158,7 +158,7 @@ sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
     #
     # Hack to work around problem in iproute
-    #    
+    #
     my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
     #
     # Map physical names in $copy to logical names
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
     my $physical    = get_physical $interface;
@@ -295,7 +295,7 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
 	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
@@ -340,7 +340,7 @@ sub add_a_provider( ) {
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
+		$default_balance = 0 if$config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -435,10 +435,12 @@ sub add_a_provider( ) {
     }
 
     if ( $mark ne '-' ) {
-	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
 
-	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+
+	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
@@ -546,7 +548,7 @@ sub start_new_if( $ ) {
     emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
     push_indent;
 }
-  
+
 #
 # Complete any current 'if' statement in the output script
 #
@@ -843,55 +845,100 @@ sub lookup_provider( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
 
-    my $returnvalue = verify_required_interfaces( shift );
-    #
-    # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
-    # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that 
-    # wildcard are returned.
-    #
-    my $interfaces = find_interfaces_by_option1 'optional';
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
 
     if ( @$interfaces ) {
-	for my $interface ( @$interfaces ) {
-	    my $provider = $provider_interfaces{$interface};
-	    my $physical = get_physical $interface;
-	    my $base     = uc chain_base( $physical );
+	my $require     = $config{REQUIRE_INTERFACE};
+	
+	verify_required_interfaces( shift );
 
-	    emit( '' );
+	emit( 'HAVE_INTERFACE=', '' ) if $require;
+	#
+	# Clear the '_IS_USABLE' variables
+	#
+	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
 
-	    if ( $config{REQUIRE_INTERFACE} ) {
-		emit( 'HAVE_INTERFACE=' );
-		emit( '' );
-	    }
+	if ( $wildcards ) {
+	    #
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
+	    #
+	    emit( '', 
+		  'for interface in $(find_all_interfaces1); do',
+		);
 
-	    if ( $provider ) {
-		#
-		# This interface is associated with a non-shared provider -- get the provider table entry
-		#
-		my $providerref = $providers{$provider};
+	    push_indent;
+	    emit ( 'case "$interface" in' );
+	    push_indent;
+	} else {
+	    emit '';
+	}
 
-		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-		} else {
-		    emit qq(if interface_is_usable $physical; then);
-		}
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	    my $provider    = $provider_interfaces{$interface};
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
+	    my $providerref = $providers{$provider};
+
+	    emit( "$physical)" ), push_indent if $wildcards;
+
+	    if ( $providerref->{gatewaycase} eq 'detect' ) {
+		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
-		#
-		# Not a provider interface
-		#
 		emit qq(if interface_is_usable $physical; then);
 	    }
 
-	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'else' ,
-		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
+
+	    emit( ';;' ), pop_indent if $wildcards;
 	}
 
-	if ( $config{REQUIRE_INTERFACE} ) {
-	    emit( '', 
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
+	    my $case        = $physical;
+	    my $wild        = $case =~ s/\+$/*/;
+
+	    if ( $wildcards ) {
+		emit( "$case)" );
+		push_indent;
+		
+		if ( $wild ) {
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		    push_indent; 
+		    emit ( 'if interface_is_usable $interface; then' );
+		} else {
+		    emit ( "if interface_is_usable $physical; then" );
+		}
+	    } else {
+		emit ( "if interface_is_usable $physical; then" );
+	    }
+
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		   'fi' );
+
+	    if ( $wildcards ) {
+		pop_indent, emit( 'fi' ) if $wild;
+		emit( ';;' );
+		pop_indent;
+	    }
+	}
+
+	if ( $wildcards ) {
+	    emit( '*)' ,
+		  '    ;;'
+		);
+	    pop_indent;
+	    emit( 'esac' );
+	    pop_indent;
+	    emit('done' );
+	}
+
+	if ( $require ) {
+	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
 		  '        start|restart|restore|refresh)'
@@ -902,10 +949,10 @@ sub handle_optional_interfaces( $ ) {
 	    } else {
 		emit( '            if shorewall6_is_started; then' );
 	    }
-	
+
 	    emit( '                fatal_error "No network interface available"',
 		  '            else',
-		  '                startup_error "No network interface available',
+		  '                startup_error "No network interface available"',
 		  '            fi',
 		  '            ;;',
 		  '    esac',
@@ -913,10 +960,10 @@ sub handle_optional_interfaces( $ ) {
 		);
 	}
 
-	$returnvalue = 1;
+	return 1;
     }
 
-    $returnvalue;
+    verify_required_interfaces( shift );
 }
 
 #
@@ -955,14 +1002,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
+			$rule2 = '';
 		    }
 
-		    $rule1 =~ s/-A tcpre //;
-
+		    assert ( $rule1 =~ s/^-A // );
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			assert ( $rule2 =~ s/^-A // );
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -982,14 +1029,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
+			$rule2 = '';
 		    }
 
-		    $rule1 =~ s/-A tcout //;
-
+		    assert( $rule1 =~ s/-A // );
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 		}

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_13';
 
 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
     ( my $zone, $source) = split /:/, $source, 2;
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'-j NOTRACK' ,
+	'NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,37 +40,44 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1
+		    fw       => 1,
+		    fwi      => 0,
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
+		    fwi      => 0,
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
+		    fwi      => 1 ,
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    );
 
@@ -158,6 +165,7 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
+		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );
 
 our $family;
@@ -218,12 +226,23 @@ sub process_tc_rule( ) {
 	}
     }
 
+    if ( $dest ) {
+	if ( $dest eq $fw ) {
+	    $chain = 'tcin';
+	    $dest  = '';
+	} else {
+	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	}
+    }
+
     if ( $designator ) {
 	$tcsref = $tcs{$designator};
 
 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
+	    } elsif ( $chain eq 'tcin' ) {
+		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
@@ -250,6 +269,8 @@ sub process_tc_rule( ) {
 
     $list = '';
 
+    my $restriction = 0;
+
     unless ( $classid ) {
       MARK:
 	{
@@ -259,7 +280,7 @@ sub process_tc_rule( ) {
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
 
-		    $target      = "$tccmd->{target} ";
+		    $target      = $tccmd->{target};
 		    my $marktype = $tccmd->{mark};
 
 		    if ( $marktype == NOMARK ) {
@@ -268,15 +289,19 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
 
-		    if ( $target eq 'sticky ' ) {
+		    if ( $target eq 'sticky' ) {
 			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 
+			$restriction = DESTIFACE_DISALLOW;
+			
+			ensure_mangle_chain($target);
+
 			$sticky++;
-		    } elsif ( $target eq 'IPMARK ' ) {
+		    } elsif ( $target eq 'IPMARK' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 
 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
@@ -313,11 +338,11 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY ' ) {
+		    } elsif ( $target eq 'TPROXY' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-			
+
 			$chain = 'tcpre';
 
 			$cmd =~ /TPROXY\((.+?)\)$/;
@@ -337,15 +362,15 @@ sub process_tc_rule( ) {
 			}
 
 			$target .= "--on-port $port";
-			
+
 			if ( defined $ip && $ip ne '' ) {
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}
 
-			$target .= ' --tproxy-mark';	
+			$target .= ' --tproxy-mark';
 		    }
-			
+
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -371,14 +396,16 @@ sub process_tc_rule( ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
 		my $limit = $globals{TC_MASK};
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		unless ( have_capability 'FWMARK_RT_MASK' ) {
+		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		}
 	    }
 	}
     }
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} ,
+				     $restrictions{$chain} | $restriction,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
@@ -389,9 +416,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "-j $target $mark" ,
-				     '' ,
+				     $mark ? "$target $mark" : $target,
 				     '' ,
+				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -408,11 +435,11 @@ sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
     return 0           if $rate eq '-';
-    return $1          if $rate =~ /^(\d+)kbit$/i;
-    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
-    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
-    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
-    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
+    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
+    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
+    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
+    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
+    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
     fatal_error "Invalid Rate ($rate)";
 }
 
@@ -431,8 +458,6 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
     my $flow = shift;
 
-    $flow =~ s/^\(// if $flow =~ s/\)$//;
-
     my @flow = split /,/, $flow;
 
     for ( @flow ) {
@@ -443,7 +468,7 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
 
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -463,7 +488,21 @@ sub process_simple_device() {
 	}
     }
 
-    $bandwidth = rate_to_kbit( $bandwidth );
+    my $in_burst = '10kb';
+
+    if ( $in_bandwidth =~ /:/ ) {
+	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
+
+	if ( defined $burst && $burst ne '' ) {
+	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $in_burst = $burst;
+	}
+
+	$in_bandwidth = rate_to_kbit( $in_band );
+    } else {
+	$in_bandwidth = rate_to_kbit( $in_bandwidth );
+    }
 
     emit "if interface_is_up $physical; then";
 
@@ -471,14 +510,54 @@ sub process_simple_device() {
 
     emit ( "${dev}_exists=Yes",
 	   "qt \$TC qdisc del dev $physical root",
-	   "qt \$TC qdisc del dev $physical ingress\n"	   
+	   "qt \$TC qdisc del dev $physical ingress\n"
 	 );
 
     emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
-	 ) if $bandwidth;
-	  
-    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
+	 ) if $in_bandwidth;
+
+    if ( $out_part ne '-' ) {
+	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
+
+	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
+
+	$out_bandwidth = rate_to_kbit( $out_bandwidth );
+
+	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
+
+	if ( defined $burst && $burst ne '' ) {
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " burst $burst";
+	} else {
+	    $command .= ' burst 10kb';
+	}
+
+	if ( defined $latency && $latency ne '' ) {
+	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
+	    $command .= " latency $latency";
+	} else {
+	    $command .= ' latency 200ms';
+	}
+
+	if ( defined $peak && $peak ne '' ) {
+	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " peakrate $peak";
+	}
+
+	if ( defined $minburst && $minburst ne '' ) {
+	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " minburst $minburst";
+	}
+
+	emit $command;
+
+	my $id = $number; $number = in_hexp( $devnum | 0x100 );
+
+	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    } else {
+	emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    }
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
@@ -488,7 +567,7 @@ sub process_simple_device() {
     }
 
     save_progress_message_short qq("   TC Device $physical defined.");
-    
+
     pop_indent;
     emit 'else';
     push_indent;
@@ -497,9 +576,9 @@ sub process_simple_device() {
     emit "${dev}_exists=";
     pop_indent;
     emit "fi\n";
- 
+
     progress_message "  Simple tcdevice \"$currentline\" $done.";
-}    
+}
 
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
@@ -1094,14 +1173,14 @@ sub process_tc_priority() {
 		  1 );
     } else {
 	my $postref = $mangle_table->{tcpost};
-	
+
 	if ( $address ne '-' ) {
 	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
-	    add_rule( $postref , 
+	    add_rule( $postref ,
 		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
 		      1 );
 
@@ -1113,7 +1192,7 @@ sub process_tc_priority() {
 		    $ipp2p = 1;
 		}
 
-		add_rule( $postref , 
+		add_rule( $postref ,
 			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
 			  1 )
 		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
@@ -1139,8 +1218,8 @@ sub setup_simple_traffic_shaping() {
     my $fn1 = open_file 'tcpri';
 
     if ( $fn1 ) {
-	first_entry 
-	    sub { 
+	first_entry
+	    sub {
 		progress_message2 "$doing $fn1...";
 		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
 	    };
@@ -1228,11 +1307,26 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}
 
-	my $inband = rate_to_kbit $devref->{in_bandwidth};
+	my $in_burst = '10kb';
+	my $inband;
+
+	if ( $devref->{in_bandwidth} =~ /:/ ) {
+	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
+
+	    if ( defined $burst && $burst ne '' ) {
+		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+		$in_burst = $burst;
+	    }
+
+	    $inband = rate_to_kbit( $in_band );
+	} else {
+	    $inband = rate_to_kbit $devref->{in_bandwidth};
+	}
 
 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
 		   );
 	}
 
@@ -1350,6 +1444,68 @@ sub setup_traffic_shaping() {
     }
 }
 
+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+
+    if ( $secmark eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my %chns = ( T => 'tcpost'  ,
+		 P => 'tcpre'   ,
+		 F => 'tcfor'   ,
+		 I => 'tcin'    ,
+		 O => 'tcout'   , );
+
+    my %state = ( N =>  'NEW' ,
+		  E =>  'ESTABLISHED' , 
+		  ER => 'ESTABLISHED,RELATED' );
+
+    my ( $chain , $state, $rest) = split ':', $chainin , 3;
+
+    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
+
+    my $chain1= $chns{$chain};
+    
+    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
+    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
+
+    if ( ( $state ||= '' ) ne '' ) {
+	my $state1;
+	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
+	$state = "$globals{STATEMATCH} $state1 ";
+    }
+
+    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
+	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
+		 "SECMARK --selctx $secmark";
+
+    my $disposition = $target;
+
+    $disposition =~ s/ .*//;
+
+    expand_rule( ensure_mangle_chain( $chain1 ) , 
+		 $restrictions{$chain1} ,
+		 $state .
+		 do_proto( $proto, $dport, $sport ) .
+		 do_user( $user ) .
+		 do_test( $mark, $globals{TC_MASK} ) ,
+		 $source , 
+		 $dest , 
+		 '' , 
+		 $target , 
+		 '' , 
+		 $disposition,
+		 '' );
+
+    progress_message "Secmarks rule \"$currentline\" $done";
+		 
+}
+
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -1362,6 +1518,7 @@ sub setup_tc() {
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
+	    ensure_mangle_chain 'tcin';
 	}
 
 	my $mark_part = '';
@@ -1383,9 +1540,12 @@ sub setup_tc() {
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
+	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
+
+	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
+	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
 	}
     }
 
@@ -1434,7 +1594,7 @@ sub setup_tc() {
 			  mark      => HIGHMARK ,
 			  mask      => '' } ,
 			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark ' ,
+			  target    => 'MARK --and-mark' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' ,
 			  connmark  => 0
@@ -1456,9 +1616,20 @@ sub setup_tc() {
 	}
     }
 
-    add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
+    if ( $config{MANGLE_ENABLED} ) {
+	if ( my $fn = open_file 'secmarks' ) {
 
-    handle_stickiness( $sticky );
+	    first_entry "$doing $fn...";
+
+	    process_secmark_rule while read_a_line;
+	
+	    clear_comment;
+	}
+
+	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
+
+	handle_stickiness( $sticky );
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";

Shorewall/Perl/Shorewall/Zones.pm

@@ -37,6 +37,7 @@ our @EXPORT = qw( NOTHING
 		  IPSECPROTO
 		  IPSECMODE
 		  FIREWALL
+		  VSERVER
 		  IP
 		  BPORT
 		  IPSEC
@@ -52,6 +53,8 @@ our @EXPORT = qw( NOTHING
 		  all_zones
 		  all_parent_zones
 		  complex_zones
+		  vserver_zones
+		  off_firewall_zones
 		  non_firewall_zones
 		  single_interface
 		  chain_base
@@ -75,12 +78,13 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
+		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_13';
 
 #
 # IPSEC Option types
@@ -91,7 +95,6 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
-
 #
 # Zone Table.
 #
@@ -152,21 +155,29 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
 #                                   }
 #                 }
 #
+#    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
+#    the same order as the interfaces are encountered in the configuration files. 
+#
 our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
 our %physical;
+our %basemap;
+our %mapbase;
 our $family;
 our $have_ipsec;
+our $baseseq;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 3,
-	       IPSEC    => 4 };
+	       IPSEC    => 4,
+	       VSERVER  => 5 };
 
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -180,6 +191,7 @@ use constant { SIMPLE_IF_OPTION   => 1,
 
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
+	       IF_OPTION_VSERVER  => 32,
 	   };
 
 our %validinterfaceoptions;
@@ -212,6 +224,9 @@ sub initialize( $ ) {
     @bport_zones = ();
     %ipsets = ();
     %physical = ();
+    %basemap = ();
+    %mapbase = ();
+    $baseseq = 0;
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -222,13 +237,13 @@ sub initialize( $ ) {
 				  dhcp        => SIMPLE_IF_OPTION,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
-				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
+				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  required    => SIMPLE_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -253,12 +268,12 @@ sub initialize( $ ) {
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
-				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
+				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
@@ -284,6 +299,7 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$)
 {
     my %validoptions = ( mss          => NUMERIC,
+			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@@ -293,10 +309,12 @@ sub parse_zone_option_list($$)
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
+
+    use constant { UNRESTRICTED => 1, NOFW => 2 };
     #
     # Hash of options that have their own key in the returned hash.
     #
-    my %key = ( mss => 'mss' );
+    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
 
     my ( $list, $zonetype ) = @_;
     my %h;
@@ -329,7 +347,8 @@ sub parse_zone_option_list($$)
 	    }
 
 	    if ( $key{$e} ) {
-		$h{$e} = $val;
+		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
@@ -376,6 +395,7 @@ sub process_zone( \$ ) {
 	    fatal_error "Invalid Parent List ($2)" unless $p;
 	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
 	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
+	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
 	    push @{$zones{$p}{children}}, $zone;
 	}
     }
@@ -402,11 +422,14 @@ sub process_zone( \$ ) {
 	$firewall_zone = $zone;
 	$ENV{FW} = $zone;
 	$type = FIREWALL;
+    } elsif ( $type eq 'vserver' ) {
+	fatal_error 'Vserver zones may not be nested' if @parents;
+	$type = VSERVER;
     } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
     } else {
-	fatal_error "Invalid zone type ($type)" ;
+	fatal_error "Invalid zone type ($type)";
     }
 
     if ( $type eq IPSEC ) {
@@ -416,20 +439,30 @@ sub process_zone( \$ ) {
 	}
     }
 
-    $zones{$zone} = { type       => $type,
-		      parents    => \@parents,
-		      bridge     => '',
-		      options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-				      in      => parse_zone_option_list( $in_options || '', $type ) ,
-				      out     => parse_zone_option_list( $out_options || '', $type ) ,
-				      complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
-				      nested  => @parents > 0 ,
-				      super   => 0 ,
-				    } ,
-		      interfaces => {} ,
-		      children   => [] ,
-		      hosts      => {}
-		    };
+    my $zoneref = $zones{$zone} = { type       => $type,
+				    parents    => \@parents,
+				    bridge     => '',
+				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
+						    in      => parse_zone_option_list( $in_options || '', $type ) ,
+						    out     => parse_zone_option_list( $out_options || '', $type ) ,
+						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+						    nested  => @parents > 0 ,
+						    super   => 0 ,
+						  } ,
+				    interfaces => {} ,
+				    children   => [] ,
+				    hosts      => {}
+				  };
+
+    if ( $zoneref->{options}{in_out}{blacklist} ) {
+	for ( qw/in out/ ) {
+	    unless ( $zoneref->{options}{$_}{blacklist} ) {
+		$zoneref->{options}{$_}{blacklist} = 1;
+	    } else {
+		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
+	    }
+	}
+    }
 
     return $zone;
 
@@ -495,9 +528,9 @@ sub zone_report()
     my @translate;
 
     if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
     } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
     }
 
     for my $zone ( @zones )
@@ -524,7 +557,7 @@ sub zone_report()
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
-		
+
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
@@ -554,9 +587,9 @@ sub dump_zone_contents()
     my @xlate;
 
     if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
     } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
     }
 
     for my $zone ( @zones )
@@ -633,7 +666,9 @@ sub add_group_to_zone($$$$$)
     my $allip    = 0;
 
     for my $host ( @$networks ) {
-	$interfaces{$interface}{nets}++;
+	$interfaceref = $interfaces{$interface};
+
+	$interfaceref->{nets}++;
 
 	fatal_error "Invalid Host List" unless defined $host and $host ne '';
 
@@ -650,6 +685,13 @@ sub add_group_to_zone($$$$$)
 		if ( $host eq ALLIP ) {
 		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
 		    $interfaces{$interface}{zone} = $zone;
+		    #
+		    # Make 'find_hosts_by_option()' work correctly for this zone
+		    #
+		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
+			$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
+		    }
+
 		    $allip = 1;
 		}
 	    }
@@ -713,18 +755,30 @@ sub all_zones() {
     @zones;
 }
 
+sub off_firewall_zones() {
+   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
+}
+
 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL ,  @zones );
+   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
 }
 
 sub all_parent_zones() {
-   grep ( ! @{$zones{$_}{parents}} ,  @zones );
+    #
+    # Although the firewall zone is technically a parent zone, we let the caller decide
+    # if it is to be included or not.
+    #
+    grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 
 sub complex_zones() {
     grep( $zones{$_}{options}{complex} , @zones );
 }
 
+sub vserver_zones() {
+    grep ( $zones{$_}{type} == VSERVER, @zones );
+}
+
 sub firewall_zone() {
     $firewall_zone;
 }
@@ -734,18 +788,55 @@ sub firewall_zone() {
 #
 sub is_a_bridge( $ ) {
     which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
-} 
+}
 
 #
 # Transform the passed interface name into a legal shell variable name.
 #
 sub chain_base($) {
     my $chain = $_[0];
-
-    $chain =~ s/^@/at_/;
-    $chain =~ tr/[.\-%@]/_/;
+    my $name  = $basemap{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value 
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
     $chain =~ s/\+$//;
-    $chain;
+    $chain =~ tr/./_/;
+
+    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap{$key} = $name;
 }
 
 #
@@ -788,6 +879,8 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
+	    
+	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}
 
 	$bridge = $interface;
@@ -795,6 +888,8 @@ sub process_interface( $$ ) {
     } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
 	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
+	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
+
 	$bridge = $interface;
     }
 
@@ -808,6 +903,8 @@ sub process_interface( $$ ) {
 	$root = $interface;
     }
 
+    fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
+
     my $physical = $interface;
     my $broadcasts;
 
@@ -831,7 +928,11 @@ sub process_interface( $$ ) {
 
     my $hostoptionsref = {};
 
-    $options{ignore} = 1, $options = '-' if $options eq 'ignore';
+    if ( $options eq 'ignore' ) {
+	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
+	$options{ignore} = 1;
+	$options = '-';
+    }
 
     if ( $options ne '-' ) {
 
@@ -844,7 +945,11 @@ sub process_interface( $$ ) {
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 
-	    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
+	    if ( $zone ) {
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
+	    } else { 
+		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
+	    }
 
 	    my $hostopt = $type & IF_OPTION_HOST;
 
@@ -854,8 +959,16 @@ sub process_interface( $$ ) {
 
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
-		$options{$option} = 1;
-		$hostoptions{$option} = 1 if $hostopt;
+		if ( $option eq 'blacklist' ) {
+		    if ( $zone ) {
+			$zoneref->{options}{in}{blacklist} = 1;
+		    } else {
+			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
+		    }
+		} else {
+		    $options{$option} = 1;
+		    $hostoptions{$option} = 1 if $hostopt;
+		}
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@@ -863,8 +976,8 @@ sub process_interface( $$ ) {
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -887,10 +1000,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
-		# Remove parentheses from address list if present
-		#
-		$value =~ s/\)$// if $value =~ s/^\(//;
-		#
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
@@ -923,7 +1032,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
 
@@ -953,14 +1062,13 @@ sub process_interface( $$ ) {
 
 	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
 
-
 	$hostoptionsref = \%hostoptions;
     } else {
 	#
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
-    }	
+    }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
@@ -970,18 +1078,19 @@ sub process_interface( $$ ) {
 						       broadcasts => $broadcasts ,
 						       options    => \%options ,
 						       zone       => '',
-						       physical   => $physical
+						       physical   => $physical ,
+						       base       => chain_base( $physical )
 						     };
 
     if ( $zone ) {
 	$netsref ||= [ allip ];
 	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
-	add_group_to_zone( $zone, 
-			   $zoneref->{type}, 
-			   $interface, 
-			   [ IPv4_MULTICAST ], 
+	add_group_to_zone( $zone,
+			   $zoneref->{type},
+			   $interface,
+			   $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] ,
 			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
-    } 
+    }
 
     progress_message "  Interface \"$currentline\" Validated";
 
@@ -1026,6 +1135,27 @@ sub validate_interfaces_file( $ ) {
     # Be sure that we have at least one interface
     #
     fatal_error "No network interfaces defined" unless @interfaces;
+
+    if ( vserver_zones ) {
+	#
+	# While the user thinks that vservers are associated with a particular interface, they really are not.
+	# We create an interface to associated them with.
+	#
+	my $interface = '%vserver%';
+
+	$interfaces{$interface} = { name       => $interface ,
+				    bridge     => $interface ,
+				    nets       => 0 ,
+				    number     => $nextinum ,
+				    root       => $interface ,
+				    broadcasts => undef ,
+				    options    => {} ,
+				    zone       => '',
+				    physical   => 'lo',
+				  };
+
+	push @interfaces, $interface;
+    }
 }
 
 #
@@ -1034,39 +1164,46 @@ sub validate_interfaces_file( $ ) {
 sub map_physical( $$ ) {
     my ( $name, $interfaceref ) = @_;
     my $physical = $interfaceref->{physical};
-    
+
     return $physical if $name eq $interfaceref->{name};
 
     $physical =~ s/\+$//;
 
     $physical . substr( $name, length  $interfaceref->{root} );
-}  
+}
 
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
+# %interfaces.
 #
-sub known_interface($)
+sub known_interface($;$)
 {
-    my $interface = $_[0];
+    my ( $interface, $cache ) = @_;
     my $interfaceref = $interfaces{$interface};
 
     return $interfaceref if $interfaceref;
 
+    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
+
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
-	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
-	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
-					       bridge   => $interfaceref->{bridge} , 
-					       name     => $i , 
-					       number   => $interfaceref->{number} ,
-					       physical => map_physical( $interface, $interfaceref )
-					     };
+	    my $physical = map_physical( $interface, $interfaceref );
+	    
+	    my $copyref = { options  => $interfaceref->{options},
+			    bridge   => $interfaceref->{bridge} ,
+			    name     => $i ,
+			    number   => $interfaceref->{number} ,
+			    physical => $physical ,
+			    base     => chain_base( $physical ) ,
+			  };
+
+	    $interfaces{$interface} = $copyref if $cache;
+
+	    return $copyref;
 	}
     }
 
@@ -1164,7 +1301,7 @@ sub find_interfaces_by_option( $ ) {
 
     for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
-	
+
 	next unless $interfaceref->{root};
 
 	my $optionsref = $interfaceref->{options};
@@ -1177,25 +1314,33 @@ sub find_interfaces_by_option( $ ) {
 }
 
 #
-# Returns reference to array of interfaces with the passed option
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
     my $option = $_[0];
     my @ints = ();
+    my $wild = 0;
 
-    for my $interface ( keys %interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
+			keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
 	next unless defined $interfaceref->{physical};
-	next if $interfaceref->{physical} =~ /\+/;
 
 	my $optionsref = $interfaceref->{options};
+
 	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
     }
 
-    \@ints;
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
 }
 
 #
@@ -1222,20 +1367,32 @@ sub set_interface_option( $$$ ) {
 sub verify_required_interfaces( $ ) {
 
     my $generate_case = shift;
-    
+
     my $returnvalue = 0;
-   
+
     my $interfaces = find_interfaces_by_option 'wait';
 
     if ( @$interfaces ) {
-	emit "local waittime\n";
+	my $first = 1;
+
+	emit( "local waittime\n" );
+
+	emit( 'case "$COMMAND" in' );
+
+	push_indent;
+
+	emit( 'start|restart|restore)' );
+
+	push_indent;
 
 	for my $interface (@$interfaces ) {
 	    my $wait = $interfaces{$interface}{options}{wait};
 
+	    emit q() unless $first-- > 0;
+	    
 	    if ( $wait ) {
 		my $physical = get_physical $interface;
-	    
+
 		if ( $physical =~ /\+$/ ) {
 		    my $base = uc chain_base $physical;
 
@@ -1263,12 +1420,20 @@ sub verify_required_interfaces( $ ) {
 		    emit  q(        sleep 1);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
-		    emit qq(fi\n);
+		    emit  q(fi);
 		}
 
 		$returnvalue = 1;
 	    }
 	}
+
+	emit( ";;\n" );
+	
+	pop_indent;
+	pop_indent;
+
+	emit( "esac\n" );
+
     }
 
     $interfaces = find_interfaces_by_option 'required';
@@ -1290,16 +1455,16 @@ sub verify_required_interfaces( $ ) {
 
 		$physical =~ s/\+$/*/;
 
-		emit( "${base}_IS_UP=\n",
+		emit( "SW_${base}_IS_UP=\n",
 		      'for interface in $(find_all_interfaces); do',
 		      '    case $interface in',
 		      "        $physical)",
-		      "            interface_is_usable \$interface && ${base}_IS_UP=Yes && break",
+		      "            interface_is_usable \$interface && SW_${base}_IS_UP=Yes && break",
 		      '            ;;',
 		      '    esac',
 		      'done',
 		      '',
-		      "if [ -z \"\$${base}_IS_UP\" ]; then",
+		      "if [ -z \"\$SW_${base}_IS_UP\" ]; then",
 		      "    startup_error \"None of the required interfaces $physical are available\"",
 		      "fi\n"
 		    );
@@ -1309,7 +1474,7 @@ sub verify_required_interfaces( $ ) {
 		emit qq(fi\n);
 	    }
 	}
-	
+
 	if ( $generate_case ) {
 	    emit( ';;' );
 	    pop_indent;
@@ -1341,6 +1506,9 @@ sub compile_updown() {
 	  'state=cleared',
 	  '' );
 
+    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
+    emit '';
+
     if ( $family == F_IPV4 ) {
 	emit 'if shorewall_is_started; then';
     } else {
@@ -1379,6 +1547,7 @@ sub compile_updown() {
 	$interfaces =~ s/\+/*/;
 
 	emit( "$interfaces)",
+	      '    progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    exit 0',
 	      '    ;;'
 	    );
@@ -1402,21 +1571,24 @@ sub compile_updown() {
 	    emit( '        COMMAND=start' );
 	}
 
-	emit( '        detect_configuration',
+	emit( '        progress_message3 "$g_product attempting $COMMAND"',
+	      '        detect_configuration',
 	      '        define_firewall' );
-	
+
 	if ( $wildcard ) {
 	    emit( '    elif [ "$state" = started ]; then',
+		  '        progress_message3 "$g_product attempting restart"',
 		  '        COMMAND=restart',
 		  '        detect_configuration',
 		  '        define_firewall' );
 	} else {
-	    emit( '    else', 
+	    emit( '    else',
 		  '        COMMAND=stop',
+		  '        progress_message3 "$g_product attempting stop"',
 		  '        detect_configuration',
 		  '        stop_firewall' );
 	}
-	
+
 	emit( '    fi',
 	      '    ;;'
 	    );
@@ -1436,12 +1608,16 @@ sub compile_updown() {
 	      '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
+	      '        progress_message3 "$g_product attempting restart"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    elif [ "$state" = stopped ]; then',
 	      '        COMMAND=start',
+	      '        progress_message3 "$g_product attempting start"',
 	      '        detect_configuration',
 	      '        define_firewall',
+	      '    else',
+	      '        progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    fi',
 	      '    ;;',
 	    );
@@ -1451,14 +1627,18 @@ sub compile_updown() {
 	  '    case $state in',
 	  '        started)',
 	  '            COMMAND=restart',
+	  '            progress_message3 "$g_product attempting restart"',
 	  '            detect_configuration',
 	  '            define_firewall',
 	  '            ;;',
-	  '    esac',  
+	  '        *)',
+	  '            progress_message3 "$COMMAND on interface $1 ignored"',
+	  '            ;;',
+	  '    esac',
 	);
 
     pop_indent;
-    
+
     emit( 'esac' );
 
     pop_indent;
@@ -1466,7 +1646,7 @@ sub compile_updown() {
     emit( '}',
 	  '',
 	);
-}  
+}
 
 #
 # Process a record in the hosts file
@@ -1508,7 +1688,7 @@ sub process_host( ) {
 	} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
 	    fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 	}
-    }
+    } 
 
     my $optionsref = { dynamic => 0 };
 
@@ -1523,14 +1703,19 @@ sub process_host( ) {
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
-		warning_message "The 'norfc1918' option is no longer supported"
+		warning_message "The 'norfc1918' host option is no longer supported"
+	    } elsif ( $option eq 'blacklist' ) {
+		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
+		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
 
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
+
 	$optionsref = \%options;
     }
 
@@ -1550,6 +1735,7 @@ sub process_host( ) {
     $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
 
     if ( $hosts eq 'dynamic' ) {
+	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = physical_name $interface;
 	$hosts = "+${zone}_${physical}";
@@ -1557,6 +1743,10 @@ sub process_host( ) {
 	$ipsets{"${zone}_${physical}"} = 1;
 
     }
+    #
+    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
+    #
+    $interface = '%vserver%' if $type == VSERVER;
 
     add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
 
@@ -1620,6 +1810,21 @@ sub find_hosts_by_option( $ ) {
     \@hosts;
 }
 
+#
+# Returns a reference to a list of zones with the passed in/out option
+#
+
+sub find_zones_by_option( $$ ) {
+    my ($option, $in_out ) = @_;
+    my @zns;
+
+    for my $zone ( @zones ) {
+	push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
+    }
+
+    \@zns;
+}
+
 sub all_ipsets() {
     sort keys %ipsets;
 }

Shorewall/Perl/prog.footer

@@ -6,7 +6,7 @@
 #
 usage() {
     echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo 
+    echo
     echo "Options are:"
     echo
     echo "   -v and -q        Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
-			;;			
+			;;
 		    p*)
 			g_purge=Yes
 			option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 
 			if [ -n "$option" ]; then
 			    case $option in
-				*/*)		    
+				*/*)
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)

Shorewall/Perl/prog.footer6

@@ -6,7 +6,7 @@
 #
 usage() {
     echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo 
+    echo
     echo "Options are:"
     echo
     echo "   -v and -q        Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
-			;;			
+			;;
 		    p*)
 			g_purge=Yes
 			option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 
 			if [ -n "$option" ]; then
 			    case $option in
-				*/*)		    
+				*/*)
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)

Shorewall/Perl/prog.header

@@ -88,43 +88,18 @@ setpolicy() # $1 = name of chain, $2 = policy
     run_iptables -P $1 $2
 }
 
-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the NAT table chains
-#
-flushnat() # $1 = name of chain
-{
-    run_iptables -t nat -F $1
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
-    run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
-    run_iptables -F
-    run_iptables -X
-}
-
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'    
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv4 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
@@ -533,11 +508,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
+    local result
+    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
-	local result
 	result=1
 
 	while read route ; do
@@ -622,9 +598,9 @@ delete_proxyarp() {
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
-    fi
 
-    rm -f ${VARDIR}/proxyarp
+	rm -f ${VARDIR}/proxyarp
+    fi
 }
 
 #
@@ -638,6 +614,7 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
+    qt $IPTABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv4/ip_forward
 
@@ -697,7 +674,7 @@ startup_error() # $* = Error Message
 	    ;;
     esac
 
-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
         timestamp="$(date +'%_b %d %T') "
 
 	case $COMMAND in

Shorewall/Perl/prog.header6

@@ -88,35 +88,18 @@ setpolicy() # $1 = name of chain, $2 = policy
     run_iptables -P $1 $2
 }
 
-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
-    run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
-    run_iptables -F
-    run_iptables -X
-}
-
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'    
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv6 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
@@ -513,11 +496,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
+    local result
+    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
-	local result
 	result=1
 
 	while read route ; do
@@ -600,6 +584,7 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
+    qt $IP6TABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 

Shorewall/changelog.txt

@@ -1,9 +1,102 @@
-Changes in Shorewall 4.4.10.1
+Changes in Shorewall 4.4.13
+
+1)  Allow zone lists in rules SOURCE and DEST.
+
+2)  Fix exclusion in the blacklist file.
+
+3)  Correct several old exclusion bugs.
+
+4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
+
+5)  Re-implement optional interface handling.
+
+6)  Add secmark config file.
+
+7)  Split in and out blacklisting.
+
+8)  Correct handling of [{src|dst},...] in ipset invocation
+
+9)  Correct SAME.
+
+10) TC Enhancements:
+
+    <burst> in IN-BANDWIDTH columns.
+    OUT-BANDWIDTH column in tcinterfaces.
+
+11) Create dynamic zone ipsets on 'start'.
+
+12) Remove new blacklisting implementation.
+
+13) Implement an alternative blacklisting scheme.
+
+14) Use '-m state' for UNTRACKED.
+
+15) Clear raw table on 'clear'
+
+16) Correct port-range check in tcfilters.
+
+17) Disallow '*' in interface names.
+
+Changes in Shorewall 4.4.12
+
+1)  Fix IPv6 shorecap program.
+
+2)  Eradicate incorrect IPv6 Multicast Network
+
+3)  Add ADD/DEL support.
+
+4)  Allow :random to work with REDIRECT
+
+5)  Add per-ip log rate limiting.
+
+6)  Use new hashlimit match syntax if available.
+
+7)  Add Universal sample.
+
+8)  Add COMPLETE option.
+
+9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
+
+10) Support new set match syntax.
+
+11) Blacklisting by DEST IP.
+
+12) Fix duplicate rule generation with 'any'.
+
+13) Fix port range editing problem.
+
+14) Display the .conf file directory in response to the status command.
+
+15)  Correct AUTOMAKE
+
+Changes in Shorewall 4.4.11
 
 1)  Apply patch from Gabriel.
 
 2)  Fix IPSET match detection when a pathname is specified for IPSET.
 
+3)  Fix start priority of shorewall-init on Debian
+
+4)  Make IPv6 log and connections output readable.
+
+5)  Add REQUIRE_INTERFACE to shorewall*.conf
+
+6)  Avoid run-time warnings when options are not listed in
+    shorewall.conf.
+
+7)  Implement Vserver zones.
+
+8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
+    hosts file.
+
+9)  Add CLEAR_FORWARD_MARK option.
+
+10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
+
+11) Add PERL option.
+
+12) Fix nets= in Shorewall6
+
 Changes in Shorewall 4.4.10
 
 1)  Fix regression with scripts.

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
+#####################################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,4 +7,5 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
+

Shorewall/configfiles/masq

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/netmap

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2
+#TYPE	NET1			INTERFACE	NET2		NET3

Shorewall/configfiles/secmarks

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
+#				STATE						PORT(S)	PORT(S) GROUP
+
+
+
+
+								

Shorewall/configfiles/shorewall.conf

@@ -31,9 +31,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -59,6 +57,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -194,6 +194,12 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=No
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -8,4 +8,3 @@
 #
 ###############################################################################
 #INTERFACE	TYPE		IN-BANDWIDTH
-

Shorewall/init.debian.sh

@@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log}
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
-	echo "INITLOG cannot be empty, please configure $0" ; 
+	echo "INITLOG cannot be empty, please configure $0" ;
 	exit 1;
 }
 
@@ -32,9 +32,9 @@ fi
 
 echo_notdone () {
 
-  if [ "$INITLOG" = "/dev/null" ] ; then 
+  if [ "$INITLOG" = "/dev/null" ] ; then
 	  echo "not done."
-  else 
+  else
 	  echo "not done (check $INITLOG)."
   fi
 
@@ -71,7 +71,7 @@ fi
 
 export SHOREWALL_INIT_SCRIPT
 
-# wait for an unconfigured interface 
+# wait for an unconfigured interface
 wait_for_pppd () {
 	if [ "$wait_interface" != "" ]
 	then

Shorewall/init.slackware.firewall.sh

@@ -45,7 +45,7 @@ status() {
 
 export SHOREWALL_INIT_SCRIPT=1
 
-case $1 in 
+case $1 in
 	'start')
 	start
 	;;

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -133,7 +133,7 @@ case $(uname) in
 	MAC=Yes
 	INSTALLD=
 	T=
-	;;	
+	;;
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -178,7 +178,7 @@ if [ -n "$DESTDIR" ]; then
 
     install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
     install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-    
+
     CYGWIN=
     MAC=
 else
@@ -194,7 +194,7 @@ else
     if [ -n "$CYGWIN" ]; then
 	echo "Installing Cygwin-specific configuration..."
     elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."	
+	echo "Installing Mac-specific configuration..."
     else
 	if [ -f /etc/debian_version ]; then
 	    echo "Installing Debian-specific configuration..."
@@ -270,7 +270,7 @@ if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}/etc/logrotate.d
     chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
-    
+
 #
 # Install the config file
 #
@@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
     echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi
 
+#
+# Install the secmarks file
+#
+run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
+    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
+fi
+
 #
 # Install the default config path file
 #
@@ -745,7 +755,7 @@ fi
 #
 # Install the  Makefiles
 #
-install-file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
+install_file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
 
 if [ -z "$SPARSE" ]; then
     run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall
@@ -867,7 +877,13 @@ fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644
-	ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+
+	if [ -x /sbin/insserv ]; then
+	    insserv /etc/init.d/shorewall
+	else
+	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+	fi
+
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
 	touch /var/log/shorewall-init.log

Shorewall/known_problems.txt

@@ -1,21 +1,2 @@
-1)  The IPv6 allowBcast built-in action generates an invalid ip6tables
-    rule. This defect is present in all versions of Shorewall that 
-    support IPv6.
-
-    Fixed in Shorewall 4.4.10.1.
-
-2)  If IPSET=<pathname> is specified in shorewall.conf, then when an
-    ipset is used in a configuration file entry, the following fatal
-    compilation error occurs:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    You can work around this problem by executing the following at a
-    root shell prompt:
-
-    	 shorewall show -f capabilities > /etc/shorewall/capabilities
-
-    Fixed in Shorewall 4.4.10.1. After installing this fix, if you 
-    executed the above command to work around the problem, we recommend
-    that you remove /etc/shorewall/capabilities.
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.

Shorewall/lib.base

@@ -29,7 +29,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_CAPVERSION=40413
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -185,7 +185,7 @@ valid_address() {
 		;;
 	esac
     done
-    
+
     IFS=$ifs
 
     return 0
@@ -381,7 +381,7 @@ find_echo() {
     result=$(which echo)
     [ -n "$result" ] && { echo "$result -e"; return; }
 
-    echo echo 
+    echo echo
 }
 
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:

Shorewall/lib.cli

@@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for
     else
 	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
-}    
+}
 
 #
 # Show traffic control information
@@ -226,6 +226,18 @@ show_classifiers() {
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
 
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
@@ -298,7 +310,7 @@ do_save() {
 	status=1
     fi
 
-    case ${SAVE_IPSETS:=No} in 
+    case ${SAVE_IPSETS:=No} in
 	[Yy]es)
 	    case ${IPSET:=ipset} in
 		*/*)
@@ -345,7 +357,7 @@ save_config() {
 
     local result
     result=1
-    
+
     iptables_save=${IPTABLES}-save
 
     [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
@@ -485,7 +497,7 @@ show_command() {
 				    fatal_error "Invalid table name ($s)"
 				    ;;
 			    esac
-			    
+
 			    option=
 			    shift
 			    ;;
@@ -541,6 +553,20 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
+
+	    if [ -z "$LOGFILE" ]; then
+		LOGFILE=/var/log/messages
+		
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
+	    fi
+
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -703,7 +729,7 @@ show_command() {
 			;;
 		esac
 	    fi
-	    
+
 
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
@@ -719,7 +745,7 @@ show_command() {
 			exit 1
 		    fi
 		done
-		
+
 		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
 		echo
 		show_reset
@@ -781,6 +807,19 @@ dump_command() {
 	esac
     done
 
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
+
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -790,7 +829,7 @@ dump_command() {
     clear_term
     echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
     echo
-    
+
     show_reset
     host=$(echo $g_hostname | sed 's/\..*$//')
     $IPTABLES -L $g_ipt_options
@@ -834,7 +873,7 @@ dump_command() {
 	heading "PFKEY SPD"
 	setkey -DP
 	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys 
+	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
     fi
 
     heading "/proc"
@@ -1027,6 +1066,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
+    local which
+    which='-s'
+    local range
+    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -1038,19 +1081,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		shift
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		shift
+		continue
+		;;
 	    *-*)
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
-		qt $IPTABLES -D dynamic -m iprange --src-range  $1 -j DROP
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
-		$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
+		qt $IPTABLES -D dynamic -m iprange $range  $1 -j DROP
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
+		$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IPTABLES -D dynamic -s $1 -j reject
-		qt $IPTABLES -D dynamic -s $1 -j DROP
-		qt $IPTABLES -D dynamic -s $1 -j logreject
-		qt $IPTABLES -D dynamic -s $1 -j logdrop
-		$IPTABLES -A dynamic -s $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic $which $1 -j reject
+		qt $IPTABLES -D dynamic $which $1 -j DROP
+		qt $IPTABLES -D dynamic $which $1 -j logreject
+		qt $IPTABLES -D dynamic $which $1 -j logdrop
+		$IPTABLES -A dynamic $which $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1173,7 +1228,7 @@ add_command() {
 	if ! qt $IPSET -L $ipset -n; then
 	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi
-	
+
 	host=${host#*:}
 
 	if $IPSET -A $ipset $host; then
@@ -1182,7 +1237,7 @@ add_command() {
 	    fatal_error "Unable to add $interface:$host to zone $zone"
 	fi
     done
-	
+
 }
 
 #
@@ -1232,7 +1287,7 @@ delete_command() {
 	if ! qt $IPSET -L $ipset -n; then
 	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi
-	
+
 	host=${hostent#*:}
 
 	if $IPSET -D $ipset $host; then
@@ -1241,7 +1296,7 @@ delete_command() {
 	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	fi
     done
-	
+
 }
 
 #
@@ -1340,6 +1395,11 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1349,11 +1409,21 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
 		*-*)
-		    if  qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
+		    if  qt $IPTABLES -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1361,10 +1431,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IPTABLES -D dynamic -s $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -s $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -s $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -s $1 -j logreject
+		    if  qt $IPTABLES -D dynamic $which $1 -j reject    ||\
+			qt $IPTABLES -D dynamic $which $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic $which $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic $which $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1393,9 +1463,9 @@ logwatch_command() {
 	case $option in
 	    -*)
 		option=${option#-}
-		
+
 		[ -z "$option" ] && usage 1
-		
+
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -1426,7 +1496,7 @@ logwatch_command() {
 		;;
 	esac
     done
-    
+
     [ -n "$g_debugging" ] && set -x
 
     if [ $# -eq 1 ]; then
@@ -1449,6 +1519,10 @@ determine_capabilities() {
 	exit 1
     fi
 
+    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
+
+    [ -n "$IP" -a -x "$IP" ] || IP=
+
     [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
 
     [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1468,6 +1542,7 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
+    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1500,6 +1575,8 @@ determine_capabilities() {
     LOG_TARGET=Yes
     PERSISTENT_SNAT=
     FLOW_FILTER=
+    FWMARK_RT_MASK=
+    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1609,9 +1686,13 @@ determine_capabilities() {
 	qt ipset -X $chain # Just in case something went wrong the last time
 
 	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
+		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
+		OLD_IPSET_MATCH=Yes
 	    fi
 	    qt ipset -X $chain
 	fi
@@ -1624,7 +1705,7 @@ determine_capabilities() {
     if [ -z "$HASHLIMIT_MATCH" ]; then
 	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
+    fi
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1633,6 +1714,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
     qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
@@ -1640,6 +1722,7 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1675,7 +1758,10 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
+	if [ -n "$IPSET_MATCH" ]; then
+	    report_capability "Ipset Match" $IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1707,6 +1793,8 @@ report_capabilities() {
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
+	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1738,6 +1826,7 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
+    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1769,7 +1858,9 @@ report_capabilities1() {
     report_capability1 PERSISTENT_SNAT
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
-    
+    report_capability1 FWMARK_RT_MASK
+    report_capability1 MARK_ANYWHERE
+
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
 }

Shorewall/lib.common

@@ -45,17 +45,17 @@ get_script_version() { # $1 = script
 	temp=$(echo $temp)
 	IFS=$ifs
 	digits=0
-	
+
 	for temp in $temp; do
 	    version=${version}$(printf '%02d' $temp)
 	    digits=$(($digits + 1))
 	    [ $digits -eq 3 ] && break
 	done
     fi
-    
+
     echo $version
 }
- 
+
 #
 # Do required exports or create the required option string and run the passed script using
 # $SHOREWALL_SHELL
@@ -66,7 +66,7 @@ run_it() {
     local version
 
     export VARDIR
-	
+
     script=$1
     shift
 
@@ -82,7 +82,7 @@ run_it() {
 	export PURGE=$g_purge
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering
- 
+
 	if [ "$g_product" != Shorewall ]; then
 	    #
 	    # Shorewall Lite
@@ -94,7 +94,12 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	options='-'
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
+	    options="$1 -"
+	    shift;
+	else
+	    options='-'
+	fi
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -105,7 +110,7 @@ run_it() {
 
 	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
     fi
-	
+
     $SHOREWALL_SHELL $script $options $@
 }
 
@@ -509,9 +514,13 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state
+set_state () # $1 = state $2 
 {
-    echo "$1 ($(date))" > ${VARDIR}/state
+    if [ $# -gt 1 ]; then
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+    else
+	echo "$1 ($(date))" > ${VARDIR}/state
+    fi
 }
 
 #

Shorewall/releasenotes.txt

@@ -1,16 +1,266 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 0
+                      S H O R E W A L L  4 . 4 . 1 3
 ----------------------------------------------------------------------------
 
-I.    RELEASE 4.4 HIGHLIGHTS
-II.   MIGRATION ISSUES
-III.  PROBLEMS CORRECTED IN THIS RELEASE
-IV.   KNOWN PROBLEMS REMAINING
-V.    NEW FEATURES IN THIS RELEASE
-VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 
+I.    PROBLEMS CORRECTED IN THIS RELEASE
+II.   KNOWN PROBLEMS REMAINING
+III.  NEW FEATURES IN THIS RELEASE
+IV.   RELEASE 4.4 HIGHLIGHTS
+V.    MIGRATION ISSUES
+VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 ----------------------------------------------------------------------------
-             I.  R E L E A S E  4 . 4  H I G H L I G H T S
+  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
+----------------------------------------------------------------------------
+
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored. 
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+    
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually. 
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error is now generated if '*' appears in an interface name.
+
+----------------------------------------------------------------------------
+           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.
+
+----------------------------------------------------------------------------
+      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+----------------------------------------------------------------------------
+
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
+    contain zone lists in the SOURCE and DEST column. A zone list is a
+    comma-separated list of zone names where each name appears in the
+    zones file. A zone list may be optionally followed by a plus sign
+    ("+") to indicate that the rule should apply to intra-zone traffic
+    as well as to inter-zone traffic.
+
+    Zone lists behave like 'all' and 'any' with respect to Optimization
+    1. If the rule matches the applicable policy for a given (source
+    zone, dest zone), then the rule will be suppessed for that pair of
+    zones unless overridden by the '!' suffix on the target in the
+    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+
+    Additionally, 'any', 'all' and zone lists may be qualified in the
+    same way as a single zone.
+
+    Examples:
+
+	fw,dmz:90.90.191.120/29
+	all:+blacklist
+
+    The 'all' and 'any' keywords now support exclusion in the form of a
+    comma-separated list of excluded zones.
+
+    Examples: 
+
+    	     all!fw         (same as all-).
+	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
+	     		     include intra-zone rules).
+
+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
+
+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
+
+----------------------------------------------------------------------------
+             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
 
 1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -56,7 +306,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 11) Support for netfilter's TRACE facility has been added. TRACE allows
     you to trace selected packets through Netfilter, including marking
-    by tcrules. 
+    by tcrules.
 
 12) You may now preview the generated ruleset by using the '-r' option
     to the 'check' command (e.g., "shorewall check -r").
@@ -67,8 +317,14 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 15) TPROXY support has been added.
 
+16) Explicit support for Linux-vserver has been added. It is now
+    possible to define sub-zones of $FW.
+
+17) A 'Universal' sample configuration is now availale for a
+    'plug-and-play' firewall.
+
 ----------------------------------------------------------------------------
-                  I I.  M I G R A T I O N   I S S U E S
+                   V.  M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
 1)  If you are currently using Shorewall-shell:
 
@@ -155,7 +411,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 8)  The install.sh scripts in the Shorewall and Shorewall6 packages no
     longer create a backup copy of the existing configuration. If you
     want your configuration backed up prior to upgrading, you will
-    need to do that yourself. 
+    need to do that yourself.
 
     As part of this change, the fallback.sh scripts are no longer
     released.
@@ -182,7 +438,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     explicitly call the module's 'initialize' function after the module
     has been loaded.
 
-12) Checking for zone membership has been tighened up. Previously, 
+12) Checking for zone membership has been tighened up. Previously,
     a zone could contain <interface>:0.0.0.0/0 along with other hosts;
     now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
     then it may have no additional members in /etc/shorewall/hosts.
@@ -208,17 +464,164 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 	  iface_ADDRESSES                      SW_iface_ADDRESSES
 	  iface_NETWORKS                       SW_iface_NETWORKS
 	  iface_MAC                            SW_iface_MAC
-	  
+
 	  provider_IS_USABLE                   SW_provider_IS_USABLE
 
     where 'iface' is a capitalized interface name (e.g., ETH0) and
     'provider' is the capitalized name of a provider.
-	  
+
+15) Support for the OPTIONS column in /etc/shorewall/blacklist
+    (/etc/shorewall6/blacklist) has been removed. Blacklisting by
+    destination IP address will be included in a later Shorewall
+    release.
+
 ----------------------------------------------------------------------------
-I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
 
-4.4.10.1
+1)  Previously, the Shorewall6-lite version of shorecap was using
+    iptables rather than ip6tables, with the result that many capabilities
+    that are only available in IPv4 were being reported as available.
+
+2)  In a number of cases, Shorewall6 generated incorrect rules
+    involving the IPv6 multicast network. The rules specified
+    ff00::/10 where they should have specified ff00::/8. Also, rules
+    instantiated when the firewall was stopped used ff80::/10 rather
+    than fe80::/10 (IPv6 Link Local network).
+
+3)  Previously, using a destination port-range with :random produced a
+    fatal compilation error in REDIRECT rules.
+
+4)  A number of problems associated with Shorewall-init and Upstart
+    have been corrected. 
+
+    If you use Shorewall-init, then when upgrading to this version, be
+    sure to recompile all firewall scripts before you take interfaces
+    down or reboot.
+
+5)  Previously, the Shorewall installer (install.sh) failed to install
+    /usr/share/shorewall/configfiles/Makefile and rather issued the
+    following message:
+
+    	      install-file: command not found 
+
+    This caused the Makefile to be omitted from RPMs as well.
+
+6)  When 'any' was used in the SOURCE column, a duplicate rule was
+    generated in all "fw2*" ("fw-* if ZONE2ZONE="-"). If 'any' was used
+    in the DEST column, then a duplicate rule appeared in all "*2fw"
+    (*-fw) chains.
+
+7)  A port range that omitted the first port number (e.g., ":80") was
+    rejected with the following error:
+
+    	 ERROR: Invalid/Unknown tcp port/service (0) : ......
+
+8)  AUTOMAKE=Yes has been broken for some time. It is now working
+    correctly.
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 2
+----------------------------------------------------------------------------
+
+1)  Support has been added for ADD and DEL rules in
+    /etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
+    IP address to be added to an ipset; DEL deletes an address
+    previously added.
+
+2)  Per-ip log rate limiting has been added in the form of the LOGLIMIT
+    option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
+    LOGBURST are ignored. 
+
+    LOGRATE and LOGBURST are now deprecated.
+
+    LOGLIMIT value format is [{s|d}:]<rate>[/<unit>][:<burst>]
+
+    If the value starts with 's:' then logging is limited per source
+    IP. If the value starts with 'd:', then logging is limited per
+    destination IP. Otherwise, the overall logging rate is limited.
+
+    <unit> is one of sec, min, hour, day.
+
+    If <burst> is not specified, then a value of 5 is assumed.
+
+3)  The sample configurations now include a 'Universal' configuration
+    that will start on any system and protect that system while
+    allowing the system to forward traffic.
+
+    As part of this change, several additional features were added:
+
+    - You may now specify "physical=+" in the interfaces file.
+    - A 'COMPLETE' option is added to shorewall.conf and
+      shorewall6.conf. When you set this option to Yes, you are
+      asserting that the configuration is complete so that your set of
+      zones encompasses any hosts that can send or receive traffic
+      to/from/through the firewall. This causes Shorewall to omit the
+      rules that catch packets in which the source or destination IP
+      address is outside of any of your zones. Default is No.  It is
+      recommended that this option only be set to Yes if:
+
+      o You have defined an interface whose effective physical setting
+        is '+'
+      o That interface is assigned to a zone.
+      o You have no CONTINUE policies or rules.
+
+4)  'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
+    compilations.
+
+5)  Shorewall now detects the presence of a recent ipset iptables
+    module and uses its new syntax. This avoids a warning on iptables
+    1.4.9. This change involves a new capabilities file version so if
+    you use a capabilities file, be sure to regenerate it with 4.4.12
+    shorewall-lite or shorewall6-lite.
+
+6)  Blacklisting can now be done by destination IP address as well as
+    by source address.
+
+    The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
+    now have an optional OPTIONS column. Initially, this column can
+    contain either 'from' (the default) or 'to'; the latter causes the
+    address(es) in the ADDRESS/SUBNET column to be interpreted as a
+    DESTINATION address rather than a source address.
+
+    Note that static blacklisting is still restricted to traffic
+    ARRIVING on an interface that has the 'blacklist' option set. So to
+    block traffic from your local network to an internet host, you must
+    specify 'blacklist' on your internal interface.
+
+    Similarly, dynamic blacklisting has been enhanced to recognize the
+    'from' and 'to' keywords.
+
+    Example:
+
+	shorewall drop to 1.2.3.4
+
+    This command will silently drop connection requests to1.2.3.4.
+
+    The reciprocal of that command would be:
+
+    	shorewall allow to 1.2.3.4
+
+7)  The status command now displays the directory containing the .conf
+    file (shorewall.conf or shorewall6.conf) when the running
+    configuration was compiled.
+
+    Example:
+
+        gateway:/etc/shorewall# shorewall status
+	Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 19:41:51 PDT 2010
+
+	Shorewall is running
+	State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
+
+	gateway:/etc/shorewall# 
+
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
 
 1)  The IPv6 allowBcast action generated an invalid rule.
 
@@ -233,8 +636,92 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
     you should remove /etc/shorewall/capabilities after installing
     this fix.
 
-4.4.10
+3)  The start priority of shorewall-init on Debian and Debian-based
+    distributions was previously too low, making it start too late.
 
+4)  The log output from IPv6 logs was almost unreadable due to display
+    of IPv6 addresses in uncompressed format. A similar problem
+    occurred with 'shorewall6 show connections'. This update makes the
+    displays much clearer at the expense of opening the slight
+    possibility of two '::' sequences being incorrectly shown in the
+    same address.
+
+5)  The new REQUIRE_INTERFACE was inadvertently omitted from
+    shorewall.conf and shorewall6.conf. It has been added.
+
+6)  Under some versions of Perl, a Perl run-time diagnostic was produced
+    when options were omitted from shorewall.conf or shorewall6.conf. 
+
+7) If the following options were specified in /etc/shorewall/interfaces
+   for an interface with '-' in the ZONE column, then these options
+   would be ignored if there was an entry in the hosts file for the
+   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
+   implied when the host list begins with '!').
+
+   	blacklist
+	maclist
+	nosmurfs
+	tcpflags
+
+   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
+
+8) The generated script was missing a closing quote when
+   REQUIRE_INTERFACE=Yes.
+
+9) Previously, if nets= was specified under Shorewall6, this error
+   would result:
+
+   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
+                /etc/shorewall6/interfaces (line 16)
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
+
+1)  Beginning with this release, Shorewall supports a 'vserver'
+    zone type. This zone type is used with Shorewall running on a
+    Linux-vserver host system and allows you to define zones that
+    represent a set of Linux-vserver hosts.
+
+    See http://www.shorewall.net/Vserver.html for details.
+
+2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
+    and shorewall6.conf. 
+
+    Traditionally, Shorewall has cleared the packet mark in the first
+    rule in the mangle FORWARD chain. This behavior is maintained with
+    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
+    set to No, packet marks set in the PREROUTING chain are retained in
+    the FORWARD chains.
+
+    As part of this change, a new "fwmark route mask" capability has
+    been added. If your version of iproute2 supports this capability,
+    fwmark routing rules may specify a mask to be applied to the mark
+    prior to comparison with the mark value in the rule. The presence
+    of this capability allows Shorewall to relax the restriction that
+    small mark values may not be set in the PREROUTING chain when
+    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
+    capability, be sure that you logically OR mark values in PREROUTING
+    makring rules rather then simply setting them unless you are able
+    to set both the high and low bits in the mark in a single rule.
+
+    As always when a new capability has been introduced, be sure to
+    regenerate your capabilities file(s) after installing this release.
+
+3)  A new column (NET3) has been added to the /etc/shorewall/netmap
+    file. This new column can qualify the INTERFACE column by
+    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
+    associated with the interface.
+
+4)  To accomodate systems with more than one version of Perl installed,
+    the shorewall.conf and shorewall6.conf files now support a PERL
+    option. If the program specified by that option does not exist or
+    is not executable, Shorewall (and Shorewall6) fall back to
+    /usr/bin/perl.
+
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
+----------------------------------------------------------------------------
 1)  Startup Errors (those that are detected before the state of the
     system has been altered), were previously not sent to the
     STARTUP_LOG.
@@ -252,7 +739,7 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 
 3)  Under rare circumstances involving a complex configuration,
     OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
-    input to be generated. 
+    input to be generated.
 
     Sample error message:
 
@@ -280,16 +767,8 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 
     This configuration now works correctly.
 
-5)  The 'forget' command now correctly removes saved ipsets.
-
 ----------------------------------------------------------------------------
-           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
-----------------------------------------------------------------------------
-
-None.
-
-----------------------------------------------------------------------------
-         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+               N E W   F E A T U R E S   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
 
 1)  Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
@@ -328,7 +807,7 @@ None.
 
     b)  be sure that your current firewall script(s) (normally in
         /var/lib/<product>/firewall) is(are) compiled with the 4.4.10
-        compiler. 
+        compiler.
 
 	Shorewall and Shorewall6 users can execute these commands:
 
@@ -365,8 +844,8 @@ None.
 	On Debian-based systems, set startup=0 in /etc/default/<product>.
 
 	On other systems, use your service startup configuration tool
-	(chkconfig, insserv, ...) to disable startup. 
- 
+	(chkconfig, insserv, ...) to disable startup.
+
     The following actions occur when an interface comes up:
 
     	FIREWALL      INTERFACE     ACTION
@@ -427,16 +906,8 @@ None.
 	shorewall-lite: 4.4.10-RC1
 	shorewall6-lite: 4.4.10-RC1
 	shorewall-init: 4.4.10-RC1
-	gateway:~# 
+	gateway:~#
 
-3)  Beginning with this release, the 'restart' and 'refresh' commands
-    now retain the contents of the dynamic blacklist as well as the
-    current UPnP rules. The dynamic blacklist is also preserved over
-    stop/start.
-
-----------------------------------------------------------------------------
-V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
-      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
 ----------------------------------------------------------------------------
@@ -510,7 +981,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     /etc/shorewall/masq:
 
     #INTERFACE	SOURCE		ADDRESS		PROTO	PORT
-    tun0	192.168.1.0/24	
+    tun0	192.168.1.0/24
 
     Use of tunN in the nat and netmap files also produced invalid
     iptables-restore input.
@@ -552,7 +1023,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	I - Inserted a rule into a chain.
 	T - Shell source text appended/inserted into a chain --
             converted into rules at run-time.
-	D - Deleted Rule from a chain; note that this causes the 
+	D - Deleted Rule from a chain; note that this causes the
 	    following rules to be renumbered.
 	X - Deleted a chain
 	P - Change a built-in chains policy. Chains in the filter table
@@ -567,7 +1038,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     Netfilter trace records indicate the table and chain being
     changed. If the change involves a particular rule, then the rule
-    number is also included. 
+    number is also included.
 
     Example (append the first rule to the filter FORWARD chain):
 
@@ -597,7 +1068,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     /etc/shorewall/interfaces:
     #ZONE	INTERFACE	BROADCAST	OPTIONS
     dummy	br0		-		routeback
-    
+
     /etc/shorewall/policy:
     #SOURCE	DEST		POLICY
     dummy	all		DROP
@@ -623,7 +1094,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
 ----------------------------------------------------------------------------
 
-1)  A CONTINUE rule specifying a log level would cause the compiler to 
+1)  A CONTINUE rule specifying a log level would cause the compiler to
     generate an incorrect rule sequence. The packet would be logged
     but the CONTINUE action would not occur.
 
@@ -655,7 +1126,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     1/2 of the values given in the rule.
 
 5)  Detection of the 'Old hashlimit match' capability was broken in
-    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
     shorecap.
 
 6)  On older distributions such as RHEL5 and derivatives, Shorewall
@@ -663,7 +1134,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     /etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
     specified in /etc/shorewall/shorewall.conf.
 
-7)  The Debian init scripts are modified to include $remote_fs in the 
+7)  The Debian init scripts are modified to include $remote_fs in the
     Required-start and Required-stop specifications.
 
 8)  Previously, when a supported command failed, the Debian Shorewall
@@ -727,7 +1198,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	VERBOSE
 	VERBOSE_OFFSET
 	VERSION
-	
+
     See Migration Issue 14 above for additional information.
 
 2)  The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
@@ -751,7 +1222,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     Resulting error message
 
-       ERROR: The separator for a port range is ':', not '-' (21-22) : 
+       ERROR: The separator for a port range is ':', not '-' (21-22) :
               /etc/shorewall/rules (line 3)
 
 5)  Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
@@ -762,7 +1233,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     'status' command now gives the detailed status as 'Restored from
     <filename>' rather than 'Started'; <filename> is the saved script
     used to restore the configuration.
- 
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------
@@ -771,7 +1242,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     installer and are included in the rpm.
 
 2)  An invalid octal number (e.g., 080) appearing in a port list
-    resulted in a perl error message. 
+    resulted in a perl error message.
 
     As part of this fix, both hex and octal numbers are now accepted
     for protocol and port numbers.
@@ -836,7 +1307,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       f) If a chain ends with an unconditional branch to a second chain
          (other than to 'reject'), then the branch is deleted from the
          first chain and the rules from the second chain are appended
-         to it. 
+         to it.
 
       The following chains are exempted from optimization 4:
 
@@ -893,7 +1364,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol
     helpers. These cannot be autoloaded.
-    
+
     In addition, the nf_conntrack_sip module is loaded with
     sip_direct_media=0. This setting is slightly less secure than
     sip_direct_media=1, but it solves many VOIP problems that users
@@ -926,7 +1397,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     the setting of net.ipv4.config.all.rp_filter.
 
     Beginning with kernel 2.6.31, the value is the arithmetic MAX of
-    those two values. 
+    those two values.
 
     Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
     there are any interfaces specifying 'routefilter', specifying
@@ -958,7 +1429,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	Keep	 - Shorewall does not change the setting of
 	           net.ipv4.config.all.rp_filter if the kernel version
 		   is 2.6.31 or later.
-        
+
 	The default remains Keep.
 
     e)  The 'routefilter' interface option can have values 0,1 or 2. If
@@ -1033,7 +1504,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 2)  If any interfaces had the 'bridge' option specified, compilation
     failed with the error:
 
-    Undefined subroutine &Shorewall::Rules::match_source_interface called 
+    Undefined subroutine &Shorewall::Rules::match_source_interface called
     at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
 
 3)  The compiler now flags port number 0 as an error in all
@@ -1061,7 +1532,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
 9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
     shorewall.conf. The 'reload' command without '-c' worked as
-    expected. 
+    expected.
 
 ----------------------------------------------------------------------------
                 N E W   F E A T U R E S   I N   4 . 4 . 5
@@ -1147,7 +1618,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     /etc/shorewall/zones:
 
-       #ZONE		TYPE	
+       #ZONE		TYPE
        fw		firewall
        world		ipv4
        z1:world		bport4
@@ -1280,7 +1751,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     	STARTUP_LOG=/var/log/shorewall-init.log
 	LOG_VERBOSITY=2
 
-    The effect is much the same as the old defaults, with the exception 
+    The effect is much the same as the old defaults, with the exception
     that:
 
 	a) Start, stop, etc. commands issued through /sbin/shorewall
@@ -1288,7 +1759,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	b) Logging will occur at maximum verbosity.
 	c) Log entries will be date/time stamped.
 
-    On non-Debian systems, new installs will now log all Shorewall 
+    On non-Debian systems, new installs will now log all Shorewall
     commands to /var/log/shorewall-init.log.
 
 2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
@@ -1306,9 +1777,9 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
           P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
 ----------------------------------------------------------------------------
 
-1)  Detection of Persistent SNAT was broken in the rules compiler. 
+1)  Detection of Persistent SNAT was broken in the rules compiler.
 
-2)  Initialization of the compiler's chain table was occurring before 
+2)  Initialization of the compiler's chain table was occurring before
     shorewall.conf had been read and before the capabilities had been
     determined. This could lead to incorrect rules and Perl runtime
     errors.
@@ -1360,14 +1831,14 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
                 N E W   F E A T U R E S   I N   4 . 4 . 2
 ----------------------------------------------------------------------------
 
-1)  Prior to this release, line continuation has taken precedence over 
+1)  Prior to this release, line continuation has taken precedence over
     #-style comments. This prevented us from doing the following:
 
     	    ACCEPT    net:206.124.146.176,\   #Gateway
 	    	          206.124.146.177,\   #Mail
 			  206.124.146.178\    #Server
 			  		      ...
-    
+
     Now, unless a line ends with '\', any trailing comment is stripped
     off (including any white-space preceding the '#'). Then if the line
     ends with '\', it is treated as a continuation line as normal.
@@ -1419,7 +1890,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 7)  MULTICAST=Yes generates an incorrect rule that limits its
     effectiveness to a small part of the multicast address space.
 
-8)  Checking for zone membership has been tighened up. Previously, 
+8)  Checking for zone membership has been tighened up. Previously,
     a zone could contain <interface>:0.0.0.0/0 along with other hosts;
     now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
     then it may have no additional members in /etc/shorewall/hosts.
@@ -1443,7 +1914,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
 
     This feature requires Persistent SNAT support in your kernel and
-    iptables. 
+    iptables.
 
     If you use a capabilities file, you will need to create a new one
     as a result of this feature.
@@ -1456,7 +1927,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     iptables when asked.
 
 2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~). 
+    files (*~ and .*~).
 
 3)  The meaning of 'full' has been redefined when used in the context
     of a traffic shaping sub-class. Previously, 'full' always meant the
@@ -1592,7 +2063,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     As always, /var/lib/shorewall[6] is the default directory which may
     be overridden using the /etc/shorewall[6]/vardir file.
 
-5)  Dynamic zone support is once again available for IPv4. This support 
+5)  Dynamic zone support is once again available for IPv4. This support
     is built on top of ipsets so you must have the xtables-addons
     installed on the firewall system.
 
@@ -1610,7 +2081,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     - By specifying <interface>:dynamic in the HOST(S) column of an
       entry for the zone in /etc/shorewall/hosts.
 
-    When there are any dynamic zones present in your configuration, 
+    When there are any dynamic zones present in your configuration,
     Shorewall (Shorewall-lite) will:
 
     a) Execute the following commands during 'shorewall start' or
@@ -1619,7 +2090,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
            ipset -U :all: :all:
 	   ipset -U :all: :default:
 	   ipset -F
-	   ipset -X   
+	   ipset -X
 	   ipset -R < ${VARDIR}/ipsets.save
 
        where $VARDIR normally contains /var/lib/shorewall
@@ -1712,7 +2183,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     	 gateway:~ # shorewall restart
     	 Restarting Shorewall....
     	 done.
-    	 gateway:~ # 
+    	 gateway:~ #
 
     In other words, you can compile the current configuration then
     install it at a later time.
@@ -1762,8 +2233,8 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     This previously generated these two rules (long rules folded):
 
 	 -A loc2net -p 6 --dport 25 -j LOG --log-level 6
-	    --log-prefix "Shorewall:loc2net:reject:" 
-	 -A loc2net -p 6 --dport 25 -j reject 
+	    --log-prefix "Shorewall:loc2net:reject:"
+	 -A loc2net -p 6 --dport 25 -j reject
 
     It now generates these rules:
 
@@ -1772,8 +2243,8 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	 -A loc2net -p 6 --dport 25 -g log0
 	 ...
 	 -A log0 -j LOG --log-level 6
-	    --log-prefix "Shorewall:loc2net:REJECT:" 
-	 -A log0 -j reject 
+	    --log-prefix "Shorewall:loc2net:REJECT:"
+	 -A log0 -j reject
 
     Notice that now there is only a single rule generated in the
     'loc2net' chain where before there were two. Packets for other than
@@ -1873,7 +2344,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     It is important to realize that, while class IDs are composed of a
     <major> and a <minor> value, the set of <minor> values must be
     unique. You must keep this in mind when deciding how to map IP
-    addresses to class IDs. 
+    addresses to class IDs.
 
     For example, suppose that your internal network is 192.168.1.0/29
     (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
@@ -1986,7 +2457,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     1:100	-	16mbit		20mbit		2
     1:100:101	-	 8mbit		20mbit		3	default
     1:100:102	-	 8mbit		20mbit		3
-     
+
     /etc/shorewall/tcrules
 
     #MARK	SOURCE		DEST
@@ -2002,7 +2473,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     Local traffic (that coming from the firewall and from the DMZ
     server) is placed in the effectively unrestricted class 1:10. The
     default class is guaranteed half of the download capacity and my
-    work system (172.20.1.107) is guarandeed the other half.	
+    work system (172.20.1.107) is guarandeed the other half.
 
 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
     discipline has been added. HFSC is claimed to be superior to the
@@ -2030,7 +2501,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	         in the class should experience. The delay is expressed
 	         in milliseconds and may be followed by 'ms' (e.g.,
 	      	 10ms. Note that there may be no white space between the
-	      	 number and 'ms'). 
+	      	 number and 'ms').
               3. The maximum transmission unit (UMAX) for this class of
 	         traffic. If not specified, the MTU of the interface is
 		 used. The length is specified in bytes and may be
@@ -2113,7 +2584,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
 25) A new extension script, 'lib.private' has been added. This file is
     intended to include declarations of shell functions that will be
-    called by the other run-time extension scripts. 
+    called by the other run-time extension scripts.
 
 26) Paul Gear has contributed the following macros:
 
@@ -2190,7 +2661,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     If flow is not supported, you will see:
 
        Unknown filter "flow", hence option "help" is unparsable
-    
+
     If your kernel supports module autoloading, just type (as root):
 
        modprobe cls_flow
@@ -2199,7 +2670,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     see:
 
        FATAL: Module cls_flow not found.
-    
+
     If your kernel is not modularized or does not support module
      autoloading, look at your kernel configuration (either
     /proc/config.gz or the .config file in
@@ -2207,7 +2678,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     If 'flow' is supported, you will see:
 
-       NET_CLS_FLOW=m 
+       NET_CLS_FLOW=m
 
     or
 
@@ -2215,4 +2686,4 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
     For modularized kernels, Shorewall will attempt to load
     /lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.
-       
+

Shorewall/shorewall

@@ -32,7 +32,7 @@
 #     $1 = Yes: read the params file
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
-#     
+#
 get_config() {
     local prog
 
@@ -47,7 +47,7 @@ get_config() {
     fi
 
     config=$(find_file shorewall.conf)
-    
+
     if [ -f $config ]; then
 	if [ -r $config ]; then
 	    . $config
@@ -61,21 +61,21 @@ get_config() {
     fi
 
     ensure_config_path
-    
+
     if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
 	#
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-	    if [ -n "$(syslog_circular_buffer)" ]; then
-		g_logread="logread | tac"
-	    elif [ -r $LOGFILE ]; then
-		g_logread="tac $LOGFILE"
-	    else
-		echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		exit 2
+	    if [ -n "$LOGFILE" ]; then
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
 	    fi
 	fi
 
@@ -109,7 +109,7 @@ get_config() {
 		    IP=$prog
 		    ;;
 	    esac
-	else 
+	else
 	    IP='ip'
 	fi
 
@@ -130,7 +130,7 @@ get_config() {
 		    IPSET=$prog
 		    ;;
 	    esac
-	else 
+	else
 	    IPSET='ipset'
 	fi
 
@@ -151,7 +151,7 @@ get_config() {
 		    TC=$prog
 		    ;;
 	    esac
-	else 
+	else
 	    TC='tc'
 	fi
 	#
@@ -196,7 +196,7 @@ get_config() {
 		;;
 	esac
 
-	[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' 
+	[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
 
 	[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
 
@@ -222,7 +222,7 @@ get_config() {
     else
 	STARTUP_LOG=
 	LOG_VERBOSITY=-1
-    fi   
+    fi
 
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
@@ -313,7 +313,7 @@ startup_error() {
 # Run the compiler
 #
 compiler() {
-   
+
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
 	    startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@@ -338,10 +338,10 @@ compiler() {
     [ -n "$g_profile" ] && debugflags='-wd:DProf'
 
     # Perl compiler only takes the output file as a argument
-	    
+
     [ "$1" = debug -o "$1" = trace ]  && shift;
     [ "$1" = nolock ] && shift;
-    shift 
+    shift
 
     options="--verbose=$VERBOSITY"
     [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@@ -356,11 +356,20 @@ compiler() {
     #
     # Run the appropriate params file
     #
-    set -a; 
+    set -a;
     run_user_exit params
     set +a
 
-    perl $debugflags /usr/share/shorewall/compiler.pl $options $@
+    if [ -n "$PERL" ]; then
+	if [ ! -x "$PERL" ]; then
+	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
+	    PERL=/usr/bin/perl
+	fi
+    else
+	PERL=/usr/bin/perl
+    fi
+
+    $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
 }
 
 #
@@ -477,7 +486,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if make -qf ${CONFDIR}/Makefile; then
+	    if ! make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -537,7 +546,7 @@ compile_command() {
 			t*)
 			    g_test=Yes
 			    option=${option#t}
-			    ;;			    
+			    ;;
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -755,7 +764,7 @@ restart_command() {
 	fi
     fi
 
-    if [ -z "$g_fast" ]; then  
+    if [ -z "$g_fast" ]; then
 	progress_message3 "Compiling..."
 
 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
@@ -774,7 +783,7 @@ restart_command() {
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
     fi
-    
+
     return $rc
 }
 
@@ -958,7 +967,7 @@ safe_commands() {
 	    else
 		${VARDIR}/.$command clear
 	    fi
-	    
+
 	    [ -n "$nolock" ] || mutex_off
 
 	    echo "New configuration has been rejected and the old one restored"
@@ -989,7 +998,7 @@ try_command() {
 		echo "Directory $1 does not exist" >&2 && exit 2
 	    fi
 	fi
-	
+
 	SHOREWALL_DIR=$(resolve_file $1)
     }
 
@@ -1032,7 +1041,7 @@ try_command() {
 	2)
 	    handle_directory $1
 	    timeout=$2
-	    case $timeout in 
+	    case $timeout in
 		*[!0-9]*)
                     echo "   ERROR: Invalid timeout ($timeout)" >&2;
 		    exit 1
@@ -1084,12 +1093,12 @@ try_command() {
 
     if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
 	sleep $timeout
-	    
+
 	if [ "$command" = "restart" ]; then
 	    ${VARDIR}/.try restore
 	else
 	    ${VARDIR}/.$command clear
-	fi	    
+	fi
     fi
 
     [ -n "$nolock" ] || mutex_off
@@ -1106,7 +1115,7 @@ rsh_command() {
 rcp_command() {
     files="$1"
     destination=$2
-    
+
     eval $RCP_COMMAND
 }
 
@@ -1247,12 +1256,12 @@ reload_command() # $* = original arguments less the command.
 export_command() # $* = original arguments less the command.
 {
     local verbose
-    verbose=$(make_verbose) 
+    verbose=$(make_verbose)
     local file
-    file= 
+    file=
     local finished
-    finished=0 
-    local directory 
+    finished=0
+    local directory
     local target
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -1455,7 +1464,7 @@ while [ $finished -eq 0 ]; do
 			;;
 		    v*)
 			option=${option#v}
-			case $option in 
+			case $option in
 			    -1*)
 				g_use_verbosity=-1
 				option=${option#-1}
@@ -1542,7 +1551,7 @@ version_command() {
     [ $# -gt 0 ] && usage 1
 
     echo $SHOREWALL_VERSION
-    
+
     if [ -n "$all" ]; then
 	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
 	    if [ -f /usr/share/$product/version ]; then
@@ -1570,7 +1579,7 @@ g_timestamp=
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 
 if [ ! -f ${VARDIR}/firewall ]; then
-    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
+    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
 fi
 
 g_firewall=${VARDIR}/firewall
@@ -1622,17 +1631,17 @@ case "$COMMAND" in
 	get_config
 	[ $# -ne 1 ] && usage 1
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	mutex_on
-	run_it $g_firewall $g_debugging $nolock $COMMAND
-	mutex_off
+	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging $COMMAND
+	[ -n "$nolock" ] || mutex_off
 	;;
     reset)
 	get_config
 	shift
-	mutex_on
+	[ -n "$nolock" ] || mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	run_it $g_firewall $g_debugging $nolock reset $@
-	mutex_off
+	run_it $g_firewall $g_debugging reset $@
+	[ -n "$nolock" ] || mutex_off
 	;;
     compile)
 	get_config Yes
@@ -1921,7 +1930,7 @@ case "$COMMAND" in
 	else
 	    fatal_error "Shorewall is not started"
 	fi
-	;;	
+	;;
      noiptrace)
 	get_config
 	shift
@@ -1931,7 +1940,7 @@ case "$COMMAND" in
 	else
 	    fatal_error "Shorewall is not started"
 	fi
-	;;	
+	;;
     *)
 	usage 1
 	;;

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.10
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -105,15 +105,49 @@ fi
 %attr(0644,root,root) %{_mandir}/man5/*
 %attr(0644,root,root) %{_mandir}/man8/*
 
-%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
+%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
 }
 
 case $# in
@@ -57,4 +57,4 @@ done
 
 exit 1
 
-    
+

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -350,7 +350,13 @@ if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall6-lite
+	    else
+		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+	    fi
+
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall6-lite/shorecap

@@ -58,7 +58,7 @@ g_product="Shorewall Lite"
 
 SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
 
-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)
+[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
 
 VERBOSITY=0
 load_kernel_modules No

Shorewall6-lite/shorewall6-lite

@@ -615,7 +615,9 @@ case "$COMMAND" in
     stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	run_it $g_firewall $debugging $nolock $COMMAND
+	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $debugging $COMMAND
+	[ -n "$nolock" ] || mutex_off
 	;;
     restart)
 	shift

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.10
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,12 +93,46 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6/action.Drop

@@ -28,6 +28,11 @@ Auth(REJECT)
 #
 AllowICMPs	-	-	ipv6-icmp
 #
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #

Shorewall6/action.Reject

@@ -20,10 +20,16 @@
 #
 Auth(REJECT)
 #
-# ACCEPT critical ICMP types
+# Drop Multicasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
 #
 AllowICMPs	-	-	ipv6-icmp
 #
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast
+#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).

Shorewall6/blacklist

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -311,8 +311,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
 
 #
 # Install wait4ifup
@@ -507,6 +507,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
     run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
     echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
 fi
+
+#
+# Install the Secmarks file
+#
+run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
+    run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
+    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
+fi
 #
 # Install the default config path file
 #
@@ -718,7 +728,13 @@ fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
-	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
+
+	if [ -x /sbin/insserv ]; then
+	    insserv /etc/init.d/shorewall6
+	else
+	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
+	fi
+
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_CAPVERSION=40413
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

Shorewall6/lib.cli

@@ -134,18 +134,18 @@ syslog_circular_buffer() {
 packet_log() # $1 = number of messages
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     fi
 }
 
 search_log() # $1 = IP address to search for
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     fi
 }    
 
@@ -208,6 +208,19 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
 
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
+
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')
 
@@ -439,7 +452,7 @@ show_command() {
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -457,6 +470,20 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
+
+	    if [ -z "$LOGFILE" ]; then
+		LOGFILE=/var/log/messages
+		
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
+	    fi
+
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -667,6 +694,19 @@ dump_command() {
 	esac
     done
 
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
+
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -747,7 +787,7 @@ dump_command() {
     report_capabilities
 
     echo
-    netstat -tunap
+    netstat -6tunap
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -918,6 +958,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
+    local which
+    which='-s'
+    local range
+    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -929,19 +973,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		shift
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		shift
+		continue
+		;;
 	    *-*)
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
-		qt $IP6TABLES -D dynamic -m iprange --src-range  $1 -j DROP
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
-		$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
+		qt $IP6TABLES -D dynamic -m iprange $range  $1 -j DROP
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
+		$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IP6TABLES -D dynamic -s $1 -j reject
-		qt $IP6TABLES -D dynamic -s $1 -j DROP
-		qt $IP6TABLES -D dynamic -s $1 -j logreject
-		qt $IP6TABLES -D dynamic -s $1 -j logdrop
-		$IP6TABLES -A dynamic -s $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic $which $1 -j reject
+		qt $IP6TABLES -D dynamic $which $1 -j DROP
+		qt $IP6TABLES -D dynamic $which $1 -j logreject
+		qt $IP6TABLES -D dynamic $which $1 -j logdrop
+		$IP6TABLES -A dynamic $which $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1046,6 +1102,11 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1055,11 +1116,21 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
 		*-*)
-		    if  qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1067,10 +1138,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IP6TABLES -D dynamic -s $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -s $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -s $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -s $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic $which $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic $which $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic $which $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic $which $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1160,6 +1231,7 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
+    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1190,6 +1262,8 @@ determine_capabilities() {
     IPMARK_TARGET=
     LOG_TARGET=Yes
     FLOW_FILTER=
+    FWMARK_RT_MASK=
+    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1204,6 +1278,10 @@ determine_capabilities() {
 
     [ -n "$IP" -a -x "$IP" ] || IP=
 
+    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
+
+    [ -n "$TC" -a -x "$TC" ] || TC=
+
     qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
     qt $IP6TABLES -F $chain
@@ -1327,13 +1405,15 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     qt $IP6TABLES -F $chain1
     qt $IP6TABLES -X $chain1
 
-    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1368,7 +1448,10 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
+	if [ -n "$IPSET_MATCH" ]; then
+	    report_capability "Ipset Match" $IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1398,6 +1481,8 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
+	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1428,6 +1513,7 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
+    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1457,6 +1543,8 @@ report_capabilities1() {
     report_capability1 LOG_TARGET
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
+    report_capability1 FWMARK_RT_MASK
+    report_capability1 MARK_ANYWHERE
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/lib.common

@@ -92,7 +92,12 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	options='-'
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
+	    options="$1 -"
+	    shift;
+	else
+	    options='-'
+	fi
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -447,7 +452,11 @@ find_file()
 #
 set_state () # $1 = state
 {
-    echo "$1 ($(date))" > ${VARDIR}/state
+    if [ $# -gt 1 ]; then
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+    else
+	echo "$1 ($(date))" > ${VARDIR}/state
+    fi
 }
 
 #

Shorewall6/secmarks

@@ -0,0 +1,8 @@
+#
+# Shorewall6 version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
+#										PORT(S)	PORT(S)

Shorewall6/shorewall6

@@ -67,15 +67,15 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-	    if [ -n "$(syslog_circular_buffer)" ]; then
-		g_logread="logread | tac"
-	    elif [ -r $LOGFILE ]; then
-		g_logread="tac $LOGFILE"
-	    else
-		echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		exit 2
+	    if [ -n "$LOGFILE" ]; then
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
 	    fi
 	fi
 
@@ -299,7 +299,16 @@ compiler() {
 	set +a
     fi
 
-    $command perl $debugflags $pc $options $@
+    if [ -n "$PERL" ]; then
+	if [ ! -x "$PERL" ]; then
+	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
+	    PERL=/usr/bin/perl
+	fi
+    else
+	PERL=/usr/bin/perl
+    fi
+
+    $command $PERL $debugflags $pc $options $@
 }    
 
 #
@@ -410,7 +419,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if make -qf ${CONFDIR}/Makefile; then
+	    if ! make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -1535,17 +1544,17 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	mutex_on
-	run_it $g_firewall $g_debugging $nolock $COMMAND
-	mutex_off
+	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $g_debugging $COMMAND
+	[ -n "$nolock" ] || mutex_off
 	;;
     reset)
 	get_config
 	shift
-	mutex_on
+	[ -n "$nolock" ] || mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	run_it $g_firewall $g_debugging $nolock reset $@
-	mutex_off
+	run_it $g_firewall $g_debugging reset $@
+	[ -n "$nolock" ] || mutex_off
 	;;
     compile)
 	get_config Yes

Shorewall6/shorewall6.conf

@@ -32,9 +32,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -56,6 +54,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -151,6 +151,12 @@ DYNAMIC_BLACKLIST=Yes
 
 LOAD_HELPERS_ONLY=No
 
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.10
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,12 +98,46 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

docs/Accounting.xml

@@ -119,8 +119,7 @@
         (from <filename>/etc/protocols</filename>), a protocol number or
         <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
         iptables must have ipp2p match support from <ulink
-        url="http://www.netfilter.org">Netfilter
-        Patch_o_matic_ng</ulink>.</para>
+        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -146,7 +145,7 @@
         only be non-empty if the CHAIN is OUTPUT. The column may
         contain:</para>
 
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
+        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
 
         <para>When this column is non-empty, the rule applies only if the
         program generating the output is running under the effective
@@ -163,9 +162,6 @@
 
           <member>!:kids #program must not be run by a member of the
           <quote>kids</quote> group</member>
-
-          <member>+upnpd #program named upnpd (This feature was removed from
-          Netfilter in kernel version 2.6.14).</member>
         </simplelist>
       </listitem>
 

docs/CompiledPrograms.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2006-2007</year>
+      <year>2006-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -180,11 +180,11 @@
         disable startup of Shorewall in your init scripts. For ease of
         reference, we call this system the 'administrative system'.</para>
 
-        <para>The administrative system may be a Windows system running <ulink
-        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
-        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
-        Install from a shell prompt <ulink url="Install.htm">using the
-        install.sh script</ulink>.</para>
+        <para>The administrative system may be a GNU/Linux system, a Windows
+        system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
+        an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
+        running OS X. Install from a shell prompt <ulink
+        url="Install.htm">using the install.sh script</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -241,8 +241,10 @@
         <orderedlist>
           <listitem>
             <para>modify the files in the corresponding export directory
-            appropriately. It's a good idea to include the IP address of the
-            administrative system in the <ulink
+            appropriately (i.e., <emphasis>just as you would if you were
+            configuring Shorewall on the firewall system itself</emphasis>).
+            It's a good idea to include the IP address of the administrative
+            system in the <ulink
             url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
             file</ulink>.</para>
 
@@ -283,26 +285,29 @@
 
           <listitem>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load -c firewall</command></programlisting>
+<command>/sbin/shorewall load firewall</command></programlisting>
 
             <para>The <ulink
             url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
             command compiles a firewall script from the configuration files in
             the current working directory (using <command>shorewall compile
             -e</command>), copies that file to the remote system via scp and
-            starts Shorewall Lite on the remote system via ssh. The -c option
-            causes the capabilities of the remote system to be generated and
-            copied to a file named <filename>capabilities</filename> in the
-            export directory. See <link
-            linkend="Shorecap">below</link>.</para>
+            starts Shorewall Lite on the remote system via ssh.</para>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load -c gateway</command><note>
+            <para><command>/sbin/shorewall load gateway</command><note>
                 <para>Although scp and ssh are used by default, you can use
                 other utilities by setting RSH_COMMAND and RCP_COMMAND in
                 <filename>/etc/shorewall/shorewall.conf</filename>.</para>
               </note></para>
+
+            <para>The first time that you issue a <command>load</command>
+            command, Shorewall will use ssh to run
+            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+            remote firewall to create a capabilities file in the firewall's
+            administrative direction. See <link
+            linkend="Shorecap">below</link>.</para>
           </listitem>
         </orderedlist>
       </listitem>
@@ -456,7 +461,7 @@ clean:
       </simplelist>
     </blockquote>
 
-    <para>You will normally not need to touch
+    <para>You will normally never touch
     <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
     run Debian or one of its derivatives (see <link
     linkend="Debian">above</link>).</para>
@@ -559,11 +564,11 @@ clean:
           <blockquote>
             <para>Before editing:</para>
 
-            <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
 
             <para>After editing:</para>
 
-            <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
           </blockquote>
 
           <para>Changing CONFIG_PATH will ensure that subsequent compilations
@@ -596,14 +601,21 @@ clean:
 
           <blockquote>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load -c &lt;firewall system&gt;</command>
+<command>/sbin/shorewall load &lt;firewall system&gt;</command>
 </programlisting>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load -c gateway</command></para>
+            <para><command>/sbin/shorewall load gateway</command></para>
           </blockquote>
 
+          <para>The first time that you issue a <command>load</command>
+          command, Shorewall will use ssh to run
+          <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+          remote firewall to create a capabilities file in the firewall's
+          administrative direction. See <link
+          linkend="Shorecap">below</link>.</para>
+
           <para>The <ulink
           url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
           command compiles a firewall script from the configuration files in
@@ -640,7 +652,8 @@ clean:
 <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
 
           <para>Or simply use the -c option the next time that you use the
-          <command>reload</command> command.</para>
+          <command>reload</command> command (e.g., <command>shorewall reload
+          -c gateway</command>).</para>
         </listitem>
       </orderedlist>
     </section>

docs/Documentation_Index.xml

@@ -57,11 +57,9 @@
           <row>
             <entry></entry>
 
-            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
-            Machine)</ulink></entry>
+            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
 
-            <entry><ulink url="Laptop.html">Shorewall on a
-            Laptop</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>
@@ -104,8 +102,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
-            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Anatomy.html">Anatomy of
+            Shorewall</ulink></entry>
 
             <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
@@ -114,8 +112,8 @@
           </row>
 
           <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
-            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth
+            Control</ulink></entry>
 
             <entry><ulink url="ManualChains.html">Manual
             Chains</ulink></entry>
@@ -125,9 +123,8 @@
           </row>
 
           <row>
-            <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
-            (<ulink
-            url="blacklisting_support_ru.html">Russian</ulink>)</entry>
+            <entry><ulink
+            url="blacklisting_support.htm">Blacklisting</ulink></entry>
 
             <entry><ulink
             url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@@ -187,7 +184,7 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry> <ulink url="simple_traffic_shaping.html">Traffic
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
             Shaping/QOS - Simple</ulink></entry>
           </row>
 
@@ -199,8 +196,7 @@
             NAT)</entry>
 
             <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            Complex</ulink></entry>
           </row>
 
           <row>
@@ -322,8 +318,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Install.htm">Installation/Upgrade</ulink>
-            (<ulink url="Install_fr.html">Français</ulink>)</entry>
+            <entry><ulink
+            url="Install.htm">Installation/Upgrade</ulink></entry>
 
             <entry><ulink url="ReleaseModel.html">Release
             Model</ulink></entry>
@@ -386,6 +382,16 @@
 
             <entry></entry>
           </row>
+
+          <row>
+            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
+            Machine)</ulink></entry>
+
+            <entry><ulink url="Laptop.html">Shorewall on a
+            Laptop</ulink></entry>
+
+            <entry></entry>
+          </row>
         </tbody>
       </tgroup>
     </informaltable>

docs/FAQ.xml

@@ -687,11 +687,9 @@ eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</em
           <para>That rule (and the second one in the previous bullet) only
           works of course if you have a static external IP address. If you
           have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename> (or your
-          <filename>&lt;export directory&gt;/init</filename> file if you are
-          using Shorewall Lite on the firewall system):</para>
+          <filename>/etc/shorewall/params</filename>.</para>
 
-          <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>        </programlisting>
+          <programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command>        </programlisting>
 
           <para>and make your DNAT rule:</para>
 
@@ -712,6 +710,14 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
             will return 0.0.0.0 if the interface has no configured IP address;
             the latter terminates the calling program.</para>
           </note>
+
+          <note>
+            <para>If you run Shorewall-lite on your firewall, you must use the
+            following in the firewall's configuration directory
+            <filename>params</filename> file:</para>
+
+            <programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
+          </note>
         </listitem>
       </itemizedlist>
 
@@ -1182,6 +1188,18 @@ to debug/develop the newnat interface.</programlisting></para>
   <section id="Logging">
     <title>Logging</title>
 
+    <section id="faq91">
+      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
+      spit out logs to /var/log/shorewall.log and it's not happening after I
+      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
+      the correct line, right? </title>
+
+      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
+      The LOGFILE setting tells Shorewall where to find the log; it does not
+      determine where messages are written. See <link linkend="faq6">the next
+      FAQ</link>.</para>
+    </section>
+
     <section id="faq6">
       <title>(FAQ 6) Where are the log messages written and how do I change
       the destination?</title>
@@ -2090,6 +2108,57 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
       <filename>/etc/shorewall/params</filename> when processing the <emphasis
       role="bold">restore</emphasis> command.</para>
     </section>
+
+    <section id="faq90">
+      <title>(FAQ 90) Shorewall starts fine but after several minutes, it
+      stops. Why is it doing that?</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> Shorewall uses the
+      presence of a chain named <emphasis>shorewall</emphasis> to indicate
+      whether is started or stopped. That chain is created during execution of
+      a successful <emphasis role="bold">start</emphasis>, <emphasis
+      role="bold">restart</emphasis> or <emphasis
+      role="bold">restore</emphasis> command and is removed during <emphasis
+      role="bold">stop</emphasis> and <emphasis role="bold">clear</emphasis>.
+      If <emphasis role="bold">shorewall status</emphasis> indicates that
+      Shorewall is stopped, then something has deleted that chain. Look at the
+      output of <emphasis role="bold">shorewall status</emphasis>; if it looks
+      like this:</para>
+
+      <blockquote>
+        <programlisting>gateway:~# shorewall status
+Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010
+
+Shorewall is <emphasis role="bold">stopped</emphasis>
+State:<emphasis role="bold">Started</emphasis> (Tue Jul 20 16:01:49 PDT 2010)
+
+gateway:~# 
+</programlisting>
+      </blockquote>
+
+      <para>then it means that somehing outside of Shorewall has deleted the
+      chain. This usually means that you were running another firewall package
+      before you installed Shorewall and that other package has replaced
+      Shorewall's Netfilter configuration with its own. You must remove (or at
+      least disable) the other firewall package and restart Shorewall.</para>
+
+      <blockquote>
+        <programlisting>gateway:~# shorewall status
+Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010
+
+Shorewall is <emphasis role="bold">stopped</emphasis>
+State:<emphasis role="bold">Stopped</emphasis> (Wed Jul 21 13:26:26 PDT 2010)
+
+gateway:~# </programlisting>
+      </blockquote>
+
+      <para>then a <emphasis role="bold">shorewall stop</emphasis> command has
+      been executed (if the State shown in the output is <emphasis
+      role="bold">Cleared</emphasis>, then a <emphasis role="bold">shorewall
+      clear</emphasis> command was executed). Most likely, you have installed
+      and configured the <emphasis>shorewall-init</emphasis> package and a
+      required interface has gone down.</para>
+    </section>
   </section>
 
   <section id="MultiISP">
@@ -2324,9 +2393,13 @@ We have an error talking to the kernel
       subzones? I've got a system with Linux-VServers, it's one interface
       (eth0) with multiple IPs</title>
 
-      <para><emphasis role="bold">Answer</emphasis>: There is no way to create
-      sub-zones of the firewall zone. But you can use shell variables to make
-      vservers easier to deal with.</para>
+      <para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall
+      4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver
+      zones</ulink> that are nested within the firewall zone.</para>
+
+      <para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
+      firewall zone. But you can use shell variables to make vservers easier
+      to deal with.</para>
 
       <para><filename>/etc/shorewall/params</filename>:</para>
 

docs/GettingStarted.xml

@@ -22,6 +22,8 @@
 
       <year>2007</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -45,33 +47,41 @@
     </listitem>
   </itemizedlist>
 
+  <para>Now, <ulink url="Install.htm">install Shorewall</ulink>.</para>
+
   <para>Next, read the QuickStart Guide that is appropriate for your
   configuration:</para>
 
+  <para><emphasis role="bold">If you just want to protect a system: (Requires
+  Shorewall 4.4.12-Beta3 or later)</emphasis></para>
+
+  <itemizedlist>
+    <listitem>
+      <para><ulink url="Universal.html">Universal</ulink> configuration --
+      requires no configuration to protect a single system.</para>
+    </listitem>
+  </itemizedlist>
+
   <para><emphasis role="bold">If you have only one public IP
   address:</emphasis></para>
 
   <itemizedlist>
     <listitem>
       <para><ulink url="standalone.htm">Standalone</ulink> Linux System with a
-      single network interface (<ulink url="standalone_fr.html">Version
-      Française</ulink>) <ulink url="standalone_ru.html">(Russian
-      Version)</ulink> <ulink url="standalone_es.html">Version en
-      Español</ulink></para>
+      single network interface (if you are running Shorewall 4.4.12 Beta 3 or
+      later, use the <ulink url="Universal.html">Universal</ulink>
+      configuration instead).</para>
     </listitem>
 
     <listitem>
       <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network (<ulink
-      url="two-interface_fr.html">Version Française</ulink>) (<ulink
-      url="two-interface_ru.html">Russian Version</ulink>)</para>
+      acting as a firewall/router for a small local network</para>
     </listitem>
 
     <listitem>
       <para><ulink url="three-interface.htm">Three-interface</ulink> Linux
-      System acting as a firewall/router for a small local network and a DMZ..
-      (<ulink url="three-interface_fr.html">Version Française</ulink>) (<ulink
-      url="three-interface_ru.html">Russian Version</ulink>)</para>
+      System acting as a firewall/router for a small local network and a
+      DMZ.</para>
     </listitem>
   </itemizedlist>
 
@@ -81,11 +91,10 @@
   <itemizedlist>
     <listitem>
       <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
-      Française</ulink>) outlines the steps necessary to set up a firewall
-      where there are multiple public IP addresses involved or if you want to
-      learn more about Shorewall than is explained in the single-address
-      guides above.</para>
+      Guide</ulink> outlines the steps necessary to set up a firewall where
+      there are multiple public IP addresses involved or if you want to learn
+      more about Shorewall than is explained in the single-address guides
+      above.</para>
     </listitem>
   </itemizedlist>
 

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 4.4/4.5 Manpages</title>
+    <title>Shorewall 4.4 Manpages</title>
 
     <authorgroup>
       <author>
@@ -129,6 +129,9 @@
         <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
+        <member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
+        - Attach an SELinux context to a packet.</member>
+
         <member><ulink
         url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
         classes for traffic shaping.</member>
@@ -137,6 +140,11 @@
         url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
         speed of devices for traffic shaping.</member>
 
+        <member><ulink
+        url="manpages/shorewall-tcfilters.html">tcfilters</ulink> - Classify
+        traffic for shaping; often used with an IFB to shape ingress
+        traffic.</member>
+
         <member><ulink
         url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
         Specify devices for simplified traffic shaping.</member>
@@ -184,6 +192,11 @@
         <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
         /sbin/shorewall command syntax and semantics.</member>
 
+        <member><ulink
+        url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
+        package that allows for automatic start/stop of other Shorewall
+        products based on network events.</member>
+
         <member><ulink
         url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
         /sbin/shorewall-lite command syntax and semantics.</member>

docs/Manpages6.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall6 4.4/4.5 Manpages</title>
+    <title>Shorewall6 4.4 Manpages</title>
 
     <authorgroup>
       <author>
@@ -114,6 +114,10 @@
         <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
+        <member><ulink
+        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
+        an SELinux context to a packet.</member>
+
         <member><ulink
         url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
         htb classes for traffic shaping.</member>

docs/MultiISP.xml

@@ -1100,6 +1100,40 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
       </section>
     </section>
 
+    <section>
+      <title>Looking at the routing tables</title>
+
+      <para>To look at the various routing tables, you must use the <emphasis
+      role="bold">ip</emphasis> utility. To see the entire routing
+      configuration (including rules), the command is <command>shorewall show
+      routing</command>. To look at an individual provider's table use
+      <command>ip route ls table <replaceable>provider</replaceable></command>
+      where <replaceable>provider</replaceable> can be either the provider
+      name or number.</para>
+
+      <para>Example:</para>
+
+      <programlisting>lillycat:- #<command>ip route ls</command>
+144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199
+71.190.227.208 dev ppp1  proto kernel  scope link  src 71.24.88.151
+192.168.7.254 dev eth1  scope link  src 192.168.7.1
+192.168.7.253 dev eth1  scope link  src 192.168.7.1
+192.168.7.0/24 dev eth1  proto kernel  scope link  src 192.168.7.1
+192.168.5.0/24 via 192.168.4.2 dev eth0
+192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223
+192.168.1.0/24 via 192.168.4.222 dev eth0
+default
+        nexthop dev ppp1 weight 2
+        nexthop dev ppp0 weight 1
+lillycat: #ip <command>route ls provider 1</command>
+144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199 
+192.168.5.0/24 via 192.168.4.2 dev eth0 
+192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223 
+192.168.1.0/24 via 192.168.4.222 dev eth0 
+default dev ppp0  scope link 
+lillycat: #</programlisting>
+    </section>
+
     <section id="USE_DEFAULT_RT">
       <title>USE_DEFAULT_RT</title>
 
@@ -1527,7 +1561,7 @@ connection {
 
 connection {
     name=Comcast
-    checkip=${ETH0_GATEWAY:-71.231.152.1}
+    checkip=${SW_ETH0_GATEWAY:-71.231.152.1}
     device=$COM_IF
     ttl=1
 }
@@ -1543,9 +1577,14 @@ EOF
    /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
 
-        <para>eth3 has a dynamic IP address so I need to use the
-        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
-        value to be used in the event that detection fails.</para>
+        <para>eth0 has a dynamic IP address so I need to use the
+        Shorewall-detected gateway address ($SW_ETH1_GATEWAY). I supply a
+        default value to be used in the event that detection fails.</para>
+
+        <note>
+          <para>In Shorewall 4.4.7 and earlier, the variable name is
+          ETH1_GATEWAY.</para>
+        </note>
 
         <para><filename>/etc/shorewall/started</filename>:</para>
 

docs/NetfilterOverview.xml

@@ -89,8 +89,8 @@
     Shorewall system itself.</para>
 
     <para>A more elaborate version of this flow is available <ulink
-    url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>
-    and <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
+    url="http://jengelh.medozas.de/images/nf-packet-flow.png">here</ulink> and
+    <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
     contrasts the Netfilter flow with that of ipchains.</para>
 
     <para>In the above diagram are boxes similar to this:</para>

docs/OPENVPN.xml

@@ -498,6 +498,202 @@ DNAT	172.20.1.0/24		tun1		192.168.1.0/24
     the right as 172.20.1.0/24.</para>
   </section>
 
+  <section>
+    <title>Roadwarrior with IPv6</title>
+
+    <para>While OpenVPN supports tunneling of IPv6 packets, the version of the
+    code that I run under OS X on my Macbook Pro does not support that option.
+    Nevertheless, I am able to take IPv6 on the road with me by creating a
+    6to4 tunnel through the OpenVPN IPv6 tunnel. In this configuration, the
+    IPv4 address pair (172.20.0.10,172.20.0.11) is used for the OpenVPN tunnel
+    and (2001:470:e857:2::1,2001:470:e857:2::2) is used for the 6to4
+    tunnel.</para>
+
+    <para>Here are my config files:</para>
+
+    <para>Server (conventional routed server config):</para>
+
+    <blockquote>
+      <programlisting>dev tun
+
+local 70.90.191.121
+
+server 172.20.0.0 255.255.255.128
+
+dh dh1024.pem
+
+ca /etc/certs/cacert.pem
+
+crl-verify /etc/certs/crl.pem
+
+cert /etc/certs/gateway.pem
+key /etc/certs/gateway_key.pem
+
+port 1194
+
+comp-lzo
+
+user nobody
+group nogroup
+
+keepalive 15 45
+ping-timer-rem
+persist-tun
+persist-key
+
+client-config-dir /etc/openvpn/clients
+ccd-exclusive
+client-to-client
+
+push "route 172.20.1.0 255.255.255.0"
+
+verb 3</programlisting>
+
+      <para>In the CCD file for the Macbook Pro:</para>
+
+      <programlisting>ifconfig-push <emphasis role="bold">172.20.0.11 172.20.0.10</emphasis></programlisting>
+
+      <para>From <filename>/etc/network/interfaces</filename> (very standard
+      <ulink url="6to4.htm#SixInFour">6to4 tunnel
+      configuration</ulink>):</para>
+
+      <programlisting>auto mac
+iface mac inet6 v4tunnel
+      address <emphasis role="bold">2001:470:e857:2::1</emphasis>
+      netmask 64
+      endpoint <emphasis role="bold">172.20.0.11</emphasis>
+      local <emphasis role="bold">172.20.1.254</emphasis></programlisting>
+
+      <para>Note that while the remote endpoint (172.20.0.11) is also the
+      remote endpoint of the OpenVPN tunnel, the local endpoint (172.20.1.254)
+      of the 6to4 tunnel is not the local endpoint of the OpenVPN tunnel
+      (that;s 172.20.0.10). 172.20.1.254 is the IPv4 address of the Shorewall
+      firewall's LAN interface.</para>
+
+      <para>The following excerpts from the Shorewall configuration show the
+      parts of that configuration that are relevant to these two tunnels (bold
+      font). <emphasis role="bold">This is not a complete
+      configuration.</emphasis></para>
+
+      <para><filename>/etc/shorewall/zones</filename>:</para>
+
+      <programlisting>#ZONE           TYPE
+fw              firewall
+loc             ip              #Local Zone
+drct:loc        ipv4            #Direct internet access
+net             ipv4            #Internet
+<emphasis role="bold">vpn             ipv4 </emphasis>           #OpenVPN clients</programlisting>
+
+      <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+      <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
+net    COM_IF     detect    dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
+<emphasis role="bold">vpn    TUN_IF+    detect    physical=tun+,routeback</emphasis>
+-      sit1       -         ignore
+<emphasis role="bold">-      mac        -         ignore</emphasis>
+-      EXT_IF     -         ignore
+-      lo         -         ignore</programlisting>
+
+      <para><filename>/etc/shorewall/tunnels</filename>:</para>
+
+      <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+#                                               ZONE
+<emphasis role="bold">openvpnserver:udp       net</emphasis>
+6to4                    net
+<emphasis role="bold">6to4                    vpn</emphasis></programlisting>
+
+      <para>Similarly, here are exerpts from the Shorewall6
+      configuration.</para>
+
+      <para><filename>/etc/shorewall6/zones</filename>:</para>
+
+      <programlisting>#ZONE     TYPE     OPTIONS        IN            OUT
+#                                 OPTIONS       OPTIONS
+fw        firewall
+net       ipv6
+<emphasis role="bold">loc       ipv6</emphasis>
+rest      ipv6</programlisting>
+
+      <para><filename>/etc/shorewall6/interfaces</filename>:</para>
+
+      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+net     sit1            detect          tcpflags,forward=1,nosmurfs,routeback
+loc     eth4            detect          tcpflags,forward=1
+<emphasis role="bold">loc     mac             detect          tcpflags,forward=1</emphasis>
+rest    eth+</programlisting>
+
+      <para>Note that in the IPv6 firewall configuration, the remove Macbook
+      Pro is considered to be part of the local zone (loc).</para>
+    </blockquote>
+
+    <para>Client (conventional routed client config):</para>
+
+    <blockquote>
+      <programlisting>client
+
+dev tun
+
+proto udp
+
+remote gateway.shorewall.net 1194
+
+resolv-retry infinite
+
+nobind
+
+persist-key
+persist-tun
+
+mute-replay-warnings
+
+ca ca.crt
+cert mac.crt
+key mac.key
+
+ns-cert-type server
+
+comp-lzo
+
+verb 3
+
+up /Users/teastep/bin/up
+down /Users/teastep/bin/down
+</programlisting>
+
+      <para><filename>/Users/teastep/bin/up</filename>:</para>
+
+      <programlisting>#!/bin/bash
+LOCAL_IP=<emphasis role="bold">172.20.0.11</emphasis>
+LOCAL_IPV6=<emphasis role="bold">2001:470:e857:2::2</emphasis>
+REMOTE_IP=<emphasis role="bold">172.20.1.254</emphasis>
+REMOTE_IPV6=<emphasis role="bold">2001:470:e857:2::1</emphasis>
+TUNNEL_IF=gif0
+
+if [ $(ifconfig gif0 | wc -l ) -eq 1 ]; then
+    #
+    # Tunnel interface is not configured yet
+    #
+    /sbin/ifconfig $TUNNEL_IF tunnel $LOCAL_IP $REMOTE_IP
+    /sbin/ifconfig $TUNNEL_IF inet6 $LOCAL_IPV6 $REMOTE_IPV6 prefixlen 128
+else
+    /sbin/ifconfig $TUNNEL_IF up
+fi
+
+/sbin/route -n add -inet6 default $REMOTE_IPV6 &gt; /dev/null 2&gt;&amp;1</programlisting>
+
+      <para><filename>/Users/teastep/bin/down</filename>:</para>
+
+      <programlisting>#!/bin/bash
+
+TUNNEL_IF=gif0
+
+/sbin/ifconfig $TUNNEL_IF down
+/sbin/route -n delete -inet6 default &gt; /dev/null 2&gt;&amp;1
+</programlisting>
+    </blockquote>
+  </section>
+
   <section>
     <title>Bridged Roadwarrior</title>
 

docs/PacketMarking.xml

@@ -267,6 +267,108 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
         <para>Connection marking rules use a mask value of 0xff.</para>
       </listitem>
     </itemizedlist>
+
+    <para>Shorewall actually allows you to have complete control over the
+    layout of the 32-bit mark using the following options in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>TC_BITS</term>
+
+        <listitem>
+          <para>The number of bits at the low end of the mark to be used for
+          traffic shaping marking. May be zero.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_BITS</term>
+
+        <listitem>
+          <para>The number of bits in the mark to be used for provider
+          numbers. May be zero.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_OFFSET</term>
+
+        <listitem>
+          <para>The offset from the right (low-order end) of the provider
+          number field. If non-zero, must be &gt;= TC_BITS (Shorewall
+          automatically adjusts PROVIDER_OFFSET's value). PROVIDER_OFFSET +
+          PROVIDER_BITS must be &lt;= 32.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>MASK_BITS</term>
+
+        <listitem>
+          <para>Number of bits on the right of the mark to be masked when
+          clearing the traffic shaping mark. Must be &gt;= TC_BITS and &lt;=
+          PROVIDER_OFFSET (if PROVIDER_OFFSET &gt; 0)</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The relationship between these options is shown in this
+    diagram.</para>
+
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+
+    <para></para>
+
+    <para>The default values of these options are determined by the settings
+    of other options as follows:</para>
+
+    <table>
+      <title>Default Values</title>
+
+      <tgroup cols="2">
+        <tbody>
+          <row>
+            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
+
+            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
+            MASK_BITS=8</entry>
+          </row>
+
+          <row>
+            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes</entry>
+
+            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8,
+            MASK_BITS=8</entry>
+          </row>
+
+          <row>
+            <entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No</entry>
+
+            <entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
+            MASK_BITS=16</entry>
+          </row>
+
+          <row>
+            <entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes</entry>
+
+            <entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16,
+            MASK_BITS=16</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+
+    <para>The existence of both TC_BITS and MASK_BITS is owed to the way that
+    WIDE_TC_MARKS was originally implemented. Note that TC_BITS is 14 rather
+    than 16 when WIDE_TC_MARKS=Yes.</para>
+
+    <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
+    PROVIDER_OFFSET can be used for any purpose you want.</para>
+
+    <para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
+    used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
+    exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
   </section>
 
   <section id="Shorewall">

docs/Shorewall-init.xml

@@ -74,13 +74,13 @@
     <title>Closing the Firewall before the Network Interfaces are brought
     up</title>
 
-    <para> When Shorewall-init is first installed, it does nothing until you
+    <para>When Shorewall-init is first installed, it does nothing until you
     configure it.</para>
 
     <para>The configuration file is <filename>/etc/default/shorewall-init
     </filename>on Debian-based systems and
     <filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
-    two settings in the file: </para>
+    two settings in the file:</para>
 
     <variablelist>
       <varlistentry>
@@ -115,7 +115,7 @@
       <listitem>
         <para>Be sure that your current firewall script(s) (normally in
         <filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are)
-        compiled with the 4.4.10 compiler. </para>
+        compiled with the 4.4.10 compiler.</para>
 
         <para>Shorewall and Shorewall6 users can execute these
         commands:</para>
@@ -139,7 +139,7 @@
       </listitem>
     </orderedlist>
 
-    <para>That's all that is required. </para>
+    <para>That's all that is required.</para>
   </section>
 
   <section id="NM">
@@ -147,7 +147,7 @@
 
     <para>To integrate with NetworkManager and ifup/ifdown, additional steps
     are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM. </para>
+    link status monitor like swping or LSM.</para>
 
     <orderedlist numeration="loweralpha">
       <listitem>
@@ -165,15 +165,21 @@
       <listitem>
         <para>Optional) -- If you have specified at least one
         <option>required</option> or <option>optional</option> interface, you
-        can then disable automatic firewall startup at boot time. On
-        Debian-based systems, set startup=0 in
+        can then disable automatic firewall startup at boot time. On Debian
+        systems, set startup=0 in
         <filename>/etc/default/<replaceable>product</replaceable></filename>.
         On other systems, use your service startup configuration tool
-        (chkconfig, insserv, ...) to disable startup. </para>
+        (chkconfig, insserv, ...) to disable startup.</para>
+
+        <warning>
+          <para>If your system uses Upstart as it's system initialization
+          daemon, you should not disable startup. Upstart is standard on
+          recent Ubuntu and Fedora releases and is optional on Debian.</para>
+        </warning>
       </listitem>
     </orderedlist>
 
-    <para>The following actions occur when an interface comes up: </para>
+    <para>The following actions occur when an interface comes up:</para>
 
     <informaltable>
       <tgroup cols="3">
@@ -253,7 +259,7 @@
       </tgroup>
     </informaltable>
 
-    <para> For optional interfaces, the
+    <para>For optional interfaces, the
     <filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
     files are maintained to reflect the state of the interface so that they
     may be used by the standard <firstterm>isusable</firstterm> script. Please
@@ -272,13 +278,13 @@
 
     <para>Similarly, if an optional interface goes down and there are no
     optional interfaces remaining in the up state, then the firewall is
-    stopped. </para>
+    stopped.</para>
 
     <para>On Debian-based systems, during system shutdown the firewall is
     opened prior to network shutdown (<command>/etc/init.d/shorewall
     stop</command> performs a 'clear' operation rather than a 'stop'). This is
     required by Debian standards. You can change this default behavior by
     setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
-    (<filename>/etc/default/shorewall6</filename>, ...). </para>
+    (<filename>/etc/default/shorewall6</filename>, ...).</para>
   </section>
 </article>

docs/Shorewall_Squid_Usage.xml

@@ -320,7 +320,7 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
     url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
 
     <para>The following configuration works with Squid running on the firewall
-    itself.</para>
+    itself (assume that Squid is listening on port 3128).</para>
 
     <para><filename>/etc/shorewall/interfaces:</filename></para>
 
@@ -332,7 +332,7 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
     <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
 Tproxy    1        1        -           lo        -            local</programlisting>
 
-    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
+    <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
     eth1):</para>
 
     <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
@@ -341,7 +341,7 @@ TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
     <para>/etc/shorewall/rules:</para>
 
     <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
-ACCEPT    Z        $FW    tcp     SP
+ACCEPT    loc      $FW    tcp     3128
 ACCEPT    $FW      net    tcp     80</programlisting>
   </section>
 </article>

docs/Universal.xml

@@ -0,0 +1,352 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Universal Configuration</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2010</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Configuring Shorewall</title>
+
+    <para>Once you have installed the Shorewall software, you must configure
+    it. The easiest way to do that is to use one of Shorewall's
+    <firstterm>Sample Configurations</firstterm>. The Universal Configuration
+    is one of those samples.</para>
+  </section>
+
+  <section>
+    <title>What the Universal Configuration does</title>
+
+    <para>The Universal Shorewall configuration requires that you simply copy
+    the configuration to <filename class="directory">/etc/shorewall</filename>
+    and start Shorewall. This sample configuation:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Allows all outgoing traffic.</para>
+      </listitem>
+
+      <listitem>
+        <para>Blocks all incoming connections except:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Secure Shell</para>
+          </listitem>
+
+          <listitem>
+            <para>Ping</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>Allows forwarding of traffic, provided that the system has more
+        than one interface or is set up to route between networks on a single
+        interface.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section>
+    <title>How to Install it</title>
+
+    <para>The location of the sample configuration files is dependent on your
+    distribution and <ulink url="Install.htm">how you installed
+    Shorewall</ulink>.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>If you installed using an <acronym>RPM</acronym>, the samples
+        will be in the <filename
+        class="directory">Samples/Universal</filename> subdirectory of the
+        Shorewall documentation directory. If you don't know where the
+        Shorewall documentation directory is, you can find the samples using
+        this command:</para>
+
+        <programlisting>~# rpm -ql shorewall-common | fgrep Universal
+/usr/share/doc/packages/shorewall/Samples/Universal
+/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
+/usr/share/doc/packages/shorewall/Samples/Universal/policy
+/usr/share/doc/packages/shorewall/Samples/Universal/rules
+/usr/share/doc/packages/shorewall/Samples/Universal/zones
+~#</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>If you installed using the tarball, the samples are in the
+        <filename class="directory">Samples/Universal</filename> directory in
+        the tarball.</para>
+      </listitem>
+
+      <listitem>
+        <para>If you installed using a Shorewall 4.x .deb, the samples are in
+        <filename
+        class="directory">/usr/share/doc/shorewall-common/examples/Universal</filename>..
+        You do not need the shorewall-doc package to have access to the
+        samples.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Simple copy the files from the Universal directory to
+    /etc/shorewall.</para>
+  </section>
+
+  <section>
+    <title>How to Start the firewall</title>
+
+    <para>Before starting Shorewall for the first time, it's a good idea to
+    stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt
+    type:</para>
+
+    <blockquote>
+      <para><command>service iptables stop</command></para>
+    </blockquote>
+
+    <para>If you are running SuSE, use Yast or Yast2 to stop
+    SuSEFirewall.</para>
+
+    <para>Once you have Shorewall running to your satisfaction, you should
+    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
+
+    <blockquote>
+      <para><command>chkconfig --del iptables</command></para>
+    </blockquote>
+
+    <para>At a root prompt, type:</para>
+
+    <blockquote>
+      <para><command>/sbin/shorewall start</command></para>
+    </blockquote>
+
+    <para>That's it. Shorewall will automatically start again when you
+    reboot.</para>
+  </section>
+
+  <section>
+    <title>Now that it is running, ...</title>
+
+    <section>
+      <title>How do I stop the firewall?</title>
+
+      <para>At a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall clear</command></para>
+      </blockquote>
+
+      <para>The system is now 'wide open'.</para>
+    </section>
+
+    <section>
+      <title>How do I prevent it from responding to ping?</title>
+
+      <para>Edit <filename>/etc/shorewall/rules</filename> and remove the line
+      that reads:</para>
+
+      <blockquote>
+        <para>Ping(ACCEPT) net $FW</para>
+      </blockquote>
+
+      <para>and at a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall restart</command></para>
+      </blockquote>
+    </section>
+
+    <section>
+      <title>How do I allow other kinds of incoming connections?</title>
+
+      <para>Shorewall includes a collection of <firstterm>macros</firstterm>
+      that can be used to quickly allow or deny services. You can find a list
+      of the macros included in your version of Shorewall using the command
+      <command>ls <filename>/usr/share/shorewall/macro.*</filename></command>
+      or at a shell prompt type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall show macros</command></para>
+      </blockquote>
+
+      <para>If you wish to enable connections from the Internet to your
+      firewall and you find an appropriate macro in
+      <filename>/etc/shorewall/macro.*</filename>, the general format of a
+      rule in <filename>/etc/shorewall/rules</filename> is:</para>
+
+      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
+&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net       $FW</programlisting>
+
+      <important>
+        <para>Be sure to add your rules after the line that reads <emphasis
+        role="bold">SECTION NEW.</emphasis></para>
+      </important>
+
+      <example id="Example1">
+        <title>You want to run a Web Server and a IMAP Server on your firewall
+        system:</title>
+
+        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
+Web(ACCEPT) net       $FW
+IMAP(ACCEPT)net       $FW</programlisting>
+      </example>
+
+      <para>You may also choose to code your rules directly without using the
+      pre-defined macros. This will be necessary in the event that there is
+      not a pre-defined macro that meets your requirements. In that case the
+      general format of a rule in <filename>/etc/shorewall/rules</filename>
+      is:</para>
+
+      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+ACCEPT    net       $FW             <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
+
+      <example id="Example2">
+        <title>You want to run a Web Server and a IMAP Server on your firewall
+        system:</title>
+
+        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+ACCEPT    net       $FW             tcp          80
+ACCEPT    net       $FW             tcp          143</programlisting></para>
+      </example>
+
+      <para>If you don't know what port and protocol a particular application
+      uses, see <ulink url="ports.htm">here</ulink>.</para>
+    </section>
+
+    <section>
+      <title>How do I make the firewall log a message when it disallows an
+      incoming connection?</title>
+
+      <para>Shorewall does not maintain a log itself but rather relies on your
+      <ulink url="shorewall_logging.html">system's logging
+      configuration</ulink>. The following <ulink
+      url="manpages/shorewall.html">commands</ulink> rely on knowing where
+      Netfilter messages are logged:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><command>shorewall show log</command> (Displays the last 20
+          Netfilter log messages)</para>
+        </listitem>
+
+        <listitem>
+          <para><command>shorewall logwatch</command> (Polls the log at a
+          settable interval</para>
+        </listitem>
+
+        <listitem>
+          <para><command>shorewall dump</command> (Produces an extensive
+          report for inclusion in Shorewall problem reports)</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>It is important that these commands work properly because when you
+      encounter connection problems when Shorewall is running, the first thing
+      that you should do is to look at the Netfilter log; with the help of
+      <ulink url="FAQ.htm#faq17">Shorewall FAQ 17</ulink>, you can usually
+      resolve the problem quickly.</para>
+
+      <para>The Netfilter log location is distribution-dependent:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Debian and its derivatives log Netfilter messages to
+          <filename>/var/log/kern.log</filename>.</para>
+        </listitem>
+
+        <listitem>
+          <para>Recent <trademark>SuSE/OpenSuSE</trademark> releases come
+          preconfigured with syslog-ng and log netfilter messages to
+          <filename>/var/log/firewall</filename>.</para>
+        </listitem>
+
+        <listitem>
+          <para>For other distributions, Netfilter messages are most commonly
+          logged to <filename>/var/log/messages</filename>.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Modify the LOGFILE setting in
+      <filename>/etc/shorewall/shorewall.conf</filename> to specify the name
+      of your log.</para>
+
+      <important>
+        <para>The LOGFILE setting does not control where the Netfilter log is
+        maintained -- it simply tells the /sbin/<filename>shorewall</filename>
+        utility where to find the log.</para>
+      </important>
+
+      <para>Now, edit <filename>/etc/shorewall/policy</filename> and modify
+      the line that reads:</para>
+
+      <blockquote>
+        <para>net all DROP</para>
+      </blockquote>
+
+      <para>to</para>
+
+      <blockquote>
+        <para>net all DROP <emphasis role="bold">info</emphasis></para>
+      </blockquote>
+
+      <para>Then at a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall restart</command></para>
+      </blockquote>
+    </section>
+
+    <section>
+      <title>How do I prevent the firewall from forwarding connection
+      requests?</title>
+
+      <para>Edit /etc/shorewall/interfaces, and remove the routeback option
+      from the interface. e.g., change the line that reads:</para>
+
+      <blockquote>
+        <para>net all - dhcp,physical=+<emphasis
+        role="bold">,routeback</emphasis>,optional</para>
+      </blockquote>
+
+      <para>to</para>
+
+      <blockquote>
+        <para>net all - dhcp,physical=+,optional</para>
+      </blockquote>
+
+      <para>Then at a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall restart</command></para>
+      </blockquote>
+    </section>
+  </section>
+</article>

docs/Vserver.xml

@@ -0,0 +1,172 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall and Linux-vserver</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2010</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Formal support for Linux-vserver was added in Shorewall 4.4.11
+    Beta2. The centerpiece of that support is the
+    <firstterm>vserver</firstterm> zone type. Vserver zones have the following
+    characteristics:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>They are defined on the Linux-vserver host.</para>
+      </listitem>
+
+      <listitem>
+        <para>The $FW zone is their implicit parent.</para>
+      </listitem>
+
+      <listitem>
+        <para>Their contents must be defined using the <ulink
+        url="manpages/shorewall-hosts.html">shorewall-hosts </ulink>(5) file.
+        The <emphasis role="bold">ipsec</emphasis> option may not be
+        specified.</para>
+      </listitem>
+
+      <listitem>
+        <para>They may not appear in the ZONE column of the <ulink
+        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
+        (5) file.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>If you use these zones, keep in mind that Linux-vserver implements a
+    very weak form of network virtualization:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>From a networking point of view, vservers live on the host
+        system. So if you don't use care, Vserver traffic to/from zone z will
+        be controlled by the fw-&gt;z and z-&gt;fw rules and policies rather
+        than by vserver-&gt;z and z-&gt;vserver rules and policies.</para>
+      </listitem>
+
+      <listitem>
+        <para>Outgoing connections from a vserver will not use the Vserver's
+        address as the SOURCE IP address unless you configure applications
+        running in the Vserver properly. This is especially true for IPv6
+        applications. Such connections will appear to come from the $FW zone
+        rather than the intended Vserver zone.</para>
+      </listitem>
+
+      <listitem>
+        <para>While you can define the vservers to be associated with the
+        network interface where their IP addresses are added at vserver
+        startup time, Shorewall internally associates all vservers with the
+        loopback interface (<emphasis role="bold">lo</emphasis>). Here's an
+        example of how that association can show up:</para>
+
+        <programlisting>gateway:~# shorewall show zones
+Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul  2 12:26:30 PDT 2010
+
+fw (firewall)
+drct (ipv4)
+   eth4:+drct_eth4
+loc (ipv4)
+   eth4:0.0.0.0/0
+net (ipv4)
+   eth1:0.0.0.0/0
+vpn (ipv4)
+   tun+:0.0.0.0/0
+dmz (<emphasis role="bold">vserver</emphasis>)
+   <emphasis role="bold">lo</emphasis>:70.90.191.124/31
+
+gateway:~#</programlisting>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section>
+    <title>Vserver Zones</title>
+
+    <para>Here is a diagram of the network configuration here at Shorewall.net
+    during the summer of 2010:</para>
+
+    <graphic align="center" fileref="images/Network2010a.png" />
+
+    <para>I created a zone for the vservers as follows:</para>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE           TYPE            OPTIONS            ...
+fw              firewall
+loc             ip              #Local Zone
+drct:loc        ipv4            #Direct internet access
+net             ipv4            #Internet
+vpn             ipv4            #OpenVPN clients
+<emphasis role="bold">dmz             vserver         #Vservers</emphasis></programlisting>
+
+    <para><filename>/etc/shorewall/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+drct    eth4:dynamic
+<emphasis role="bold">dmz     eth1:70.90.191.124/31</emphasis></programlisting>
+
+    <para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
+    configured on eth1, the actual interface name is irrelevate so long as the
+    interface is defined in <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
+    Shorewall will consider all vserver zones to be associated with the
+    loopback interface (<emphasis role="bold">lo</emphasis>).</para>
+
+    <para>Once a vserver zone is defined, it can be used like any other zone
+    type.</para>
+
+    <para>Here is the corresponding IPv6 configuration.</para>
+
+    <para><filename>/etc/shorewall6/zones</filename></para>
+
+    <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ipv6
+loc	ipv6
+vpn	ipv6
+<emphasis role="bold">dmz	vserver</emphasis>
+</programlisting>
+
+    <para><filename>/etc/shorewall6/hosts</filename>:</para>
+
+    <programlisting>#ZONE   HOST(S)                                 OPTIONS
+dmz	sit1:[2001:470:e857:1::/64]</programlisting>
+
+    <para>Note that I choose to place the Vservers on sit1 (the IPv6 net
+    interface) rather than on eth1. Again, it really doesn't matter
+    much.</para>
+  </section>
+</article>

docs/blacklisting_support.xml

@@ -20,6 +20,8 @@
     <copyright>
       <year>2002-2006</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -34,6 +36,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
   <section id="Intro">
     <title>Introduction</title>
 
@@ -61,6 +70,20 @@
       the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
       connecting to you — they do not stop you or your users from connecting
       to blacklisted hosts .</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>UPDATE</term>
+
+          <listitem>
+            <para>Beginning with Shorewall 4.4.12, you can also blacklist by
+            destination address. See <ulink
+            url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
+            (5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
+            for details.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
     </important>
 
     <important>
@@ -161,25 +184,28 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
     Prior to that release, the feature is always enabled.</para>
 
     <para>Once enabled, dynamic blacklisting doesn't use any configuration
-    parameters but is rather controlled using /sbin/shorewall[-lite]
-    commands:</para>
+    parameters but is rather controlled using /sbin/shorewall[-lite] commands.
+    <emphasis role="bold">Note</emphasis> that <emphasis
+    role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
+    only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
+    later</emphasis>.</para>
 
     <itemizedlist>
       <listitem>
-        <para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be silently dropped by the
+        <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be silently dropped by
+        the firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be rejected by the
         firewall.</para>
       </listitem>
 
       <listitem>
-        <para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be rejected by the
-        firewall.</para>
-      </listitem>
-
-      <listitem>
-        <para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
-        receipt of packets from hosts previously blacklisted by a
+        <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        re-enables receipt of packets from hosts previously blacklisted by a
         <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
         command.</para>
       </listitem>
@@ -201,19 +227,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
       </listitem>
 
       <listitem>
-        <para>logdrop <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be dropped and logged by the
-        firewall. Logging will occur at the level specified by the
+        <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be dropped and logged
+        by the firewall. Logging will occur at the level specified by the
         BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
         the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
       </listitem>
 
       <listitem>
-        <para>logreject <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be rejected and logged by the
-        firewall. Logging will occur at the level specified by the
-        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
-        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
+        <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
+        - causes packets from the listed IP addresses to be rejected and
+        logged by the firewall. Logging will occur at the level specified by
+        the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
+        at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
       </listitem>
     </itemizedlist>
 

docs/configuration_file_basics.xml

@@ -122,8 +122,9 @@
         </listitem>
 
         <listitem>
-          <para><filename>/etc/shorewall/tcrules </filename>- defines marking
-          of packets for later use by traffic control/shaping or policy
+          <para><filename>/etc/shorewall/tcrules </filename>- The file has a
+          rather unfortunate name because it is used to define marking of
+          packets for later use by both traffic control/shaping and policy
           routing.</para>
         </listitem>
 
@@ -212,6 +213,12 @@
           shaping.</para>
         </listitem>
 
+        <listitem>
+          <para><filename>/etc/shorewall/secmarks</filename> - Added in
+          Shorewall 4.4.13. Attach an SELinux context to selected
+          packets.</para>
+        </listitem>
+
         <listitem>
           <para><filename>/etc/shorewall/vardir</filename> - Determines the
           directory where Shorewall maintains its state.</para>
@@ -289,6 +296,30 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
     </example>
   </section>
 
+  <section id="Names">
+    <title>Names</title>
+
+    <para>When you define an object in Shorewall (<ulink
+    url="manpages/shorewall-zones.html">Zone</ulink>, <link
+    linkend="Logical">Logical Interface</link>, <ulink
+    url="ipsets.html">ipsets</ulink>, <ulink
+    url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
+    names start with a letter and consist of letters, digits or underscores
+    ("_"). Except for Zone names, Shorewall does not impose a limit on name
+    length.</para>
+
+    <para>When an ipset is referenced, the name must be preceded by a plus
+    sign ("+").</para>
+
+    <para>The last character of an interface may also be a plus sign to
+    indicate a wildcard name.</para>
+
+    <para>Physical interface names match names shown by 'ip link ls'; if the
+    name includes an at sign ("@"), do not include that character or any
+    character that follows. For example, "sit1@NONE" is referred to as simply
+    'sit1".</para>
+  </section>
+
   <section id="COMMENT">
     <title>Attach Comment to Netfilter Rules</title>
 
@@ -318,6 +349,10 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
         <para><filename>/etc/shorewall/rules</filename></para>
       </listitem>
 
+      <listitem>
+        <para><filename>/etc/shorewall/secmarks</filename></para>
+      </listitem>
+
       <listitem>
         <para><filename>/etc/shorewall/tcrules</filename></para>
       </listitem>
@@ -395,7 +430,7 @@ gateway:~ #
 COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
     <filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home
-SSH/ALLOW    net:$MYIP      $FW
+SSH(ACCEPT)    net:$MYIP      $FW
 COMMENT</programlisting>The comment line in macro.SSH will not override the
     COMMENT line in the rules file and the generated rule will show <emphasis
     role="bold">/* Allow SSH from home */</emphasis> when displayed through
@@ -485,8 +520,9 @@ ACCEPT      net:\
       <listitem>
         <para>ADDRESS LIST — A list of one or more addresses (host or network)
         or address ranges, separated by commas. In an IPv6 configuration, this
-        list must be includes in angled brackets ("&lt;...&gt;"). The list may
-        have <link linkend="Exclusion">exclusion</link>.</para>
+        list must be includef in square or angled brackets ("[...]" or
+        "&lt;...&gt;"). The list may have <link
+        linkend="Exclusion">exclusion</link>.</para>
       </listitem>
     </orderedlist>
 
@@ -525,7 +561,7 @@ ACCEPT      net:\
       <listitem>
         <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
         role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
+        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
       </listitem>
     </orderedlist>
   </section>
@@ -749,9 +785,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
       </listitem>
 
       <listitem>
-        <para>Should not depend on where the code is called from (the params
-        file is sourced by both /sbin/shorewall and
-        /usr/lib/shorewall/firewall).</para>
+        <para>Should not depend on where the code is called from.</para>
       </listitem>
 
       <listitem>
@@ -1317,7 +1351,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     <para>Beginning with Shorewall 4.4.4, you can use logical interface names
     which are mapped to the actual interface using the
     <option>physical</option> option in <ulink
-    url="manpages/shorewall-interfaces.html">shorewall-interfraces</ulink>
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
     (5).</para>
 
     <para>Here is an example:</para>