Fix minor bug in bridge interface handling.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples6/three-interfaces/interfaces

@@ -12,6 +12,6 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
-dmz     eth2            detect		tcpflags,forward=1
+net     eth0            detect          tcpflags
+loc     eth1            detect          tcpflags
+dmz     eth2            detect

Samples6/two-interfaces/interfaces

@@ -12,5 +12,5 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
+net     eth0            detect          tcpflags
+loc     eth1            detect          tcpflags

Shorewall-init/COPYING

@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

Shorewall-init/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/ifupdown.sh

@@ -1,100 +0,0 @@
-#!/bin/sh
-#
-# ifupdown script for Shorewall-based products
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-IFUPDOWN=0
-PRODUCTS=
-
-if [ -f /etc/default/shorewall-init ]; then
-    . /etc/default/shorewall-init
-elif [ -f /etc/sysconfig/shorewall-init ]; then
-    . /etc/sysconfig/shorewall-init
-fi
-
-[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
-
-if [ -f /etc/debian_version ]; then
-    #
-    # Debian ifupdown system
-    #
-    if [ "$MODE" = start ]; then
-	COMMAND=up
-    elif [ "$MODE" = stop ]; then
-	COMMAND=down
-    else
-	exit 0
-    fi
-
-    case "$PHASE" in
-	pre-*)
-	    exit 0
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    #
-    # SuSE ifupdown system
-    #
-    IFACE="$2"
-
-    case $0 in
-	*if-up.d*)
-	    COMMAND=up
-	    ;;
-	*if-down.d*)
-	    COMMAND=down
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    IFACE="$1"
-    
-    case $0 in 
-	*ifup*)
-	    COMMAND=up
-	    ;;
-	*ifdown*)
-	    COMMAND=down
-	    ;;
-	*dispatcher.d*)
-	    COMMAND="$2"
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-fi
-
-for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	$VARDIR/firewall -V0 $COMMAND $IFACE
-    fi
-done
-
-exit 0

Shorewall-init/init.debian.sh

@@ -1,129 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-### BEGIN INIT INFO
-# Provides:          shorewall-init
-# Required-Start:    $local_fs
-# X-Start-Before:    $network
-# Required-Stop:     $local_fs
-# X-Stop-After:      $network
-# Default-Start:     S
-# Default-Stop:      0 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time prior to
-#                    bringing up the network
-### END INIT INFO
-
-export VERBOSITY=0
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-echo_notdone () {
-  echo "not done."
-  exit 1
-}
-
-not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
-}
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
-then
-	. /etc/default/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
-	not_configured
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall stop || echo_notdone
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || echo_notdone
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  reload|force-reload)
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/init.sh

@@ -1,102 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# chkconfig: - 09 91
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-start: $local_fs
-# Required-stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local vardir
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall stop || exit 1
-      fi
-  done
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local vardir
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$PRODUCT
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall clear || exit 1
-      fi
-  done
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/install.sh

@@ -1,331 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Init
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=4.4.10.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-    shift
-    ARGS="yes"
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	T=
-	;;	
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
-	echo "Not setting file owner/group permissions, not running as root."
-	OWNERSHIP=""
-    fi
-    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Init Version $VERSION"
-
-#
-# Check for /usr/share/shorewall-init/version
-#
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
-    first_install=""
-else
-    first_install="Yes"
-fi
-
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /usr/share/shorewall-init if needed
-#
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
-
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
-
-#
-# Remove and create the symbolic link to the init script
-#
-if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
-fi
-
-if [ -n "$DEBIAN" ]; then
-    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    fi
-
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
-	fi
-
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-    fi
-else
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
-
-	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
-	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
-	    fi
-	fi
-    fi
-
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
-    fi 
-fi
-
-#
-# Install the ifupdown script
-#
-
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-
-install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
-
-if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-fi
-
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
-
-if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
-	fi
-    fi
-else
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
-	    fi
-
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	fi
-    fi
-fi
-
-#
-#  Report Success
-#
-echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init.spec

@@ -1,122 +0,0 @@
-%define name shorewall-init
-%define version 4.4.10
-%define release 1
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
-- Initial version
-
-
-

Shorewall-init/sysconfig

@@ -1,12 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to 
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0

Shorewall-init/uninstall.sh

@@ -1,97 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.sourceforge.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=4.4.10.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
-    VERSION=""
-fi
-
-echo "Uninstalling Shorewall Init $VERSION"
-
-INITSCRIPT=/etc/init.d/shorewall-init
-
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $INITSCRIPT)
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
-    fi
-
-    remove_file $INITSCRIPT
-fi
-
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
-
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
-
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-
-rm -rf /usr/share/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
-

Shorewall-lite/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall-lite/fallback.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shorewall Lite and to restore the previous version of
+# the program
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to back out the installation of the version
+#       shown below. Simply run this script to revert to your prior version of
+#       Shoreline Firewall.
+
+VERSION=4.4.8
+
+usage() # $1 = exit status
+{
+    echo "usage: $(basename $0)"
+    exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+    if [ -d ${1}-${VERSION}.bkout ]; then
+	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+	    echo
+	    echo "$1 restored"
+	    rm -rf ${1}-${VERSION}
+	else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+	fi
+    fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+    if [ -n "$2" ]; then
+	local file
+	file=$(basename $1)
+
+	if [ -f $2/$file ]; then
+	    if mv -f $2/$file $1 ; then
+		echo
+		echo "$1 restored"
+		return
+	    fi
+
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+	if (mv -f ${1}-${VERSION}.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+}
+
+if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
+    echo "Shorewall Version $VERSION is not installed"
+    exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall-lite/init ]; then
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
+else
+    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
+
+restore_directory /etc/shorewall-lite
+restore_directory /usr/share/shorewall-lite
+restore_directory /var/lib/shorewall-lite
+
+echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
+
+

Shorewall-lite/init.debian.sh

@@ -88,11 +88,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -128,12 +131,10 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
-INSTALLD='-D'
-T='-T'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -141,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -153,14 +150,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -182,203 +179,184 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
+    first_install=""
     [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
-else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-fi
-
-#
-# Check for /sbin/shorewall-lite
-#
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
-    first_install=""
 else
     first_install="Yes"
+    rm -rf ${PREFIX}/etc/shorewall-lite
+    rm -rf ${PREFIX}/usr/share/shorewall-lite
+    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
 
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
 
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${PREFIX}/etc/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
 
 #
 # Install the Modules file
 #
-
-if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
-fi
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
 
 #
 # Install the Man Pages
 #
 
-if [ -d manpages ]; then
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+cd ..
 
-    cd ..
+echo "Man Pages Installed"
 
-    echo "Man Pages Installed"
-fi
-
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
 fi
 
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
-
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	    echo "Shorewall Lite will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
-		    echo "Shorewall Lite will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
+    if [ -n "$DEBIAN" ]; then
+	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	echo "Shorewall Lite will start automatically at boot"
+	touch /var/log/shorewall-init.log
+    else
+	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if insserv /etc/init.d/shorewall-lite ; then
+		echo "Shorewall Lite will start automatically at boot"
+	    else
 		cant_autostart
 	    fi
+	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	    if chkconfig --add shorewall-lite ; then
+		echo "Shorewall Lite will start automatically in run levels as follows:"
+		chkconfig --list shorewall-lite
+	    else
+		cant_autostart
+	    fi
+	elif [ -x /sbin/rc-update ]; then
+	    if rc-update add shorewall-lite default; then
+		echo "Shorewall Lite will start automatically at boot"
+	    else
+		cant_autostart
+	    fi
+	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    cant_autostart
 	fi
     fi
 fi

Shorewall-lite/logrotate

@@ -1,4 +1,4 @@
-/var/log/shorewall-lite-init.log {
+/var/log/shorewall-init.log {
   missingok
   notifempty
   create 0600 root root

Shorewall-lite/shorewall-lite

@@ -352,7 +352,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
@@ -376,69 +376,20 @@ usage() # $1 = exit status
     echo "   show connections"
     echo "   show filters"
     echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
+    echo "   show [ -m ] log"
     echo "   show [ -x ] mangle|nat|raw|routing"
     echo "   show policies"
     echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -661,7 +612,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -682,8 +633,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
     logwatch)
 	logwatch_command $@
@@ -777,9 +727,14 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	if [ -x $g_restorepath ]; then
+
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
+	    fi
+
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall-lite/shorewall-lite.conf

@@ -4,11 +4,12 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  For information about the settings in this file, type
-#  "man shorewall-lite.conf"
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall-lite
+#
+#  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.10
-%define release 1
+%define version 4.4.8
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -102,42 +101,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall-lite
 fi

Shorewall/Macros/macro.mDNS

@@ -9,7 +9,6 @@
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
 #						PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	224.0.0.251		udp	5353
-PARAM	-	-			udp	32768:	5353
 PARAM	-	224.0.0.251		2
 PARAM	DEST	SOURCE:224.0.0.251	udp	5353
 PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Perl/Shorewall/Actions.pm

@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_7';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -834,7 +834,7 @@ sub allowBcast( $$$ ) {
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
-	    add_rule $chainref, '-d ff00::/10 -j ACCEPT';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
 	}
     }
 }
@@ -856,20 +856,19 @@ sub rejNotSyn ( $$$ ) {
 sub dropInvalid ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
+    add_rule $chainref , '-m state --state INVALID -j DROP';
 }
 
 sub allowInvalid ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
+    add_rule $chainref , '-m state --state INVALID -j ACCEPT';
 }
 
 sub forwardUPnP ( $$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
-    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_8';
 
 our $export;
 
@@ -78,32 +78,27 @@ sub initialize_package_globals() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_1( $ ) {
+sub generate_script_1() {
 
-    my $script = shift;
+    if ( $test ) {
+	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+    } else {
+	my $date = localtime;
 
-    if ( $script ) {
-	if ( $test ) {
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
+	if ( $family == F_IPV4 ) {
+	    copy $globals{SHAREDIRPL} . 'prog.header';
 	} else {
-	    my $date = localtime;
-	    
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.header';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.header6';
-	    }
-	    
-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy $globals{SHAREDIRPL} . 'prog.header6';
 	}
-	
+
+	copy2 $globals{SHAREDIR} . '/lib.common';
     }
 
     my $lib = find_file 'lib.private';
-	
-    copy2( $lib, $debug ) if -f $lib;
+
+    copy2 $lib if -f $lib;
 
     emit <<'EOF';
 ################################################################################
@@ -271,7 +266,7 @@ sub generate_script_2() {
 
 	set_global_variables(1);
 
-	handle_optional_interfaces(0);
+	handle_optional_interfaces;
 
 	emit ';;';
 
@@ -284,7 +279,7 @@ sub generate_script_2() {
 
 	    set_global_variables(0);
 
-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;
 
 	    emit ';;';
 	}
@@ -294,7 +289,7 @@ sub generate_script_2() {
 
 	emit ( 'esac' ) ,
     } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
@@ -303,6 +298,7 @@ sub generate_script_2() {
     
 }
 
+#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -353,17 +349,80 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	load_ipsets;
+	my @ipsets = all_ipsets;
+
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
+	    emit ( '',
+		   'local hack',
+		   '',
+		   'case $IPSET in',
+		   '    */*)',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        ;;',
+		   '    *)',
+		   '        IPSET="$(mywhich $IPSET)"',
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+		   '        ;;',
+		   'esac',
+		   '',
+		   'if [ "$COMMAND" = start ]; then' ,
+		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		   '    fi' ,
+		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
+
+	    if ( @ipsets ) {
+		emit '';
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
+
+	    emit ( 'fi',
+		   '' );
+	}
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
+	       '   run_refresh_exit' );
+
+	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
-	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ('',
@@ -386,7 +445,6 @@ sub generate_script_3($) {
     } else {
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
     }
@@ -457,6 +515,7 @@ EOF
         set_state "Started"
     else
         setup_netfilter
+        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
@@ -560,8 +619,6 @@ sub compiler {
 	set_shorewall_dir( $directory );
     }
 
-    $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
@@ -628,11 +685,11 @@ sub compiler {
 
     enable_script;
 
-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	#
 	# Place Header in the script
 	#
-	generate_script_1( $scriptfilename );
+	generate_script_1;
 	#
 	#                               C O M M O N _ R U L E S
 	#           (Writes the setup_common_rules() function to the compiled script)
@@ -668,7 +725,7 @@ sub compiler {
     #
     setup_zone_mss;
 
-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
@@ -681,7 +738,7 @@ sub compiler {
     #
     enable_script;
 
-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -699,7 +756,7 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	pop_indent;
 	emit "}\n";
     }
@@ -766,7 +823,7 @@ sub compiler {
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} & 0xD ) {
+	if ( $config{OPTIMIZE} & 6 ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -775,7 +832,7 @@ sub compiler {
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	    optimize_ruleset if $config{OPTIMIZE} & 4;
 	}
 
 	enable_script;
@@ -801,11 +858,6 @@ sub compiler {
 	#
 	compile_stop_firewall( $test, $export );
 	#
-	#                               U P D O W N
-	#               (Writes the updown() function to the compiled script)
-	#
-	compile_updown;
-	#
 	# Copy the footer to the script
 	#
 	unless ( $test ) {
@@ -829,9 +881,9 @@ sub compiler {
 	#
 	# Just checking the configuration
 	#
-	if ( $preview || $debug ) {
+	if ( $preview ) {
 	    #
-	    # User wishes to preview the ruleset or we are tracing -- generate the rule matrix
+	    # User wishes to preview the ruleset -- generate the rule matrix
 	    #
 	    generate_matrix;
 
@@ -847,11 +899,7 @@ sub compiler {
 		optimize_ruleset if $config{OPTIMIZE} & 4;
 	    }
 
-	    enable_script if $debug;
-
-	    generate_script_2 if $debug;
-
-	    preview_netfilter_load if $preview;
+	    preview_netfilter_load;
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -859,17 +907,11 @@ sub compiler {
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-
-	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
-	    disable_script;
-	} else {
-	    #
-	    # compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate routestopped here.
-	    #
-	    process_routestopped;
-	}
+	#
+	# compile_stop_firewall() also validates the routestopped file. Since we don't
+	# call that function during 'check', we must validate routestopped here.
+	#
+	process_routestopped;
 
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";

Shorewall/Perl/Shorewall/Config.pm

@@ -98,7 +98,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       pop_open
 				       read_a_line
 				       validate_level
-				       which
 				       qt
 				       ensure_config_path
 				       get_configuration
@@ -118,7 +117,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
-				       $debug
 				       %config
 				       %globals
 
@@ -131,7 +129,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_8';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -339,9 +337,8 @@ sub initialize( $ ) {
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
-		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.10.1",
+		    VERSION => "4.4.8",
 		    CAPVERSION => 40408 ,
 		  );
 
@@ -460,7 +457,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -581,7 +577,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -884,7 +879,7 @@ sub in_hexp( $ ) {
 sub emit {
     assert( $script_enabled );
 
-    if ( $script || $debug ) {
+    if ( $script ) {
 	#
 	# 'compile' as opposed to 'check'
 	#
@@ -894,20 +889,10 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		print $script "$line\n" if $script;
+		print $script "$line\n";
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
-
-		if ( $debug ) {
-		    $line =~ s/^\n//;
-		    $line =~ s/\n/\nGS-----> /g;
-		    print "GS-----> $line\n";
-		}
 	    } else {
-		unless ( $lastlineblank ) {
-		    print $script "\n"  if $script;
-		    print "GS-----> \n" if $debug;
-		}
-
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    }
 	}
@@ -1012,7 +997,7 @@ sub timestamp() {
 }
 
 #
-# Write a message if $verbosity >= 2.
+# Write a message if $verbosity >= 2
 #
 sub progress_message {
     my $havelocaltime = 0;
@@ -1166,7 +1151,7 @@ sub copy1( $ ) {
 
     my $result = 0;
 
-    if ( $script || $debug ) {
+    if ( $script ) {
 	my $file = $_[0];
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1177,16 +1162,8 @@ sub copy1( $ ) {
 	    chomp;
 
 	    if ( /^${here_documents}\s*$/ ) {
-		if ( $script ) {
-		    print $script $here_documents if $here_documents;
-		    print $script "\n";
-		}
-		
-		if ( $debug ) {
-		    print "GS-----> $here_documents" if $here_documents;
-		    print "GS----->\n";
-		}
-
+		print $script $here_documents if $here_documents;
+		print $script "\n";
 		$do_indent = 1;
 		$here_documents = '';
 		next;
@@ -1197,17 +1174,8 @@ sub copy1( $ ) {
 		s/^(\s*)/$indent1$1$indent2/;
 		s/        /\t/ if $indent2;
 		$do_indent = 0;
-
-		if ( $script ) {
-		    print $script $_;
-		    print $script "\n";
-		}
-
-		if ( $debug ) {
-		    s/\n/\nGS-----> /g;
-		    print "GS-----> $_\n";
-		}
-
+		print $script $_;
+		print $script "\n";
 		$result = 1;
 		next;
 	    }
@@ -1217,19 +1185,11 @@ sub copy1( $ ) {
 		s/        /\t/ if $indent2;
 	    }
 
-	    if ( $script ) {
-		print $script $_;
-		print $script "\n";
-	    }
-
+	    print $script $_;
+	    print $script "\n";
 	    $do_indent = ! ( $here_documents || /\\$/ );
 
 	    $result = 1 unless $result || /^\s*$/ || /^\s*#/;
-
-	    if ( $debug ) {
-		s/\n/\nGS-----> /g;
-		print "GS-----> $_\n";
-	    }
 	}
 
 	close IF;
@@ -1243,13 +1203,11 @@ sub copy1( $ ) {
 #
 # This one drops header comments and replaces them with a three-line banner
 #
-sub copy2( $$ ) {
-    my ( $file, $trace ) = @_;
-
+sub copy2( $ ) {
     assert( $script_enabled );
     my $empty = 1;
 
-    if ( $script || $trace ) {
+    if ( $script ) {
 	my $file = $_[0];
 
 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1259,22 +1217,18 @@ sub copy2( $$ ) {
 	}
 
 	unless ( $empty ) {
-	    emit <<EOF;
+	    print $script <<EOF;
 ################################################################################
 #   Functions imported from $file
 ################################################################################
+
 EOF
-	    chomp;
-	    emit( $_ ) unless /^\s*$/;
+	    print $script $_ unless /^\s*$/;
 
 	    while ( <IF> ) {
 		chomp;
 		if ( /^\s*$/ ) {
-		    unless ( $lastlineblank ) {
-			print $script "\n" if $script;
-			print "GS----->\n" if $trace;
-		    }
-
+		    print $script "\n" unless $lastlineblank;
 		    $lastlineblank = 1;
 		} else {
 		    if  ( $indent ) {
@@ -1282,30 +1236,22 @@ EOF
 			s/        /\t/ if $indent2;
 		    }
 		    
-		    if ( $script ) {
-			print $script $_;
-			print $script "\n";
-		    }
-
-		    if ( $trace ) {
-			s/\n/GS-----> \n/g;
-			print "GS-----> $_\n";
-		    }
-
+		    print $script $_;
+		    print $script "\n";
 		    $lastlineblank = 0;
 		}
 	    }
 	    
 	    close IF;
 	
-	    unless ( $lastlineblank ) {
-		print $script "\n" if $script;
-		print "GS----->\n" if $trace;
-	    }
+	    print $script "\n" unless $lastlineblank;
 
-	    emit( '################################################################################',
-		  "#   End of imports from $file",
-		  '################################################################################' );
+	    print $script <<EOF;
+################################################################################
+#   End of imports from $file
+################################################################################
+EOF
+	    $lastlineblank = 0;
 	}
     }
 }
@@ -1854,7 +1800,6 @@ sub read_a_line() {
 
 		    $currentline = '';
 		} else {
-		    print "IN===> $currentline\n" if $debug;
 		    return 1;
 		}
 	    }
@@ -1876,7 +1821,6 @@ sub read_a_line1() {
 	    $currentline =~ s/#.*$//;       # Remove Trailing Comments
 	    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
 	    $currentlinenumber = $.;
-	    print "IN===> $currentline\n" if $debug;
 	    return 1;
 	}
 
@@ -2102,7 +2046,7 @@ sub load_kernel_modules( ) {
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
 
-	progress_message2 "Loading Modules...";
+	progress_message "Loading Modules...";
 
 	open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
 
@@ -2351,7 +2295,7 @@ sub IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
 
-    $ipset = which $ipset unless $ipset =~ '/';
+    $ipset = which $ipset unless $ipset =~ '//';
 
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
@@ -2505,10 +2449,7 @@ sub determine_capabilities() {
     qt1( "$iptables -N $sillyname1" );
 
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
-	unless 
-	    qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
-	    qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
-	    
+	unless qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");
   
     unless ( $config{ LOAD_HELPERS_ONLY } ) {
 	#
@@ -2665,8 +2606,6 @@ sub process_shorewall_conf() {
 	if ( -r _ ) {
 	    open_file $file;
 
-	    first_entry "Processing $file...";
-
 	    while ( read_a_line ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
@@ -2818,8 +2757,6 @@ sub get_configuration( $ ) {
 
     get_capabilities( $export );
 
-    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
-
     if ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
@@ -2877,7 +2814,6 @@ sub get_configuration( $ ) {
 		my $val = numeric_value( $config{LOG_VERBOSITY} );
 		fatal_error "Invalid LOG_VERBOSITY ($config{LOG_VERBOSITY} )" unless defined( $val ) && ( $val >= -1 ) && ( $val <= 2 );
 		$config{STARTUP_LOG} = '' if $config{LOG_VERBOSITY} < 0;
-		$config{LOG_VERBOSITY} = $val;
 	    }
 	} else {
 	    $config{LOG_VERBOSITY} = 2;
@@ -2949,7 +2885,6 @@ sub get_configuration( $ ) {
     default_yes_no 'ACCOUNTING'                 , 'Yes';
     default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
     default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
-    default_yes_no 'REQUIRE_INTERFACE'          , '';
 
     numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
     numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
@@ -3069,7 +3004,7 @@ sub get_configuration( $ ) {
 
     $val = numeric_value $config{OPTIMIZE};
 
-    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 15;
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 7;
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 
@@ -3115,8 +3050,7 @@ sub get_configuration( $ ) {
 #
 sub propagateconfig() {
     for my $option ( @propagateconfig ) {
-	my $value = $config{$option};
-	$value = '' unless defined $value;
+	my $value = $config{$option} || '';
 	emit "$option=\"$value\"";
     }
 }
@@ -3158,7 +3092,7 @@ sub run_user_exit( $ ) {
     my $file = find_file $chainref->{name};
 
     if ( -f $file ) {
-	progress_message2 "Processing $file...";
+	progress_message "Processing $file...";
 
 	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
 
@@ -3179,7 +3113,7 @@ sub run_user_exit1( $ ) {
     my $file = find_file $_[0];
 
     if ( -f $file ) {
-	progress_message2 "Processing $file...";
+	progress_message "Processing $file...";
 	#
 	# File may be empty -- in which case eval would fail
 	#
@@ -3210,7 +3144,7 @@ sub run_user_exit2( $$ ) {
     my ($file, $chainref) = ( find_file $_[0], $_[1] );
 
     if ( -f $file ) {
-	progress_message2 "Processing $file...";
+	progress_message "Processing $file...";
 	#
 	# File may be empty -- in which case eval would fail
 	#

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_6';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -456,7 +456,7 @@ sub setup_netmap() {
 	    my $ruleout = '';
 	    my $iface = $interface;
 
-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
 		$rulein  = match_source_dev $interface;
@@ -465,7 +465,7 @@ sub setup_netmap() {
 	    }
 
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein  . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface )  , $rulein  . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
 		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
 	    } else {

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_7';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -66,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
 #
 sub new_policy_chain($$$$)
 {
-    my ($source, $dest, $policy, $provisional) = @_;
+    my ($source, $dest, $policy, $optional) = @_;
 
     my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
 
-    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
+    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
     $chainref;
 }
@@ -115,7 +115,7 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-use constant { PROVISIONAL => 1 };
+use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
@@ -124,11 +124,11 @@ sub add_or_modify_policy_chain( $$ ) {
 
     if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
-	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
 	    push @policy_chains, $chainref;
 	}
     } else {
-	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
     }
 }
 
@@ -329,8 +329,7 @@ sub validate_policy()
     }
 
     for $zone ( all_zones ) {
-	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
-	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
+	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
 
 	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
@@ -467,7 +466,7 @@ sub apply_policy_rules() {
 sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
-    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
+    add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
 
     run_user_exit $stdchainref;
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_8';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -836,20 +836,14 @@ sub lookup_provider( $ ) {
 
 #
 # This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# optional interfaces
 #
-# Returns true if there were required or optional interfaces
+# Returns true if there were optional interfaces
 #
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {
 
-    my $returnvalue = verify_required_interfaces( shift );
-    #
-    # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
-    # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that 
-    # wildcard are returned.
-    #
-    my $interfaces = find_interfaces_by_option1 'optional';
+    my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
@@ -857,12 +851,7 @@ sub handle_optional_interfaces( $ ) {
 	    my $physical = get_physical $interface;
 	    my $base     = uc chain_base( $physical );
 
-	    emit( '' );
-
-	    if ( $config{REQUIRE_INTERFACE} ) {
-		emit( 'HAVE_INTERFACE=' );
-		emit( '' );
-	    }
+	    emit '';
 
 	    if ( $provider ) {
 		#
@@ -882,41 +871,14 @@ sub handle_optional_interfaces( $ ) {
 		emit qq(if interface_is_usable $physical; then);
 	    }
 
-	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
-
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'else' ,
 		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
 	}
 
-	if ( $config{REQUIRE_INTERFACE} ) {
-	    emit( '', 
-		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
-		  '    case "$COMMAND" in',
-		  '        start|restart|restore|refresh)'
-		);
-
-	    if ( $family == F_IPV4 ) {
-		emit( '            if shorewall_is_started; then' );
-	    } else {
-		emit( '            if shorewall6_is_started; then' );
-	    }
-	
-	    emit( '                fatal_error "No network interface available"',
-		  '            else',
-		  '                startup_error "No network interface available',
-		  '            fi',
-		  '            ;;',
-		  '    esac',
-		  'fi'
-		);
-	}
-
-	$returnvalue = 1;
+	1;
     }
-
-    $returnvalue;
 }
 
 #
@@ -998,9 +960,8 @@ sub handle_stickiness( $ ) {
     }
 
     if ( @routemarked_providers ) {
-	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
+	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
+	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
 }
-
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_4';
 
 our @proxyarp;
 
@@ -118,7 +118,6 @@ sub setup_proxy_arp() {
 		}
 
 		$interface = get_physical $interface;
-		$external  = get_physical $external;
 
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};

Shorewall/Perl/Shorewall/Rules.pm

@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_8';
 
 #
 # Set to one if we find a SECTION
@@ -283,7 +283,7 @@ sub setup_blacklist() {
 	    warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
 	}
 
-	my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
+	my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
 
 	for my $hostref ( @$hosts ) {
 	    my $interface  = $hostref->[0];
@@ -317,15 +317,13 @@ sub process_routestopped() {
 
     while ( read_a_line ) {
 
+	my $routeback = 0;
+
 	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 
-	my $interfaceref;
-
-	fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
 	$hosts = ALLIP unless $hosts && $hosts ne '-';
 
-	my $routeback = 0;
-
 	my @hosts;
 
 	$seq++;
@@ -340,12 +338,24 @@ sub process_routestopped() {
 	}
 
 	unless ( $options eq '-' ) {
+
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
+			my $chainref = $filter_table->{FORWARD};
+
 			$routeback = 1;
+
+			for my $host ( split /,/, $hosts ) {
+			    add_rule( $chainref , 
+				      match_source_dev( $interface ) . 
+				      match_dest_dev( $interface ) .
+				      match_source_net( $host ) .
+				      match_dest_net( $host ) );
+			    clearrule;
+			}
 		    }
 		} elsif ( $option eq 'source' ) {
 		    for my $host ( split /,/, $hosts ) {
@@ -366,19 +376,6 @@ sub process_routestopped() {
 	    }
 	}
 
-	if ( $routeback || $interfaceref->{options}{routeback} ) {
-	    my $chainref = $filter_table->{FORWARD};
-
-	    for my $host ( split /,/, $hosts ) {
-		add_rule( $chainref , 
-			  match_source_dev( $interface ) . 
-			  match_dest_dev( $interface ) .
-			  match_source_net( $host ) .
-			  match_dest_net( $host ) );
-		clearrule;
-	    }
-	}
-
 	push @allhosts, @hosts;
     }
 
@@ -434,7 +431,7 @@ sub add_common_rules() {
     my $list;
     my $chain;
 
-    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
     my $level     = $config{BLACKLIST_LOGLEVEL};
     my $rejectref = dont_move new_standard_chain 'reject';
 
@@ -443,13 +440,12 @@ sub add_common_rules() {
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
 	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
-	add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
     setup_mss;
 
     if ( $config{FASTACCEPT} ) {
-	add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
+	add_rule( $filter_table->{$_} , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
     }
 
     for $interface ( all_interfaces ) {
@@ -521,7 +517,7 @@ sub add_common_rules() {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 
 	    for $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $target, 0, join( '', "$globals{STATEMATCH} $state ", match_source_net( $hostref->[2] ),  $policy );
+		add_jump $filter_table->{$chain} , $target, 0, join( '', "-m state --state $state ", match_source_net( $hostref->[2] ),  $policy );
 	    }
 
 	    set_interface_option $interface, 'use_input_chain', 1;
@@ -648,9 +644,7 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
-
-	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	    dont_optimize new_nat_chain( 'UPnP' );
 
 	    $announced = 1;
 
@@ -672,10 +666,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  '    echo -A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
+				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, 'echo -A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -779,12 +773,12 @@ sub setup_mac_lists( $ ) {
 			my $source = match_source_net $address;
 			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if defined $level && $level ne '';
-			add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
+			add_rule $chainref , "${mac}${source}-j $targetref->{target}";
 		    }
 		} else {
 		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
 			if defined $level && $level ne '';
-		    add_jump $chainref , $targetref->{target}, 0, "$mac";
+		    add_rule $chainref , "$mac-j $targetref->{target}";
 		}
 
 		progress_message "      Maclist entry \"$currentline\" $done";
@@ -807,14 +801,14 @@ sub setup_mac_lists( $ ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
 
 		for my $chain ( first_chains $interface ) {
-		    add_jump $filter_table->{$chain} , $chainref, 0, "${source}$globals{STATEMATCH} ${state} ${policy}";
+		    add_jump $filter_table->{$chain} , $chainref, 0, "${source}-m state --state ${state} ${policy}";
 		}
 
 		set_interface_option $interface, 'use_input_chain', 1;
 		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
-		add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}$globals{STATEMATCH} ${state} ${policy}";
+		add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}-m state --state ${state} ${policy}";
 	    }
 	}
     } else {
@@ -832,8 +826,8 @@ sub setup_mac_lists( $ ) {
 		    if ( have_capability( 'ADDRTYPE' ) ) {
 			add_commands( $chainref,
 				      "for address in $variable; do",
-				      "    echo \"-A -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
-				      "    echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
+				      "    echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
+				      "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
 				      'done' );
 		    } else {
 			my $bridge    = source_port_to_bridge( $interface );
@@ -845,19 +839,19 @@ sub setup_mac_lists( $ ) {
 			if ( $bridgeref->{broadcasts} ) {
 			    for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
 				add_commands( $chainref ,
-					      "    echo \"-A -s \$address -d $address -j RETURN\" >&3" );
+					      "    echo \"-A $chainref->{name} -s \$address -d $address -j RETURN\" >&3" );
 			    }
 			} else {
 			    my $variable1 = get_interface_bcasts $bridge;
 
 			    add_commands( $chainref,
 					  "    for address1 in $variable1; do" ,
-					  "        echo \"-A -s \$address -d \$address1 -j RETURN\" >&3",
+					  "        echo \"-A $chainref->{name} -s \$address -d \$address1 -j RETURN\" >&3",
 					  "    done" );
 			}
 
 			add_commands( $chainref
-				      , "    echo \"-A -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
+				      , "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3" ,
 				      , 'done' );
 		    }
 		}
@@ -1218,7 +1212,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
-	$rule .= "$globals{STATEMATCH} $section "
+	$rule .= "-m state --state $section "
     }
 
     #
@@ -1655,16 +1649,16 @@ sub rules_target( $$ ) {
     
     return $chain   if $chainref && $chainref->{referenced};
     return 'ACCEPT' if $zone eq $zone1;
-
+    
     assert( $chainref );
-
+    
     if ( $chainref->{policy} ne 'CONTINUE' ) {
 	my $policyref = $filter_table->{$chainref->{policychain}};
 	assert( $policyref );
 	return $policyref->{name} if $policyref ne $chainref;
 	return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
     }
-
+    
     ''; # CONTINUE policy
 }
 
@@ -1695,12 +1689,9 @@ sub add_interface_jumps {
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
     for my $interface ( @_ ) {
-	my $forwardref   = $filter_table->{forward_chain $interface};
-	my $inputref     = $filter_table->{input_chain $interface};
-	my $outputref    = $filter_table->{output_chain $interface};
-	my $interfaceref = find_interface($interface);
-
-	add_rule ( $filter_table->{FORWARD}, match_source_dev( $interface) . match_dest_dev( $interface) . '-j ACCEPT' ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
+	my $forwardref = $filter_table->{forward_chain $interface};
+	my $inputref   = $filter_table->{input_chain $interface};
+	my $outputref  = $filter_table->{output_chain $interface};
 
 	add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
 	add_jump( $filter_table->{INPUT}   , $inputref ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
@@ -1871,7 +1862,7 @@ sub generate_matrix() {
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my $dest   = match_dest_net $net;
 
-			if ( $chain1 && zone_type ( $zone) != BPORT ) {
+			if ( $chain1 ) {
 			    my $chain1ref = $filter_table->{$chain1};
 			    my $nextchain = dest_exclusion( $exclusions, $chain1 );
 			    my $outputref;
@@ -2153,7 +2144,7 @@ sub generate_matrix() {
 		    '' ,
 		    '' ,
 		    'insert' ,
-		    "$globals{STATEMATCH} NEW ";
+		    '-m state --state NEW ';
 	    }
 	}
     }
@@ -2341,7 +2332,7 @@ EOF
 
     my @chains = $config{ADMINISABSENTMINDED} ? qw/INPUT FORWARD/ : qw/INPUT OUTPUT FORWARD/;
 
-    add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
+    add_rule $filter_table->{$_}, '-m state --state ESTABLISHED,RELATED -j ACCEPT' for @chains;
 
     if ( $family == F_IPV6 ) {
 	add_rule $input, '-s ff80::/10 -j ACCEPT';
@@ -2448,8 +2439,8 @@ EOF
     }
 
     emit '
-
     set_state "Stopped"
+
     logger -p kern.info "$g_product Stopped"
 
     case $COMMAND in

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_8';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -1374,7 +1374,7 @@ sub setup_tc() {
 		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
 		#
 		for my $interface ( @routemarked_interfaces ) {
-		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
+		    add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
 		}
 	    }
 	}

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_7';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";

Shorewall/Perl/Shorewall/Zones.pm

@@ -11,7 +11,7 @@
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the shope that it will be useful,
+#       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
@@ -54,7 +54,6 @@ our @EXPORT = qw( NOTHING
 		  complex_zones
 		  non_firewall_zones
 		  single_interface
-		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
 		  all_bridges
@@ -68,11 +67,8 @@ our @EXPORT = qw( NOTHING
 		  source_port_to_bridge
 		  interface_is_optional
 		  find_interfaces_by_option
-		  find_interfaces_by_option1
 		  get_interface_option
 		  set_interface_option
-		  verify_required_interfaces
-		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  all_ipsets
@@ -80,7 +76,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_8';
 
 #
 # IPSEC Option types
@@ -184,9 +180,9 @@ use constant { SIMPLE_IF_OPTION   => 1,
 
 our %validinterfaceoptions;
 
-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
 
 our %validhostoptions;
 
@@ -227,7 +223,6 @@ sub initialize( $ ) {
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
-				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
@@ -236,7 +231,6 @@ sub initialize( $ ) {
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
 				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -257,14 +251,12 @@ sub initialize( $ ) {
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
-				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -412,17 +404,23 @@ sub process_zone( \$ ) {
     if ( $type eq IPSEC ) {
 	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	for ( @parents ) {
-	    set_super( $zones{$_} ) unless $zones{$_}{type} == IPSEC;
+	    unless ( $zones{$_}{type} == IPSEC ) {
+		set_super( $zones{$_} );
+	    }
 	}
     }
 
+    for ( $options, $in_options, $out_options ) {
+	$_ = '' if $_ eq '-';
+    }
+
     $zones{$zone} = { type       => $type,
 		      parents    => \@parents,
 		      bridge     => '',
 		      options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
 				      in      => parse_zone_option_list( $in_options || '', $type ) ,
 				      out     => parse_zone_option_list( $out_options || '', $type ) ,
-				      complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+				      complex => ($type == IPSEC || $options || $in_options || $out_options ? 1 : 0) ,
 				      nested  => @parents > 0 ,
 				      super   => 0 ,
 				    } ,
@@ -729,30 +727,11 @@ sub firewall_zone() {
     $firewall_zone;
 }
 
-#
-# Determine if the passed physical device is a bridge
-#
-sub is_a_bridge( $ ) {
-    which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
-} 
-
-#
-# Transform the passed interface name into a legal shell variable name.
-#
-sub chain_base($) {
-    my $chain = $_[0];
-
-    $chain =~ s/^@/at_/;
-    $chain =~ tr/[.\-%@]/_/;
-    $chain =~ s/\+$//;
-    $chain;
-}
-
 #
 # Process a record in the interfaces file
 #
-sub process_interface( $$ ) {
-    my ( $nextinum, $export ) = @_;
+sub process_interface( $ ) {
+    my $nextinum = $_[0];
     my $netsref = '';
     my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
     my $zoneref;
@@ -767,6 +746,9 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
+    $bcasts = '' if $bcasts eq '-';
+    $options  = '' if $options  eq '-';
+
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@@ -811,7 +793,7 @@ sub process_interface( $$ ) {
     my $physical = $interface;
     my $broadcasts;
 
-    unless ( $bcasts eq '-' || $bcasts eq 'detect' ) {
+    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
 	my @broadcasts = split_list $bcasts, 'address';
 
 	for my $address ( @broadcasts ) {
@@ -831,9 +813,7 @@ sub process_interface( $$ ) {
 
     my $hostoptionsref = {};
 
-    $options{ignore} = 1, $options = '-' if $options eq 'ignore';
-
-    if ( $options ne '-' ) {
+    if ( $options ) {
 
 	my %hostoptions = ( dynamic => 0 );
 
@@ -937,8 +917,6 @@ sub process_interface( $$ ) {
 	    }
 	}
 
-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = "${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
@@ -951,16 +929,10 @@ sub process_interface( $$ ) {
 	    $hostoptions{routeback} = $options{routeback} = 1;
 	}
 
-	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
-
+	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
 
 	$hostoptionsref = \%hostoptions;
-    } else {
-	#
-	# No options specified -- auto-detect bridge
-	#
-	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
-    }	
+    }
 
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
@@ -1002,7 +974,7 @@ sub validate_interfaces_file( $ ) {
 
     first_entry "$doing $fn...";
 
-    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+    push @ifaces, process_interface( $nextinum++) while read_a_line;
 
     #
     # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1045,7 +1017,7 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
+# If the passed name matches a wildcard, a entry for the name is added in %interfaces to speed up validation of other references to that name.
 #
 sub known_interface($)
 {
@@ -1176,28 +1148,6 @@ sub find_interfaces_by_option( $ ) {
     \@ints;
 }
 
-#
-# Returns reference to array of interfaces with the passed option
-#
-sub find_interfaces_by_option1( $ ) {
-    my $option = $_[0];
-    my @ints = ();
-
-    for my $interface ( keys %interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-
-	next unless defined $interfaceref->{physical};
-	next if $interfaceref->{physical} =~ /\+/;
-
-	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
-	    push @ints , $interface
-	}
-    }
-
-    \@ints;
-}
-
 #
 # Return the value of an option for an interface
 #
@@ -1216,258 +1166,6 @@ sub set_interface_option( $$$ ) {
     $interfaces{$interface}{options}{$option} = $value;
 }
 
-#
-# Verify that all required interfaces are available after waiting for any that specify the 'wait' option.
-#
-sub verify_required_interfaces( $ ) {
-
-    my $generate_case = shift;
-    
-    my $returnvalue = 0;
-   
-    my $interfaces = find_interfaces_by_option 'wait';
-
-    if ( @$interfaces ) {
-	emit "local waittime\n";
-
-	for my $interface (@$interfaces ) {
-	    my $wait = $interfaces{$interface}{options}{wait};
-
-	    if ( $wait ) {
-		my $physical = get_physical $interface;
-	    
-		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
-		    $physical =~ s/\+$/*/;
-
-		    emit( 'for interface in $(find_all_interfaces); do',
-			  '    case $interface in',
-			  "        $physical)",
-			  "            waittime=$wait",
-			  '            while [ $waittime -gt 0 ]; do',
-			  '                interface_is_usable $interface && break',
-			  '                waittime=$(($waittime - 1))',
-			  '            done',
-			  '            ;;',
-			  '    esac',
-			  'done',
-			  '',
-			);
-		} else {
-		    emit qq(if ! interface_is_usable $physical; then);
-		    emit qq(    waittime=$wait);
-		    emit  '';
-		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
-		    emit  q(        sleep 1);
-		    emit   '        waittime=$(($waittime - 1))';
-		    emit  q(    done);
-		    emit qq(fi\n);
-		}
-
-		$returnvalue = 1;
-	    }
-	}
-    }
-
-    $interfaces = find_interfaces_by_option 'required';
-
-    if ( @$interfaces ) {
-
-	if ( $generate_case ) {
-	    emit( 'case "$COMMAND" in' );
-	    push_indent;
-	    emit( 'start|restart|restore|refresh)' );
-	    push_indent;
-	}
-
-	for my $interface (@$interfaces ) {
-	    my $physical = get_physical $interface;
-
-	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
-
-		$physical =~ s/\+$/*/;
-
-		emit( "${base}_IS_UP=\n",
-		      'for interface in $(find_all_interfaces); do',
-		      '    case $interface in',
-		      "        $physical)",
-		      "            interface_is_usable \$interface && ${base}_IS_UP=Yes && break",
-		      '            ;;',
-		      '    esac',
-		      'done',
-		      '',
-		      "if [ -z \"\$${base}_IS_UP\" ]; then",
-		      "    startup_error \"None of the required interfaces $physical are available\"",
-		      "fi\n"
-		    );
-	    } else {
-		emit qq(if ! interface_is_usable $physical; then);
-		emit qq(    startup_error "Required interface $physical not available");
-		emit qq(fi\n);
-	    }
-	}
-	
-	if ( $generate_case ) {
-	    emit( ';;' );
-	    pop_indent;
-	    pop_indent;
-	    emit( 'esac' );
-	}
-
-	$returnvalue = 1;
-    }
-
-    $returnvalue;
-}
-
-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  '' );
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore';
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
-
-	$interfaces =~ s/\+/*/;
-
-	emit( "$interfaces)",
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/ );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        detect_configuration',
-	      '        define_firewall' );
-	
-	if ( $wildcard ) {
-	    emit( '    elif [ "$state" = started ]; then',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall' );
-	} else {
-	    emit( '    else', 
-		  '        COMMAND=stop',
-		  '        detect_configuration',
-		  '        stop_firewall' );
-	}
-	
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
-
-	$interfaces =~ s/\+/*/;
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
-	      '        echo 0 > ${VARDIR}/${1}.state',
-	      '    else',
-	      '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
-	      '    if [ "$state" = started ]; then',
-	      '        COMMAND=restart',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$state" = stopped ]; then',
-	      '        COMMAND=start',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    fi',
-	      '    ;;',
-	    );
-    }
-
-    emit( "*)",
-	  '    case $state in',
-	  '        started)',
-	  '            COMMAND=restart',
-	  '            detect_configuration',
-	  '            define_firewall',
-	  '            ;;',
-	  '    esac',  
-	);
-
-    pop_indent;
-    
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}  
-
 #
 # Process a record in the hosts file
 #

Shorewall/Perl/prog.footer

@@ -5,7 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
     echo 
     echo "Options are:"
     echo
@@ -218,7 +218,6 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
 	fi
 
 	detect_configuration
@@ -256,9 +255,7 @@ case "$COMMAND" in
 	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	if [ -n "$SUBSYSLOCK" ]; then
-	    rm -f $SUBSYSLOCK
-	fi
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	progress_message3 "done."
 	;;
     status)
@@ -276,7 +273,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -286,13 +283,6 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
-	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Perl/prog.footer6

@@ -5,7 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
     echo 
     echo "Options are:"
     echo
@@ -184,7 +184,7 @@ else
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
- 	reset)
+	reset)
 	    if ! shorewall6_is_started ; then
 		error_message "$g_product is not running"
 		status=2
@@ -219,7 +219,6 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
-		COMMAND=start
 	    fi
 
 	    detect_configuration
@@ -257,9 +256,7 @@ else
 	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
 	status)
@@ -287,13 +284,6 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
-	up|down)
-	    [ $# -eq 1 ] && exit 0
-	    shift
-	    [ $# -ne 1 ] && usage 2
-	    updown $1
-	    status=0
-	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
 	    echo $SHOREWALL_VERSION

Shorewall/Perl/prog.header

@@ -120,13 +120,6 @@ deleteallchains() {
     run_iptables -X
 }
 
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'    
-}
-
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -663,7 +656,7 @@ fatal_error()
 {
     echo "   ERROR: $@" >&2
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%_b %d %T') "
         echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
     fi
@@ -679,12 +672,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
     echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
     case $COMMAND in
         start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -774,6 +761,34 @@ run_tc() {
     fi
 }
 
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Get a list of all configured broadcast addresses on the system
 #

Shorewall/Perl/prog.header6

@@ -112,13 +112,6 @@ deleteallchains() {
     run_iptables -X
 }
 
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'    
-}
-
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -185,7 +178,7 @@ find_default_interface() {
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
 #
@@ -633,12 +626,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
     echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
     case $COMMAND in
         start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -728,6 +715,34 @@ run_tc() {
     fi
 }
 
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #

Shorewall/changelog.txt

@@ -1,74 +1,3 @@
-Changes in Shorewall 4.4.10.1
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
-Changes in Shorewall 4.4.9
-
-1)  Auto-detection of bridges.
-
-2)  Correct handling of a logical interface name in the EXTERNAL column
-    of proxyarp.
-
-3)  More robust 'trace'.
-
-4)  Added IPv6 mDNS macro.
-
-5)  Fix find_first_interface_address() error reporting.
-
-6)  Fix propagation of zero-valued config variables.
-
-7)  Fix OPTIMIZE 4 bug.
-
-8)  Deallocate unused rules.
-
-9)  Keep rule arrays compressed during optimization.
-
-10) Remove remaining fallback scripts.
-
-11) Rationalize startup logs.
-
-12) Optimize 8.
-
-13) Don't create output chains for BPORT zones.
-
-14) Implement 'show log ip-addr' in /sbin/shorewall and
-    /sbin/shorewall-lite/
-
-15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
-
-16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
-
-17) Set IP before sourcing the params file.
-
-18) Fix rare optimization bug.
-
-19) Allow definition of an addressless bridge without a zone.
-
-20) In the routestopped file, assume 'routeback' if the interface has
-    'routeback'.
-
-21) Make Shorewall and Shorewall6 installable on OS X.
-
 Changes in Shorewall 4.4.8
 
 1)  Correct handling of RATE LIMIT on NAT rules.

Shorewall/configfiles/shorewall.conf

@@ -1,10 +1,19 @@
 ###############################################################################
+#  /etc/shorewall/shorewall.conf Version 4 - Change the following variables to
+#  match your setup
 #
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#  This program is under GPL
+#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall
+#
+#  (c) 1999,2000,2001,2002,2003,2004,2005,
+#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+#  Additional information is available at 
+#  http://www.shorewall.net/Documentation.htm#Conf
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

Shorewall/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall/init.debian.sh

@@ -93,11 +93,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -124,7 +120,7 @@ case "$1" in
      ;;
   refresh)
      shorewall_refresh
-     ;;
+  	  ;;
   force-reload|restart)
      shorewall_restart
      ;;

Shorewall/known_problems.txt

@@ -1,21 +1 @@
-1)  The IPv6 allowBcast built-in action generates an invalid ip6tables
-    rule. This defect is present in all versions of Shorewall that 
-    support IPv6.
-
-    Fixed in Shorewall 4.4.10.1.
-
-2)  If IPSET=<pathname> is specified in shorewall.conf, then when an
-    ipset is used in a configuration file entry, the following fatal
-    compilation error occurs:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    You can work around this problem by executing the following at a
-    root shell prompt:
-
-    	 shorewall show -f capabilities > /etc/shorewall/capabilities
-
-    Fixed in Shorewall 4.4.10.1. After installing this fix, if you 
-    executed the above command to work around the problem, we recommend
-    that you remove /etc/shorewall/capabilities.
+There are no known problems in Shorewall 4.4.8

Shorewall/lib.cli

@@ -159,15 +159,6 @@ packet_log() # $1 = number of messages
     fi
 }
 
-search_log() # $1 = IP address to search for
-{
-    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
-    else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
-    fi
-}    
-
 #
 # Show traffic control information
 #
@@ -362,7 +353,17 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-		    do_save && rm -f ${VARDIR}/save
+
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
+			else
+		            echo "Error Saving the Dynamic Rules" >&2
+			fi
+		    else
+			do_save && rm -f ${VARDIR}/save
+		    fi
 		    ;;
 	    esac
 	fi
@@ -540,17 +541,12 @@ show_command() {
 	    $IPTABLES -t mangle -L $g_ipt_options
 	    ;;
 	log)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
 	    host=$(echo $g_hostname | sed 's/\..*$//')
-
-	    if [ $# -eq 2 ]; then
-		search_log $2
-	    else
-		packet_log 20
-	    fi
+	    packet_log 20
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
@@ -1527,8 +1523,7 @@ determine_capabilities() {
 	exit 1
     fi
 
-    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
-       ! qt $IPTABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
+    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
 	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
 	exit 1
     fi

Shorewall/lib.common

@@ -431,7 +431,7 @@ find_first_interface_address() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
     #
     # If there wasn't one, bail out now
     #
@@ -448,7 +448,7 @@ find_first_interface_address_if_any() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
     #
     # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
     # along with everything else on the line

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 0
+                       S H O R E W A L L  4 . 4 . 8
 ----------------------------------------------------------------------------
 
 I.    RELEASE 4.4 HIGHLIGHTS
@@ -218,411 +218,6 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-4.4.10.1
-
-1)  The IPv6 allowBcast action generated an invalid rule.
-
-2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
-    ipset was used in a configuration file entry, the following
-    fatal compilation error occurred:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    If you applied the workaround given in the "Known Problems", then
-    you should remove /etc/shorewall/capabilities after installing
-    this fix.
-
-4.4.10
-
-1)  Startup Errors (those that are detected before the state of the
-    system has been altered), were previously not sent to the
-    STARTUP_LOG.
-
-2)  A regression of sorts occurred in Shorewall 4.4.9. Previously, a
-    Perl extension script could end with a call to add_rule(). Such a
-    script fails under Shorewall 4.4.9 unless the 'trace' option is
-    specified on the run line.
-
-    While this issue has been corrected, users are advised to always
-    end their Perl extension scripts with the following line to insure
-    that the script returns a 'true' value:
-
-    	 1;
-
-3)  Under rare circumstances involving a complex configuration,
-    OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
-    input to be generated. 
-
-    Sample error message:
-
-        iptables-restore v1.4.8: Couldn't load target
-        `sys2sys':/usr/local/libexec/xtables/libipt_sys2sys.so:
-	cannot open shared object file: No such file or directory
-
-4)  Previously, if the 'optional' option was given to an interface with
-    a wildcard physical name, specific instances of the interface were
-    never considered usable.
-
-    Example:
-
-    /etc/shorewall/interfaces:
-
-    #ZONE	INTERFACE	BROADCAST	OPTIONS
-    net		ppp+		-		optional
-
-    /etc/shorewall/providers:
-
-    #PROVIDER	NUMBER	MARK	DUPLICATE	INTERFACE	...
-    XYZTEL	1	-	main		ppp0
-
-    The XYZTEL provider was never usable.
-
-    This configuration now works correctly.
-
-5)  The 'forget' command now correctly removes saved ipsets.
-
-----------------------------------------------------------------------------
-           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
-----------------------------------------------------------------------------
-
-None.
-
-----------------------------------------------------------------------------
-         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
-----------------------------------------------------------------------------
-
-1)  Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
-    package provides two related features:
-
-    a)  It allows the firewall to be closed prior to bringing up
-        network devices. This insures that unwanted connections are not
-        allowed between the time that the network comes up and when the
-        firewall is started.
-
-    b)  It integrates with NetworkManager and distribution ifup/ifdown
-        systems to allow for 'event-driven' startup and shutdown.
-
-    The two facilities can be enabled separately.
-
-    When Shorewall-init is first installed, it does nothing until you
-    configure it.
-
-    The configuration file is /etc/default/shorewall-init on
-    Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
-
-    There are two settings in the file:
-
-    	  PRODUCTS    - lists the Shorewall packages that you want to
-    	                integrate with Shorewall-init. Example:
-
-			    PRODUCTS="shorewall shorewall6"
-
-          IFUPDOWN      When set to 1, enables integration with
-                        NetworkManager and the ifup/ifdown scripts.
-
-    To close your firewall before networking starts:
-
-    a)  in the Shorewall-init configuration file, set PRODUCTS to the
-        firewall products installed on your system.
-
-    b)  be sure that your current firewall script(s) (normally in
-        /var/lib/<product>/firewall) is(are) compiled with the 4.4.10
-        compiler. 
-
-	Shorewall and Shorewall6 users can execute these commands:
-
-	    shorewall compile
-            shorewall6 compile
-
-        Shorewall-lite and Shorewall6-lite users can execute these
-        commands on the administrative system.
-
-	    shorewall export <firewall-name-or-ip-address>
-	    shorewall6 export <firewall-name-or-ip-address>
-
-    That's all that is required.
-
-    To integrate with NetworkManager and ifup/ifdown, additional steps
-    are required. You probably don't want to enable this feature if you
-    run a link status monitor like swping or LSM.
-
-    a)  In the Shorewall-init configuration file, set IFUPDOWN=1.
-
-    b)  In your Shorewall interfaces file(s), set the 'required' option
-        on any interfaces that must be up in order for the firewall to
-        start. At least one interface must have the 'required' or
-        'optional' option if you perform the next optional step. If
-	'required' is specified on an interface with a wildcard name
-        (the physical name ends with '+'), then at least one interface
-        that matches the name must be in a usable state for the
-        firewall to start successfully.
-
-    c)  (Optional) -- If you have specified at least one 'required'
-        or 'optional interface, you can then disable automatic firewall
-        startup at boot time.
-
-	On Debian-based systems, set startup=0 in /etc/default/<product>.
-
-	On other systems, use your service startup configuration tool
-	(chkconfig, insserv, ...) to disable startup. 
- 
-    The following actions occur when an interface comes up:
-
-    	FIREWALL      INTERFACE     ACTION
-	STATE
-	----------------------------------
-	Any           Required      start
-        stopped       Optional      start
-        started	         -          restart
-
-    The following actions occur when an interface goes down:
-
-    In the INTERFACE column, '-' indicates neither required nor
-    optional
-
-    	FIREWALL      INTERFACE     ACTION
-	STATE
-	----------------------------------
-	Any           Required      stop
-        stopped       Optional      start
-	started	         -          restart
-
-    For optional interfaces, the /var/lib/<product>/<interface>.state
-    files are maintained to reflect the state of the interface.
-
-    Please note that the action is carried out using the current
-    compiled script; the configuration is not recompiled.
-
-    A new option has been added to shorewall.conf and
-    shorewall6.conf. The REQUIRE_INTERFACE option determines the
-    outcome when an attempt to start/restart/restore/refresh the
-    firewall is made and none of the optional interfaces are available.
-    With REQUIRE_INTERFACE=No (the default), the operation is
-    performed. If REQUIRE_INTERFACE=Yes, then the operation fails and
-    the firewall is placed in the stopped state. This option is
-    suitable for a laptop with both ethernet and wireless
-    interfaces. If either come up, the firewall starts. If neither
-    comes up, the firewall remains in the stopped state. Similarly, if
-    an optional interface goes down and there are no optional
-    interfaces remaining in the up state, then the firewall is stopped.
-
-    Shorewall-init may be installed on Debian-based systems, SuSE-based
-    systems and RedHat-based systems.
-
-    On Debian-based systems, during system shutdown the firewall is
-    opened prior to network shutdown (/etc/init.d/shorewall stop
-    performs a 'clear' operation rather than a 'stop'). This is
-    required by Debian standards. You can change this default behavior
-    by setting SAFESTOP=1 in /etc/default/shorewall
-    (/etc/default/shorewall6, ...).
-
-2)  All of the CLIs now support the -a option of the 'version' command.
-
-    Example:
-
-	gateway:~# shorewall6 version -a
-	4.4.10-RC1
-	shorewall: 4.4.10-RC1
-	shorewall-lite: 4.4.10-RC1
-	shorewall6-lite: 4.4.10-RC1
-	shorewall-init: 4.4.10-RC1
-	gateway:~# 
-
-3)  Beginning with this release, the 'restart' and 'refresh' commands
-    now retain the contents of the dynamic blacklist as well as the
-    current UPnP rules. The dynamic blacklist is also preserved over
-    stop/start.
-
-----------------------------------------------------------------------------
-V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
-      I N   P R I O R  R E L E A S E S
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
-----------------------------------------------------------------------------
-1)  Logical interface names in the EXTERNAL column of
-    /etc/shorewall/proxyarp were previously not mapped to their
-    corresponding physical interface names. This could cause 'start' or
-    'restart' to fail.
-
-2)  If find_first_interface_address() was unable to detect an address,
-    then Shorewall 4.4.8 would issue an obscure message
-    (startup_error: command not found) and continue.
-
-    Now, a meaningful error message is produced and the calling process
-    stops.
-
-3)  If LOG_VERBOSITY=0 in shorewall.conf, then when the compiled script
-    was executed, messages such as the following would be issued:
-
-       /var/lib/shorewall6/.restart: line 65: [: -gt: unary operator
-                                              expected
-
-4)  With optimize 4, if an unnecessary NONAT rule was included in
-    /etc/shorewall/rules (there was no DNAT or REDIRECT rule with the
-    same source zone), then 'shorewall start' and/or 'shorewall restart'
-    could fail with invalid iptables-restore input.
-
-5)  The tarball installers now check for the presence of the CLI
-    program (/sbin/shorewall, /sbin/shorewall6, etc) to determine if a
-    fresh install or an upgrade should be performed. Previously, the
-    installers used the presense of the configuration directory
-    (/etc/shorewall, /etc/shorewall6, etc.) which led to incomplete
-    installations where there was an existing configuration directory.
-
-6)  The fallback.sh scripts have been removed from Shorewall-lite,
-    Shorewall6, and Shorewall6-lite. These scripts no longer work and
-    should have been removed in 4.4.0.
-
-7)  The -lite products previously were inconsistent in how they
-    referred to their startup log. Some references included '-lite'
-    where some did not. This was particularly bad in the case of the
-    Shorewall-lite logrotate file which duplicated the name used by the
-    Shorewall package. This inconsistency could cause logrotate to
-    fail if both packages were installed.
-
-8)  Two additional problems with optimize 4 have been corrected. One
-    manifested as invalid iptables-restore input involving the 'tcpre'
-    mangle chain. The other involved wildcard interface names (those
-    ending in '+') and would likely also result in invalid
-    iptables-restore input.
-
-9)  Previously, Shorewall would set up infrastructure to handle traffic
-    from the firewall to bport zones. Such infrastructure could never
-    be used. Now, Shorewall avoids setting up these unneeded chains
-    and/or rules.
-
-10) If optimization level 2 and there were no OUTPUT rules and the only
-    effective output policy was $FW->all ACCEPT, then the OUTPUT chain
-    was empty and no packets could be sent.
-
-11) If find_first_interface_address() was called in the params file, a
-    fatal error occured on start/restart.
-
-12) The following valid configuration produced invalid
-    iptables-restore input with optimization level 4.
-
-    /etc/shorewall/interfaces:
-
-    #ZONE      INTERFACE       BROADCAST      OPTIONS
-    vpn	       tun+	       -
-
-    /etc/shorewall/masq:
-
-    #INTERFACE	SOURCE		ADDRESS		PROTO	PORT
-    tun0	192.168.1.0/24	
-
-    Use of tunN in the nat and netmap files also produced invalid
-    iptables-restore input.
-
-2)  '/sbin/shorewall version -a' now shows the versions of all installed
-    Shorewall packages.
-
-----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 9
-----------------------------------------------------------------------------
-
-1)  The compiler now auto-detects bridges for the purpose of setting
-    the 'routeback' option. Auto-detection is disabled when compiling
-    for export (-e option); note that -e is implicit in the 'load' and
-    'reload' commands.
-
-2)  When 'trace' is specified on a command that involves the compiler
-    (e.g., shorewall trace check), the compiler now creates a trace to
-    standard output.
-
-    Trace entries are of three types:
-
-    Input  --- begin with IN===>.     Input read from configuration
-                                      files. Comments have been
-                                      stripped, continuation lines
-                                      combined and shell variables
-                                      expanded.
-
-    Output --- begin with GS----->.   Text written to the generated
-                                      script.
-
-    Netfilter -- begin with NF-(x)->. Updates to the compiler's chain
-                                      table, where 'x' is one of the
-                                      following:
-
-        N - Create a chain.
-	A - Append a rule to a chain.
-	R - Replace a rule in a chain.
-	I - Inserted a rule into a chain.
-	T - Shell source text appended/inserted into a chain --
-            converted into rules at run-time.
-	D - Deleted Rule from a chain; note that this causes the 
-	    following rules to be renumbered.
-	X - Deleted a chain
-	P - Change a built-in chains policy. Chains in the filter table
-	    are created with a DROP policy. All other builtin chains
-	    have policy ACCEPT.
-	!   Followed by one or more of the following to indicate that
-            the operation is not allowed on the chain.
-
-	    O - Optimize
-	    D - Delete
-	    M - Move rules
-
-    Netfilter trace records indicate the table and chain being
-    changed. If the change involves a particular rule, then the rule
-    number is also included. 
-
-    Example (append the first rule to the filter FORWARD chain):
-
-	NF-(A)-> filter:FORWARD:1 ...
-
-    If the trace record involves the chain itself, then no rule number
-    is present.
-
-    Example (Delete the mangle tcpost chain):
-
-	NF-(X)-> mangle:tcpost
-
-3)  Thanks to Vincent Smeets, there is now an IPv6 mDNS macro.
-
-4)  Optimize 8 has been added. This optimization level eliminates
-    duplicate chains. So to set all possible optimizations, specify
-    OPTIMIZE=15.
-
-5)  The command-line tools now support 'show log <regex>' where <regex>
-    is a regular expression to search for in the LOGFILE. The command
-    searches the current LOGFILE for Netfilter messages matching the
-    supplied regex.
-
-6)  There are some instances where a bridge with no IP address is
-    configured. Prior to Shorewall 4.4.9, this required the following:
-
-    /etc/shorewall/interfaces:
-    #ZONE	INTERFACE	BROADCAST	OPTIONS
-    dummy	br0		-		routeback
-    
-    /etc/shorewall/policy:
-    #SOURCE	DEST		POLICY
-    dummy	all		DROP
-    all		dummy		DROP
-
-    Beginning in this release, a single entry will suffice:
-
-    /etc/shorewall/interfaces:
-    #ZONE	INTERFACE	BROADCAST	OPTIONS
-    -		br0		-		bridge
-
-7)  The generated ruleset now uses conntrack match for state matching,
-    if it is available.
-
-8)  In /etc/shorewall/routestopped, the 'routeback' option is assumed
-    if the interface has 'routeback' specified (either explicitly or
-    detected).
-
-9)  Apple Macs running OS X may now be used as a Shorewall
-    administrative system. Simply install using the tarball installer.
-
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
-----------------------------------------------------------------------------
-
 1)  A CONTINUE rule specifying a log level would cause the compiler to 
     generate an incorrect rule sequence. The packet would be logged
     but the CONTINUE action would not occur.
@@ -691,13 +286,14 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     'shorewall refresh' executed, those new changes would not be included
     in the active ruleset.
 
-12) In 4.4.7, it was documented that setting the 'bridge' option in an
-    interfaces file entry also set 'routeback'. That feature was
-    incomplete with the result that 'routeback' still needed to be
-    specified.
+----------------------------------------------------------------------------
+           I V. K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+None.
 
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 8
+         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
 1)  To avoid variable name collisions, a number of shell variable names
@@ -763,6 +359,9 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     <filename>' rather than 'Started'; <filename> is the saved script
     used to restore the configuration.
  
+----------------------------------------------------------------------------
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------

Shorewall/shorewall

@@ -300,20 +300,15 @@ get_config() {
     esac
 }
 
-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
 #
 # Run the compiler
 #
 compiler() {
-   
+    startup_error() {
+	echo "   ERROR: $@" >&2
+	exit 1
+    }
+    
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
 	    startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@@ -1326,7 +1321,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1360,7 +1355,7 @@ usage() # $1 = exit status
     echo "   show dynamic <zone>"
     echo "   show filters"
     echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
+    echo "   show [ -m ] log"
     echo "   show macro <macro>"
     echo "   show macros"
     echo "   show [ -x ] mangle|nat|raw|routing"
@@ -1369,7 +1364,7 @@ usage() # $1 = exit status
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1508,7 +1503,6 @@ version_command() {
     finished=0
     local all
     all=
-    local product
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1542,14 +1536,7 @@ version_command() {
     [ $# -gt 0 ] && usage 1
 
     echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
+
 }
 
 if [ $# -eq 0 ]; then
@@ -1686,7 +1673,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -1829,7 +1816,6 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.10
-%define release 1
+%define version 4.4.8
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
 Obsoletes: shorewall-common shorewall-perl shorewall-shell
 
 %description
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -76,6 +75,7 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall/configfiles
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
+%attr(0600,root,root) /etc/shorewall/Makefile
 
 %attr(0644,root,root) /etc/logrotate.d/shorewall
 
@@ -103,47 +103,11 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/configfiles/*
 
 %attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz
 
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
 fi
 
 if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
+    FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall
 fi

Shorewall6-lite/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall6-lite/fallback.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shorewall Lite and to restore the previous version of
+# the program
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to back out the installation of the version
+#       shown below. Simply run this script to revert to your prior version of
+#       Shoreline Firewall.
+
+VERSION=4.4.8
+
+usage() # $1 = exit status
+{
+    echo "usage: $(basename $0)"
+    exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+    if [ -d ${1}-${VERSION}.bkout ]; then
+	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+	    echo
+	    echo "$1 restored"
+	    rm -rf ${1}-${VERSION}
+	else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+	fi
+    fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+    if [ -n "$2" ]; then
+	local file
+	file=$(basename $1)
+
+	if [ -f $2/$file ]; then
+	    if mv -f $2/$file $1 ; then
+		echo
+		echo "$1 restored"
+		return
+	    fi
+
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+	if (mv -f ${1}-${VERSION}.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+}
+
+if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
+    echo "Shorewall Version $VERSION is not installed"
+    exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall-lite/init ]; then
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
+else
+    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
+
+restore_directory /etc/shorewall-lite
+restore_directory /usr/share/shorewall-lite
+restore_directory /var/lib/shorewall-lite
+
+echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
+
+

Shorewall6-lite/init.debian.sh

@@ -88,11 +88,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 Lite firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -126,12 +129,11 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
-INSTALLD='-D'
-T='-T'
+DEBIAN=
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -139,10 +141,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-     Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -151,14 +149,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -180,201 +178,183 @@ echo "Installing Shorewall6 Lite Version $VERSION"
 #
 # Check for /etc/shorewall6-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall6-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall6-lite ]; then
+    first_install=""
     [ -f /etc/shorewall6-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall6-lite/shorewall.conf /etc/shorewall6-lite/shorewall6-lite.conf
-else
-    rm -rf ${DESTDIR}/etc/shorewall6-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
-fi
-
-#
-# Check for /sbin/shorewall6-lite
-#
-if [ -f ${DESTDIR}/sbin/shorewall6-lite ]; then
-    first_install=""
 else
     first_install="Yes"
+    rm -rf ${PREFIX}/etc/shorewall6-lite
+    rm -rf ${PREFIX}/usr/share/shorewall6-lite
+    rm -rf ${PREFIX}/var/lib/shorewall6-lite
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall6-lite/xmodules
 
-install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
+install_file shorewall6-lite ${PREFIX}/sbin/shorewall6-lite 0544 ${PREFIX}/var/lib/shorewall6-lite-${VERSION}.bkout
 
-echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
+echo "Shorewall6 Lite control program installed in ${PREFIX}/sbin/shorewall6-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall6-lite 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall6 Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall6-lite, /usr/share/shorewall6-lite and /var/lib/shorewall6-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
+mkdir -p ${PREFIX}/etc/shorewall6-lite
+mkdir -p ${PREFIX}/usr/share/shorewall6-lite
+mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall6-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall6-lite
+chmod 755 ${PREFIX}/etc/shorewall6-lite
+chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
-   install_file shorewall6-lite.conf ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall6-lite.conf ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall6-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall6-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall6-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall6-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall6-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6-lite/wait4ifup"
 
-if [ -f modules ]; then
-    #
-    # Install the Modules file
-    #
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
-fi
+#
+# Install the Modules file
+#
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6-lite/modules"
 
-if [ -d manpages ]; then
-    #
-    # Install the Man Pages
-    #
+#
+# Install the Man Pages
+#
 
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
-    
-    cd ..
+cd ..
 
-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
 fi
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall6-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall6-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall6-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall6-lite-init.log
-
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    echo "Shorewall6 Lite will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall6-lite ; then
-		    echo "Shorewall6 Lite will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall6-lite ; then
-		    echo "Shorewall6 Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall6-lite
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall6-lite default; then
-		    echo "Shorewall6 Lite will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
+    if [ -n "$DEBIAN" ]; then
+	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
+	ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+	echo "Shorewall6 Lite will start automatically at boot"
+	touch /var/log/shorewall-init.log
+    else
+	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if insserv /etc/init.d/shorewall6-lite ; then
+		echo "Shorewall6 Lite will start automatically at boot"
+	    else
 		cant_autostart
 	    fi
+	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	    if chkconfig --add shorewall6-lite ; then
+		echo "Shorewall6 Lite will start automatically in run levels as follows:"
+		chkconfig --list shorewall6-lite
+	    else
+		cant_autostart
+	    fi
+	elif [ -x /sbin/rc-update ]; then
+	    if rc-update add shorewall6-lite default; then
+		echo "Shorewall6 Lite will start automatically at boot"
+	    else
+		cant_autostart
+	    fi
+	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    cant_autostart
 	fi
     fi
 fi

Shorewall6-lite/logrotate

@@ -1,4 +1,4 @@
-/var/log/shorewall6-lite-init.log {
+/var/log/shorewall6-init.log {
   missingok
   notifempty
   create 0600 root root

Shorewall6-lite/shorewall6-lite

@@ -349,7 +349,7 @@ usage() # $1 = exit status
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
@@ -364,64 +364,15 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -f ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -641,7 +592,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -662,8 +613,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
     logwatch)
 	logwatch_command $@

Shorewall6-lite/shorewall6-lite.conf

@@ -1,14 +1,15 @@
 ###############################################################################
-#  /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following 
+#  /etc/shorewall6-lite/shorewall-lite.conf Version 4 - Change the following 
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  For information about the settings in this file, type
-#  "man shorewall6-lite.conf"
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall-lite
+#
+#  (c) 2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6-lite.conf.html.
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.10
-%define release 1
+%define version 4.4.8
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall6-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -93,42 +92,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -67,7 +67,7 @@ if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
 fi
 
 if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall6-lite
 fi

Shorewall6/default.debian

@@ -21,16 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall6/fallback.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shoreline Firewall 6 and to restore the previous version of
+# the program
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2001,2002,2003,2004,2005,2008 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to back out the installation of the version
+#       shown below. Simply run this script to revert to your prior version of
+#       Shoreline Firewall.
+
+VERSION=4.4.8
+
+usage() # $1 = exit status
+{
+    echo "usage: $(basename $0)"
+    exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+    if [ -d ${1}-${VERSION}.bkout ]; then
+	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+	    echo
+	    echo "$1 restored"
+	    rm -rf ${1}-${VERSION}
+	else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+	fi
+    fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+    if [ -n "$2" ]; then
+	local file
+	file=$(basename $1)
+
+	if [ -f $2/$file ]; then
+	    if mv -f $2/$file $1 ; then
+		echo
+		echo "$1 restored"
+		return
+	    fi
+
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+	if (mv -f ${1}-${VERSION}.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+}
+
+if [ ! -f /usr/share/shorewall6-${VERSION}.bkout/version ]; then
+    echo "Shorewall6 Version $VERSION is not installed"
+    exit 1
+fi
+
+echo "Backing Out Installation of Shorewall6 $VERSION"
+
+if [ -L /usr/share/shorewall6/init ]; then
+    FIREWALL=$(ls -l /usr/share/shorewall6/init | sed 's/^.*> //')
+    restore_file $FIREWALL /usr/share/shorewall6-${VERSION}.bkout
+else
+    restore_file /etc/init.d/shorewall6 /usr/share/shorewall6-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall6 /var/lib/shorewall6-${VERSION}.bkout
+
+restore_directory /etc/shorewall6
+restore_directory /usr/share/shorewall6
+restore_directory /var/lib/shorewall6
+
+echo "Shorewall6 Restored to Version $(cat /usr/share/shorewall6/version)"
+
+

Shorewall6/init.debian.sh

@@ -93,11 +93,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -85,13 +85,12 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,16 +103,18 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 DEBIAN=
 CYGWIN=
-MAC=
 MANDIR=${MANDIR:-"/usr/share/man"}
 SPARSE=
-INSTALLD='-D'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -123,18 +124,6 @@ case $(uname) in
 	CYGWIN=Yes
 	SPARSE=Yes
 	;;
-    Darwin)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	    SPARSE=Yes
-	fi
-
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-	INSTALLD=
-	;;	
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -169,7 +158,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
@@ -177,18 +166,15 @@ if [ -n "$DESTDIR" ]; then
 	fi    
     fi
 	
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
    
     CYGWIN=
-    MAC=
 else
     [ -x /usr/share/shorewall/compiler.pl ] || \
 	{ echo "   ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
     if [ -n "$CYGWIN" ]; then
 	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."	
     else
 	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
 	    echo "Installing Debian-specific configuration..."
@@ -216,20 +202,20 @@ cd "$(dirname $0)"
 echo "Installing Shorewall6 Version $VERSION"
 
 #
-# Check for /sbin/shorewall6
+# Check for /etc/shorewall6
 #
-if [ -f ${DESTDIR}/sbin/shorewall6 ]; then
+if [ -d ${PREFIX}/etc/shorewall6 ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
 if [ -z "$CYGWIN" ]; then
-   install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
+   install_file shorewall6 ${PREFIX}/sbin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/sbin/shorewall6"
 else
-   install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
+   install_file shorewall6 ${PREFIX}/bin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/bin/shorewall6"
 fi
 
 
@@ -237,451 +223,442 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$SLACKWARE" ]; then
-    install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.slackware.shorewall6.sh ${PREFIX}${DEST}/rc.shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$INIT" ]; then
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 fi
 
-[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"
+[ -n "$CYGWIN" ] || echo  "Shorewall6 script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
-mkdir -p ${DESTDIR}/var/lib/shorewall6
+mkdir -p ${PREFIX}/etc/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6/configfiles
+mkdir -p ${PREFIX}/var/lib/shorewall6
 
-chmod 755 ${DESTDIR}/etc/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6/configfiles
+chmod 755 ${PREFIX}/etc/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
-perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+qt mywhich perl && perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
-   run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
-
-   if [ -n "$DEBIAN" ] && mywhich perl; then
-       #
-       # Make a Debian-like shorewall6.conf
-       #
-       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${DESTDIR}/etc/shorewall6/shorewall6.conf
-   fi
-
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6/shorewall6.conf"
+if [ ! -f ${PREFIX}/etc/shorewall6/shorewall6.conf ]; then
+   run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/etc/shorewall6/shorewall6.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall6/shorewall6.conf"
 fi
 
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6/shorewall6.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6/shorewall6.conf
 fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
+run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall6/configfiles/zones
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
-    echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/zones ]; then
+    run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall6/zones
+    echo "Zones file installed as ${PREFIX}/etc/shorewall6/zones"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall6/compiler
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.dynamiczones
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.maclist
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.nat
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.providers
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
+delete_file ${PREFIX}/usr/share/shorewall6/compiler
+delete_file ${PREFIX}/usr/share/shorewall6/lib.accounting
+delete_file ${PREFIX}/usr/share/shorewall6/lib.actions
+delete_file ${PREFIX}/usr/share/shorewall6/lib.dynamiczones
+delete_file ${PREFIX}/usr/share/shorewall6/lib.maclist
+delete_file ${PREFIX}/usr/share/shorewall6/lib.nat
+delete_file ${PREFIX}/usr/share/shorewall6/lib.providers
+delete_file ${PREFIX}/usr/share/shorewall6/lib.proxyarp
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tc
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tcrules
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tunnels
+delete_file ${PREFIX}/usr/share/shorewall6/prog.header
+delete_file ${PREFIX}/usr/share/shorewall6/prog.footer
 
 #
 # Install wait4ifup
 #
 
-install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6/wait4ifup 0755
 
 echo
-echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6/wait4ifup"
 
 #
 # Install the policy file
 #
-run_install $OWNERSHIP -m 0644 policy ${DESTDIR}/usr/share/shorewall6/configfiles/policy
+run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall6/configfiles/policy
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/policy ]; then
-    run_install $OWNERSHIP -m 0600 policy ${DESTDIR}/etc/shorewall6/policy
-    echo "Policy file installed as ${DESTDIR}/etc/shorewall6/policy"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/policy ]; then
+    run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall6/policy
+    echo "Policy file installed as ${PREFIX}/etc/shorewall6/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 interfaces ${DESTDIR}/usr/share/shorewall6/configfiles/interfaces
+run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall6/configfiles/interfaces
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 interfaces ${DESTDIR}/etc/shorewall6/interfaces
-    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall6/interfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/interfaces ]; then
+    run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall6/interfaces
+    echo "Interfaces file installed as ${PREFIX}/etc/shorewall6/interfaces"
 fi
 
 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 hosts ${DESTDIR}/usr/share/shorewall6/configfiles/hosts
+run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall6/configfiles/hosts
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/hosts ]; then
-    run_install $OWNERSHIP -m 0600 hosts ${DESTDIR}/etc/shorewall6/hosts
-    echo "Hosts file installed as ${DESTDIR}/etc/shorewall6/hosts"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/hosts ]; then
+    run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall6/hosts
+    echo "Hosts file installed as ${PREFIX}/etc/shorewall6/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 rules ${DESTDIR}/usr/share/shorewall6/configfiles/rules
+run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall6/configfiles/rules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/rules ]; then
-    run_install $OWNERSHIP -m 0600 rules ${DESTDIR}/etc/shorewall6/rules
-    echo "Rules file installed as ${DESTDIR}/etc/shorewall6/rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/rules ]; then
+    run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall6/rules
+    echo "Rules file installed as ${PREFIX}/etc/shorewall6/rules"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 params ${DESTDIR}/usr/share/shorewall6/configfiles/params
+run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall6/configfiles/params
 
-if [ -f ${DESTDIR}/etc/shorewall6/params ]; then
-    chmod 0644 ${DESTDIR}/etc/shorewall6/params
+if [ -f ${PREFIX}/etc/shorewall6/params ]; then
+    chmod 0644 ${PREFIX}/etc/shorewall6/params
 else
-    run_install $OWNERSHIP -m 0644 params ${DESTDIR}/etc/shorewall6/params
-    echo "Parameter file installed as ${DESTDIR}/etc/shorewall6/params"
+    run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall6/params
+    echo "Parameter file installed as ${PREFIX}/etc/shorewall6/params"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 routestopped ${DESTDIR}/usr/share/shorewall6/configfiles/routestopped
+run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall6/configfiles/routestopped
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped ${DESTDIR}/etc/shorewall6/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall6/routestopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/routestopped ]; then
+    run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall6/routestopped
+    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall6/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 maclist ${DESTDIR}/usr/share/shorewall6/configfiles/maclist
+run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall6/configfiles/maclist
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/maclist ]; then
-    run_install $OWNERSHIP -m 0600 maclist ${DESTDIR}/etc/shorewall6/maclist
-    echo "MAC list file installed as ${DESTDIR}/etc/shorewall6/maclist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/maclist ]; then
+    run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall6/maclist
+    echo "MAC list file installed as ${PREFIX}/etc/shorewall6/maclist"
 fi
 #
 # Install the Modules file
 #
-run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6/modules
-echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6/modules"
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"
 
 #
 # Install the Module Helpers file
 #
-run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall6/helpers
-echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall6/helpers"
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
 
 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}/usr/share/shorewall6/configfiles/tcrules
+run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall6/configfiles/tcrules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 tcrules ${DESTDIR}/etc/shorewall6/tcrules
-    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall6/tcrules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
+    run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall6/tcrules
+    echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 
 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 tcinterfaces ${DESTDIR}/usr/share/shorewall6/configfiles/tcinterfaces
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 tcinterfaces ${DESTDIR}/etc/shorewall6/tcinterfaces
-    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall6/tcinterfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
 fi
 
 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 tcpri ${DESTDIR}/usr/share/shorewall6/configfiles/tcpri
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 tcpri ${DESTDIR}/etc/shorewall6/tcpri
-    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall6/tcpri"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
 fi
 
 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 tos ${DESTDIR}/usr/share/shorewall6/configfiles/tos
+run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall6/configfiles/tos
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tos ]; then
-    run_install $OWNERSHIP -m 0600 tos ${DESTDIR}/etc/shorewall6/tos
-    echo "TOS file installed as ${DESTDIR}/etc/shorewall6/tos"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tos ]; then
+    run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall6/tos
+    echo "TOS file installed as ${PREFIX}/etc/shorewall6/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 tunnels ${DESTDIR}/usr/share/shorewall6/configfiles/tunnels
+run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall6/configfiles/tunnels
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 tunnels ${DESTDIR}/etc/shorewall6/tunnels
-    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall6/tunnels"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tunnels ]; then
+    run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall6/tunnels
+    echo "Tunnels file installed as ${PREFIX}/etc/shorewall6/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 blacklist ${DESTDIR}/usr/share/shorewall6/configfiles/blacklist
+run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall6/configfiles/blacklist
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist ${DESTDIR}/etc/shorewall6/blacklist
-    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/blacklist ]; then
+    run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall6/blacklist
+    echo "Blacklist file installed as ${PREFIX}/etc/shorewall6/blacklist"
 fi
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
+run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall6/configfiles/providers
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
-    run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
-    echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/providers ]; then
+    run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall6/providers
+    echo "Providers file installed as ${PREFIX}/etc/shorewall6/providers"
 fi
 
 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 route_rules ${DESTDIR}/usr/share/shorewall6/configfiles/route_rules
+run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall6/configfiles/route_rules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 route_rules ${DESTDIR}/etc/shorewall6/route_rules
-    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall6/route_rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/route_rules ]; then
+    run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall6/route_rules
+    echo "Routing rules file installed as ${PREFIX}/etc/shorewall6/route_rules"
 fi
 
 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 tcclasses ${DESTDIR}/usr/share/shorewall6/configfiles/tcclasses
+run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall6/configfiles/tcclasses
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 tcclasses ${DESTDIR}/etc/shorewall6/tcclasses
-    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall6/tcclasses"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclasses ]; then
+    run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall6/tcclasses
+    echo "TC Classes file installed as ${PREFIX}/etc/shorewall6/tcclasses"
 fi
 
 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 tcdevices ${DESTDIR}/usr/share/shorewall6/configfiles/tcdevices
+run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall6/configfiles/tcdevices
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 tcdevices ${DESTDIR}/etc/shorewall6/tcdevices
-    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall6/tcdevices"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
+    run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall6/tcdevices
+    echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
 fi
 
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 notrack ${DESTDIR}/usr/share/shorewall6/configfiles/notrack
+run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
-    echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
+    run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
+    echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
 fi
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6/configpath"
 #
 # Install the init file
 #
-run_install $OWNERSHIP -m 0644 init ${DESTDIR}/usr/share/shorewall6/configfiles/init
+run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall6/configfiles/init
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/init ]; then
-    run_install $OWNERSHIP -m 0600 init ${DESTDIR}/etc/shorewall6/init
-    echo "Init file installed as ${DESTDIR}/etc/shorewall6/init"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/init ]; then
+    run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall6/init
+    echo "Init file installed as ${PREFIX}/etc/shorewall6/init"
 fi
 #
 # Install the start file
 #
-run_install $OWNERSHIP -m 0644 start ${DESTDIR}/usr/share/shorewall6/configfiles/start
+run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall6/configfiles/start
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/start ]; then
-    run_install $OWNERSHIP -m 0600 start ${DESTDIR}/etc/shorewall6/start
-    echo "Start file installed as ${DESTDIR}/etc/shorewall6/start"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/start ]; then
+    run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall6/start
+    echo "Start file installed as ${PREFIX}/etc/shorewall6/start"
 fi
 #
 # Install the stop file
 #
-run_install $OWNERSHIP -m 0644 stop ${DESTDIR}/usr/share/shorewall6/configfiles/stop
+run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall6/configfiles/stop
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stop ]; then
-    run_install $OWNERSHIP -m 0600 stop ${DESTDIR}/etc/shorewall6/stop
-    echo "Stop file installed as ${DESTDIR}/etc/shorewall6/stop"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stop ]; then
+    run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall6/stop
+    echo "Stop file installed as ${PREFIX}/etc/shorewall6/stop"
 fi
 #
 # Install the stopped file
 #
-run_install $OWNERSHIP -m 0644 stopped ${DESTDIR}/usr/share/shorewall6/configfiles/stopped
+run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall6/configfiles/stopped
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stopped ]; then
-    run_install $OWNERSHIP -m 0600 stopped ${DESTDIR}/etc/shorewall6/stopped
-    echo "Stopped file installed as ${DESTDIR}/etc/shorewall6/stopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stopped ]; then
+    run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall6/stopped
+    echo "Stopped file installed as ${PREFIX}/etc/shorewall6/stopped"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 accounting ${DESTDIR}/usr/share/shorewall6/configfiles/accounting
+run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall6/configfiles/accounting
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/accounting ]; then
-    run_install $OWNERSHIP -m 0600 accounting ${DESTDIR}/etc/shorewall6/accounting
-    echo "Accounting file installed as ${DESTDIR}/etc/shorewall6/accounting"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/accounting ]; then
+    run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall6/accounting
+    echo "Accounting file installed as ${PREFIX}/etc/shorewall6/accounting"
 fi
 #
 # Install the Started file
 #
-run_install $OWNERSHIP -m 0644 started ${DESTDIR}/usr/share/shorewall6/configfiles/started
+run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall6/configfiles/started
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/started ]; then
-    run_install $OWNERSHIP -m 0600 started ${DESTDIR}/etc/shorewall6/started
-    echo "Started file installed as ${DESTDIR}/etc/shorewall6/started"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/started ]; then
+    run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall6/started
+    echo "Started file installed as ${PREFIX}/etc/shorewall6/started"
 fi
 #
 # Install the Restored file
 #
-run_install $OWNERSHIP -m 0644 restored ${DESTDIR}/usr/share/shorewall6/configfiles/restored
+run_install $OWNERSHIP -m 0644 restored ${PREFIX}/usr/share/shorewall6/configfiles/restored
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/restored ]; then
-    run_install $OWNERSHIP -m 0600 restored ${DESTDIR}/etc/shorewall6/restored
-    echo "Restored file installed as ${DESTDIR}/etc/shorewall6/restored"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/restored ]; then
+    run_install $OWNERSHIP -m 0600 restored ${PREFIX}/etc/shorewall6/restored
+    echo "Restored file installed as ${PREFIX}/etc/shorewall6/restored"
 fi
 #
 # Install the Clear file
 #
-run_install $OWNERSHIP -m 0644 clear ${DESTDIR}/usr/share/shorewall6/configfiles/clear
+run_install $OWNERSHIP -m 0644 clear ${PREFIX}/usr/share/shorewall6/configfiles/clear
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/clear ]; then
-    run_install $OWNERSHIP -m 0600 clear ${DESTDIR}/etc/shorewall6/clear
-    echo "Clear file installed as ${DESTDIR}/etc/shorewall6/clear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/clear ]; then
+    run_install $OWNERSHIP -m 0600 clear ${PREFIX}/etc/shorewall6/clear
+    echo "Clear file installed as ${PREFIX}/etc/shorewall6/clear"
 fi
 #
 # Install the Isusable file
 #
-run_install $OWNERSHIP -m 0644 isusable ${DESTDIR}/usr/share/shorewall6/configfiles/isusable
+run_install $OWNERSHIP -m 0644 isusable ${PREFIX}/usr/share/shorewall6/configfiles/isusable
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/isusable ]; then
-    run_install $OWNERSHIP -m 0600 isusable ${DESTDIR}/etc/shorewall6/isusable
-    echo "Isusable file installed as ${DESTDIR}/etc/shorewall/isusable"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/isusable ]; then
+    run_install $OWNERSHIP -m 0600 isusable ${PREFIX}/etc/shorewall6/isusable
+    echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
 #
 # Install the Refresh file
 #
-run_install $OWNERSHIP -m 0644 refresh ${DESTDIR}/usr/share/shorewall6/configfiles/refresh
+run_install $OWNERSHIP -m 0644 refresh ${PREFIX}/usr/share/shorewall6/configfiles/refresh
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refresh ]; then
-    run_install $OWNERSHIP -m 0600 refresh ${DESTDIR}/etc/shorewall6/refresh
-    echo "Refresh file installed as ${DESTDIR}/etc/shorewall6/refresh"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refresh ]; then
+    run_install $OWNERSHIP -m 0600 refresh ${PREFIX}/etc/shorewall6/refresh
+    echo "Refresh file installed as ${PREFIX}/etc/shorewall6/refresh"
 fi
 #
 # Install the Refreshed file
 #
-run_install $OWNERSHIP -m 0644 refreshed ${DESTDIR}/usr/share/shorewall6/configfiles/refreshed
+run_install $OWNERSHIP -m 0644 refreshed ${PREFIX}/usr/share/shorewall6/configfiles/refreshed
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refreshed ]; then
-    run_install $OWNERSHIP -m 0600 refreshed ${DESTDIR}/etc/shorewall6/refreshed
-    echo "Refreshed file installed as ${DESTDIR}/etc/shorewall6/refreshed"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refreshed ]; then
+    run_install $OWNERSHIP -m 0600 refreshed ${PREFIX}/etc/shorewall6/refreshed
+    echo "Refreshed file installed as ${PREFIX}/etc/shorewall6/refreshed"
 fi
 #
 # Install the Tcclear file
 #
-run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/tcclear
+run_install $OWNERSHIP -m 0644 tcclear ${PREFIX}/usr/share/shorewall6/configfiles/tcclear
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
-    run_install $OWNERSHIP -m 0600 tcclear ${DESTDIR}/etc/shorewall6/tcclear
-    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclear ]; then
+    run_install $OWNERSHIP -m 0600 tcclear ${PREFIX}/etc/shorewall6/tcclear
+    echo "Tcclear file installed as ${PREFIX}/etc/shorewall6/tcclear"
 fi
 #
 # Install the Standard Actions file
 #
-install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall6/actions.std"
+install_file actions.std ${PREFIX}/usr/share/shorewall6/actions.std 0644
+echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall6/actions.std"
 
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/usr/share/shorewall6/configfiles/actions
+run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall6/configfiles/actions
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/actions ]; then
-    run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/etc/shorewall6/actions
-    echo "Actions file installed as ${DESTDIR}/etc/shorewall6/actions"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/actions ]; then
+    run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall6/actions
+    echo "Actions file installed as ${PREFIX}/etc/shorewall6/actions"
 fi
 
 #
 # Install the  Makefiles
 #
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}/usr/share/shorewall6/configfiles/Makefile
+run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall6/configfiles/Makefile
 
 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6/Makefile
-    echo "Makefile installed as ${DESTDIR}/etc/shorewall6/Makefile"
+    run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6/Makefile
+    echo "Makefile installed as ${PREFIX}/etc/shorewall6/Makefile"
 fi
 #
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Action ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 
 # Install the Macro files
 #
 for f in macro.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Macro ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
     fi
 done
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6/version
+chmod 644 ${PREFIX}/usr/share/shorewall6/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall6/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall6/init
 fi
@@ -692,30 +669,28 @@ fi
 
 cd manpages
 
-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
-
 for f in *.5; do
     gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+    run_install -D  -m 0644 $f.gz ${PREFIX}${MANDIR}/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man5/$f.gz"
 done
 
 for f in *.8; do
     gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    run_install -D  -m 0644 $f.gz ${PREFIX}${MANDIR}/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man8/$f.gz"
 done
 
 cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
 	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6

Shorewall6/lib.cli

@@ -140,15 +140,6 @@ packet_log() # $1 = number of messages
     fi
 }
 
-search_log() # $1 = IP address to search for
-{
-    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
-    else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
-    fi
-}    
-
 #
 # Show traffic control information
 #
@@ -456,17 +447,12 @@ show_command() {
 	    $IP6TABLES -t raw -L $g_ipt_options
 	    ;;
 	log)
-	    [ $# -gt 2 ] && usage 1
+	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
 	    host=$(echo $g_hostname | sed 's/\..*$//')
-
-	    if [ $# -eq 2 ]; then
-		search_log $2
-	    else
-		packet_log 20
-	    fi
+	    packet_log 20
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
@@ -1222,8 +1208,7 @@ determine_capabilities() {
 	exit 1
     fi
 
-    if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
-       ! qt $IP6TABLES -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
+    if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
 	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
 	exit 1
     fi

Shorewall6/lib.common

@@ -375,7 +375,7 @@ find_first_interface_address() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
     #
     # If there wasn't one, bail out now
     #
@@ -392,7 +392,7 @@ find_first_interface_address_if_any() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
     #
     # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
     # along with everything else on the line

Shorewall6/macro.mDNS

@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Multicast DNS Macro
-#
-# /usr/share/shorewall6/macro.mDNS
-#
-#	This macro handles multicast DNS traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	<ff02::fb>		udp	5353
-PARAM	-	-			udp	32768:	5353
-PARAM	-	<ff02::fb>		2
-PARAM	DEST	SOURCE:<ff02::fb>	udp	5353
-PARAM	DEST	SOURCE:<ff02::fb>	2

Shorewall6/shorewall6

@@ -226,21 +226,17 @@ get_config() {
     esac
 }
 
-#
-# Issue an error message and die
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-    
 #
 # Run the appropriate compiler
 #
 compiler() {
     pc=${PERLSHAREDIR}/compiler.pl
 
+    startup_error() {
+	echo "   ERROR: $@" >&2
+	exit 1
+    }
+    
     local command
     command=$1
 
@@ -1261,7 +1257,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1282,9 +1278,9 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1458,11 +1454,9 @@ version_command() {
     echo $SHOREWALL_VERSION
 
     if [ -n "$all" ]; then
-	for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
+	if [ -f /usr/share/shorewall/version ]; then
+	    echo "Shorewall $(cat /usr/share/shorewall/version)"
+	fi
     fi
 }
 
@@ -1599,7 +1593,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac

Shorewall6/shorewall6.conf

@@ -1,11 +1,19 @@
 ###############################################################################
+#  /etc/shorewalls/shorewall6.conf Version 4 - Change the following variables to
+#  match your setup
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#  This program is under GPL
+#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall
+#
+#  (c) 1999,2000,2001,2002,2003,2004,2005,
+#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#  Additional information is available at 
+#  http://www.shorewall.net/Documentation.htm#Conf
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.10
-%define release 1
+%define version 4.4.8
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute shorewall >= 4.3.5
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -98,42 +97,6 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-1
-* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC3
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10.1
+VERSION=4.4.8
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
 fi
 
 if [ -L /usr/share/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall6
 fi

docs/6to4.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>6to4 and 6in4 Tunnels</title>
+    <title>6to4 Tunnels</title>
 
     <authorgroup>
       <author>
@@ -507,141 +507,6 @@ Ping(ACCEPT)     all             all
     </section>
   </section>
 
-  <section id="SixInFour">
-    <title>6in4 Tunnel</title>
-
-    <para>6in4 is very similar to 6to4:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Both Tunnel IPv6 traffic over IPv4 using Protocol 41</para>
-      </listitem>
-
-      <listitem>
-        <para>Both allow you access to the IPv6 network even though your ISP
-        doesn't offer native IPv6 connectivity.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>The differences are:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>6in4 gives you a /64 prefix outside of the 2002::0/16
-        network</para>
-      </listitem>
-
-      <listitem>
-        <para>You have a dedicated fixed endpoint for the tunnel rather than
-        the nebulous anycast endpoint 192.88.99.1. This is:</para>
-
-        <itemizedlist>
-          <listitem>
-            <para>Much more reliable</para>
-          </listitem>
-
-          <listitem>
-            <para>Much easier to troubleshoot (there is ONE host and one
-            company to call on the other end of the tunnel rather than an
-            indefinite cloud with noone in charge)</para>
-          </listitem>
-        </itemizedlist>
-      </listitem>
-    </itemizedlist>
-
-    <para>I converted to a 6in4 Tunnel from <ulink
-    url="http://tunnelbroker.net/">Hurricane Electric</ulink> in April of
-    2010. Converting from the 6to4 tunnel configuration above to a 6in4 tunnel
-    from HE took less than an hour.</para>
-
-    <para>When I signed up for a tunnel with HE, I received these
-    assignments:</para>
-
-    <blockquote>
-      <para>Server IPv4 address: 216.218.226.238</para>
-
-      <para>Server IPv6 address: 2001:470:a:227::1/64</para>
-
-      <para>Client IPv4 address: 206.124.146.180 (Same as the 6to4
-      tunnel)</para>
-
-      <para>Client IPv6 address: 2001:470:a:227::2/64 </para>
-    </blockquote>
-
-    <para>I also took advantage of their offer for a /48 prefix routed via
-    2001:470:a:227::2. The prefix I was assigned is</para>
-
-    <blockquote>
-      <para>2001:470:e857::/48</para>
-    </blockquote>
-
-    <para>Here are the key changes:</para>
-
-    <para><filename>/etc/network/interfaces:</filename></para>
-
-    <programlisting>iface eth1 inet6 static
-        address <emphasis role="bold">2001:470:e857:1::1</emphasis>
-        netmask 64 
-
-auto eth2
-...
-iface eth2 inet6 static
-      address 2<emphasis role="bold">001:470:e857:2::1</emphasis>
-      netmask 64
-
-auto sit1
-iface sit1 inet6 v4tunnel
-      address <emphasis role="bold">2001:470:a:227::2</emphasis>
-      netmask 64
-      endpoint <emphasis role="bold">216.218.226.238 </emphasis>
-      local 206.124.146.180
-      gateway <emphasis role="bold">2001:470:a:227::1</emphasis>
-      post-up echo 1 &gt; /proc/sys/net/ipv6/conf/all/forwarding
-
-</programlisting>
-
-    <para><filename>/etc/radvd.conf (I'm currently not using RDNSS so I've
-    simply commented out the existing entries)</filename>:</para>
-
-    <programlisting>interface eth1 { 
-        AdvSendAdvert on;
-        MinRtrAdvInterval 60; 
-        MaxRtrAdvInterval 600;
-        AdvDefaultLifetime 9000;
-        prefix <emphasis role="bold">2001:470:e857:1</emphasis>::/64 {
-                AdvOnLink on; 
-                AdvAutonomous on; 
-                AdvRouterAddr off; 
-        };
-        
-        route ::/0 {
-                AdvRouteLifetime infinity;
-        };
-        
-<emphasis role="bold">#       RDNSS 2002:ce7c:92b4:2:221:5aff:fe22:ace0 {
-#                AdvRDNSSOpen on;
-#                AdvRDNSSPreference 2;
-#        };</emphasis>
-};
-
-interface eth2 { 
-        AdvSendAdvert on;
-        MinRtrAdvInterval 60; 
-        MaxRtrAdvInterval 600;
-        prefix <emphasis role="bold">2001:470:e857:2</emphasis>::/64 {
-                AdvOnLink on; 
-                AdvAutonomous on; 
-                AdvRouterAddr off; 
-        };
-
-<emphasis role="bold">#       RDNSS 2002:ce7c:92b4:2:221:5aff:fe22:ace0 {
-#              AdvRDNSSOpen on;
-#               AdvRDNSSPreference 2;
-#        };         </emphasis>  
-};
-</programlisting>
-  </section>
-
   <section id="Tunnel6to4">
     <title>Connecting two IPv6 Networks, by Eric de Thouars</title>
 
@@ -699,4 +564,4 @@ interface eth2 {
     commands as listed above. The systems in both IPv6 subnetworks can now
     talk to each other using IPv6.</para>
   </section>
-</article>
+</article>

docs/Build.xml

@@ -72,10 +72,6 @@
         <listitem>
           <para>Shorewall6-lite</para>
         </listitem>
-
-        <listitem>
-          <para>Shorewall-init</para>
-        </listitem>
       </itemizedlist>
 
       <para>There are also several other directories which are described in
@@ -84,18 +80,20 @@
       <section>
         <title>trunk/docs</title>
 
-        <para>The stable release XML documents. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML documents. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version. In that case, there is no docs directory in that
+        release's directory in <emphasis
+        role="bold">branches</emphasis>.</para>
       </section>
 
       <section>
         <title>trunk/manpages, trunk/manpages6, trunk/manpages-lite and
         trunk/manpages6-lite</title>
 
-        <para>The stable release XML manpages. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML manpages. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version.</para>
       </section>
     </section>
 
@@ -158,8 +156,7 @@
     <section>
       <title>build44</title>
 
-      <para>This is the script that builds Shorewall 4.4 packages from
-      Git.</para>
+      <para>This is the script that builds Shorewall packages from Git.</para>
 
       <para>The script copies content from Git using the <command>git
       archive</command> command. It then uses that content to build the
@@ -168,7 +165,7 @@
 
       <variablelist>
         <varlistentry>
-          <term>rpmbuild</term>
+          <term>rpmbuild (I use rpm version 4.4.2.3-20.3)</term>
 
           <listitem>
             <para>Required to build the RPM packages.</para>
@@ -176,7 +173,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>xsltproc (libxslt)</term>
+          <term>xsltproc (libxslt -- I use version 1.1.24-19.1)</term>
 
           <listitem>
             <para>Required to convert the XML documents to other
@@ -185,7 +182,8 @@
         </varlistentry>
 
         <varlistentry>
-          <term>Docbook XSL Stylesheets</term>
+          <term>Docbook XSL Stylesheets (I use docbook-xsl-stylesheets version
+          1.74.0-1.35)</term>
 
           <listitem>
             <para>Required to convert the XML documents to other
@@ -194,7 +192,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>Perl</term>
+          <term>Perl (I use Perl 5.10.0-62.17.1)</term>
 
           <listitem>
             <para>Required to massage some of the config files.</para>
@@ -202,21 +200,25 @@
         </varlistentry>
 
         <varlistentry>
-          <term>xmlto</term>
+          <term>xmlto (I use version 0.0.18-182.27)</term>
 
           <listitem>
-            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
+            not all versions of xmlto will work (those released by Debian and
+            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
+            find that xmlto fails, install
+            tools<filename>/build/xmlto</filename> in <filename
+            class="directory">/usr/local/bin</filename>.</para>
           </listitem>
         </varlistentry>
       </variablelist>
 
-      <para>You should ensure that you have the latest scripts. The scripts
+      <para>You should ensure that you have the latest script. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
-      environment. There are a number of variables that are set near the top
-      of the file:</para>
+      <para>The scripts may need to be modified to fit your particular
+      environment. There are a number of variables that are set near the front
+      of the script:</para>
 
       <variablelist>
         <varlistentry>
@@ -258,7 +260,7 @@
           <term>GIT</term>
 
           <listitem>
-            <para>Shorewall GIT repository.</para>
+            <para>Shorewall GIT repository</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -282,8 +284,8 @@
           <term>opt<emphasis>i</emphasis>ons</term>
 
           <listitem>
-            <para>are one or more of the following. If no options are given
-            then all options are assumed</para>
+            <para>are one of the following. If no options are given then all
+            options are assumed</para>
 
             <variablelist>
               <varlistentry>
@@ -310,14 +312,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Build the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>l</term>
 
@@ -390,7 +384,7 @@
       against 4.2.7:</para>
 
       <blockquote>
-        <para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
+        <para><command>build44 -trSc 4.3.7.1 4.3.7</command></para>
       </blockquote>
     </section>
 
@@ -435,14 +429,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Upload the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>6</term>
 
@@ -483,55 +469,5 @@
         <para><command>upload44 -c 4.3.7.3</command></para>
       </blockquote>
     </section>
-
-    <section>
-      <title>install.sh files</title>
-
-      <para>Each product includes an install script
-      (<filename>install.sh</filename>) that may be used to install the
-      product on a machine or into a directory.</para>
-
-      <para>By default, the scripts install the corresponding product into
-      "/'; you can direct them to install into an empty existing directory by
-      setting an environmental variable:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DESTDIR (release 4.4.10 and later)</para>
-        </listitem>
-
-        <listitem>
-          <para>PREFIX (all releases)</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>There are a number of other environmental variables that you can
-      set to cause the directory to be populated for a particular target
-      environment:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DEBIAN - Debian-based systems (Debian, Ubuntu, etc.)</para>
-        </listitem>
-
-        <listitem>
-          <para>SUSE - SEL and OpenSuSE</para>
-        </listitem>
-
-        <listitem>
-          <para>REDHAT - RHEL, CentOS, Foobar, etc.</para>
-        </listitem>
-
-        <listitem>
-          <para>MAC - Apple MacIntosh (Shorewall and Shorewall6 packages
-          only)</para>
-        </listitem>
-
-        <listitem>
-          <para>CYGWIN - Cygwin under Windows (Shorewall and Shorewall6
-          packages only)</para>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 </article>

docs/CompiledPrograms.xml

@@ -179,12 +179,6 @@
         network. You need not configure Shorewall there and you may totally
         disable startup of Shorewall in your init scripts. For ease of
         reference, we call this system the 'administrative system'.</para>
-
-        <para>The administrative system may be a Windows system running <ulink
-        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
-        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
-        Install from a shell prompt <ulink url="Install.htm">using the
-        install.sh script</ulink>.</para>
       </listitem>
 
       <listitem>

docs/Documentation_Index.xml

@@ -5,7 +5,7 @@
   <!--/$Id$-->
 
   <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>
 
     <authorgroup>
       <author>
@@ -60,18 +60,18 @@
             <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
             Machine)</ulink></entry>
 
-            <entry><ulink url="Laptop.html">Shorewall on a
-            Laptop</ulink></entry>
+            <entry><ulink url="Shorewall-perl.html">Shorewall
+            Perl</ulink></entry>
           </row>
 
           <row>
-            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
+            <entry><ulink url="6to4.htm">6to4 Tunnels</ulink></entry>
 
             <entry><ulink url="ConnectionRate.html">Limiting Connection
             Rates</ulink></entry>
 
-            <entry><ulink url="Shorewall-perl.html">Shorewall
-            Perl</ulink></entry>
+            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
+            Guide</ulink></entry>
           </row>
 
           <row>
@@ -79,8 +79,7 @@
 
             <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
 
-            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
-            Guide</ulink></entry>
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
           </row>
 
           <row>
@@ -88,7 +87,9 @@
 
             <entry><ulink url="Macros.html">Macros</ulink></entry>
 
-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
           </row>
 
           <row>
@@ -98,9 +99,8 @@
             <entry><ulink url="MAC_Validation.html">MAC
             Verification</ulink></entry>
 
-            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
-            (<firstterm>Source Network Address
-            Translation</firstterm>)</entry>
+            <entry><ulink url="SplitDNS.html">Split DNS the Easy
+            Way</ulink></entry>
           </row>
 
           <row>
@@ -109,8 +109,8 @@
 
             <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
-            <entry><ulink url="SplitDNS.html">Split DNS the Easy
-            Way</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
+            Shorewall</ulink></entry>
           </row>
 
           <row>
@@ -120,8 +120,9 @@
             <entry><ulink url="ManualChains.html">Manual
             Chains</ulink></entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
-            Shorewall</ulink></entry>
+            <entry><ulink
+            url="starting_and_stopping_shorewall.htm">Starting/stopping the
+            Firewall</ulink></entry>
           </row>
 
           <row>
@@ -132,9 +133,8 @@
             <entry><ulink
             url="two-interface.htm#SNAT">Masquerading</ulink></entry>
 
-            <entry><ulink
-            url="starting_and_stopping_shorewall.htm">Starting/stopping the
-            Firewall</ulink></entry>
+            <entry><ulink url="NAT.htm">Static (one-to-one)
+            NAT</ulink></entry>
           </row>
 
           <row>
@@ -145,8 +145,7 @@
             from a Single Firewall</ulink> (<ulink
             url="MultiISP_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink url="NAT.htm">Static (one-to-one)
-            NAT</ulink></entry>
+            <entry><ulink url="support.htm">Support</ulink></entry>
           </row>
 
           <row>
@@ -156,7 +155,8 @@
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>
 
-            <entry><ulink url="support.htm">Support</ulink></entry>
+            <entry><ulink url="configuration_file_basics.htm">Tips and
+            Hints</ulink></entry>
           </row>
 
           <row>
@@ -166,8 +166,8 @@
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="configuration_file_basics.htm">Tips and
-            Hints</ulink></entry>
+            <entry><ulink url="Accounting.html">Traffic
+            Accounting</ulink></entry>
           </row>
 
           <row>
@@ -177,8 +177,8 @@
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
 
-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry> <ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple</ulink></entry>
           </row>
 
           <row>
@@ -187,8 +187,9 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry> <ulink url="simple_traffic_shaping.html">Traffic
-            Shaping/QOS - Simple</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
           </row>
 
           <row>
@@ -198,9 +199,8 @@
             <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
             NAT)</entry>
 
-            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
           </row>
 
           <row>
@@ -209,8 +209,7 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
           </row>
 
           <row>
@@ -220,7 +219,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -229,7 +229,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -239,8 +240,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -251,7 +251,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -260,7 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -269,8 +270,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -279,8 +280,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>
@@ -290,8 +291,7 @@
             <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
             of the 'Recent Match'</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>
@@ -371,8 +371,8 @@
             <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
             Filtering</ulink></entry>
 
-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Laptop.html">Shorewall on a
+            Laptop</ulink></entry>
 
             <entry></entry>
           </row>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2010</year>
+      <year>2001-2009</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -623,8 +623,8 @@ DNAT       net           net:192.168.4.22       tcp      80,443      -         <
           clients or use <ulink url="shorewall_setup_guide.htm#DNS">Bind
           Version 9 <quote>views</quote></ulink> on your main name server)
           such that www.mydomain.com resolves to 130.141.100.69 externally and
-          192.168.1.5 internally. I use a separate DNS server (dnsmasq) here
-          at shorewall.net.</para>
+          192.168.1.5 internally. That's what I do here at shorewall.net for
+          my local systems that use one-to-one NAT.</para>
         </listitem>
       </itemizedlist>
 
@@ -641,8 +641,8 @@ DNAT       net           net:192.168.4.22       tcp      80,443      -         <
       url="SplitDNS.html"><emphasis role="bold">check
       here</emphasis></ulink>.</para>
 
-      <para>If you really want to route traffic between two internal systems
-      through your firewall, then proceed as described below.<warning>
+      <para>But if you are the type of person who prefers quick and dirty
+      hacks to "doing it right", then proceed as described below.<warning>
           <para>All traffic redirected through use of this hack will look to
           the server as if it originated on the firewall rather than on the
           original client! So the server's access logs will be useless for
@@ -666,15 +666,6 @@ loc      eth1         detect       <emphasis role="bold">routeback</emphasis>
 
           <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
 <emphasis role="bold">eth1:192.168.1.5        eth1            192.168.1.254   tcp     www</emphasis></programlisting>
-
-          <para>Note: The technique described here is known as
-          <firstterm>hairpinning NAT</firstterm> and is described in section 6
-          of <ulink url="http://www.faqs.org/rfcs/rfc4787.html">RFC
-          4787</ulink>. There it is required that the <emphasis>external IP
-          address</emphasis> be used as the source:</para>
-
-          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
-eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
         </listitem>
 
         <listitem>
@@ -684,9 +675,8 @@ eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</em
 #                                                               PORT      DEST.
 <emphasis role="bold">DNAT       loc          loc:192.168.1.5    tcp      www         -         130.151.100.69</emphasis></programlisting>
 
-          <para>That rule (and the second one in the previous bullet) only
-          works of course if you have a static external IP address. If you
-          have a dynamic IP address then include this in
+          <para>That rule only works of course if you have a static external
+          IP address. If you have a dynamic IP address then include this in
           <filename>/etc/shorewall/params</filename> (or your
           <filename>&lt;export directory&gt;/init</filename> file if you are
           using Shorewall Lite on the firewall system):</para>
@@ -850,19 +840,6 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
         role="bold">IP_FORWARDING=On</emphasis> in
         <filename>shorewall.conf</filename>?</para>
       </section>
-
-      <section>
-        <title>(FAQ 2d) Does Shorewall support hairpinning NAT?</title>
-
-        <para><emphasis role="bold">Answer:</emphasis> Yes.</para>
-
-        <para>In the case of simple masquerade/SNAT, see <link
-        linkend="faq2">FAQ 2</link>.</para>
-
-        <para>For one-to-one (static), NAT, simply place 'Yes' in the ALL
-        INTERFACES column of each entry in <ulink
-        url="manpages/shorewall-nat.html">/etc/shorewall/nat</ulink>.</para>
-      </section>
     </section>
   </section>
 
@@ -1111,7 +1088,7 @@ to debug/develop the newnat interface.</programlisting></para>
     <section id="faq33">
       <title>(FAQ 33) From clients behind the firewall, connections to some
       sites fail. Connections to the same sites from the firewall itself work
-      fine. What's wrong?</title>
+      fine. What's wrong.</title>
 
       <para><emphasis role="bold">Answer:</emphasis> Most likely, you need to
       set CLAMPMSS=Yes in <filename><ulink
@@ -1993,10 +1970,14 @@ iptables: Invalid argument
       the init script, <command>stop</command> reverses the effect of
       <command>start</command>.</para>
 
-      <para>Beginning with Shorewall 4.4, when the Shorewall tarballs are
-      installed on a Debian (or derivative) system, the
-      <filename>/etc/init.d/shorewall</filename> file is the same as would be
-      installed by the .deb.</para>
+      <para>One way to avoid these differences is to install Shorewall from
+      the tarballs available from shorewall.net. This places Shorewall outside
+      of the control of the packaging system and provides consistent behavior
+      between the init scripts and <filename>/sbin/shorewall</filename> (and
+      <filename>/sbin/shorewall-lite</filename>). For more information on the
+      factors involved when deciding whether to use the Debian package, see
+      <ulink url="http://wiki.shorewall.net/wiki/ShorewallOnDebian">this
+      article</ulink>.</para>
     </section>
 
     <section id="faq74">
@@ -2061,18 +2042,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
           <para>Be sure to secure the script for execute access.</para>
         </listitem>
       </itemizedlist>
-
-      <variablelist>
-        <varlistentry>
-          <term>Update:</term>
-
-          <listitem>
-            <para>Beginning with Shorewall 4.4.10, there is a new <ulink
-            url="Manpages/shorewall-init.html">Shorewall Init Package</ulink>
-            that is designed to handle this case.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
     </section>
 
     <section id="faq87">
@@ -2710,8 +2679,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
    LOG Target: Available
    Persistent SNAT: Available
 gateway:~# </programlisting>
-
-      <para></para>
     </section>
 
     <section id="faq19">
@@ -2741,74 +2708,5 @@ loc                $FW                     ACCEPT           </programlisting>
       <emphasis>inline</emphasis> more with Shorewall, but no HOWTO exists at
       this time.</para>
     </section>
-
-    <section id="faq89">
-      <title>(FAQ 89) How do I connect to the web server in my aDSL modem from
-      my local LAN?</title>
-
-      <para>Answer: Here's what I did:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>My local network is 172.20.1.0/24, so I set the IP address in
-          the modem to 172.20.1.2.</para>
-        </listitem>
-
-        <listitem>
-          <para>The IP address of my firewall's interface to the LAN is
-          172.20.1.254. The logical name of the DSL interface is EXT_IF and my
-          LAN interface is INT_IF.</para>
-
-          <para>I added the following two configuration entries:</para>
-
-          <para><filename>/etc/shorewall/masq:</filename></para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
-</programlisting>
-
-          <para><filename>/etc/shorewall/proxyarp</filename>:</para>
-
-          <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
-172.20.1.2	EXT_IF		INT_IF		no		yes
-</programlisting>
-        </listitem>
-      </itemizedlist>
-
-      <para>If you can't change the IP address of your modem and its current
-      address isn't in your local network, then you need to change this
-      slightly; assuming that the modem IP address is 192.168.1.1:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Do not include an entry in
-          <filename>/etc/shorewall/proxyarp</filename>.</para>
-        </listitem>
-
-        <listitem>
-          <para>Add an IP address in 192.168.1.0/24 to your external interface
-          using your configuration's network management tools. For
-          Debian-based systems, that means adding this to the interface's
-          stanza in <filename>/etc/network/interfaces</filename>:</para>
-
-          <programlisting>    post-up /sbin/ip addr add 192.168.1.254/24 dev <replaceable>external-interface</replaceable></programlisting>
-        </listitem>
-
-        <listitem>
-          <para>Your entry in <filename>/etc/shorewall/masq</filename> would
-          then be:</para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
-</programlisting>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 </article>

docs/IPSEC-2.6.xml

@@ -796,7 +796,7 @@ all             all             REJECT          info
     on the firewall that must be accessible to road warriors. The reason for
     the second step is that the policy does not by default allow unrestricted
     access to the firewall itself. Finally, you should protect an exploit
-    where an attacker can exploit your LT2P server due to a hole in the way
+    where an attacker can exploit your LT2P server do to a hole in the way
     that L2TP interacts with UDP connection tracking.</para>
 
     <blockquote>
@@ -806,7 +806,7 @@ all             all             REJECT          info
 #                                       PORT(S) PORT(S)
 SECTION ESTABLISHED
 # Prevent IPSEC bypass by hosts behind a NAT gateway
-L2TP(REJECT)    net     $FW
+L2TP/(REJECT)   net     $FW
 REJECT          $FW     net     udp     -       1701
 # l2tp over the IPsec VPN
 ACCEPT          vpn     $FW     udp     1701

docs/LennyToSqueeze.xml

@@ -165,9 +165,8 @@
         not feasible to install Perl on your firewall, then you should
         consider installing Shorewall on another system in your network (may
         be a <trademark>Windows</trademark> system running
-        <trademark>Cygwin</trademark> or an <trademark>Apple</trademark>
-        <trademark>MacIntosh</trademark> running OS X) and installing
-        Shorewall-lite on your firewall.</para>
+        <trademark>Cygwin</trademark>) and installing Shorewall-lite on your
+        firewall.</para>
       </footnote>. While the two compilers are highly compatible, there are
     some differences. Those differences are detailed in the following
     sections.</para>

docs/MultiISP.xml

@@ -1214,13 +1214,6 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
           they offer you a place to start.</para>
         </important>
 
-        <important>
-          <para>If you have installed Shorewall-init, you should disable its
-          ifup/ifdown/NetworkManager integration (set IFUPDOWN=0 in the <ulink
-          url="Manpages/shorewall-init.html">Shorewall-init configuration
-          file</ulink>).</para>
-        </important>
-
         <para>The script should be copied to a directory on root's PATH such
         as <filename>/usr/local/sbin/</filename>.</para>
 
@@ -1383,13 +1376,6 @@ fi</programlisting></para>
         more sophisticated monitoring than the simple swping script described
         in the preceding section.</para>
 
-        <important>
-          <para>If you have installed Shorewall-init, you should disable its
-          ifup/ifdown/NetworkManager integration (set IFUPDOWN=0 in the <ulink
-          url="Manpages/shorewall-init.html">Shorewall-init configuration
-          file</ulink>) before installing LSM.</para>
-        </important>
-
         <para>Like many Open Source products, LSM is poorly documented. It's
         main configuration file is normally kept in
         <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
@@ -1536,7 +1522,7 @@ EOF
    # Since LSM assumes that interfaces start in the 'up' state, remove any
    # existing status files that might have an interface in the down state
    #
-   rm -f /var/lib/shorewall/*.status
+   rm -f /etc/shorewall/*.status
    #
    # Run LSM -- by default, it forks into the background
    #

docs/OPENVPN.xml

@@ -332,8 +332,6 @@ ping-timer-rem
 persist-tun
 persist-key
 
-push "route 192.168.1.0 255.255.255.0"
-
 verb 3</programlisting>
     </blockquote>
 
@@ -433,104 +431,6 @@ verb 3</programlisting>
     </orderedlist>
   </section>
 
-  <section id="Dupnet">
-    <title>Roadwarrior with Duplicate Network Issue</title>
-
-    <para>The information in this section was contributed by Nicola
-    Moretti.</para>
-
-    <para>If your local lan uses a popular RFC 1918 network like
-    192.168.1.0/24, there will be times when your roadwarriors need to access
-    your lan from a remote location that uses that same network.</para>
-
-    <graphic align="center" fileref="images/Mobile1.png" />
-
-    <para>This may be accomplished by configuring a second server on your
-    firewall that uses a different port and by using <ulink
-    url="netmap.html">NETMAP</ulink> in your Shorewall configuration. The
-    server configuration in the above diagram is modified as shown
-    here:</para>
-
-    <blockquote>
-      <programlisting>dev tun
-
-<emphasis role="bold">server 192.168.3.0 255.255.255.0</emphasis>
-
-dh dh1024.pem
-
-ca /etc/certs/cacert.pem
-
-crl-verify /etc/certs/crl.pem
-
-cert /etc/certs/SystemA.pem
-key /etc/certs/SystemA_key.pem
-
-<emphasis role="bold">port 1195</emphasis>
-
-comp-lzo
-
-user nobody
-
-group nogroup
-
-ping 15
-ping-restart 45
-ping-timer-rem
-persist-tun
-persist-key
-
-<emphasis role="bold">push "route 172.20.1.0 255.255.255.0"</emphasis>
-
-verb 3</programlisting>
-    </blockquote>
-
-    <para>In <filename>/etc/shorewall/netmap</filename>, put these
-    entries:</para>
-
-    <blockquote>
-      <programlisting>#TYPE	NET1			INTERFACE	NET2
-SNAT	192.168.1.0/24		tun1		172.20.1.0/24
-DNAT	172.20.1.0/24		tun1		192.168.1.0/24	
-</programlisting>
-    </blockquote>
-
-    <para>The roadwarrior can now connect to port 1195 and access the lan on
-    the right as 172.20.1.0/24.</para>
-  </section>
-
-  <section>
-    <title>Bridged Roadwarrior</title>
-
-    <para>If you want to use a bridged OpenVPN configuration rather than a
-    routed configuration, then follow any of the available HOWTOs to set up
-    the bridged configuration. Then:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>In your current Shorewall two-interface configuration, replace
-        references to your internal interface with the name of the bridge;
-        and</para>
-      </listitem>
-
-      <listitem>
-        <para>Set the <emphasis role="bold">routeback</emphasis> option in the
-        bridge's entry in <ulink
-        url="manpages/shorewall-interfaces.html">/etc/shorewall/interfaces</ulink>;
-        end</para>
-      </listitem>
-
-      <listitem>
-        <para>Add this entry to <ulink
-        url="manpages/shorewall-tunnels.html">/etc/shorewall/tunnels</ulink>:</para>
-
-        <programlisting>#TYPE               ZONE           GATEWAY        GATEWAY ZONE
-openvpnserver:1194  net            0.0.0.0/0</programlisting>
-      </listitem>
-    </orderedlist>
-
-    <para>This will make the roadwarrior part of your local zone.</para>
-  </section>
-
   <section>
     <title>Bridging Two Networks</title>
 

docs/OpenVZ.xml

@@ -151,7 +151,7 @@ vz       ipv4</programlisting>
       <programlisting>###############################################################################
 #ZONE    INTERFACE          BROADCAST      OPTIONS
 net      eth0               -              proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,rp_filter=0</emphasis></programlisting>
+vz       venet0             -              routeback,rp_filter=0</programlisting>
     </section>
 
     <section>

docs/Shorewall-4.xml

@@ -97,11 +97,12 @@
   <section id="Install">
     <title>Shorewall 4.4</title>
 
-    <para>Shorewall 4.4 discontinues the availability of the legacy
-    shell-based compiler. All users must migrate to the perl-based compiler
-    before or during an upgrade to Shorewall version 4.4. We highly recommend
-    that current users of the shell-based compiler migrate before upgrading to
-    4.4 so that both compilers are available during the migration.</para>
+    <para>Shorewall 4.4 (currently in Beta testing) discontinues the
+    availability of the legacy shell-based compiler. All users must migrate to
+    the perl-based compiler before or during an upgrade to Shorewall version
+    4.4. We highly recommend that current users of the shell-based compiler
+    migrate before upgrading to 4.4 so that both compilers are available
+    during the migration.</para>
 
     <para>Shorewall 4.4 contains four packages:</para>
 

docs/Shorewall-init.xml

@@ -1,284 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id$-->
-
-  <articleinfo>
-    <title>Shorewall Init</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2010</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <section>
-    <title>Introduction</title>
-
-    <para>The Shorewall init scripts released from shorewall.net and by most
-    distributions start Shorewall after networking. This allows Shorewall to
-    detect the network configuration and taylor itself accordingly. It is
-    possible to start Shorewall prior to networking but doing so limits the
-    set of Shorewall features that can be used.</para>
-
-    <para>When Shorewall starts after networking, there is the possibility of
-    unwanted connections being accepted between the time that an interface
-    comes up and the time that Shorewall has finished starting up. Also,
-    Shorewall has had no means of reacting when interfaces are brought up and
-    down.</para>
-
-    <para>Beginning with Shorewall 4.4.10, a new package, <firstterm>Shorewall
-    Init</firstterm>, is available. Shorewall Init serves two purposes:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>It can 'close' the firewall before the network interfaces are
-        brought up during boot.</para>
-      </listitem>
-
-      <listitem>
-        <para>It can change the firewall state as the result of interfaces
-        being brought up or taken down.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>These two features can be controlled independently. Shorewall Init
-    can be used together with any combination of the other Shorewall packages.
-    Shorewall-init works on RedHat-based, SuSE-based and Debian-based
-    distributions.</para>
-  </section>
-
-  <section id="Close">
-    <title>Closing the Firewall before the Network Interfaces are brought
-    up</title>
-
-    <para> When Shorewall-init is first installed, it does nothing until you
-    configure it.</para>
-
-    <para>The configuration file is <filename>/etc/default/shorewall-init
-    </filename>on Debian-based systems and
-    <filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
-    two settings in the file: </para>
-
-    <variablelist>
-      <varlistentry>
-        <term>PRODUCTS</term>
-
-        <listitem>
-          <para>Lists the Shorewall packages that you want to integrate with
-          Shorewall-init.</para>
-
-          <para>Example: PRODUCTS="shorewall shorewall6"</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IFUPDOWN</term>
-
-        <listitem>
-          <para>When set to 1, enables integration with NetworkManager and the
-          ifup/ifdown scripts.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>To close your firewall before networking starts:</para>
-
-    <orderedlist numeration="loweralpha">
-      <listitem>
-        <para>In the Shorewall-init configuration file, set PRODUCTS to the
-        firewall products installed on your system.</para>
-      </listitem>
-
-      <listitem>
-        <para>Be sure that your current firewall script(s) (normally in
-        <filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are)
-        compiled with the 4.4.10 compiler. </para>
-
-        <para>Shorewall and Shorewall6 users can execute these
-        commands:</para>
-
-        <simplelist>
-          <member>shorewall compile</member>
-
-          <member><command>shorewall6 compile</command></member>
-        </simplelist>
-
-        <para>Shorewall-lite and Shorewall6-lite users can execute these
-        commands on the administrative system:</para>
-
-        <simplelist>
-          <member><command>shorewall export
-          <replaceable>firewall-name-or-ip-address</replaceable></command></member>
-
-          <member><command>shorewall6 export
-          <replaceable>firewall-name-or-ip-address</replaceable></command></member>
-        </simplelist>
-      </listitem>
-    </orderedlist>
-
-    <para>That's all that is required. </para>
-  </section>
-
-  <section id="NM">
-    <title>Integration with NetworkManager and ifup/ifdown Scripts</title>
-
-    <para>To integrate with NetworkManager and ifup/ifdown, additional steps
-    are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM. </para>
-
-    <orderedlist numeration="loweralpha">
-      <listitem>
-        <para>In the Shorewall-init configuration file, set IFUPDOWN=1.</para>
-      </listitem>
-
-      <listitem>
-        <para>In your Shorewall interfaces file(s), set the
-        <option>required</option> option on any interfaces that must be up in
-        order for the firewall to start. At least one interface must have the
-        <option>required</option> or <option>optional</option> option if you
-        perform the next optional step.</para>
-      </listitem>
-
-      <listitem>
-        <para>Optional) -- If you have specified at least one
-        <option>required</option> or <option>optional</option> interface, you
-        can then disable automatic firewall startup at boot time. On
-        Debian-based systems, set startup=0 in
-        <filename>/etc/default/<replaceable>product</replaceable></filename>.
-        On other systems, use your service startup configuration tool
-        (chkconfig, insserv, ...) to disable startup. </para>
-      </listitem>
-    </orderedlist>
-
-    <para>The following actions occur when an interface comes up: </para>
-
-    <informaltable>
-      <tgroup cols="3">
-        <tbody>
-          <row>
-            <entry><emphasis role="bold">FIREWALL STATE</emphasis></entry>
-
-            <entry><emphasis role="bold">INTERFACE</emphasis></entry>
-
-            <entry><emphasis role="bold">ACTION</emphasis></entry>
-          </row>
-
-          <row>
-            <entry>Any</entry>
-
-            <entry>Required</entry>
-
-            <entry>start</entry>
-          </row>
-
-          <row>
-            <entry>stopped</entry>
-
-            <entry>Optional</entry>
-
-            <entry>start</entry>
-          </row>
-
-          <row>
-            <entry>started</entry>
-
-            <entry>Any</entry>
-
-            <entry>restart</entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-
-    <para>The following actions occur when an interface goes down:</para>
-
-    <informaltable>
-      <tgroup cols="3">
-        <tbody>
-          <row>
-            <entry><emphasis role="bold">FIREWALL STATE</emphasis></entry>
-
-            <entry><emphasis role="bold">INTERFACE</emphasis></entry>
-
-            <entry><emphasis role="bold">ACTION</emphasis></entry>
-          </row>
-
-          <row>
-            <entry>Any</entry>
-
-            <entry>Required</entry>
-
-            <entry>stop</entry>
-          </row>
-
-          <row>
-            <entry>stopped</entry>
-
-            <entry>Optional</entry>
-
-            <entry>start</entry>
-          </row>
-
-          <row>
-            <entry>started</entry>
-
-            <entry>Any</entry>
-
-            <entry>restart</entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-
-    <para> For optional interfaces, the
-    <filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
-    files are maintained to reflect the state of the interface so that they
-    may be used by the standard <firstterm>isusable</firstterm> script. Please
-    note that the action is carried out using the current compiled script; the
-    configuration is not recompiled.</para>
-
-    <para>A new option has been added to <filename>shorewall.conf</filename>
-    and <filename>shorewall6.conf</filename>. The REQUIRE_INTERFACE option
-    determines the outcome when an attempt to start/restart/restore/refresh
-    the firewall is made and none of the optional interfaces are available.
-    With REQUIRE_INTERFACE=No (the default), the operation is performed. If
-    REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed
-    in the stopped state. This option is suitable for a laptop with both
-    ethernet and wireless interfaces. If either come up, the firewall starts.
-    If neither comes up, the firewall remains in the stopped state.</para>
-
-    <para>Similarly, if an optional interface goes down and there are no
-    optional interfaces remaining in the up state, then the firewall is
-    stopped. </para>
-
-    <para>On Debian-based systems, during system shutdown the firewall is
-    opened prior to network shutdown (<command>/etc/init.d/shorewall
-    stop</command> performs a 'clear' operation rather than a 'stop'). This is
-    required by Debian standards. You can change this default behavior by
-    setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
-    (<filename>/etc/default/shorewall6</filename>, ...). </para>
-  </section>
-</article>

docs/Shorewall-perl.xml

@@ -583,10 +583,8 @@ DNAT-              net                192.168.1.3      tcp          21</programl
       environment. The best way to work around this limitation is to install
       Shorewall-perl on an administrative system and employ Shorewall-lite on
       your embedded systems. Shorewall-perl will run on Windows under <ulink
-      url="http://www.cygwin.com/">Cygwin</ulink> and on an <ulink
-      url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
-      Install from a shell prompt <ulink url="Install.htm">using the
-      install.sh script</ulink>.</para>
+      url="http://www.cygwin.com/">Cygwin</ulink>. Install using the
+      install.sh script.</para>
     </section>
   </section>
 
@@ -762,14 +760,6 @@ DNAT-              net                192.168.1.3      tcp          21</programl
       <para>Specifies whether an IPv4 or an IPv6 firewall is to be
       created.</para>
 
-      <simplelist>
-        <member><emphasis role="bold">--preview</emphasis></member>
-      </simplelist>
-
-      <para>Added in Shorewall 4.4.6. If no filename is given, this option
-      causes the generated input to iptables-input to be displayed on standard
-      output.</para>
-
       <para>Example (compiles the configuration in the current directory
       generating a script named 'firewall' and using VERBOSITY
       2).<programlisting><emphasis role="bold">/usr/share/shorewall/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
@@ -874,15 +864,6 @@ set +a
             <para>Address family: 4 or 6</para>
           </listitem>
         </varlistentry>
-
-        <varlistentry>
-          <term>preview</term>
-
-          <listitem>
-            <para>Added in Shorewall 4.4.6.l Preview the ruleset on standard
-            output.</para>
-          </listitem>
-        </varlistentry>
       </variablelist>
 
       <para>Those parameters that are supplied must have defined values.

docs/Shorewall_Squid_Usage.xml

@@ -197,29 +197,6 @@ ACCEPT    loc        net      tcp      www</programlisting>
 
       <para>The last rule may be omitted if your loc-&gt;net policy is
       ACCEPT.</para>
-
-      <para>In some cases (when running an LTSP server on the Shorewall
-      system), you might want to transparently proxy web connections that
-      originate on the firewall itself. This requires care to ensure that
-      Squid's own web connections are not proxied.</para>
-
-      <para>First, determine the user id that Squid is running under:</para>
-
-      <programlisting>gateway:/etc/shorewall# <emphasis role="bold">ps aux | fgrep -i squid | fgrep -v fgrep</emphasis>
-root     10085  0.0  0.0  23864   700 ?        Ss   Apr22   0:00 /usr/sbin/squid -D -YC
-<emphasis role="bold">proxy</emphasis>    10088  0.0  0.9  40512 19192 ?        S    Apr22  10:58 <emphasis
-          role="bold">(squid)</emphasis> -D -YC
-gateway:/etc/shorewall# </programlisting>
-
-      <para>In this case, the proxy process <emphasis
-      role="bold">(squid)</emphasis> is running under the <emphasis
-      role="bold">proxy</emphasis> user Id. We add these rules:</para>
-
-      <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL          RATE       USER/
-#                                                       PORT(S)    DEST              LIMIT      GROUP
-ACCEPT    $FW        net      tcp      www
-REDIRECT  $FW        3128     tcp      www              -          -                 -         <emphasis
-          role="bold"> !proxy</emphasis></programlisting>
     </section>
 
     <section id="Local">

docs/UPnP.xml

@@ -20,8 +20,6 @@
     <copyright>
       <year>2005</year>
 
-      <year>2010</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -62,8 +60,19 @@
 
       <para>If either of these assumptions are not true then UPnP can be used
       to totally defeat your firewall and to allow incoming connections to
-      arbitrary local systems on any port whatsoever. In short: USE UPnP
-      <emphasis role="bold">AT YOUR OWN RISK.</emphasis></para>
+      arbitrary local systems on any port whatsoever. In short: USE
+      UPnP<emphasis> </emphasis> <emphasis role="bold">AT YOUR OWN
+      RISK.</emphasis></para>
+    </warning>
+
+    <warning>
+      <para>The linux-igd project was inactive for a long time and has just
+      been resurrected. I haven't tried to build using the current code (as of
+      2006-07-22) but the last time I did, I found that building and
+      installing linux-igd was not for the faint of heart. You must download
+      the source from CVS and I had to do quite a bit of fiddling with the
+      include files from libupnp (which is required to build and/or run
+      linux-igd).</para>
     </warning>
   </section>
 
@@ -89,6 +98,25 @@ forward_chain_name = forwardUPnP</programlisting>
 net     eth1            detect          dhcp,routefilter,tcpflags,<emphasis
         role="bold">upnp</emphasis></programlisting>
 
+    <para>If your fw-&gt;loc policy is not ACCEPT then you need this
+    rule:</para>
+
+    <programlisting>#ACTION            SOURCE  DEST
+allowoutUPnP       $FW     loc</programlisting>
+
+    <note>
+      <para>To use 'allowoutUPnP', your iptables and kernel must support the
+      'owner match' feature (see the output of "shorewall show capabilities")
+      and you may not be running kernel version 2.6.14 or later. If you are
+      running 2.6.14 or later, then replace the above rule with:</para>
+    </note>
+
+    <blockquote>
+      <programlisting>#ACTION            SOURCE  DEST   PROTO     DEST PORT(S)     SOURCE     ORIGINAL     RATE     USER/
+#                                                            PORT(S)    DESTINATION  LIMIT    GROUP
+ACCEPT             $FW     loc    all       -                -          -            -        root</programlisting>
+    </blockquote>
+
     <para>If your loc-&gt;fw policy is not ACCEPT then you need this
     rule:</para>
 
@@ -109,30 +137,21 @@ forwardUPnP        net     loc</programlisting>
       this route during <command>start</command> and deletes it during
       <command>stop</command>.</para>
     </note>
-
-    <caution>
-      <para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
-      added by linux-idg over a <command>shorewall restart</command>.</para>
-    </caution>
   </section>
 
   <section>
     <title>Shorewall on a UPnP Client</title>
 
     <para>It is sometimes desirable to run UPnP-enabled client programs like
-    <ulink url="http://www.transmissionbt.com/">Transmission</ulink>
-    (BitTorrent client) on a Shorewall-protected system. Shorewall provides
-    support for UPnP client access in the form of the <emphasis
-    role="bold">upnpclient</emphasis> option in <ulink
+    Transmission (BitTorrent client) on a Shorewall-protected system.
+    Shorewall provides support for UPnP client access in the form of the
+    <emphasis role="bold">upnpclient</emphasis> option in <ulink
     url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
     (5).</para>
 
     <para>The <emphasis role="bold">upnpclient</emphasis> option causes
     Shorewall to detect the default gateway through the interface and to
     accept UDP packets from that gateway. Note that, like all aspects of UPnP,
-    this is a security hole so use this option at your own risk.</para>
-
-    <para>Note that when multiple clients behind the firewall use UPnP, they
-    must configure their applications to use unique ports.</para>
+    this is a security hole so use this option at your own risk. </para>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -188,11 +188,6 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
         <para>save - save the dynamic blacklisting configuration so that it
         will be automatically restored the next time that the firewall is
         restarted.</para>
-
-        <para><emphasis role="bold">Update:</emphasis> Beginning with
-        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
-        <command>stop/start</command> sequences and over
-        <command>restart</command>.</para>
       </listitem>
 
       <listitem>

docs/configuration_file_basics.xml

@@ -48,17 +48,6 @@
     before you use them with Shorewall.</para>
   </caution>
 
-  <section>
-    <title id="Intro">Introduction</title>
-
-    <para>This article offers hints about how to accomplish common tasks with
-    Shorewall. The <ulink url="Introduction.html">Introduction to
-    Shorewall</ulink> is required reading for being able to use this article
-    effectively. For information about setting up your first Shorewall-based
-    firewall, see the <ulink url="GettingStarted.html">Quickstart
-    Guides</ulink>.</para>
-  </section>
-
   <section id="Files">
     <title>Files</title>
 
@@ -197,8 +186,8 @@
         <listitem>
           <para><filename>/etc/shorewall/tcdevices</filename>,
           <filename>/etc/shorewall/tcclasses</filename>,
-          <filename>/etc/shorewall/tcfilters</filename> - Define complex
-          traffic shaping.</para>
+          <filename>/etc/shorewall/tcfilters</filename> - Define traffic
+          shaping.</para>
         </listitem>
 
         <listitem>
@@ -206,12 +195,6 @@
           traffic for traffic shaping or multiple providers.</para>
         </listitem>
 
-        <listitem>
-          <para><filename>/etc/shorewall/tcinterfaces</filename> and
-          <filename>/etc/shorewall-tcpri</filename> - Define simple traffic
-          shaping.</para>
-        </listitem>
-
         <listitem>
           <para><filename>/etc/shorewall/vardir</filename> - Determines the
           directory where Shorewall maintains its state.</para>
@@ -621,8 +604,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
     <title>Using Shell Variables</title>
 
     <para>You may use the <filename>/etc/shorewall/params</filename> file to
-    set shell variables that you can then use in the other configuration
-    files.</para>
+    set shell variables that you can then use in some of the other
+    configuration files.</para>
 
     <para>It is suggested that variable names begin with an upper case letter
     to distinguish them from variables used internally within the Shorewall
@@ -1292,9 +1275,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     packets will be logged. After this, it will be 6 seconds (1 minute divided
     by the rate of 10) before a message will be logged from the rule,
     regardless of how many packets reach it. Also, every 6 seconds which
-    passes, one of the bursts will be regained; if no packets hit the rule for
-    30 seconds, the burst will be fully recharged; back where we
-    started.</para>
+    passes without matching a packet, one of the bursts will be regained; if
+    no packets hit the rule for 30 seconds, the burst will be fully recharged;
+    back where we started.</para>
   </section>
 
   <section id="Logical">

docs/netmap.xml

@@ -311,9 +311,5 @@ SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlist
     /etc/shorewall/netmap and <ulink url="MultiISP.html">multiple
     providers</ulink>. If you try it and get it working, please contribute an
     update to this article.</para>
-
-    <para>See the<ulink url="OPENVPN.html"> OpenVPN documentation</ulink> for
-    a solution contributed by Nicola Moretti for resolving duplicate networks
-    in a roadwarrior VPN environment.</para>
   </section>
 </article>

docs/shorewall_features.xml

@@ -87,8 +87,7 @@
           <listitem>
             <para>Shorewall installed on a single administrative system. May
             be a <trademark>Windows</trademark> PC running
-            <trademark>Cygwin</trademark> or an <trademark>Apple
-            MacIntosh</trademark> running OS X.</para>
+            <trademark>Cygwin</trademark>.</para>
           </listitem>
 
           <listitem>

docs/shorewall_setup_guide.xml

@@ -363,7 +363,7 @@ all              all                 REJECT     info</programlisting>
     class="devicefile">ppp0</filename> or <filename
     class="devicefile">ippp0</filename> then you will want to set CLAMPMSS=yes
     in <filename><ulink
-    url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
+    url="manpages/shorewall.conf.htmlig">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
 
     <para>Your <emphasis>Local Interface</emphasis> will be an Ethernet
     adapter (<filename class="devicefile">eth0</filename>,

docs/standalone.xml

@@ -41,6 +41,12 @@
     release.</emphasis></para>
   </caution>
 
+  <caution>
+    <para><emphasis role="bold">Do not attempt to install Shorewall on a
+    remote system. You are virtually assured to lock yourself out of that
+    system.</emphasis></para>
+  </caution>
+
   <section id="Introduction">
     <title>Introduction</title>
 
@@ -593,7 +599,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
     <important>
       <para>Users of the .deb package must edit
       <filename>/etc/default/shorewall</filename> and set
-      <varname>startup=1.</varname></para>
+      <varname>STARTUP=1.</varname></para>
     </important>
 
     <important>
@@ -631,13 +637,6 @@ SSH(ACCEPT) net       $FW           </programlisting>
       url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
       try</command></quote></ulink> command.</para>
     </warning>
-
-    <para>The firewall will start after your network interface has been
-    brought up. This leaves a small window between the time that the network
-    interface is working and when the firewall is controlling connections
-    through that interface. If this is a concern, you can close that window by
-    installing the <ulink url="Shorewall-init.html">Shorewall Init
-    Package</ulink>.</para>
   </section>
 
   <section id="Problems">

docs/starting_and_stopping_shorewall.xml

@@ -190,15 +190,6 @@
     <filename>/sbin/shorewall</filename> (or
     <filename>/sbin/shorewall-lite</filename>) and your init scripts unless
     you got your Shorewall package from shorewall.net.</para>
-
-    <para><emphasis role="bold">Update:</emphasis><blockquote>
-        <para>In Shorewall 4.4.0 and later, the tarballs from shorewall.net
-        follow the Debian convention when installed on a Debian or Ubuntu
-        system. Beginning with Shorewall 4.4.10, you can revert to the prior
-        behavior by setting SAFESTOP=1 in
-        <filename>/etc/default/shorewall</filename>,
-        <filename>/etc/default/shorewall6</filename>, etc.</para>
-      </blockquote></para>
   </section>
 
   <section id="Trace">

docs/three-interface.xml

@@ -41,6 +41,12 @@
     release.</emphasis></para>
   </caution>
 
+  <caution>
+    <para><emphasis role="bold">Do not attempt to install Shorewall on a
+    remote system. You are virtually assured to lock yourself out of that
+    system.</emphasis></para>
+  </caution>
+
   <section id="Intro">
     <title>Introduction</title>
 
@@ -1145,13 +1151,6 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
         url="starting_and_stopping_shorewall.htm"><command>shorewall
         try</command> command</ulink>.</para>
       </warning></para>
-
-    <para>The firewall will start after your network interfaces have been
-    brought up. This leaves a small window between the time that the network
-    interface are working and when the firewall is controlling connections
-    through those interfaces. If this is a concern, you can close that window
-    by installing the <ulink url="Shorewall-init.html">Shorewall Init
-    Package</ulink>.</para>
   </section>
 
   <section id="Trouble">

docs/traffic_shaping.xml

@@ -148,7 +148,7 @@
     linkend="tcclasses">below</link>.</para>
 
     <para>You can shape incoming traffic through use of an
-    <firstterm>Intermediate Functional Block</firstterm> (IFB) device. <link
+    <firstterm>Intermediate Frame Block</firstterm> (IFB) device. <link
     linkend="IFB">See below</link>. <emphasis role="bold">But beware: using an
     IFB can result in queues building up both at your ISPs router and at your
     own.</emphasis></para>
@@ -428,7 +428,7 @@
         <listitem>
           <para>REDIRECTED INTERFACES — Entries are appropriate in this column
           only if the device in the INTERFACE column names a <link
-          linkend="IFB">Intermediate Functional Block (IFB)</link>. It lists the
+          linkend="IFB">Intermediate Frame Block (IFB)</link>. It lists the
           physical interfaces that will have their input shaped using classes
           defined on the IFB. Neither the IFB nor any of the interfaces listed
           in this column may have an IN-BANDWIDTH specified. You may specify
@@ -1783,7 +1783,7 @@ eth1            4       94mbit          full            4           default #for
   </section>
 
   <section id="IFB">
-    <title>Intermediate Functional Block (IFB) Devices</title>
+    <title>Intermediate Frame Block (IFB) Devices</title>
 
     <para>The principles behind an IFB is fairly simple:</para>
 
@@ -2017,15 +2017,7 @@ eth0              192.168.1.0/24   206.124.146.179</programlisting></para>
       <para><filename>/etc/shorewall/init</filename>:<programlisting>qt modprobe ifb numifbs=1
 qt ip link set dev ifb0 up</programlisting></para>
 
-      <para><filename>/etc/shorewall/interfaces</filename>:</para>
-
-      <programlisting>#ZONE          INTERFACE         BROADCAST
--              ifb0</programlisting>
-
-      <para><filename>/etc/shorewall/tcdevices</filename>:</para>
-
-      <para><programlisting>
-#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
+      <para><filename>/etc/shorewall/tcdevices</filename>:<programlisting>#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
 #                                                               INTERFACES
 1:eth0          -               384kbit         classify
 2:ifb0          -               1300kbit        -               eth0</programlisting>

docs/two-interface.xml

@@ -38,6 +38,12 @@
     release.</emphasis></para>
   </caution>
 
+  <caution>
+    <para><emphasis role="bold">Do not attempt to install Shorewall on a
+    remote system. You are virtually assured to lock yourself out of that
+    system.</emphasis></para>
+  </caution>
+
   <section id="Intro">
     <title>Introduction</title>
 
@@ -1062,13 +1068,6 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
         configuration and test it using the <quote><command>shorewall
         try</command></quote> command.</para>
       </warning></para>
-
-    <para>The firewall will start after your network interfaces have been
-    brought up. This leaves a small window between the time that the network
-    interfaces are working and when the firewall is controlling connections
-    through those interfaces. If this is a concern, you can close that window
-    by installing the <ulink url="Shorewall-init.html">Shorewall Init
-    Package</ulink>.</para>
   </section>
 
   <section id="Trouble">

docs/useful_links.xml

@@ -112,11 +112,6 @@
           url="http://www.shorewall.net/Linuxfest-2009.pdf">http://www.shorewall.net/LinuxFestNW-2009.pdf</ulink></entry>
         </row>
 
-        <row>
-          <entry>Tom's 2010 LinuxFest NW Presentation: <ulink
-          url="http://www.shorewall.net/LinuxfestNW-2010.pdf">http://www.shorewall.net/LinuxFestNW-2010.pdf</ulink></entry>
-        </row>
-
         <row>
           <entry>Shorewall CIA tracker <ulink
           url="http://cia.navi.cx/stats/project/shorewall">http://cia.navi.cx/stats/project/shorewall</ulink></entry>

manpages/shorewall-init.xml

@@ -1,175 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<refentry>
-  <refmeta>
-    <refentrytitle>shorewall-init</refentrytitle>
-
-    <manvolnum>8</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>shorewall-init</refname>
-
-    <refpurpose>Companion package</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>/etc/init.d/shorewall-init</command>
-
-      <arg>start|stop</arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-  <refsect1>
-    <title>Description</title>
-
-    <para>Shorewall-init is an optional package (added in Shorewall 4.4.10)
-    that can be installed along with Shorewall, Shorewall6, Shorewall-lite
-    and/or Shorewall6-lite. It provides two key features:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>It can close (stop) the firewall during boot prior to starting
-        the network. This can prevent unwanted connections from being accepted
-        after the network comes up but before the firewall is started.</para>
-      </listitem>
-
-      <listitem>
-        <para>It can interface with your distribution's ifup/ifdown scripts
-        and/or NetworkManager to allow firewall actions when an interface
-        starts or stops.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>These two capabilities can be enabled separately.</para>
-
-    <para>After you install the shorewall-init package, you can activate it by
-    modifying the <firstterm>Shorewall-init configuration
-    file</firstterm>:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>On Debian-based system, the file is
-        <filename>/etc/default/shorewall-init</filename>.</para>
-      </listitem>
-
-      <listitem>
-        <para>On other systems, the file is
-        <filename>/etc/sysconfig/shorewall-init</filename>.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>To activate the safe boot feature, edit the configuration file and
-    set PRODUCTS to a space-separated list of Shorewall products that you want
-    to be closed before networking starts.</para>
-
-    <para>Example:</para>
-
-    <simplelist>
-      <member>PRODUCTS="shorewall shorewall6"</member>
-    </simplelist>
-
-    <para>You also must insure that the compiled scripts for the listed
-    products are compiled using Shorewall 4.4.10 or later.</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>Shorewall</term>
-
-        <listitem>
-          <para><command>shorewall compile</command></para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Shorewall6</term>
-
-        <listitem>
-          <para><command>shorewall6 compile</command></para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Shorewall-lite</term>
-
-        <listitem>
-          <para>On the administrative system, enter the command
-          <command>shorewall export firewall</command> from the firewall's
-          configuration directory.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>Shorewall6-lite</term>
-
-        <listitem>
-          <para>On the administrative system, enter the command
-          <command>shorewall6 export firewall</command> from the firewall's
-          configuration directory.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>The second feature (ifup/ifdown and NetworkManager integration)
-    should only be activated on systems that do not use a link status monitor
-    line swping or LSM.</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Edit the configuration file and set IFUPDOWN=1</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>For NetworkManager integration, you will want to disable firewall
-    startup at boot and delay it to when your interface comes up. For this to
-    work correctly, you must set the <firstterm>required</firstterm> or the
-    <firstterm>optional</firstterm> option on at least one interface
-    then:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>On Debian-based systems, edit
-        /etc/default/<replaceable>product</replaceable> for each
-        <replaceable>product</replaceable> listed in the PRODUCTS setting and
-        set <emphasis role="bold">startup=0</emphasis>.</para>
-      </listitem>
-
-      <listitem>
-        <para>On other systems, use the distribution's service control tool
-        (insserv, chkconfig, etc.) to disable startup of the products listed
-        in the PRODUCTS setting.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>On a laptop with both ethernet and wireless interfaces, you will
-    want to make both interfaces optional and set the REQUIRE_INTERFACE option
-    to Yes in <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5) or
-    <ulink url="../Manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
-    (5). This causes the firewall to remain stopped until at least one of the
-    interfaces comes up.</para>
-  </refsect1>
-
-  <refsect1>
-    <title>FILES</title>
-
-    <para><filename>/etc/default/shorewall-init</filename> (Debian-based
-    systems) or <filename>/etc/sysconfig/shorewall-init</filename> (other
-    distributions)</para>
-  </refsect1>
-
-  <refsect1>
-    <title>See ALSO</title>
-
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
-  </refsect1>
-</refentry>

manpages/shorewall-interfaces.xml

@@ -107,15 +107,11 @@ loc     eth2            -</programlisting>
 
             <member>proxyarp</member>
 
-            <member>required</member>
-
             <member>routefilter</member>
 
             <member>sourceroute</member>
 
             <member>upnp</member>
-
-            <member>wait</member>
           </simplelist>
         </listitem>
       </varlistentry>
@@ -386,7 +382,7 @@ loc     eth2            -</programlisting>
             </varlistentry>
 
             <varlistentry>
-              <term>nosmurfs</term>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
 
               <listitem>
                 <para>Filter packets for smurfs (packets with a broadcast
@@ -420,24 +416,31 @@ loc     eth2            -</programlisting>
                   </listitem>
                 </itemizedlist>
 
-                <para>May not be specified with <emphasis
-                role="bold">required</emphasis>.</para>
+                <para></para>
 
-                <caution>
-                  <para>Use <option>optional</option> at your own risk. If you
-                  [re]start Shorewall when an 'optional' interface is not
-                  available and then do a <command>shorewall save</command>,
-                  subsequent <command>shorewall restore</command> and
-                  <command>shorewall -f start</command> operations will
-                  instantiate a ruleset that does not support that interface,
-                  even if it is available at the time of the
-                  restore/start.</para>
-                </caution>
+                <blockquote>
+                  <para>I specify <option>optional</option> on interfaces to
+                  Xen virtual machines that may or may not be running when
+                  Shorewall is [re]started.</para>
+
+                  <para></para>
+
+                  <caution>
+                    <para>Use <option>optional</option> at your own risk. If
+                    you [re]start Shorewall when an 'optional' interface is
+                    not available and then do a <command>shorewall
+                    save</command>, subsequent <command>shorewall
+                    restore</command> and <command>shorewall -f
+                    start</command> operations will instantiate a ruleset that
+                    does not support that interface, even if it is available
+                    at the time of the restore/start.</para>
+                  </caution>
+                </blockquote>
               </listitem>
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">physical</emphasis>=<emphasis
+              <term>physical=<emphasis
               role="bold"><emphasis>name</emphasis></emphasis></term>
 
               <listitem>
@@ -483,17 +486,6 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">required</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.10. If this option is set, the
-                firewall will fail to start if the interface is not usable.
-                May not be specified together with <emphasis
-                role="bold">optional</emphasis>.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">routeback</emphasis></term>
 
@@ -531,9 +523,11 @@ loc     eth2            -</programlisting>
                   the INTERFACE column.</para>
                 </note>
 
-                <para>This option can also be enabled globally in the <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                file.</para>
+                <blockquote>
+                  <para>This option can also be enabled globally in the <ulink
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5)
+                  file.</para>
+                </blockquote>
               </listitem>
             </varlistentry>
 
@@ -600,19 +594,6 @@ loc     eth2            -</programlisting>
                 this option at your own risk.</para>
               </listitem>
             </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">wait</emphasis>=<emphasis>seconds</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.4.10. Causes the generated script
-                to wait up to <emphasis>seconds</emphasis> seconds for the
-                interface to become usable before applying the <emphasis
-                role="bold">required</emphasis> or <emphasis
-                role="bold">optional</emphasis> options.</para>
-              </listitem>
-            </varlistentry>
           </variablelist>
         </listitem>
       </varlistentry>
@@ -667,18 +648,6 @@ dmz     eth2      detect</programlisting>
 net     ppp0      -</programlisting>
         </listitem>
       </varlistentry>
-
-      <varlistentry>
-        <term>Example 4 (Shorewall 4.4.9 and later):</term>
-
-        <listitem>
-          <para>You have a bridge with no IP address and you want to allow
-          traffic through the bridge.</para>
-
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
--       br0       -                routeback</programlisting>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 

manpages/shorewall-masq.xml

@@ -528,8 +528,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>Example 5 (using the deprecated form with an
-        <firstterm>interface</firstterm> name in the SOURCE column):</term>
+        <term>Example 5:</term>
 
         <listitem>
           <para>You want all outgoing SMTP traffic entering the firewall on