Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/interfaces

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+$FW	net	ACCEPT
+net	all	DROP

Samples/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -0,0 +1,213 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=Yes
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=On
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+USE_DEFAULT_RT=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples/one-interface/shorewall.conf

@@ -42,9 +42,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -211,6 +209,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -42,9 +42,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -211,6 +209,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -49,9 +49,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -218,6 +216,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/Universal/interfaces

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback
+

Samples6/Universal/policy

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+fw	net	ACCEPT
+net	all	DROP
+

Samples6/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -0,0 +1,168 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IP6TABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=Off
+
+TC_ENABLED=No
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples6/one-interface/shorewall6.conf

@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -159,6 +157,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -159,6 +157,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -159,6 +157,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/ifupdown.sh

@@ -93,7 +93,11 @@ for PRODUCT in $PRODUCTS; do
     VARDIR=/var/lib/$PRODUCT
     [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
     if [ -x $VARDIR/firewall ]; then
-	$VARDIR/firewall -V0 $COMMAND $IFACE
+	  ( . /usr/share/$PRODUCT/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
+	    mutex_off
+	  )
     fi
 done
 

Shorewall-init/init.debian.sh

@@ -84,7 +84,20 @@ shorewall_start () {
       VARDIR=/var/lib/$product
       [ -f /etc/$product/vardir ] && . /etc/$product/vardir
       if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall stop || echo_notdone
+	  #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  ( 
+	      . /usr/share/$product/lib.base
+	      #
+	      # Get mutex so the firewall state is stable
+	      #
+	      mutex_on
+	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/firewall stop || echo_notdone
+	      fi
+	      mutex_off
+	  )
       fi
   done
 
@@ -103,7 +116,11 @@ shorewall_stop () {
       VARDIR=/var/lib/$product
       [ -f /etc/$product/vardir ] && . /etc/$product/vardir
       if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || echo_notdone
+	  ( . /usr/share/$product/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall clear || echo_notdone
+	    mutex_off
+	  )
       fi
   done
 

Shorewall-init/init.sh

@@ -55,15 +55,17 @@ fi
 
 # Initialize the firewall
 shorewall_start () {
-  local product
-  local vardir
+  local PRODUCT
+  local VARDIR
 
   echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall stop || exit 1
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || echo_notdone
+	  fi
       fi
   done
 
@@ -72,15 +74,15 @@ shorewall_start () {
 
 # Clear the firewall
 shorewall_stop () {
-  local product
-  local vardir
+  local PRODUCT
+  local VARDIR
 
   echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$PRODUCT
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall clear || exit 1
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
       fi
   done
 

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.11
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,8 +99,34 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-1
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall-lite/shorewall-lite

@@ -628,19 +628,13 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|clear)
+    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
 	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $debugging $COMMAND
 	[ -n "$nolock" ] || mutex_off
 	;;
-    reset)
-	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $SHOREWALL_SHELL $g_firewall $debugging $@
-	[ -n "$nolock" ] || mutex_off
-	;;
     restart)
 	shift
 	restart_command

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.11
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,8 +102,34 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-1
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.7';
+our $VERSION = '4.4.13';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,6 +61,16 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
+    sub reserved_chain_name($) {
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
+    }
+
+    sub ipsec_chain_name($) {
+	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
+	    $1;
+	}
+    }
+
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -72,10 +82,11 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	$jumpchainref = ensure_accounting_chain( $jumpchain );
+	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
+	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	"-j $jumpchain";
+	$jumpchain;
     }
 
     my $target = '';
@@ -86,16 +97,19 @@ sub process_accounting_rule( ) {
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
-
+    my $jump  = 0;
+    
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = '-j RETURN';
+	    $target = 'RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2=1;
-		} elsif ( $cmd ne 'JUMP' ) {
+		    $rule2 = 1;
+		} elsif ( $cmd eq 'JUMP' ) {
+		    $jump = 1;
+		} else {
 		    accounting_error;
 		}
 	    }
@@ -137,7 +151,31 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = ensure_accounting_chain $chain;
+    my $chainref = $filter_table->{$chain};
+    my $dir;
+
+    if ( ! $chainref ) {
+	$chainref = ensure_accounting_chain $chain, 0;
+	$dir      = ipsec_chain_name( $chain );
+
+	if ( $ipsec ne '-' ) {
+	    if ( $dir ) {
+		$rule .= do_ipsec( $dir, $ipsec );
+		$chainref->{ipsec} = $dir;
+	    } else {
+		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+	    }
+	} else {
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
+	    $chainref->{ipsec} = $dir;
+	}
+    } elsif ( $ipsec ne '-' ) {
+	$dir = $chainref->{ipsec};
+	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	$rule .= do_ipsec( $dir , $ipsec );
+    }
+
+    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
 
     expand_rule
 	$chainref ,
@@ -151,6 +189,22 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
+    if ( $rule2 || $jump ) {
+	if ( $chainref->{ipsec} ) {
+	    if ( $jumpchainref->{ipsec} ) {
+		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
+	    } else {
+		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
+		$jumpchainref->{ipsec} = $chainref->{ipsec};
+	    }
+	} elsif ( $jumpchainref->{ipsec} ) {
+	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
+	} else {
+	    $jumpchainref->{ipsec} = $chainref->{ipsec};
+	}
+
+    }
+
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -178,8 +232,6 @@ sub setup_accounting() {
 
     $nonEmpty |= process_accounting_rule while read_a_line;
 
-    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
-
     clear_comment;
 
     if ( have_bridges ) {
@@ -192,13 +244,28 @@ sub setup_accounting() {
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } else {
-	if ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-	    }
+    } elsif ( $filter_table->{accounting} ) {
+	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	}
     }
+
+    if ( $filter_table->{accipsecin} ) {
+	for my $chain ( qw/INPUT FORWARD/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	}
+    }
+
+    if ( $filter_table->{accipsecout} ) {
+	for my $chain ( qw/FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	}
+    }
+
+    for ( accounting_chainrefs ) {
+	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    }
+
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -58,7 +58,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -179,9 +179,27 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
     my $action = $_[0];
+
+    my $target = '';
+    my $max    = 3;
+    #
+    # The following rather grim RE, when matched, breaks the action into two parts:
+    #
+    #    basicaction(param)
+    #    logging part (may be empty)
+    #
+    # The param may contain one or more ':' characters
+    #
+    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
+	$target = $1;
+	$action = $2 ? $3 : '';
+	$max    = 2;
+    }
+	
     my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
-    ( shift @a, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
+    $target = shift @a unless $target;
+    ( $target, join ":", @a );
 }
 
 #
@@ -618,7 +636,7 @@ sub process_action( $$$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ? "-j $action" : '',
+		  $action ,
 		  $level ,
 		  $action ,
 		  '' );

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_12';
 
 our $export;
 
@@ -442,32 +442,37 @@ EOF
     setup_forwarding( $family , 1 );
     push_indent;
 
-    emit<<'EOF';
-    set_state "Started"
+    my $config_dir = $globals{CONFIGDIR};
+
+    emit<<"EOF";
+    set_state Started $config_dir 
     run_restored_exit
 else
-    if [ $COMMAND = refresh ]; then
+    if [ \$COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<'EOF';
+    emit<<"EOF";
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
     else
         setup_netfilter
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<'EOF';
+    emit<<"EOF";
         run_start_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
         run_started_exit
     fi
 
+EOF
+
+    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 

Shorewall/Perl/Shorewall/Config.pm

@@ -114,6 +114,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       $product
 				       $Product
+				       $toolname
 				       $command
 				       $doing
 				       $done
@@ -131,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -218,6 +219,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
+		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -250,6 +252,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
+		 MARK_ANYWHERE   => 'Mark in any table',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -337,14 +340,15 @@ sub initialize( $ ) {
     #
     %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR =>  '/etc/shorewall',
+		    CONFDIR =>  '/etc/shorewall',     # Run-time configuration directory
+		    CONFIGDIR => '',                  # Compile-time configuration directory (location of $product.conf)
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.11.1",
-		    CAPVERSION => 40411 ,
+		    VERSION => "4.4.13",
+		    CAPVERSION => 40413 ,
 		  );
 
     #
@@ -362,6 +366,7 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
+	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -465,6 +470,7 @@ sub initialize( $ ) {
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
 	      FORWARD_CLEAR_MARK => undef,
+	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -509,6 +515,7 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
+	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -524,6 +531,7 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
+	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -587,6 +595,7 @@ sub initialize( $ ) {
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
 	      FORWARD_CLEAR_MARK => undef,
+	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -636,6 +645,7 @@ sub initialize( $ ) {
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
 	       IPSET_MATCH => undef,
+	       OLD_IPSET_MATCH => undef,
 	       CONNMARK => undef,
 	       XCONNMARK => undef,
 	       CONNMARK_MATCH => undef,
@@ -668,6 +678,7 @@ sub initialize( $ ) {
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
 	       FWMARK_RT_MASK => undef,
+	       MARK_ANYWHERE => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1468,10 +1479,12 @@ sub split_list1( $$ ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
 		push @list2 , $_;
 	    } else {
+		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
+	    s/\)//;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -2316,7 +2329,11 @@ sub Comments() {
 }
 
 sub Hashlimit_Match() {
-    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+    if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) {
+	! ( $capabilities{OLD_HL_MATCH} = 0 );
+    } else {
+	have_capability 'OLD_HL_MATCH';
+    }
 }
 
 sub Old_Hashlimit_Match() {
@@ -2363,7 +2380,7 @@ sub Raw_Table() {
     qt1( "$iptables -t raw -L -n" );
 }
 
-sub IPSet_Match() {
+sub Old_IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
 
@@ -2375,7 +2392,31 @@ sub IPSet_Match() {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$result = 1;
+		$result = $capabilities{IPSET_MATCH} = 1;
+	    }
+
+	    qt( "$ipset -X $sillyname" );
+	}
+    }
+
+    $result;
+}
+
+sub IPSet_Match() {
+    my $ipset  = $config{IPSET} || 'ipset';
+    my $result = 0;
+
+    $ipset = which $ipset unless $ipset =~ '/';
+
+    if ( $ipset && -x $ipset ) {
+	qt( "$ipset -X $sillyname" );
+
+	if ( qt( "$ipset -N $sillyname iphash" ) ) {
+	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+	    } else {
+		$result = have_capability 'OLD_IPSET_MATCH';
 	    }
 
 	    qt( "$ipset -X $sillyname" );
@@ -2437,6 +2478,10 @@ sub Fwmark_Rt_Mask() {
     $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
 }
 
+sub Mark_Anywhere() {
+    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
+}
+
 our %detect_capability =
     ( ADDRTYPE => \&Addrtype,
       CLASSIFY_TARGET => \&Classify_Target,
@@ -2456,6 +2501,7 @@ our %detect_capability =
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
       IPSET_MATCH => \&IPSet_Match,
+      OLD_IPSET_MATCH => \&Old_IPSet_Match,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
@@ -2463,6 +2509,7 @@ our %detect_capability =
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
+      MARK_ANYWHERE => \&Mark_Anywhere,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2606,6 +2653,8 @@ sub determine_capabilities() {
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
+	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
+	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2683,6 +2732,9 @@ sub process_shorewall_conf() {
     my $file = find_file "$product.conf";
 
     if ( -f $file ) {
+	$globals{CONFIGDIR} =  $file;
+	$globals{CONFIGDIR} =~ s/$product.conf//;
+
 	if ( -r _ ) {
 	    open_file $file;
 
@@ -2847,7 +2899,60 @@ sub get_configuration( $ ) {
 
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
-    if ( $config{LOGRATE} || $config{LOGBURST} ) {
+    if ( my $rate = $config{LOGLIMIT} ) {
+	my $limit;
+
+	if ( $rate =~ /^[sd]:/ ) {
+	    require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
+
+	    $limit = "-m hashlimit ";
+
+	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	    my $units;
+
+	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+		fatal_error "Invalid rate ($1)" unless $2;
+		fatal_error "Invalid burst value ($5)" unless $5;
+
+		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
+		$units = $4;
+	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
+		fatal_error "Invalid rate ($1)" unless $2;
+		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
+		$units = $4;
+	    } else {
+		fatal_error "Invalid rate ($rate)";
+	    }
+
+	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+	    if ( $units && $units ne 'sec' ) {
+		my $expire = 60000; # 1 minute in milliseconds
+		
+		if ( $units ne 'min' ) {
+		    $expire *= 60; #At least an hour
+		    $expire *= 24 if $units eq 'day';
+		}
+		
+		$limit .= "--hashlimit-htable-expire $expire ";
+	    }
+	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
+	    fatal_error "Invalid rate ($1)" unless $2;
+	    fatal_error "Invalid burst value ($5)" unless $5;
+	    $limit = "-m limit --limit $1 --limit-burst $5 ";
+	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
+	    fatal_error "Invalid rate (${1}${2})" unless $1;
+	    $limit = "-m limit --limit $rate ";
+	} else {
+	    fatal_error "Invalid rate ($rate)";
+	}
+
+	$globals{LOGLIMIT} = $limit;
+
+	warning_message "LOGRATE Ignored when LOGLIMIT is specified"  if $config{LOGRATE};
+	warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
+
+    } elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
 	}
@@ -2966,7 +3071,7 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTO_COMMENT'               , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'MANGLE_ENABLED'             , 'Yes';
+    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
     default_yes_no 'NULL_ROUTE_RFC1918'         , '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
@@ -2978,6 +3083,7 @@ sub get_configuration( $ ) {
     default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
+    default_yes_no 'COMPLETE'                   , '';
 
     require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
@@ -2988,7 +3094,12 @@ sub get_configuration( $ ) {
 
     if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
+	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
+    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
+	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
+    } else {
+	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
     }
 
     $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
@@ -2996,6 +3107,12 @@ sub get_configuration( $ ) {
     $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
     $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
+    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
+    } else {
+	$globals{USER_MASK} = 0;
+    }
+
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_12';
 
 #
 # Some IPv4/6 useful stuff
@@ -87,6 +87,7 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -123,8 +124,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for my $a ( @address ) {
-	return 0 unless $a =~ /^\d+$/ && $a < 256;
+    for ( @address ) {
+	return 0 unless /^\d+$/ && $_ < 256;
     }
 
     1;
@@ -157,8 +158,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for my $a ( @address ) {
-	$result = ( $result << 8 ) | $a;
+    for ( @address ) {
+	$result = ( $result << 8 ) | $_;
     }
 
     $result;
@@ -292,6 +293,11 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 65535 ? $number : undef;
     } else {
+	#
+	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
+	#
+	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
+	
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
     }
 }
@@ -332,7 +338,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( @ports );
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -439,7 +445,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 
 	$last++; #Increment last address for limit testing.
 	#
@@ -682,7 +688,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    my $family = shift;
+    $family = shift;
 
     if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,56 +49,6 @@ sub initialize() {
     %addresses_to_add = ();
 }
 
-#
-# Handle IPSEC Options in a masq record
-#
-sub do_ipsec_options($)
-{
-    my %validoptions = ( strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-    my $list=$_[0];
-    my $options = '-m policy --pol ipsec --dir out ';
-    my $fmt;
-
-    for my $e ( split_list $list, 'option' ) {
-	my $val    = undef;
-	my $invert = '';
-
-	if ( $e =~ /([\w-]+)!=(.+)/ ) {
-	    $val    = $2;
-	    $e      = $1;
-	    $invert = '! ';
-	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
-	    $val = $2;
-	    $e   = $1;
-	}
-
-	$fmt = $validoptions{$e};
-
-	fatal_error "Invalid Option ($e)" unless $fmt;
-
-	if ( $fmt eq NOTHING ) {
-	    fatal_error "Option \"$e\" does not take a value" if defined $val;
-	} else {
-	    fatal_error "Missing value for option \"$e\""        unless defined $val;
-	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
-	}
-
-	$options .= $invert;
-	$options .= "--$e ";
-	$options .= "$val " if defined $val;
-    }
-
-    $options;
-}
-
 #
 # Process a single rule from the the masq file
 #
@@ -153,11 +103,11 @@ sub process_one_masq( )
 	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= '-m policy --pol ipsec --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= '-m policy --pol none --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'none', '';
 	} else {
-	    $baserule .= do_ipsec_options $ipsec;
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
 	}
     } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
@@ -175,7 +125,7 @@ sub process_one_masq( )
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = '-j MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -221,7 +171,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "-j SNAT --to-source $variable";
+		    $target = "SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -231,13 +181,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = '-j RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = '-j SNAT ';
+			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_12';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -496,7 +496,14 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+	    log_rule_limit( $level , 
+			    $synchainref , 
+			    $chainref->{name} , 
+			    'DROP', 
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
+			    '' , 
+			    'add' , 
+			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
     my $physical    = get_physical $interface;
@@ -845,54 +845,99 @@ sub lookup_provider( $ ) {
 #
 sub handle_optional_interfaces( $ ) {
 
-    my $returnvalue = verify_required_interfaces( shift );
-    #
-    # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
-    # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that
-    # wildcard are returned.
-    #
-    my $interfaces = find_interfaces_by_option1 'optional';
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
 
     if ( @$interfaces ) {
-	for my $interface ( @$interfaces ) {
-	    my $provider = $provider_interfaces{$interface};
-	    my $physical = get_physical $interface;
-	    my $base     = uc chain_base( $physical );
+	my $require     = $config{REQUIRE_INTERFACE};
+	
+	verify_required_interfaces( shift );
 
-	    emit( '' );
+	emit( 'HAVE_INTERFACE=', '' ) if $require;
+	#
+	# Clear the '_IS_USABLE' variables
+	#
+	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
 
-	    if ( $config{REQUIRE_INTERFACE} ) {
-		emit( 'HAVE_INTERFACE=' );
-		emit( '' );
-	    }
+	if ( $wildcards ) {
+	    #
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
+	    #
+	    emit( '', 
+		  'for interface in $(find_all_interfaces1); do',
+		);
 
-	    if ( $provider ) {
-		#
-		# This interface is associated with a non-shared provider -- get the provider table entry
-		#
-		my $providerref = $providers{$provider};
+	    push_indent;
+	    emit ( 'case "$interface" in' );
+	    push_indent;
+	} else {
+	    emit '';
+	}
 
-		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-		} else {
-		    emit qq(if interface_is_usable $physical; then);
-		}
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	    my $provider    = $provider_interfaces{$interface};
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
+	    my $providerref = $providers{$provider};
+
+	    emit( "$physical)" ), push_indent if $wildcards;
+
+	    if ( $providerref->{gatewaycase} eq 'detect' ) {
+		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
-		#
-		# Not a provider interface
-		#
 		emit qq(if interface_is_usable $physical; then);
 	    }
 
-	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'else' ,
-		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
+
+	    emit( ';;' ), pop_indent if $wildcards;
 	}
 
-	if ( $config{REQUIRE_INTERFACE} ) {
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
+	    my $case        = $physical;
+	    my $wild        = $case =~ s/\+$/*/;
+
+	    if ( $wildcards ) {
+		emit( "$case)" );
+		push_indent;
+		
+		if ( $wild ) {
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		    push_indent; 
+		    emit ( 'if interface_is_usable $interface; then' );
+		} else {
+		    emit ( "if interface_is_usable $physical; then" );
+		}
+	    } else {
+		emit ( "if interface_is_usable $physical; then" );
+	    }
+
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		   'fi' );
+
+	    if ( $wildcards ) {
+		pop_indent, emit( 'fi' ) if $wild;
+		emit( ';;' );
+		pop_indent;
+	    }
+	}
+
+	if ( $wildcards ) {
+	    emit( '*)' ,
+		  '    ;;'
+		);
+	    pop_indent;
+	    emit( 'esac' );
+	    pop_indent;
+	    emit('done' );
+	}
+
+	if ( $require ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
@@ -915,10 +960,10 @@ sub handle_optional_interfaces( $ ) {
 		);
 	}
 
-	$returnvalue = 1;
+	return 1;
     }
 
-    $returnvalue;
+    verify_required_interfaces( shift );
 }
 
 #
@@ -957,14 +1002,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
+			$rule2 = '';
 		    }
 
-		    $rule1 =~ s/-A tcpre //;
-
+		    assert ( $rule1 =~ s/^-A // );
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			assert ( $rule2 =~ s/^-A // );
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -984,14 +1029,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
+			$rule2 = '';
 		    }
 
-		    $rule1 =~ s/-A tcout //;
-
+		    assert( $rule1 =~ s/-A // );
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 		}

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 #
 # Notrack
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'-j NOTRACK' ,
+	'NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;

Shorewall/Perl/Shorewall/Rules.pm

@@ -46,17 +46,12 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
-#
-# Set to one if we find a SECTION
-#
-our $sectioned;
 our $macro_nest_level;
 our $current_param;
 our @param_stack;
 our $family;
-
 #
 # When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
 #
@@ -76,7 +71,6 @@ my %rules_commands = ( COMMENT => 0,
 #
 sub initialize( $ ) {
     $family = shift;
-    $sectioned = 0;
     $macro_nest_level = 0;
     $current_param = '';
     @param_stack = ();
@@ -150,9 +144,9 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"-j TOS --set-tos $tos" ,
-		'' ,
+		"TOS --set-tos $tos" ,
 		'' ,
+		'TOS' ,
 		'';
 	}
 
@@ -219,16 +213,19 @@ sub add_rule_pair( $$$$ ) {
 
 sub setup_blacklist() {
 
-    my $hosts = find_hosts_by_option 'blacklist';
+    my $zones  = find_zones_by_option 'blacklist', 'in';
+    my $zones1 = find_zones_by_option 'blacklist', 'out';
     my $chainref;
+    my $chainref1;
     my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
     my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
     #
-    # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
+    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
     # for 'refresh' to work properly.
     #
-    if ( @$hosts ) {
-	$chainref = dont_delete new_standard_chain 'blacklst';
+    if ( @$zones || @$zones1 ) {
+	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
+	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
 
 	if ( defined $level && $level ne '' ) {
 	    my $logchainref = new_standard_chain 'blacklog';
@@ -252,8 +249,8 @@ sub setup_blacklist() {
 	    while ( read_a_line ) {
 
 		if ( $first_entry ) {
-		    unless  ( @$hosts ) {
-			warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
+		    unless  ( @$zones || @$zones1 ) {
+			warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' zones);
 			close_file;
 			last BLACKLIST;
 		    }
@@ -261,46 +258,64 @@ sub setup_blacklist() {
 		    $first_entry = 0;
 		}
 
-		my ( $networks, $protocol, $ports ) = split_line 1, 3, 'blacklist file';
+		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
 
-		expand_rule(
-			    $chainref ,
-			    NO_RESTRICT ,
-			    do_proto( $protocol , $ports, '' ) ,
-			    $networks ,
-			    '' ,
-			    '' ,
-			    "-j $target" ,
-			    '' ,
-			    $disposition ,
-			    '' );
+		$options = 'src' if $options eq '-';
+
+		my ( $to, $from ) = ( 0, 0 );
+
+		for ( split /,/, $options ) {
+		    if ( $_ =~ /^(?:from|src)$/ ) {
+			if ( $from++ ) {
+			    warning_message "Duplicate 'src' ignored";
+			} else {
+			    if ( @$zones ) {
+				expand_rule(
+					    $chainref ,
+					    NO_RESTRICT ,
+					    do_proto( $protocol , $ports, '' ) ,
+					    $networks,
+					    '',
+					    '' ,
+					    $target ,
+					    '' ,
+					    $target ,
+					    '' );
+			    } else {
+				warning_message '"src" entry ignored because there are no "blacklist in" zones';
+			    }
+			}
+		    } elsif ( $_ =~ /^(?:dst|to)$/ ) {
+			if ( $to++ ) {
+			    warning_message "Duplicate 'dst' ignored";
+			} else {
+			    if ( @$zones1 ) {
+				expand_rule(
+					    $chainref1 ,
+					    NO_RESTRICT ,
+					    do_proto( $protocol , $ports, '' ) ,
+					    '',
+					    $networks,
+					    '' ,
+					    $target ,
+					    '' ,
+					    $target ,
+					    '' );
+			    } else {
+				warning_message '"dst" entry ignored because there are no "blacklist out" zones';
+			    }
+			}
+		    } else {
+			fatal_error "Invalid blacklist option($_)";
+		    }
+		}
 
 		progress_message "  \"$currentline\" added to blacklist";
 	    }
 
-	    warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
-	} elsif ( @$hosts ) {
-	    warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
-	}
-
-	my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
-
-	for my $hostref ( @$hosts ) {
-	    my $interface  = $hostref->[0];
-	    my $ipsec      = $hostref->[1];
-	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
-	    my $network    = $hostref->[2];
-	    my $source     = match_source_net $network;
-	    my $target     = source_exclusion( $hostref->[3], $chainref );
-
-	    for my $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}";
-	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-
-	    progress_message "  Blacklisting enabled on ${interface}:${network}";
+	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$zones;
+	} elsif ( @$zones || @$zones1 ) {
+	    warning_message q(There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
 	}
     }
 }
@@ -434,7 +449,7 @@ sub add_common_rules() {
     my $list;
     my $chain;
 
-    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "-m state --state NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
     my $level     = $config{BLACKLIST_LOGLEVEL};
     my $rejectref = dont_move new_standard_chain 'reject';
 
@@ -512,7 +527,7 @@ sub add_common_rules() {
 	    add_jump( $chainref, $smurfdest, 1, '-s ' . IPv6_MULTICAST . ' ' );
 	}
 
-	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
+	my $state = $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : "$globals{STATEMATCH} NEW,INVALID ";
 
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
@@ -521,7 +536,7 @@ sub add_common_rules() {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 
 	    for $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $target, 0, join( '', "$globals{STATEMATCH} $state ", match_source_net( $hostref->[2] ),  $policy );
+		add_jump $filter_table->{$chain} , $target, 0, join( '', $state, match_source_net( $hostref->[2] ),  $policy );
 	    }
 
 	    set_interface_option $interface, 'use_input_chain', 1;
@@ -666,12 +681,12 @@ sub add_common_rules() {
 
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_chain $interface};
-		my $base     = uc chain_base $interface;
+		my $base     = uc chain_base get_physical $interface;
 		my $variable = get_interface_gateway $interface;
 
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
-				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
+				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
 				  '    echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
 				  qq(fi) );
 		} else {
@@ -801,20 +816,20 @@ sub setup_mac_lists( $ ) {
 	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
 	    my $source     = match_source_net $hostref->[2];
 
-	    my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
+	    my $state = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED' : "$globals{STATEMATCH} NEW";
 
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
 
 		for my $chain ( first_chains $interface ) {
-		    add_jump $filter_table->{$chain} , $chainref, 0, "${source}$globals{STATEMATCH} ${state} ${policy}";
+		    add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state} ${policy}";
 		}
 
 		set_interface_option $interface, 'use_input_chain', 1;
 		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
-		add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}$globals{STATEMATCH} ${state} ${policy}";
+		add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}${state} ${policy}";
 	    }
 	}
     } else {
@@ -883,6 +898,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
     my $format = 1;
 
+    my $generated = 0;
+
     macro_comment $macro;
 
     my $macrofile = $macros{$macro};
@@ -954,21 +971,21 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    $mdest = '';
 	}
 
-	process_rule1(
-		      $mtarget,
-		      $msource,
-		      $mdest,
-		      merge_macro_column( $mproto,     $proto ) ,
-		      merge_macro_column( $mports,     $ports ) ,
-		      merge_macro_column( $msports,    $sports ) ,
-		      merge_macro_column( $morigdest,  $origdest ) ,
-		      merge_macro_column( $mrate,      $rate ) ,
-		      merge_macro_column( $muser,      $user ) ,
-		      merge_macro_column( $mmark,      $mark ) ,
-		      merge_macro_column( $mconnlimit, $connlimit) ,
-		      merge_macro_column( $mtime,      $time ),
-		      $wildcard
-		     );
+	$generated |= process_rule1(
+				    $mtarget,
+				    $msource,
+				    $mdest,
+				    merge_macro_column( $mproto,     $proto ) ,
+				    merge_macro_column( $mports,     $ports ) ,
+				    merge_macro_column( $msports,    $sports ) ,
+				    merge_macro_column( $morigdest,  $origdest ) ,
+				    merge_macro_column( $mrate,      $rate ) ,
+				    merge_macro_column( $muser,      $user ) ,
+				    merge_macro_column( $mmark,      $mark ) ,
+				    merge_macro_column( $mconnlimit, $connlimit) ,
+				    merge_macro_column( $mtime,      $time ),
+				    $wildcard
+				   );
 
 	progress_message "   Rule \"$currentline\" $done";
     }
@@ -979,6 +996,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 
     clear_comment unless $nocomment;
 
+    return $generated;
+
 }
 #
 # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
@@ -1016,33 +1035,36 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    $current_param = $param;
 	}
 
-	process_macro( $basictarget,
-		       $target ,
-		       $current_param,
-		       $source,
-		       $dest,
-		       $proto,
-		       $ports,
-		       $sports,
-		       $origdest,
-		       $ratelimit,
-		       $user,
-		       $mark,
-		       $connlimit,
-		       $time,
-		       $wildcard );
+	my $generated = process_macro( $basictarget,
+				       $target ,
+				       $current_param,
+				       $source,
+				       $dest,
+				       $proto,
+				       $ports,
+				       $sports,
+				       $origdest,
+				       $ratelimit,
+				       $user,
+				       $mark,
+				       $connlimit,
+				       $time,
+				       $wildcard );
 
 	$macro_nest_level--;
 
 	$current_param = pop @param_stack if $param ne '';
 
-	return;
+	return $generated;
 
     } elsif ( $actiontype & NFQ ) {
 	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
 	my $paramval = $param eq '' ? 0 : numeric_value( $param );
 	fatal_error "Invalid value ($param) for NFQUEUE queue number" unless defined($paramval) && $paramval <= 65535;
 	$action = "NFQUEUE --queue-num $paramval";
+    } elsif ( $actiontype & SET ) {
+	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
+	fatal_error "$action rules require a set name parameter" unless $param;  
     } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
     }
@@ -1079,6 +1101,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$action = '';
     } elsif ( $actiontype & LOGRULE ) {
 	fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne '';
+    } elsif ( $actiontype & SET ) {
+	my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
+
+	my ( $setname, $flags, $rest ) = split ':', $param, 3;
+	fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
+	fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
+	fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
+	$action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
     }
     #
     # Isolate and validate source and destination zones
@@ -1155,7 +1185,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} == BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		return 1 if $wildcard;
+		return 0 if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -1168,7 +1198,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$policy   = $chainref->{policy};
 
 	if ( $policy eq 'NONE' ) {
-	    return 1 if $wildcard;
+	    return 0 if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -1177,9 +1207,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	if ( $optimize > 0 ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		return 1 if $target eq "${policy}:$loglevel}";
+		return 0 if $target eq "${policy}:$loglevel}";
 	    } else {
-		return 1 if $basictarget eq $policy;
+		return 0 if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -1277,7 +1307,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target  = '-j REDIRECT ';
+	    $target  = 'REDIRECT ';
 	    $target .= "--to-port $serverport " if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
@@ -1301,7 +1331,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 
 	    if ( $action eq 'DNAT' ) {
-		$target = '-j DNAT ';
+		$target = 'DNAT ';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
@@ -1407,7 +1437,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 			     '', # Source
 			     '', # Dest
 			     '', # Original dest
-			     '-j ACCEPT',
+			     'ACCEPT',
 			     $loglevel,
 			     $log_action,
 			     '',
@@ -1425,7 +1455,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     $source ,
 		     $dest ,
 		     $origdest ,
-		     "-j $tgt",
+		     $tgt,
 		     $loglevel ,
 		     $log_action ,
 		     '' ,
@@ -1471,46 +1501,118 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     $source ,
 		     $dest ,
 		     $origdest ,
-		     $action ? "-j $action " : '' ,
+		     $action ,
 		     $loglevel ,
 		     $log_action ,
 		     '' );
     }
+
+    return 1;
+}
+
+#
+# Helper functions for process_rule(). That function deals with the ugliness of wildcard zones ('all' and 'any') and zone lists.
+#
+# Process a SECTION header
+#
+sub process_section ($) {
+    my $sect = shift;
+    #
+    # read_a_line has already verified that there are exactly two tokens on the line
+    #
+    fatal_error "Invalid SECTION ($sect)" unless defined $sections{$sect};
+    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
+    $sections{$sect} = 1;
+
+    if ( $sect eq 'RELATED' ) {
+	$sections{ESTABLISHED} = 1;
+	finish_section 'ESTABLISHED';
+    } elsif ( $sect eq 'NEW' ) {
+	@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
+	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
+    }
+    
+    $section = $sect;
+}
+
+#
+# Build a source or destination zone list
+#
+sub build_zone_list( $$$\$\$ ) {
+    my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $any = ( $input =~ s/^any/all/ );
+    my $exclude;
+    my $rest;
+    my %exclude;
+    my @result;
+    #
+    # Handle Wildcards
+    #
+    if ( $input =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
+	$input   = $1;
+	$exclude = $2;
+	$rest    = $3;
+
+	$$wildref = 1;
+
+	if ( defined $exclude ) {
+	    $exclude =~ s/!//;
+	    fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
+	    for ( split /,/, $exclude ) {
+		fatal_error "Unknown zone ($_)" unless defined_zone $_;
+		$exclude{$_} = 1;
+	    }
+	}
+
+	unless ( $input eq 'all' ) {
+	    if ( $input eq 'all+' ) {
+		$$intrazoneref = 1;
+	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		$$intrazoneref = 1;
+		$exclude{$fw} = 1;
+	    } elsif ( $input eq 'all-' ) {
+		$exclude{$fw} = 1;
+	    } else {
+		fatal_error "Invalid $which ($input)";
+	    }
+	}
+
+	@result = grep ! $exclude{$_}, $any ? all_parent_zones : non_firewall_zones;
+
+	unshift @result, $fw unless $exclude{$fw};
+
+    } elsif ( $input =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
+	$input    = $1;
+	$rest     = $2;
+	$$wildref = 1;
+
+	$$intrazoneref = ( $input =~ s/\+$// );
+
+	@result = split_list $input, 'zone';
+    } else {
+	@result = ( $input );
+    }
+
+    if ( defined $rest ) {
+	$_ .= $rest for @result;
+    }
+
+    @result;
 }
 
 #
 # Process a Record in the rules file
 #
-#     Deals with the ugliness of wildcard zones ('all' in SOURCE and/or DEST column).
-#
 sub process_rule ( ) {
     my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands;
 
-    if ( $target eq 'COMMENT' ) {
-	process_comment;
-	return 1;
-    }
-
-    if ( $target eq 'SECTION' ) {
-	#
-	# read_a_line has already verified that there are exactly two tokens on the line
-	#
-	fatal_error "Invalid SECTION ($source)" unless defined $sections{$source};
-	fatal_error "Duplicate or out of order SECTION $source" if $sections{$source};
-	$sectioned = 1;
-	$sections{$source} = 1;
-
-	if ( $source eq 'RELATED' ) {
-	    $sections{ESTABLISHED} = 1;
-	    finish_section 'ESTABLISHED';
-	} elsif ( $source eq 'NEW' ) {
-	    @sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
-	    finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
-	}
-
-	$section = $source;
-	return 1;
-    }
+    process_comment,            return 1 if $target eq 'COMMENT';
+    process_section( $source ), return 1 if $target eq 'SECTION';
+    #
+    # Section Names are optional so once we get to an actual rule, we need to be sure that
+    # we close off any missing sections.
+    #
+    process_section( 'NEW' ) unless $section;
 
     if ( $source =~ /^none(:.*)?$/i || $dest =~ /^none(:.*)?$/i ) {
 	progress_message "Rule \"$currentline\" ignored.";
@@ -1518,113 +1620,30 @@ sub process_rule ( ) {
     }
 
     my $intrazone = 0;
-    my $includesrcfw = 1;
-    my $includedstfw = 1;
-    my $thisline = $currentline;
-    my $anysource = ( $source =~ s/^any/all/ );
-    my $anydest   = ( $dest   =~ s/^any/all/ );
-    #
-    # Section Names are optional so once we get to an actual rule, we need to be sure that
-    # we close off any missing sections.
-    #
-    unless ( $sectioned ) {
-	finish_section 'ESTABLISHED,RELATED';
-	$sections{$section = 'NEW'} = 1;
-	$sectioned = 1;
-    }
-
-    #
-    # Handle Wildcards
-    #
-
-    if ( $source =~ /^all[-+]/ ) {
-	if ( $source eq 'all+' ) {
-	    $source = 'all';
-	    $intrazone = 1;
-	} elsif ( ( $source eq 'all+-' ) || ( $source eq 'all-+' ) ) {
-	    $source = 'all';
-	    $intrazone = 1;
-	    $includesrcfw = 0;
-	} elsif ( $source eq 'all-' ) {
-	    $source = 'all';
-	    $includesrcfw = 0;
-	} else {
-	    fatal_error "Invalid SOURCE ($source)";
-	}
-    }
-
-    if ( $dest =~ /^all[-+]/ ) {
-	if ( $dest eq 'all+' ) {
-	    $dest = 'all';
-	    $intrazone = 1;
-	} elsif ( ( $dest eq 'all+-' ) || ( $dest eq 'all-+' ) ) {
-	    $dest = 'all';
-	    $intrazone = 1;
-	    $includedstfw = 0;
-	} elsif ( $dest eq 'all-' ) {
-	    $dest = 'all';
-	    $includedstfw = 0;
-	} else {
-	    fatal_error "Invalid DEST ($dest)";
-	}
-
-    }
-
-    my $action = isolate_basic_target $target;
-
-    my @source;
-    my @dest;
-
-    if ( $source eq 'all' ) {
-	if ( $anysource ) {
-	    @source = ( all_parent_zones );
-	} else {
-	    @source = ( non_firewall_zones )
-	}
-
-	unshift @source, firewall_zone if $includesrcfw;
-    }
-
-    if ( $dest eq 'all' ) {
-	if ( $anydest ) {
-	    @dest = ( all_parent_zones );
-	} else {
-	    @dest = ( non_firewall_zones )
-	}
-
-	unshift @dest, firewall_zone if $includedstfw;
-    }
+    my $wild      = 0;
+    my $thisline  = $currentline; #We must save $currentline because it is overwritten by macro expansion
+    my $action    = isolate_basic_target $target;
+    my $fw        = firewall_zone;
+    my @source    = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
+    my @dest      = build_zone_list ( $fw, $dest,   'DEST'  , $intrazone, $wild );
+    my $generated = 0;
 
     fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
 
-    if ( $source eq 'all' ) {
-	for my $zone ( @source ) {
-	    if ( $dest eq 'all' ) {
-		for my $zone1 ( @dest ) {
-		    if ( $intrazone || ( $zone ne $zone1 ) ) {
-			process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
-		    }
-		}
-	    } else {
-		my $destzone = (split( /:/, $dest, 2 ) )[0];
-		$destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
-		if ( $intrazone || ( $zone ne $destzone ) ) {
-		    process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
-		}
+    for $source ( @source ) {
+	for $dest ( @dest ) {
+	    my $sourcezone = (split( /:/, $source, 2 ) )[0];
+	    my $destzone   = (split( /:/, $dest,   2 ) )[0];
+	    $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
+	    if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
+		$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
 	    }
 	}
-    } elsif ( $dest eq 'all' ) {
-	for my $zone ( @dest ) {
-	    my $sourcezone = ( split( /:/, $source, 2 ) )[0];
-	    if ( ( $sourcezone ne $zone ) || $intrazone ) {
-		process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
-	    }
-	}
-    } else {
-	process_rule1  $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 0;
     }
 
-    progress_message "   Rule \"$thisline\" $done";
+    warning_message  qq(Entry generated no $toolname rules) unless $generated;
+
+    progress_message qq(   Rule "$thisline" $done);
 }
 
 #
@@ -1832,6 +1851,7 @@ sub generate_matrix() {
     my $preroutingref = ensure_chain 'nat', 'dnat';
     my $fw = firewall_zone;
     my $notrackref = $raw_table->{notrack_chain $fw};
+    my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "-m state --state NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
     my @zones = off_firewall_zones;
     my @vservers = vserver_zones;
     my $interface_jumps_added = 0;
@@ -1852,6 +1872,26 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 
+	if ( $zoneref->{options}{in}{blacklist} ) {
+	    my $blackref = $filter_table->{blacklst};
+	    add_jump $frwd_ref , $blackref, 0, $state, 0, -1;
+	    add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
+	}
+
+	if ( $zoneref->{options}{out}{blacklist} ) {
+	    my $blackref = $filter_table->{blackout};
+	    add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1;
+
+	    for my $zone1 ( @zones, @vservers ) {
+		my $ruleschain    = rules_chain( $zone1, $zone );
+		my $ruleschainref = $filter_table->{$ruleschain};
+
+		if ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) {
+		    add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
+		} 
+	    }
+	}
+
 	if ( have_ipsec ) {
 	    #
 	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
@@ -1955,7 +1995,7 @@ sub generate_matrix() {
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		my $arrayref = $typeref->{$interface};
 
-		if ( $interface eq '+' ) {
+		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
 		    #
@@ -1966,7 +2006,7 @@ sub generate_matrix() {
 		    my $ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 		    my $ipsec_out_match = match_ipsec_out $zone , $hostref;
 		    my $exclusions = $hostref->{exclusions};
-
+		    
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my $dest   = match_dest_net $net;
 
@@ -2038,6 +2078,7 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my $interfacematch = '';
 			my $use_input;
+			my $blacklist = $zoneref->{options}{in}{blacklist};
 
 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -2246,13 +2287,17 @@ sub generate_matrix() {
 
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
+    promote_blacklist_rules;
+
     my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
 
-    complete_standard_chain $filter_table->{INPUT}   , 'all' , firewall_zone , 'DROP';
-    complete_standard_chain $filter_table->{OUTPUT}  , firewall_zone , 'all', 'REJECT';
-    complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
+    unless ( $config{COMPLETE} ) {
+	complete_standard_chain $filter_table->{INPUT}   , 'all' , firewall_zone , 'DROP';
+	complete_standard_chain $filter_table->{OUTPUT}  , firewall_zone , 'all', 'REJECT';
+	complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
+    }
 
     if ( $config{LOGALLNEW} ) {
 	for my $table qw/mangle nat filter/ {
@@ -2344,22 +2389,38 @@ EOF
     $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
 
     if ( $family == F_IPV4 ) {
-	emit( '    deletechain() {',
-	      '        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1' );
-    } else {
-	emit( '    deletechain() {',
-	      '         qt $IP6TABLES -L $1 -n && qt $IP6TABLES -F $1 && qt $IP6TABLES -X $1' );
-    }
-
-    emit <<'EOF';
+	emit <<'EOF';
+    deletechain() {
+        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
     }
 
     case $COMMAND in
-	stop|clear|restore)
-	    ;;
-	*)
-	    set +x
+        stop|clear|restore)
+            if chain_exists dynamic; then
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+            fi
+            ;;
+        *)
+            set +x
+EOF
+    } else {
+	emit <<'EOF';
+    deletechain() {
+        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
+    }
 
+    case $COMMAND in
+        stop|clear|restore)
+            if chain_exists dynamic; then
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+            fi
+            ;;
+        *)
+            set +x
+EOF
+    }
+
+    emit <<'EOF';
             case $COMMAND in
 	        start)
 	            logger -p kern.err "ERROR:$g_product start failed"

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,37 +40,44 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1
+		    fw       => 1,
+		    fwi      => 0,
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
+		    fwi      => 0,
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
+		    fwi      => 1 ,
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    );
 
@@ -158,6 +165,7 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
+		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );
 
 our $family;
@@ -218,12 +226,23 @@ sub process_tc_rule( ) {
 	}
     }
 
+    if ( $dest ) {
+	if ( $dest eq $fw ) {
+	    $chain = 'tcin';
+	    $dest  = '';
+	} else {
+	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	}
+    }
+
     if ( $designator ) {
 	$tcsref = $tcs{$designator};
 
 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
+	    } elsif ( $chain eq 'tcin' ) {
+		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
@@ -250,6 +269,8 @@ sub process_tc_rule( ) {
 
     $list = '';
 
+    my $restriction = 0;
+
     unless ( $classid ) {
       MARK:
 	{
@@ -259,7 +280,7 @@ sub process_tc_rule( ) {
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
 
-		    $target      = "$tccmd->{target} ";
+		    $target      = $tccmd->{target};
 		    my $marktype = $tccmd->{mark};
 
 		    if ( $marktype == NOMARK ) {
@@ -268,15 +289,19 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
 
-		    if ( $target eq 'sticky ' ) {
+		    if ( $target eq 'sticky' ) {
 			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 
+			$restriction = DESTIFACE_DISALLOW;
+			
+			ensure_mangle_chain($target);
+
 			$sticky++;
-		    } elsif ( $target eq 'IPMARK ' ) {
+		    } elsif ( $target eq 'IPMARK' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 
 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
@@ -313,7 +338,7 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY ' ) {
+		    } elsif ( $target eq 'TPROXY' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
@@ -380,7 +405,7 @@ sub process_tc_rule( ) {
     }
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} ,
+				     $restrictions{$chain} | $restriction,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
@@ -391,9 +416,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "-j $target $mark" ,
-				     '' ,
+				     $mark ? "$target $mark" : $target,
 				     '' ,
+				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -410,11 +435,11 @@ sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
     return 0           if $rate eq '-';
-    return $1          if $rate =~ /^(\d+)kbit$/i;
-    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
-    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
-    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
-    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
+    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
+    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
+    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
+    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
+    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
     fatal_error "Invalid Rate ($rate)";
 }
 
@@ -433,8 +458,6 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
     my $flow = shift;
 
-    $flow =~ s/^\(// if $flow =~ s/\)$//;
-
     my @flow = split /,/, $flow;
 
     for ( @flow ) {
@@ -445,7 +468,7 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth ) = split_line 1, 3, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
 
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -465,7 +488,21 @@ sub process_simple_device() {
 	}
     }
 
-    $in_bandwidth = rate_to_kbit( $in_bandwidth );
+    my $in_burst = '10kb';
+
+    if ( $in_bandwidth =~ /:/ ) {
+	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
+
+	if ( defined $burst && $burst ne '' ) {
+	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $in_burst = $burst;
+	}
+
+	$in_bandwidth = rate_to_kbit( $in_band );
+    } else {
+	$in_bandwidth = rate_to_kbit( $in_bandwidth );
+    }
 
     emit "if interface_is_up $physical; then";
 
@@ -477,10 +514,50 @@ sub process_simple_device() {
 	 );
 
     emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
 	 ) if $in_bandwidth;
 
-    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    if ( $out_part ne '-' ) {
+	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
+
+	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
+
+	$out_bandwidth = rate_to_kbit( $out_bandwidth );
+
+	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
+
+	if ( defined $burst && $burst ne '' ) {
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " burst $burst";
+	} else {
+	    $command .= ' burst 10kb';
+	}
+
+	if ( defined $latency && $latency ne '' ) {
+	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
+	    $command .= " latency $latency";
+	} else {
+	    $command .= ' latency 200ms';
+	}
+
+	if ( defined $peak && $peak ne '' ) {
+	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " peakrate $peak";
+	}
+
+	if ( defined $minburst && $minburst ne '' ) {
+	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " minburst $minburst";
+	}
+
+	emit $command;
+
+	my $id = $number; $number = in_hexp( $devnum | 0x100 );
+
+	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    } else {
+	emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    }
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
@@ -1230,11 +1307,26 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}
 
-	my $inband = rate_to_kbit $devref->{in_bandwidth};
+	my $in_burst = '10kb';
+	my $inband;
+
+	if ( $devref->{in_bandwidth} =~ /:/ ) {
+	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
+
+	    if ( defined $burst && $burst ne '' ) {
+		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+		$in_burst = $burst;
+	    }
+
+	    $inband = rate_to_kbit( $in_band );
+	} else {
+	    $inband = rate_to_kbit $devref->{in_bandwidth};
+	}
 
 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
 		   );
 	}
 
@@ -1352,6 +1444,68 @@ sub setup_traffic_shaping() {
     }
 }
 
+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+
+    if ( $secmark eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my %chns = ( T => 'tcpost'  ,
+		 P => 'tcpre'   ,
+		 F => 'tcfor'   ,
+		 I => 'tcin'    ,
+		 O => 'tcout'   , );
+
+    my %state = ( N =>  'NEW' ,
+		  E =>  'ESTABLISHED' , 
+		  ER => 'ESTABLISHED,RELATED' );
+
+    my ( $chain , $state, $rest) = split ':', $chainin , 3;
+
+    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
+
+    my $chain1= $chns{$chain};
+    
+    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
+    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
+
+    if ( ( $state ||= '' ) ne '' ) {
+	my $state1;
+	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
+	$state = "$globals{STATEMATCH} $state1 ";
+    }
+
+    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
+	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
+		 "SECMARK --selctx $secmark";
+
+    my $disposition = $target;
+
+    $disposition =~ s/ .*//;
+
+    expand_rule( ensure_mangle_chain( $chain1 ) , 
+		 $restrictions{$chain1} ,
+		 $state .
+		 do_proto( $proto, $dport, $sport ) .
+		 do_user( $user ) .
+		 do_test( $mark, $globals{TC_MASK} ) ,
+		 $source , 
+		 $dest , 
+		 '' , 
+		 $target , 
+		 '' , 
+		 $disposition,
+		 '' );
+
+    progress_message "Secmarks rule \"$currentline\" $done";
+		 
+}
+
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -1364,6 +1518,7 @@ sub setup_tc() {
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
+	    ensure_mangle_chain 'tcin';
 	}
 
 	my $mark_part = '';
@@ -1390,6 +1545,7 @@ sub setup_tc() {
 	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
+	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
 	}
     }
 
@@ -1438,7 +1594,7 @@ sub setup_tc() {
 			  mark      => HIGHMARK ,
 			  mask      => '' } ,
 			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark ' ,
+			  target    => 'MARK --and-mark' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' ,
 			  connmark  => 0
@@ -1460,9 +1616,20 @@ sub setup_tc() {
 	}
     }
 
-    add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
+    if ( $config{MANGLE_ENABLED} ) {
+	if ( my $fn = open_file 'secmarks' ) {
 
-    handle_stickiness( $sticky );
+	    first_entry "$doing $fn...";
+
+	    process_secmark_rule while read_a_line;
+	
+	    clear_comment;
+	}
+
+	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
+
+	handle_stickiness( $sticky );
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";

Shorewall/Perl/Shorewall/Zones.pm

@@ -78,12 +78,13 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
+		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';
 
 #
 # IPSEC Option types
@@ -94,7 +95,6 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
-
 #
 # Zone Table.
 #
@@ -155,16 +155,23 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
 #                                   }
 #                 }
 #
+#    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
+#    the same order as the interfaces are encountered in the configuration files. 
+#
 our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
 our %physical;
+our %basemap;
+our %mapbase;
 our $family;
 our $have_ipsec;
+our $baseseq;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -217,6 +224,9 @@ sub initialize( $ ) {
     @bport_zones = ();
     %ipsets = ();
     %physical = ();
+    %basemap = ();
+    %mapbase = ();
+    $baseseq = 0;
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -289,6 +299,7 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$)
 {
     my %validoptions = ( mss          => NUMERIC,
+			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@@ -298,10 +309,12 @@ sub parse_zone_option_list($$)
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
+
+    use constant { UNRESTRICTED => 1, NOFW => 2 };
     #
     # Hash of options that have their own key in the returned hash.
     #
-    my %key = ( mss => 'mss' );
+    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
 
     my ( $list, $zonetype ) = @_;
     my %h;
@@ -334,7 +347,8 @@ sub parse_zone_option_list($$)
 	    }
 
 	    if ( $key{$e} ) {
-		$h{$e} = $val;
+		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
@@ -425,20 +439,30 @@ sub process_zone( \$ ) {
 	}
     }
 
-    $zones{$zone} = { type       => $type,
-		      parents    => \@parents,
-		      bridge     => '',
-		      options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-				      in      => parse_zone_option_list( $in_options || '', $type ) ,
-				      out     => parse_zone_option_list( $out_options || '', $type ) ,
-				      complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
-				      nested  => @parents > 0 ,
-				      super   => 0 ,
-				    } ,
-		      interfaces => {} ,
-		      children   => [] ,
-		      hosts      => {}
-		    };
+    my $zoneref = $zones{$zone} = { type       => $type,
+				    parents    => \@parents,
+				    bridge     => '',
+				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
+						    in      => parse_zone_option_list( $in_options || '', $type ) ,
+						    out     => parse_zone_option_list( $out_options || '', $type ) ,
+						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+						    nested  => @parents > 0 ,
+						    super   => 0 ,
+						  } ,
+				    interfaces => {} ,
+				    children   => [] ,
+				    hosts      => {}
+				  };
+
+    if ( $zoneref->{options}{in_out}{blacklist} ) {
+	for ( qw/in out/ ) {
+	    unless ( $zoneref->{options}{$_}{blacklist} ) {
+		$zoneref->{options}{$_}{blacklist} = 1;
+	    } else {
+		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
+	    }
+	}
+    }
 
     return $zone;
 
@@ -665,7 +689,7 @@ sub add_group_to_zone($$$$$)
 		    # Make 'find_hosts_by_option()' work correctly for this zone
 		    #
 		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
-			$options->{$_} = 1 if $interfaceref->{options}{$_};
+			$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
 		    }
 
 		    $allip = 1;
@@ -740,7 +764,11 @@ sub non_firewall_zones() {
 }
 
 sub all_parent_zones() {
-   grep ( ! @{$zones{$_}{parents}} ,  @zones );
+    #
+    # Although the firewall zone is technically a parent zone, we let the caller decide
+    # if it is to be included or not.
+    #
+    grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 
 sub complex_zones() {
@@ -767,11 +795,48 @@ sub is_a_bridge( $ ) {
 #
 sub chain_base($) {
     my $chain = $_[0];
-
-    $chain =~ s/^@/at_/;
-    $chain =~ tr/[.\-%@]/_/;
+    my $name  = $basemap{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value 
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
     $chain =~ s/\+$//;
-    $chain;
+    $chain =~ tr/./_/;
+
+    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap{$key} = $name;
 }
 
 #
@@ -838,6 +903,8 @@ sub process_interface( $$ ) {
 	$root = $interface;
     }
 
+    fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
+
     my $physical = $interface;
     my $broadcasts;
 
@@ -892,8 +959,16 @@ sub process_interface( $$ ) {
 
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
-		$options{$option} = 1;
-		$hostoptions{$option} = 1 if $hostopt;
+		if ( $option eq 'blacklist' ) {
+		    if ( $zone ) {
+			$zoneref->{options}{in}{blacklist} = 1;
+		    } else {
+			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
+		    }
+		} else {
+		    $options{$option} = 1;
+		    $hostoptions{$option} = 1 if $hostopt;
+		}
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@@ -901,8 +976,8 @@ sub process_interface( $$ ) {
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -925,10 +1000,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
-		# Remove parentheses from address list if present
-		#
-		$value =~ s/\)$// if $value =~ s/^\(//;
-		#
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
@@ -961,7 +1032,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
 
@@ -991,7 +1062,6 @@ sub process_interface( $$ ) {
 
 	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
 
-
 	$hostoptionsref = \%hostoptions;
     } else {
 	#
@@ -1008,7 +1078,8 @@ sub process_interface( $$ ) {
 						       broadcasts => $broadcasts ,
 						       options    => \%options ,
 						       zone       => '',
-						       physical   => $physical
+						       physical   => $physical ,
+						       base       => chain_base( $physical )
 						     };
 
     if ( $zone ) {
@@ -1104,28 +1175,35 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
+# %interfaces.
 #
-sub known_interface($)
+sub known_interface($;$)
 {
-    my $interface = $_[0];
+    my ( $interface, $cache ) = @_;
     my $interfaceref = $interfaces{$interface};
 
     return $interfaceref if $interfaceref;
 
+    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
+
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
-	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
-	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options},
-					       bridge   => $interfaceref->{bridge} ,
-					       name     => $i ,
-					       number   => $interfaceref->{number} ,
-					       physical => map_physical( $interface, $interfaceref )
-					     };
+	    my $physical = map_physical( $interface, $interfaceref );
+	    
+	    my $copyref = { options  => $interfaceref->{options},
+			    bridge   => $interfaceref->{bridge} ,
+			    name     => $i ,
+			    number   => $interfaceref->{number} ,
+			    physical => $physical ,
+			    base     => chain_base( $physical ) ,
+			  };
+
+	    $interfaces{$interface} = $copyref if $cache;
+
+	    return $copyref;
 	}
     }
 
@@ -1236,25 +1314,33 @@ sub find_interfaces_by_option( $ ) {
 }
 
 #
-# Returns reference to array of interfaces with the passed option
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
     my $option = $_[0];
     my @ints = ();
+    my $wild = 0;
 
-    for my $interface ( keys %interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
+			keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
 	next unless defined $interfaceref->{physical};
-	next if $interfaceref->{physical} =~ /\+/;
 
 	my $optionsref = $interfaceref->{options};
+
 	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
     }
 
-    \@ints;
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
 }
 
 #
@@ -1287,6 +1373,8 @@ sub verify_required_interfaces( $ ) {
     my $interfaces = find_interfaces_by_option 'wait';
 
     if ( @$interfaces ) {
+	my $first = 1;
+
 	emit( "local waittime\n" );
 
 	emit( 'case "$COMMAND" in' );
@@ -1300,6 +1388,8 @@ sub verify_required_interfaces( $ ) {
 	for my $interface (@$interfaces ) {
 	    my $wait = $interfaces{$interface}{options}{wait};
 
+	    emit q() unless $first-- > 0;
+	    
 	    if ( $wait ) {
 		my $physical = get_physical $interface;
 
@@ -1330,7 +1420,7 @@ sub verify_required_interfaces( $ ) {
 		    emit  q(        sleep 1);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
-		    emit qq(fi\n);
+		    emit  q(fi);
 		}
 
 		$returnvalue = 1;
@@ -1342,7 +1432,7 @@ sub verify_required_interfaces( $ ) {
 	pop_indent;
 	pop_indent;
 
-	emit( 'esac' );
+	emit( "esac\n" );
 
     }
 
@@ -1365,16 +1455,16 @@ sub verify_required_interfaces( $ ) {
 
 		$physical =~ s/\+$/*/;
 
-		emit( "${base}_IS_UP=\n",
+		emit( "SW_${base}_IS_UP=\n",
 		      'for interface in $(find_all_interfaces); do',
 		      '    case $interface in',
 		      "        $physical)",
-		      "            interface_is_usable \$interface && ${base}_IS_UP=Yes && break",
+		      "            interface_is_usable \$interface && SW_${base}_IS_UP=Yes && break",
 		      '            ;;',
 		      '    esac',
 		      'done',
 		      '',
-		      "if [ -z \"\$${base}_IS_UP\" ]; then",
+		      "if [ -z \"\$SW_${base}_IS_UP\" ]; then",
 		      "    startup_error \"None of the required interfaces $physical are available\"",
 		      "fi\n"
 		    );
@@ -1613,7 +1703,9 @@ sub process_host( ) {
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
-		warning_message "The 'norfc1918' option is no longer supported"
+		warning_message "The 'norfc1918' host option is no longer supported"
+	    } elsif ( $option eq 'blacklist' ) {
+		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1718,6 +1810,21 @@ sub find_hosts_by_option( $ ) {
     \@hosts;
 }
 
+#
+# Returns a reference to a list of zones with the passed in/out option
+#
+
+sub find_zones_by_option( $$ ) {
+    my ($option, $in_out ) = @_;
+    my @zns;
+
+    for my $zone ( @zones ) {
+	push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
+    }
+
+    \@zns;
+}
+
 sub all_ipsets() {
     sort keys %ipsets;
 }

Shorewall/Perl/prog.header

@@ -88,43 +88,18 @@ setpolicy() # $1 = name of chain, $2 = policy
     run_iptables -P $1 $2
 }
 
-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the NAT table chains
-#
-flushnat() # $1 = name of chain
-{
-    run_iptables -t nat -F $1
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
-    run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
-    run_iptables -F
-    run_iptables -X
-}
-
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv4 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
@@ -533,11 +508,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
+    local result
+    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
-	local result
 	result=1
 
 	while read route ; do
@@ -622,9 +598,9 @@ delete_proxyarp() {
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
-    fi
 
-    rm -f ${VARDIR}/proxyarp
+	rm -f ${VARDIR}/proxyarp
+    fi
 }
 
 #
@@ -638,6 +614,7 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
+    qt $IPTABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv4/ip_forward
 

Shorewall/Perl/prog.header6

@@ -88,35 +88,18 @@ setpolicy() # $1 = name of chain, $2 = policy
     run_iptables -P $1 $2
 }
 
-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
-    run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
-    run_iptables -F
-    run_iptables -X
-}
-
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv6 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 
 #
@@ -513,11 +496,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
+    local result
+    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
-	local result
 	result=1
 
 	while read route ; do
@@ -600,6 +584,7 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
+    qt $IP6TABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 

Shorewall/changelog.txt

@@ -1,14 +1,73 @@
-Changes in Shorewall 4.4.11.1
+Changes in Shorewall 4.4.13
+
+1)  Allow zone lists in rules SOURCE and DEST.
+
+2)  Fix exclusion in the blacklist file.
+
+3)  Correct several old exclusion bugs.
+
+4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
+
+5)  Re-implement optional interface handling.
+
+6)  Add secmark config file.
+
+7)  Split in and out blacklisting.
+
+8)  Correct handling of [{src|dst},...] in ipset invocation
+
+9)  Correct SAME.
+
+10) TC Enhancements:
+
+    <burst> in IN-BANDWIDTH columns.
+    OUT-BANDWIDTH column in tcinterfaces.
+
+11) Create dynamic zone ipsets on 'start'.
+
+12) Remove new blacklisting implementation.
+
+13) Implement an alternative blacklisting scheme.
+
+14) Use '-m state' for UNTRACKED.
+
+15) Clear raw table on 'clear'
+
+16) Correct port-range check in tcfilters.
+
+17) Disallow '*' in interface names.
+
+Changes in Shorewall 4.4.12
 
 1)  Fix IPv6 shorecap program.
 
 2)  Eradicate incorrect IPv6 Multicast Network
 
-3)  Allow :random to work with REDIRECT
+3)  Add ADD/DEL support.
 
-4)  Don't slow down 'stop' with 'wait'.
+4)  Allow :random to work with REDIRECT
 
-5)  Resolve mutex/nolock issues.
+5)  Add per-ip log rate limiting.
+
+6)  Use new hashlimit match syntax if available.
+
+7)  Add Universal sample.
+
+8)  Add COMPLETE option.
+
+9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
+
+10) Support new set match syntax.
+
+11) Blacklisting by DEST IP.
+
+12) Fix duplicate rule generation with 'any'.
+
+13) Fix port range editing problem.
+
+14) Display the .conf file directory in response to the status command.
+
+15)  Correct AUTOMAKE
 
 Changes in Shorewall 4.4.11
 
@@ -20,7 +79,7 @@ Changes in Shorewall 4.4.11
 
 4)  Make IPv6 log and connections output readable.
 
-5) Add REQUIRE_INTERFACE to shorewall*.conf
+5)  Add REQUIRE_INTERFACE to shorewall*.conf
 
 6)  Avoid run-time warnings when options are not listed in
     shorewall.conf.

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
+#####################################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,4 +7,5 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
+

Shorewall/configfiles/masq

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/secmarks

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
+#				STATE						PORT(S)	PORT(S) GROUP
+
+
+
+
+								

Shorewall/configfiles/shorewall.conf

@@ -31,9 +31,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -200,6 +198,8 @@ REQUIRE_INTERFACE=No
 
 FORWARD_CLEAR_MARK=Yes
 
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -8,4 +8,3 @@
 #
 ###############################################################################
 #INTERFACE	TYPE		IN-BANDWIDTH
-

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
     echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi
 
+#
+# Install the secmarks file
+#
+run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
+    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
+fi
+
 #
 # Install the default config path file
 #
@@ -745,7 +755,7 @@ fi
 #
 # Install the  Makefiles
 #
-install-file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
+install_file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
 
 if [ -z "$SPARSE" ]; then
     run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall

Shorewall/known_problems.txt

@@ -1,50 +1,2 @@
-1)  In all versions of Shorewall6 lite, the 'shorecap' program is
-    using the 'iptables' program rather than the 'ip6tables' program.
-    This causes many capabilities that are not available in IPv6 to
-    be incorrectly reported as available.
-
-    This results in errors such as:
-
-    	 ip6tables-restore v1.4.2: Couldn't load match `addrtype':
-	   /lib/xtables/libip6t_addrtype.so: cannot open shared
-	   object file: No such file or directory
-
-    To work around this problem, on the administrative system:
-
-    a)  Remove the incorrect capabilties file.
-    b)  In shorewall6.conf, set the IP6TABLES option to the
-        path name of ip6tables on the firewall (example:
-	IP6TABLES=/sbin/ip6tables).
-    c)  'shorewall6 load <firewall>'.
-
-    Corrected in Shorewall 4.4.11.1
-
-2)  In a number of cases, Shorewall6 generates incorrect rules
-    involving the IPv6 multicast network. The rules specify
-    ff00::/10 where they should specify ff00::/8.  Also, rules
-    instantiated when the IPv6 firewall is stopped use ff80::/10 rather
-    than fe80::/10 (IPv6 link local network).
-
-    Corrected in Shorewall 4.4.11.1
-
-3)  Using a destination port-range with :random produces a fatal
-    compilation error in REDIRECT rules unless the firewall zone is
-    explicitly specified (e.g., $FW::2000-2010:random).
-
-    Corrected in Shorewall 4.4.11.1
-
-4)  /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
-    'nolock' option. In other cases, this option is incorrectly passed
-    on to the compiled script, causing the script to issue a usage
-    synopsis and to terminate.
- 
-    Corrected in Shorewall 4.4.11.1
-
-5)  On systems that use the Upstart init system (such as Ubuntu and
-    Fedora), Shorewall-init is not reliable at starting the firewall
-    during boot when normal firewall startup is disabled and UPDOWN=1
-    is specified in /etc/default/shorewall-init.
-
-    Suggested workaround is to not disable normal startup (e.g., do not
-    set startup=0 on Debian-based systems and do not 'checkconfig
-    --del...' on Fedora).
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.

Shorewall/lib.base

@@ -29,7 +29,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40411
+SHOREWALL_CAPVERSION=40413
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]

Shorewall/lib.cli

@@ -226,6 +226,18 @@ show_classifiers() {
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
 
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
@@ -541,6 +553,20 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
+
+	    if [ -z "$LOGFILE" ]; then
+		LOGFILE=/var/log/messages
+		
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
+	    fi
+
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -781,6 +807,19 @@ dump_command() {
 	esac
     done
 
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
+
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -1027,6 +1066,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
+    local which
+    which='-s'
+    local range
+    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -1038,19 +1081,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		shift
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		shift
+		continue
+		;;
 	    *-*)
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
-		qt $IPTABLES -D dynamic -m iprange --src-range  $1 -j DROP
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
-		$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
+		qt $IPTABLES -D dynamic -m iprange $range  $1 -j DROP
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
+		$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IPTABLES -D dynamic -s $1 -j reject
-		qt $IPTABLES -D dynamic -s $1 -j DROP
-		qt $IPTABLES -D dynamic -s $1 -j logreject
-		qt $IPTABLES -D dynamic -s $1 -j logdrop
-		$IPTABLES -A dynamic -s $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic $which $1 -j reject
+		qt $IPTABLES -D dynamic $which $1 -j DROP
+		qt $IPTABLES -D dynamic $which $1 -j logreject
+		qt $IPTABLES -D dynamic $which $1 -j logdrop
+		$IPTABLES -A dynamic $which $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1340,6 +1395,11 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1349,11 +1409,21 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
 		*-*)
-		    if  qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
+		    if  qt $IPTABLES -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1361,10 +1431,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IPTABLES -D dynamic -s $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -s $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -s $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -s $1 -j logreject
+		    if  qt $IPTABLES -D dynamic $which $1 -j reject    ||\
+			qt $IPTABLES -D dynamic $which $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic $which $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic $which $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1472,6 +1542,7 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
+    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1505,6 +1576,7 @@ determine_capabilities() {
     PERSISTENT_SNAT=
     FLOW_FILTER=
     FWMARK_RT_MASK=
+    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1614,9 +1686,13 @@ determine_capabilities() {
 	qt ipset -X $chain # Just in case something went wrong the last time
 
 	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
+		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
+		OLD_IPSET_MATCH=Yes
 	    fi
 	    qt ipset -X $chain
 	fi
@@ -1638,6 +1714,7 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
     qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
@@ -1681,7 +1758,10 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
+	if [ -n "$IPSET_MATCH" ]; then
+	    report_capability "Ipset Match" $IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1714,6 +1794,7 @@ report_capabilities() {
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1745,6 +1826,7 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
+    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1777,6 +1859,7 @@ report_capabilities1() {
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
     report_capability1 FWMARK_RT_MASK
+    report_capability1 MARK_ANYWHERE
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/lib.common

@@ -514,9 +514,13 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state
+set_state () # $1 = state $2 
 {
-    echo "$1 ($(date))" > ${VARDIR}/state
+    if [ $# -gt 1 ]; then
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+    else
+	echo "$1 ($(date))" > ${VARDIR}/state
+    fi
 }
 
 #

Shorewall/releasenotes.txt

@@ -1,16 +1,266 @@
 ----------------------------------------------------------------------------
-                    S H O R E W A L L  4 . 4 . 1 1 . 1
+                      S H O R E W A L L  4 . 4 . 1 3
 ----------------------------------------------------------------------------
 
-I.    RELEASE 4.4 HIGHLIGHTS
-II.   MIGRATION ISSUES
-III.  PROBLEMS CORRECTED IN THIS RELEASE
-IV.   KNOWN PROBLEMS REMAINING
-V.    NEW FEATURES IN THIS RELEASE
+I.    PROBLEMS CORRECTED IN THIS RELEASE
+II.   KNOWN PROBLEMS REMAINING
+III.  NEW FEATURES IN THIS RELEASE
+IV.   RELEASE 4.4 HIGHLIGHTS
+V.    MIGRATION ISSUES
 VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 ----------------------------------------------------------------------------
-             I.  R E L E A S E  4 . 4  H I G H L I G H T S
+  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
+----------------------------------------------------------------------------
+
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored. 
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+    
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually. 
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error is now generated if '*' appears in an interface name.
+
+----------------------------------------------------------------------------
+           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.
+
+----------------------------------------------------------------------------
+      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+----------------------------------------------------------------------------
+
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
+    contain zone lists in the SOURCE and DEST column. A zone list is a
+    comma-separated list of zone names where each name appears in the
+    zones file. A zone list may be optionally followed by a plus sign
+    ("+") to indicate that the rule should apply to intra-zone traffic
+    as well as to inter-zone traffic.
+
+    Zone lists behave like 'all' and 'any' with respect to Optimization
+    1. If the rule matches the applicable policy for a given (source
+    zone, dest zone), then the rule will be suppessed for that pair of
+    zones unless overridden by the '!' suffix on the target in the
+    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+
+    Additionally, 'any', 'all' and zone lists may be qualified in the
+    same way as a single zone.
+
+    Examples:
+
+	fw,dmz:90.90.191.120/29
+	all:+blacklist
+
+    The 'all' and 'any' keywords now support exclusion in the form of a
+    comma-separated list of excluded zones.
+
+    Examples: 
+
+    	     all!fw         (same as all-).
+	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
+	     		     include intra-zone rules).
+
+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
+
+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
+
+----------------------------------------------------------------------------
+             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
 
 1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -67,8 +317,14 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 15) TPROXY support has been added.
 
+16) Explicit support for Linux-vserver has been added. It is now
+    possible to define sub-zones of $FW.
+
+17) A 'Universal' sample configuration is now availale for a
+    'plug-and-play' firewall.
+
 ----------------------------------------------------------------------------
-                  I I.  M I G R A T I O N   I S S U E S
+                   V.  M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
 1)  If you are currently using Shorewall-shell:
 
@@ -214,31 +470,158 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     where 'iface' is a capitalized interface name (e.g., ETH0) and
     'provider' is the capitalized name of a provider.
 
+15) Support for the OPTIONS column in /etc/shorewall/blacklist
+    (/etc/shorewall6/blacklist) has been removed. Blacklisting by
+    destination IP address will be included in a later Shorewall
+    release.
+
 ----------------------------------------------------------------------------
-I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
 
-4.4.11.1
-
-1)  Previously, the Shoreall6-lite version of shorecap was using
+1)  Previously, the Shorewall6-lite version of shorecap was using
     iptables rather than ip6tables, with the result that many capabilities
     that are only available in IPv4 were being reported as available.
 
 2)  In a number of cases, Shorewall6 generated incorrect rules
-    involving the IPv6 multicast network. The rules specify
-    ff00::/10 where they should specify ff00::/8. Also, rules
-    instantiated when the IPv6 firewall is stopped used ff80::/10 rather
-    than fe80::/10 (Ipv6 Link Local network).
+    involving the IPv6 multicast network. The rules specified
+    ff00::/10 where they should have specified ff00::/8. Also, rules
+    instantiated when the firewall was stopped used ff80::/10 rather
+    than fe80::/10 (IPv6 Link Local network).
 
 3)  Previously, using a destination port-range with :random produced a
     fatal compilation error in REDIRECT rules.
 
-4)  /sbin/shorewall and /sbin/shorewall6 sometimes failed to honor the
-    'nolock' option. In other cases, this option was incorrectly passed
-    on to the compiled script, causing the script to issue a usage
-    synopsis and to terminate.
- 
-4.4.11
+4)  A number of problems associated with Shorewall-init and Upstart
+    have been corrected. 
+
+    If you use Shorewall-init, then when upgrading to this version, be
+    sure to recompile all firewall scripts before you take interfaces
+    down or reboot.
+
+5)  Previously, the Shorewall installer (install.sh) failed to install
+    /usr/share/shorewall/configfiles/Makefile and rather issued the
+    following message:
+
+    	      install-file: command not found 
+
+    This caused the Makefile to be omitted from RPMs as well.
+
+6)  When 'any' was used in the SOURCE column, a duplicate rule was
+    generated in all "fw2*" ("fw-* if ZONE2ZONE="-"). If 'any' was used
+    in the DEST column, then a duplicate rule appeared in all "*2fw"
+    (*-fw) chains.
+
+7)  A port range that omitted the first port number (e.g., ":80") was
+    rejected with the following error:
+
+    	 ERROR: Invalid/Unknown tcp port/service (0) : ......
+
+8)  AUTOMAKE=Yes has been broken for some time. It is now working
+    correctly.
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 2
+----------------------------------------------------------------------------
+
+1)  Support has been added for ADD and DEL rules in
+    /etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
+    IP address to be added to an ipset; DEL deletes an address
+    previously added.
+
+2)  Per-ip log rate limiting has been added in the form of the LOGLIMIT
+    option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
+    LOGBURST are ignored. 
+
+    LOGRATE and LOGBURST are now deprecated.
+
+    LOGLIMIT value format is [{s|d}:]<rate>[/<unit>][:<burst>]
+
+    If the value starts with 's:' then logging is limited per source
+    IP. If the value starts with 'd:', then logging is limited per
+    destination IP. Otherwise, the overall logging rate is limited.
+
+    <unit> is one of sec, min, hour, day.
+
+    If <burst> is not specified, then a value of 5 is assumed.
+
+3)  The sample configurations now include a 'Universal' configuration
+    that will start on any system and protect that system while
+    allowing the system to forward traffic.
+
+    As part of this change, several additional features were added:
+
+    - You may now specify "physical=+" in the interfaces file.
+    - A 'COMPLETE' option is added to shorewall.conf and
+      shorewall6.conf. When you set this option to Yes, you are
+      asserting that the configuration is complete so that your set of
+      zones encompasses any hosts that can send or receive traffic
+      to/from/through the firewall. This causes Shorewall to omit the
+      rules that catch packets in which the source or destination IP
+      address is outside of any of your zones. Default is No.  It is
+      recommended that this option only be set to Yes if:
+
+      o You have defined an interface whose effective physical setting
+        is '+'
+      o That interface is assigned to a zone.
+      o You have no CONTINUE policies or rules.
+
+4)  'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
+    compilations.
+
+5)  Shorewall now detects the presence of a recent ipset iptables
+    module and uses its new syntax. This avoids a warning on iptables
+    1.4.9. This change involves a new capabilities file version so if
+    you use a capabilities file, be sure to regenerate it with 4.4.12
+    shorewall-lite or shorewall6-lite.
+
+6)  Blacklisting can now be done by destination IP address as well as
+    by source address.
+
+    The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
+    now have an optional OPTIONS column. Initially, this column can
+    contain either 'from' (the default) or 'to'; the latter causes the
+    address(es) in the ADDRESS/SUBNET column to be interpreted as a
+    DESTINATION address rather than a source address.
+
+    Note that static blacklisting is still restricted to traffic
+    ARRIVING on an interface that has the 'blacklist' option set. So to
+    block traffic from your local network to an internet host, you must
+    specify 'blacklist' on your internal interface.
+
+    Similarly, dynamic blacklisting has been enhanced to recognize the
+    'from' and 'to' keywords.
+
+    Example:
+
+	shorewall drop to 1.2.3.4
+
+    This command will silently drop connection requests to1.2.3.4.
+
+    The reciprocal of that command would be:
+
+    	shorewall allow to 1.2.3.4
+
+7)  The status command now displays the directory containing the .conf
+    file (shorewall.conf or shorewall6.conf) when the running
+    configuration was compiled.
+
+    Example:
+
+        gateway:/etc/shorewall# shorewall status
+	Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 19:41:51 PDT 2010
+
+	Shorewall is running
+	State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
+
+	gateway:/etc/shorewall# 
+
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
 
 1)  The IPv6 allowBcast action generated an invalid rule.
 
@@ -292,20 +675,7 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
                 /etc/shorewall6/interfaces (line 16)
 
 ----------------------------------------------------------------------------
-           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
-----------------------------------------------------------------------------
-
-1)  On systems that use the Upstart init system (such as Ubuntu and
-    Fedora), Shorewall-init is not reliable at starting the firewall
-    during boot when normal firewall startup is disabled and UPDOWN=1
-    is specified in /etc/default/shorewall-init.
-
-    Suggested workaround is to not disable normal startup (e.g., do not
-    set startup=0 on Debian-based systems and do not 'checkconfig
-    --del...' on Fedora).
-
-----------------------------------------------------------------------------
-         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+               N E W   F E A T U R E S   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------
 
 1)  Beginning with this release, Shorewall supports a 'vserver'
@@ -349,9 +719,6 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
     is not executable, Shorewall (and Shorewall6) fall back to
     /usr/bin/perl.
 
-----------------------------------------------------------------------------
-V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
-      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------

Shorewall/shorewall

@@ -67,15 +67,15 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-	    if [ -n "$(syslog_circular_buffer)" ]; then
-		g_logread="logread | tac"
-	    elif [ -r $LOGFILE ]; then
-		g_logread="tac $LOGFILE"
-	    else
-		echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		exit 2
+	    if [ -n "$LOGFILE" ]; then
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
 	    fi
 	fi
 
@@ -486,7 +486,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if make -qf ${CONFDIR}/Makefile; then
+	    if ! make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.11
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,8 +108,34 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-1
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6-lite/shorewall6-lite

@@ -617,7 +617,7 @@ case "$COMMAND" in
 	verify_firewall_script
 	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_on
+	[ -n "$nolock" ] || mutex_off
 	;;
     restart)
 	shift

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.11
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,8 +93,34 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-1
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

Shorewall6/blacklist

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {
@@ -311,8 +311,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
 
 #
 # Install wait4ifup
@@ -507,6 +507,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
     run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
     echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
 fi
+
+#
+# Install the Secmarks file
+#
+run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
+    run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
+    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
+fi
 #
 # Install the default config path file
 #

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40411
+SHOREWALL_CAPVERSION=40413
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

Shorewall6/lib.cli

@@ -208,6 +208,19 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
 
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
+
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')
 
@@ -457,6 +470,20 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
+
+	    if [ -z "$LOGFILE" ]; then
+		LOGFILE=/var/log/messages
+		
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
+	    fi
+
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -667,6 +694,19 @@ dump_command() {
 	esac
     done
 
+    if [ -z "$LOGFILE" ]; then
+	LOGFILE=/var/log/messages
+
+	if [ -n "$(syslog_circular_buffer)" ]; then
+	    g_logread="logread | tac"
+	elif [ -r $LOGFILE ]; then
+	    g_logread="tac $LOGFILE"
+	else
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    exit 2
+	fi
+    fi
+
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -918,6 +958,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
+    local which
+    which='-s'
+    local range
+    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -929,19 +973,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
+	    from)
+		which='-s'
+		range='--src-range'
+		shift
+		continue
+		;;
+	    to)
+		which='-d'
+		range='--dst-range'
+		shift
+		continue
+		;;
 	    *-*)
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
-		qt $IP6TABLES -D dynamic -m iprange --src-range  $1 -j DROP
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
-		$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
+		qt $IP6TABLES -D dynamic -m iprange $range  $1 -j DROP
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
+		$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IP6TABLES -D dynamic -s $1 -j reject
-		qt $IP6TABLES -D dynamic -s $1 -j DROP
-		qt $IP6TABLES -D dynamic -s $1 -j logreject
-		qt $IP6TABLES -D dynamic -s $1 -j logdrop
-		$IP6TABLES -A dynamic -s $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic $which $1 -j reject
+		qt $IP6TABLES -D dynamic $which $1 -j DROP
+		qt $IP6TABLES -D dynamic $which $1 -j logreject
+		qt $IP6TABLES -D dynamic $which $1 -j logdrop
+		$IP6TABLES -A dynamic $which $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1046,6 +1102,11 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1055,11 +1116,21 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
 		*-*)
-		    if  qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1067,10 +1138,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IP6TABLES -D dynamic -s $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -s $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -s $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -s $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic $which $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic $which $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic $which $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic $which $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1160,6 +1231,7 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
+    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1191,6 +1263,7 @@ determine_capabilities() {
     LOG_TARGET=Yes
     FLOW_FILTER=
     FWMARK_RT_MASK=
+    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1332,6 +1405,7 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
@@ -1374,7 +1448,10 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
+	if [ -n "$IPSET_MATCH" ]; then
+	    report_capability "Ipset Match" $IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1405,6 +1482,7 @@ report_capabilities() {
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1435,6 +1513,7 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
+    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1465,6 +1544,7 @@ report_capabilities1() {
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
     report_capability1 FWMARK_RT_MASK
+    report_capability1 MARK_ANYWHERE
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/lib.common

@@ -452,7 +452,11 @@ find_file()
 #
 set_state () # $1 = state
 {
-    echo "$1 ($(date))" > ${VARDIR}/state
+    if [ $# -gt 1 ]; then
+	echo "$1 ($(date)) from $2" > ${VARDIR}/state
+    else
+	echo "$1 ($(date))" > ${VARDIR}/state
+    fi
 }
 
 #

Shorewall6/secmarks

@@ -0,0 +1,8 @@
+#
+# Shorewall6 version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
+#										PORT(S)	PORT(S)

Shorewall6/shorewall6

@@ -67,15 +67,15 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-	    if [ -n "$(syslog_circular_buffer)" ]; then
-		g_logread="logread | tac"
-	    elif [ -r $LOGFILE ]; then
-		g_logread="tac $LOGFILE"
-	    else
-		echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		exit 2
+	    if [ -n "$LOGFILE" ]; then
+		if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
+		else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
+		fi
 	    fi
 	fi
 
@@ -419,7 +419,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if make -qf ${CONFDIR}/Makefile; then
+	    if ! make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi

Shorewall6/shorewall6.conf

@@ -32,9 +32,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -153,7 +151,11 @@ DYNAMIC_BLACKLIST=Yes
 
 LOAD_HELPERS_ONLY=No
 
-FORWARD_CLEAR_MARK=yes
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
 
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.11
-%define release 1
+%define version 4.4.13
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,8 +98,34 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-1
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.11.1
+VERSION=4.4.13
 
 usage() # $1 = exit status
 {

docs/Accounting.xml

@@ -119,8 +119,7 @@
         (from <filename>/etc/protocols</filename>), a protocol number or
         <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
         iptables must have ipp2p match support from <ulink
-        url="http://www.netfilter.org">Netfilter
-        Patch_o_matic_ng</ulink>.</para>
+        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -146,7 +145,7 @@
         only be non-empty if the CHAIN is OUTPUT. The column may
         contain:</para>
 
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
+        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
 
         <para>When this column is non-empty, the rule applies only if the
         program generating the output is running under the effective
@@ -163,9 +162,6 @@
 
           <member>!:kids #program must not be run by a member of the
           <quote>kids</quote> group</member>
-
-          <member>+upnpd #program named upnpd (This feature was removed from
-          Netfilter in kernel version 2.6.14).</member>
         </simplelist>
       </listitem>
 

docs/CompiledPrograms.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2006-2007</year>
+      <year>2006-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -180,11 +180,11 @@
         disable startup of Shorewall in your init scripts. For ease of
         reference, we call this system the 'administrative system'.</para>
 
-        <para>The administrative system may be a Windows system running <ulink
-        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
-        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
-        Install from a shell prompt <ulink url="Install.htm">using the
-        install.sh script</ulink>.</para>
+        <para>The administrative system may be a GNU/Linux system, a Windows
+        system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
+        an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
+        running OS X. Install from a shell prompt <ulink
+        url="Install.htm">using the install.sh script</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -241,8 +241,10 @@
         <orderedlist>
           <listitem>
             <para>modify the files in the corresponding export directory
-            appropriately. It's a good idea to include the IP address of the
-            administrative system in the <ulink
+            appropriately (i.e., <emphasis>just as you would if you were
+            configuring Shorewall on the firewall system itself</emphasis>).
+            It's a good idea to include the IP address of the administrative
+            system in the <ulink
             url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
             file</ulink>.</para>
 
@@ -283,26 +285,29 @@
 
           <listitem>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load -c firewall</command></programlisting>
+<command>/sbin/shorewall load firewall</command></programlisting>
 
             <para>The <ulink
             url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
             command compiles a firewall script from the configuration files in
             the current working directory (using <command>shorewall compile
             -e</command>), copies that file to the remote system via scp and
-            starts Shorewall Lite on the remote system via ssh. The -c option
-            causes the capabilities of the remote system to be generated and
-            copied to a file named <filename>capabilities</filename> in the
-            export directory. See <link
-            linkend="Shorecap">below</link>.</para>
+            starts Shorewall Lite on the remote system via ssh.</para>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load -c gateway</command><note>
+            <para><command>/sbin/shorewall load gateway</command><note>
                 <para>Although scp and ssh are used by default, you can use
                 other utilities by setting RSH_COMMAND and RCP_COMMAND in
                 <filename>/etc/shorewall/shorewall.conf</filename>.</para>
               </note></para>
+
+            <para>The first time that you issue a <command>load</command>
+            command, Shorewall will use ssh to run
+            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+            remote firewall to create a capabilities file in the firewall's
+            administrative direction. See <link
+            linkend="Shorecap">below</link>.</para>
           </listitem>
         </orderedlist>
       </listitem>
@@ -456,7 +461,7 @@ clean:
       </simplelist>
     </blockquote>
 
-    <para>You will normally not need to touch
+    <para>You will normally never touch
     <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
     run Debian or one of its derivatives (see <link
     linkend="Debian">above</link>).</para>
@@ -559,11 +564,11 @@ clean:
           <blockquote>
             <para>Before editing:</para>
 
-            <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
 
             <para>After editing:</para>
 
-            <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
           </blockquote>
 
           <para>Changing CONFIG_PATH will ensure that subsequent compilations
@@ -596,14 +601,21 @@ clean:
 
           <blockquote>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load -c &lt;firewall system&gt;</command>
+<command>/sbin/shorewall load &lt;firewall system&gt;</command>
 </programlisting>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load -c gateway</command></para>
+            <para><command>/sbin/shorewall load gateway</command></para>
           </blockquote>
 
+          <para>The first time that you issue a <command>load</command>
+          command, Shorewall will use ssh to run
+          <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+          remote firewall to create a capabilities file in the firewall's
+          administrative direction. See <link
+          linkend="Shorecap">below</link>.</para>
+
           <para>The <ulink
           url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
           command compiles a firewall script from the configuration files in
@@ -640,7 +652,8 @@ clean:
 <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
 
           <para>Or simply use the -c option the next time that you use the
-          <command>reload</command> command.</para>
+          <command>reload</command> command (e.g., <command>shorewall reload
+          -c gateway</command>).</para>
         </listitem>
       </orderedlist>
     </section>

docs/Documentation_Index.xml

@@ -102,8 +102,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
-            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Anatomy.html">Anatomy of
+            Shorewall</ulink></entry>
 
             <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
@@ -112,8 +112,8 @@
           </row>
 
           <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
-            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth
+            Control</ulink></entry>
 
             <entry><ulink url="ManualChains.html">Manual
             Chains</ulink></entry>
@@ -123,9 +123,8 @@
           </row>
 
           <row>
-            <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
-            (<ulink
-            url="blacklisting_support_ru.html">Russian</ulink>)</entry>
+            <entry><ulink
+            url="blacklisting_support.htm">Blacklisting</ulink></entry>
 
             <entry><ulink
             url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@@ -197,8 +196,7 @@
             NAT)</entry>
 
             <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            Complex</ulink></entry>
           </row>
 
           <row>
@@ -320,8 +318,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Install.htm">Installation/Upgrade</ulink>
-            (<ulink url="Install_fr.html">Français</ulink>)</entry>
+            <entry><ulink
+            url="Install.htm">Installation/Upgrade</ulink></entry>
 
             <entry><ulink url="ReleaseModel.html">Release
             Model</ulink></entry>

docs/FAQ.xml

@@ -687,11 +687,9 @@ eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</em
           <para>That rule (and the second one in the previous bullet) only
           works of course if you have a static external IP address. If you
           have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename> (or your
-          <filename>&lt;export directory&gt;/init</filename> file if you are
-          using Shorewall Lite on the firewall system):</para>
+          <filename>/etc/shorewall/params</filename>.</para>
 
-          <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>        </programlisting>
+          <programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command>        </programlisting>
 
           <para>and make your DNAT rule:</para>
 
@@ -712,6 +710,14 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
             will return 0.0.0.0 if the interface has no configured IP address;
             the latter terminates the calling program.</para>
           </note>
+
+          <note>
+            <para>If you run Shorewall-lite on your firewall, you must use the
+            following in the firewall's configuration directory
+            <filename>params</filename> file:</para>
+
+            <programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
+          </note>
         </listitem>
       </itemizedlist>
 
@@ -1182,6 +1188,18 @@ to debug/develop the newnat interface.</programlisting></para>
   <section id="Logging">
     <title>Logging</title>
 
+    <section id="faq91">
+      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
+      spit out logs to /var/log/shorewall.log and it's not happening after I
+      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
+      the correct line, right? </title>
+
+      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
+      The LOGFILE setting tells Shorewall where to find the log; it does not
+      determine where messages are written. See <link linkend="faq6">the next
+      FAQ</link>.</para>
+    </section>
+
     <section id="faq6">
       <title>(FAQ 6) Where are the log messages written and how do I change
       the destination?</title>
@@ -2090,6 +2108,57 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
       <filename>/etc/shorewall/params</filename> when processing the <emphasis
       role="bold">restore</emphasis> command.</para>
     </section>
+
+    <section id="faq90">
+      <title>(FAQ 90) Shorewall starts fine but after several minutes, it
+      stops. Why is it doing that?</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> Shorewall uses the
+      presence of a chain named <emphasis>shorewall</emphasis> to indicate
+      whether is started or stopped. That chain is created during execution of
+      a successful <emphasis role="bold">start</emphasis>, <emphasis
+      role="bold">restart</emphasis> or <emphasis
+      role="bold">restore</emphasis> command and is removed during <emphasis
+      role="bold">stop</emphasis> and <emphasis role="bold">clear</emphasis>.
+      If <emphasis role="bold">shorewall status</emphasis> indicates that
+      Shorewall is stopped, then something has deleted that chain. Look at the
+      output of <emphasis role="bold">shorewall status</emphasis>; if it looks
+      like this:</para>
+
+      <blockquote>
+        <programlisting>gateway:~# shorewall status
+Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010
+
+Shorewall is <emphasis role="bold">stopped</emphasis>
+State:<emphasis role="bold">Started</emphasis> (Tue Jul 20 16:01:49 PDT 2010)
+
+gateway:~# 
+</programlisting>
+      </blockquote>
+
+      <para>then it means that somehing outside of Shorewall has deleted the
+      chain. This usually means that you were running another firewall package
+      before you installed Shorewall and that other package has replaced
+      Shorewall's Netfilter configuration with its own. You must remove (or at
+      least disable) the other firewall package and restart Shorewall.</para>
+
+      <blockquote>
+        <programlisting>gateway:~# shorewall status
+Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010
+
+Shorewall is <emphasis role="bold">stopped</emphasis>
+State:<emphasis role="bold">Stopped</emphasis> (Wed Jul 21 13:26:26 PDT 2010)
+
+gateway:~# </programlisting>
+      </blockquote>
+
+      <para>then a <emphasis role="bold">shorewall stop</emphasis> command has
+      been executed (if the State shown in the output is <emphasis
+      role="bold">Cleared</emphasis>, then a <emphasis role="bold">shorewall
+      clear</emphasis> command was executed). Most likely, you have installed
+      and configured the <emphasis>shorewall-init</emphasis> package and a
+      required interface has gone down.</para>
+    </section>
   </section>
 
   <section id="MultiISP">
@@ -2326,7 +2395,7 @@ We have an error talking to the kernel
 
       <para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall
       4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver
-      zones</ulink> that are nested within the firewall zone. </para>
+      zones</ulink> that are nested within the firewall zone.</para>
 
       <para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
       firewall zone. But you can use shell variables to make vservers easier

docs/GettingStarted.xml

@@ -22,6 +22,8 @@
 
       <year>2007</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -45,33 +47,41 @@
     </listitem>
   </itemizedlist>
 
+  <para>Now, <ulink url="Install.htm">install Shorewall</ulink>.</para>
+
   <para>Next, read the QuickStart Guide that is appropriate for your
   configuration:</para>
 
+  <para><emphasis role="bold">If you just want to protect a system: (Requires
+  Shorewall 4.4.12-Beta3 or later)</emphasis></para>
+
+  <itemizedlist>
+    <listitem>
+      <para><ulink url="Universal.html">Universal</ulink> configuration --
+      requires no configuration to protect a single system.</para>
+    </listitem>
+  </itemizedlist>
+
   <para><emphasis role="bold">If you have only one public IP
   address:</emphasis></para>
 
   <itemizedlist>
     <listitem>
       <para><ulink url="standalone.htm">Standalone</ulink> Linux System with a
-      single network interface (<ulink url="standalone_fr.html">Version
-      Française</ulink>) <ulink url="standalone_ru.html">(Russian
-      Version)</ulink> <ulink url="standalone_es.html">Version en
-      Español</ulink></para>
+      single network interface (if you are running Shorewall 4.4.12 Beta 3 or
+      later, use the <ulink url="Universal.html">Universal</ulink>
+      configuration instead).</para>
     </listitem>
 
     <listitem>
       <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network (<ulink
-      url="two-interface_fr.html">Version Française</ulink>) (<ulink
-      url="two-interface_ru.html">Russian Version</ulink>)</para>
+      acting as a firewall/router for a small local network</para>
     </listitem>
 
     <listitem>
       <para><ulink url="three-interface.htm">Three-interface</ulink> Linux
-      System acting as a firewall/router for a small local network and a DMZ..
-      (<ulink url="three-interface_fr.html">Version Française</ulink>) (<ulink
-      url="three-interface_ru.html">Russian Version</ulink>)</para>
+      System acting as a firewall/router for a small local network and a
+      DMZ.</para>
     </listitem>
   </itemizedlist>
 
@@ -81,11 +91,10 @@
   <itemizedlist>
     <listitem>
       <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
-      Française</ulink>) outlines the steps necessary to set up a firewall
-      where there are multiple public IP addresses involved or if you want to
-      learn more about Shorewall than is explained in the single-address
-      guides above.</para>
+      Guide</ulink> outlines the steps necessary to set up a firewall where
+      there are multiple public IP addresses involved or if you want to learn
+      more about Shorewall than is explained in the single-address guides
+      above.</para>
     </listitem>
   </itemizedlist>
 

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 4.4/4.5 Manpages</title>
+    <title>Shorewall 4.4 Manpages</title>
 
     <authorgroup>
       <author>
@@ -129,6 +129,9 @@
         <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
+        <member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
+        - Attach an SELinux context to a packet.</member>
+
         <member><ulink
         url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
         classes for traffic shaping.</member>
@@ -189,6 +192,11 @@
         <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
         /sbin/shorewall command syntax and semantics.</member>
 
+        <member><ulink
+        url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
+        package that allows for automatic start/stop of other Shorewall
+        products based on network events.</member>
+
         <member><ulink
         url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
         /sbin/shorewall-lite command syntax and semantics.</member>

docs/Manpages6.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall6 4.4/4.5 Manpages</title>
+    <title>Shorewall6 4.4 Manpages</title>
 
     <authorgroup>
       <author>
@@ -114,6 +114,10 @@
         <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
+        <member><ulink
+        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
+        an SELinux context to a packet.</member>
+
         <member><ulink
         url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
         htb classes for traffic shaping.</member>

docs/MultiISP.xml

@@ -1100,6 +1100,40 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
       </section>
     </section>
 
+    <section>
+      <title>Looking at the routing tables</title>
+
+      <para>To look at the various routing tables, you must use the <emphasis
+      role="bold">ip</emphasis> utility. To see the entire routing
+      configuration (including rules), the command is <command>shorewall show
+      routing</command>. To look at an individual provider's table use
+      <command>ip route ls table <replaceable>provider</replaceable></command>
+      where <replaceable>provider</replaceable> can be either the provider
+      name or number.</para>
+
+      <para>Example:</para>
+
+      <programlisting>lillycat:- #<command>ip route ls</command>
+144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199
+71.190.227.208 dev ppp1  proto kernel  scope link  src 71.24.88.151
+192.168.7.254 dev eth1  scope link  src 192.168.7.1
+192.168.7.253 dev eth1  scope link  src 192.168.7.1
+192.168.7.0/24 dev eth1  proto kernel  scope link  src 192.168.7.1
+192.168.5.0/24 via 192.168.4.2 dev eth0
+192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223
+192.168.1.0/24 via 192.168.4.222 dev eth0
+default
+        nexthop dev ppp1 weight 2
+        nexthop dev ppp0 weight 1
+lillycat: #ip <command>route ls provider 1</command>
+144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199 
+192.168.5.0/24 via 192.168.4.2 dev eth0 
+192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223 
+192.168.1.0/24 via 192.168.4.222 dev eth0 
+default dev ppp0  scope link 
+lillycat: #</programlisting>
+    </section>
+
     <section id="USE_DEFAULT_RT">
       <title>USE_DEFAULT_RT</title>
 
@@ -1527,7 +1561,7 @@ connection {
 
 connection {
     name=Comcast
-    checkip=${ETH0_GATEWAY:-71.231.152.1}
+    checkip=${SW_ETH0_GATEWAY:-71.231.152.1}
     device=$COM_IF
     ttl=1
 }
@@ -1543,9 +1577,14 @@ EOF
    /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
 
-        <para>eth3 has a dynamic IP address so I need to use the
-        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
-        value to be used in the event that detection fails.</para>
+        <para>eth0 has a dynamic IP address so I need to use the
+        Shorewall-detected gateway address ($SW_ETH1_GATEWAY). I supply a
+        default value to be used in the event that detection fails.</para>
+
+        <note>
+          <para>In Shorewall 4.4.7 and earlier, the variable name is
+          ETH1_GATEWAY.</para>
+        </note>
 
         <para><filename>/etc/shorewall/started</filename>:</para>
 

docs/NetfilterOverview.xml

@@ -89,8 +89,8 @@
     Shorewall system itself.</para>
 
     <para>A more elaborate version of this flow is available <ulink
-    url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>
-    and <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
+    url="http://jengelh.medozas.de/images/nf-packet-flow.png">here</ulink> and
+    <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
     contrasts the Netfilter flow with that of ipchains.</para>
 
     <para>In the above diagram are boxes similar to this:</para>

docs/PacketMarking.xml

@@ -267,6 +267,108 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
         <para>Connection marking rules use a mask value of 0xff.</para>
       </listitem>
     </itemizedlist>
+
+    <para>Shorewall actually allows you to have complete control over the
+    layout of the 32-bit mark using the following options in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>TC_BITS</term>
+
+        <listitem>
+          <para>The number of bits at the low end of the mark to be used for
+          traffic shaping marking. May be zero.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_BITS</term>
+
+        <listitem>
+          <para>The number of bits in the mark to be used for provider
+          numbers. May be zero.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROVIDER_OFFSET</term>
+
+        <listitem>
+          <para>The offset from the right (low-order end) of the provider
+          number field. If non-zero, must be &gt;= TC_BITS (Shorewall
+          automatically adjusts PROVIDER_OFFSET's value). PROVIDER_OFFSET +
+          PROVIDER_BITS must be &lt;= 32.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>MASK_BITS</term>
+
+        <listitem>
+          <para>Number of bits on the right of the mark to be masked when
+          clearing the traffic shaping mark. Must be &gt;= TC_BITS and &lt;=
+          PROVIDER_OFFSET (if PROVIDER_OFFSET &gt; 0)</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The relationship between these options is shown in this
+    diagram.</para>
+
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+
+    <para></para>
+
+    <para>The default values of these options are determined by the settings
+    of other options as follows:</para>
+
+    <table>
+      <title>Default Values</title>
+
+      <tgroup cols="2">
+        <tbody>
+          <row>
+            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
+
+            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
+            MASK_BITS=8</entry>
+          </row>
+
+          <row>
+            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes</entry>
+
+            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8,
+            MASK_BITS=8</entry>
+          </row>
+
+          <row>
+            <entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No</entry>
+
+            <entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
+            MASK_BITS=16</entry>
+          </row>
+
+          <row>
+            <entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes</entry>
+
+            <entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16,
+            MASK_BITS=16</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </table>
+
+    <para>The existence of both TC_BITS and MASK_BITS is owed to the way that
+    WIDE_TC_MARKS was originally implemented. Note that TC_BITS is 14 rather
+    than 16 when WIDE_TC_MARKS=Yes.</para>
+
+    <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
+    PROVIDER_OFFSET can be used for any purpose you want.</para>
+
+    <para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
+    used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
+    exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
   </section>
 
   <section id="Shorewall">

docs/Shorewall-init.xml

@@ -74,13 +74,13 @@
     <title>Closing the Firewall before the Network Interfaces are brought
     up</title>
 
-    <para> When Shorewall-init is first installed, it does nothing until you
+    <para>When Shorewall-init is first installed, it does nothing until you
     configure it.</para>
 
     <para>The configuration file is <filename>/etc/default/shorewall-init
     </filename>on Debian-based systems and
     <filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
-    two settings in the file: </para>
+    two settings in the file:</para>
 
     <variablelist>
       <varlistentry>
@@ -115,7 +115,7 @@
       <listitem>
         <para>Be sure that your current firewall script(s) (normally in
         <filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are)
-        compiled with the 4.4.10 compiler. </para>
+        compiled with the 4.4.10 compiler.</para>
 
         <para>Shorewall and Shorewall6 users can execute these
         commands:</para>
@@ -139,7 +139,7 @@
       </listitem>
     </orderedlist>
 
-    <para>That's all that is required. </para>
+    <para>That's all that is required.</para>
   </section>
 
   <section id="NM">
@@ -147,7 +147,7 @@
 
     <para>To integrate with NetworkManager and ifup/ifdown, additional steps
     are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM. </para>
+    link status monitor like swping or LSM.</para>
 
     <orderedlist numeration="loweralpha">
       <listitem>
@@ -165,15 +165,21 @@
       <listitem>
         <para>Optional) -- If you have specified at least one
         <option>required</option> or <option>optional</option> interface, you
-        can then disable automatic firewall startup at boot time. On
-        Debian-based systems, set startup=0 in
+        can then disable automatic firewall startup at boot time. On Debian
+        systems, set startup=0 in
         <filename>/etc/default/<replaceable>product</replaceable></filename>.
         On other systems, use your service startup configuration tool
-        (chkconfig, insserv, ...) to disable startup. </para>
+        (chkconfig, insserv, ...) to disable startup.</para>
+
+        <warning>
+          <para>If your system uses Upstart as it's system initialization
+          daemon, you should not disable startup. Upstart is standard on
+          recent Ubuntu and Fedora releases and is optional on Debian.</para>
+        </warning>
       </listitem>
     </orderedlist>
 
-    <para>The following actions occur when an interface comes up: </para>
+    <para>The following actions occur when an interface comes up:</para>
 
     <informaltable>
       <tgroup cols="3">
@@ -253,7 +259,7 @@
       </tgroup>
     </informaltable>
 
-    <para> For optional interfaces, the
+    <para>For optional interfaces, the
     <filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
     files are maintained to reflect the state of the interface so that they
     may be used by the standard <firstterm>isusable</firstterm> script. Please
@@ -272,13 +278,13 @@
 
     <para>Similarly, if an optional interface goes down and there are no
     optional interfaces remaining in the up state, then the firewall is
-    stopped. </para>
+    stopped.</para>
 
     <para>On Debian-based systems, during system shutdown the firewall is
     opened prior to network shutdown (<command>/etc/init.d/shorewall
     stop</command> performs a 'clear' operation rather than a 'stop'). This is
     required by Debian standards. You can change this default behavior by
     setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
-    (<filename>/etc/default/shorewall6</filename>, ...). </para>
+    (<filename>/etc/default/shorewall6</filename>, ...).</para>
   </section>
 </article>

docs/Universal.xml

@@ -0,0 +1,352 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Universal Configuration</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2010</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Configuring Shorewall</title>
+
+    <para>Once you have installed the Shorewall software, you must configure
+    it. The easiest way to do that is to use one of Shorewall's
+    <firstterm>Sample Configurations</firstterm>. The Universal Configuration
+    is one of those samples.</para>
+  </section>
+
+  <section>
+    <title>What the Universal Configuration does</title>
+
+    <para>The Universal Shorewall configuration requires that you simply copy
+    the configuration to <filename class="directory">/etc/shorewall</filename>
+    and start Shorewall. This sample configuation:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Allows all outgoing traffic.</para>
+      </listitem>
+
+      <listitem>
+        <para>Blocks all incoming connections except:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Secure Shell</para>
+          </listitem>
+
+          <listitem>
+            <para>Ping</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>Allows forwarding of traffic, provided that the system has more
+        than one interface or is set up to route between networks on a single
+        interface.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
+
+  <section>
+    <title>How to Install it</title>
+
+    <para>The location of the sample configuration files is dependent on your
+    distribution and <ulink url="Install.htm">how you installed
+    Shorewall</ulink>.</para>
+
+    <orderedlist>
+      <listitem>
+        <para>If you installed using an <acronym>RPM</acronym>, the samples
+        will be in the <filename
+        class="directory">Samples/Universal</filename> subdirectory of the
+        Shorewall documentation directory. If you don't know where the
+        Shorewall documentation directory is, you can find the samples using
+        this command:</para>
+
+        <programlisting>~# rpm -ql shorewall-common | fgrep Universal
+/usr/share/doc/packages/shorewall/Samples/Universal
+/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
+/usr/share/doc/packages/shorewall/Samples/Universal/policy
+/usr/share/doc/packages/shorewall/Samples/Universal/rules
+/usr/share/doc/packages/shorewall/Samples/Universal/zones
+~#</programlisting>
+      </listitem>
+
+      <listitem>
+        <para>If you installed using the tarball, the samples are in the
+        <filename class="directory">Samples/Universal</filename> directory in
+        the tarball.</para>
+      </listitem>
+
+      <listitem>
+        <para>If you installed using a Shorewall 4.x .deb, the samples are in
+        <filename
+        class="directory">/usr/share/doc/shorewall-common/examples/Universal</filename>..
+        You do not need the shorewall-doc package to have access to the
+        samples.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>Simple copy the files from the Universal directory to
+    /etc/shorewall.</para>
+  </section>
+
+  <section>
+    <title>How to Start the firewall</title>
+
+    <para>Before starting Shorewall for the first time, it's a good idea to
+    stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt
+    type:</para>
+
+    <blockquote>
+      <para><command>service iptables stop</command></para>
+    </blockquote>
+
+    <para>If you are running SuSE, use Yast or Yast2 to stop
+    SuSEFirewall.</para>
+
+    <para>Once you have Shorewall running to your satisfaction, you should
+    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
+
+    <blockquote>
+      <para><command>chkconfig --del iptables</command></para>
+    </blockquote>
+
+    <para>At a root prompt, type:</para>
+
+    <blockquote>
+      <para><command>/sbin/shorewall start</command></para>
+    </blockquote>
+
+    <para>That's it. Shorewall will automatically start again when you
+    reboot.</para>
+  </section>
+
+  <section>
+    <title>Now that it is running, ...</title>
+
+    <section>
+      <title>How do I stop the firewall?</title>
+
+      <para>At a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall clear</command></para>
+      </blockquote>
+
+      <para>The system is now 'wide open'.</para>
+    </section>
+
+    <section>
+      <title>How do I prevent it from responding to ping?</title>
+
+      <para>Edit <filename>/etc/shorewall/rules</filename> and remove the line
+      that reads:</para>
+
+      <blockquote>
+        <para>Ping(ACCEPT) net $FW</para>
+      </blockquote>
+
+      <para>and at a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall restart</command></para>
+      </blockquote>
+    </section>
+
+    <section>
+      <title>How do I allow other kinds of incoming connections?</title>
+
+      <para>Shorewall includes a collection of <firstterm>macros</firstterm>
+      that can be used to quickly allow or deny services. You can find a list
+      of the macros included in your version of Shorewall using the command
+      <command>ls <filename>/usr/share/shorewall/macro.*</filename></command>
+      or at a shell prompt type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall show macros</command></para>
+      </blockquote>
+
+      <para>If you wish to enable connections from the Internet to your
+      firewall and you find an appropriate macro in
+      <filename>/etc/shorewall/macro.*</filename>, the general format of a
+      rule in <filename>/etc/shorewall/rules</filename> is:</para>
+
+      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
+&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net       $FW</programlisting>
+
+      <important>
+        <para>Be sure to add your rules after the line that reads <emphasis
+        role="bold">SECTION NEW.</emphasis></para>
+      </important>
+
+      <example id="Example1">
+        <title>You want to run a Web Server and a IMAP Server on your firewall
+        system:</title>
+
+        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
+Web(ACCEPT) net       $FW
+IMAP(ACCEPT)net       $FW</programlisting>
+      </example>
+
+      <para>You may also choose to code your rules directly without using the
+      pre-defined macros. This will be necessary in the event that there is
+      not a pre-defined macro that meets your requirements. In that case the
+      general format of a rule in <filename>/etc/shorewall/rules</filename>
+      is:</para>
+
+      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+ACCEPT    net       $FW             <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
+
+      <example id="Example2">
+        <title>You want to run a Web Server and a IMAP Server on your firewall
+        system:</title>
+
+        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+ACCEPT    net       $FW             tcp          80
+ACCEPT    net       $FW             tcp          143</programlisting></para>
+      </example>
+
+      <para>If you don't know what port and protocol a particular application
+      uses, see <ulink url="ports.htm">here</ulink>.</para>
+    </section>
+
+    <section>
+      <title>How do I make the firewall log a message when it disallows an
+      incoming connection?</title>
+
+      <para>Shorewall does not maintain a log itself but rather relies on your
+      <ulink url="shorewall_logging.html">system's logging
+      configuration</ulink>. The following <ulink
+      url="manpages/shorewall.html">commands</ulink> rely on knowing where
+      Netfilter messages are logged:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><command>shorewall show log</command> (Displays the last 20
+          Netfilter log messages)</para>
+        </listitem>
+
+        <listitem>
+          <para><command>shorewall logwatch</command> (Polls the log at a
+          settable interval</para>
+        </listitem>
+
+        <listitem>
+          <para><command>shorewall dump</command> (Produces an extensive
+          report for inclusion in Shorewall problem reports)</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>It is important that these commands work properly because when you
+      encounter connection problems when Shorewall is running, the first thing
+      that you should do is to look at the Netfilter log; with the help of
+      <ulink url="FAQ.htm#faq17">Shorewall FAQ 17</ulink>, you can usually
+      resolve the problem quickly.</para>
+
+      <para>The Netfilter log location is distribution-dependent:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Debian and its derivatives log Netfilter messages to
+          <filename>/var/log/kern.log</filename>.</para>
+        </listitem>
+
+        <listitem>
+          <para>Recent <trademark>SuSE/OpenSuSE</trademark> releases come
+          preconfigured with syslog-ng and log netfilter messages to
+          <filename>/var/log/firewall</filename>.</para>
+        </listitem>
+
+        <listitem>
+          <para>For other distributions, Netfilter messages are most commonly
+          logged to <filename>/var/log/messages</filename>.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Modify the LOGFILE setting in
+      <filename>/etc/shorewall/shorewall.conf</filename> to specify the name
+      of your log.</para>
+
+      <important>
+        <para>The LOGFILE setting does not control where the Netfilter log is
+        maintained -- it simply tells the /sbin/<filename>shorewall</filename>
+        utility where to find the log.</para>
+      </important>
+
+      <para>Now, edit <filename>/etc/shorewall/policy</filename> and modify
+      the line that reads:</para>
+
+      <blockquote>
+        <para>net all DROP</para>
+      </blockquote>
+
+      <para>to</para>
+
+      <blockquote>
+        <para>net all DROP <emphasis role="bold">info</emphasis></para>
+      </blockquote>
+
+      <para>Then at a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall restart</command></para>
+      </blockquote>
+    </section>
+
+    <section>
+      <title>How do I prevent the firewall from forwarding connection
+      requests?</title>
+
+      <para>Edit /etc/shorewall/interfaces, and remove the routeback option
+      from the interface. e.g., change the line that reads:</para>
+
+      <blockquote>
+        <para>net all - dhcp,physical=+<emphasis
+        role="bold">,routeback</emphasis>,optional</para>
+      </blockquote>
+
+      <para>to</para>
+
+      <blockquote>
+        <para>net all - dhcp,physical=+,optional</para>
+      </blockquote>
+
+      <para>Then at a root prompt, type:</para>
+
+      <blockquote>
+        <para><command>/sbin/shorewall restart</command></para>
+      </blockquote>
+    </section>
+  </section>
+</article>

docs/Vserver.xml

@@ -134,7 +134,7 @@ vpn             ipv4            #OpenVPN clients
     <para><filename>/etc/shorewall/hosts</filename>:</para>
 
     <programlisting>#ZONE   HOST(S)                                 OPTIONS
-drct    eth3:dynamic
+drct    eth4:dynamic
 <emphasis role="bold">dmz     eth1:70.90.191.124/31</emphasis></programlisting>
 
     <para>While the IP addresses 70.90.191.124 and 70.90.191.125 are

docs/blacklisting_support.xml

@@ -20,6 +20,8 @@
     <copyright>
       <year>2002-2006</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -34,6 +36,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
   <section id="Intro">
     <title>Introduction</title>
 
@@ -61,6 +70,20 @@
       the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
       connecting to you — they do not stop you or your users from connecting
       to blacklisted hosts .</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>UPDATE</term>
+
+          <listitem>
+            <para>Beginning with Shorewall 4.4.12, you can also blacklist by
+            destination address. See <ulink
+            url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
+            (5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
+            for details.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
     </important>
 
     <important>
@@ -161,25 +184,28 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
     Prior to that release, the feature is always enabled.</para>
 
     <para>Once enabled, dynamic blacklisting doesn't use any configuration
-    parameters but is rather controlled using /sbin/shorewall[-lite]
-    commands:</para>
+    parameters but is rather controlled using /sbin/shorewall[-lite] commands.
+    <emphasis role="bold">Note</emphasis> that <emphasis
+    role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
+    only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
+    later</emphasis>.</para>
 
     <itemizedlist>
       <listitem>
-        <para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be silently dropped by the
+        <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be silently dropped by
+        the firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be rejected by the
         firewall.</para>
       </listitem>
 
       <listitem>
-        <para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be rejected by the
-        firewall.</para>
-      </listitem>
-
-      <listitem>
-        <para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
-        receipt of packets from hosts previously blacklisted by a
+        <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        re-enables receipt of packets from hosts previously blacklisted by a
         <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
         command.</para>
       </listitem>
@@ -201,19 +227,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
       </listitem>
 
       <listitem>
-        <para>logdrop <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be dropped and logged by the
-        firewall. Logging will occur at the level specified by the
+        <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+        causes packets from the listed IP addresses to be dropped and logged
+        by the firewall. Logging will occur at the level specified by the
         BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
         the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
       </listitem>
 
       <listitem>
-        <para>logreject <emphasis>&lt;ip address list&gt;</emphasis> - causes
-        packets from the listed IP addresses to be rejected and logged by the
-        firewall. Logging will occur at the level specified by the
-        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
-        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
+        <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
+        - causes packets from the listed IP addresses to be rejected and
+        logged by the firewall. Logging will occur at the level specified by
+        the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
+        at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
       </listitem>
     </itemizedlist>
 

docs/configuration_file_basics.xml

@@ -213,6 +213,12 @@
           shaping.</para>
         </listitem>
 
+        <listitem>
+          <para><filename>/etc/shorewall/secmarks</filename> - Added in
+          Shorewall 4.4.13. Attach an SELinux context to selected
+          packets.</para>
+        </listitem>
+
         <listitem>
           <para><filename>/etc/shorewall/vardir</filename> - Determines the
           directory where Shorewall maintains its state.</para>
@@ -290,6 +296,30 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
     </example>
   </section>
 
+  <section id="Names">
+    <title>Names</title>
+
+    <para>When you define an object in Shorewall (<ulink
+    url="manpages/shorewall-zones.html">Zone</ulink>, <link
+    linkend="Logical">Logical Interface</link>, <ulink
+    url="ipsets.html">ipsets</ulink>, <ulink
+    url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
+    names start with a letter and consist of letters, digits or underscores
+    ("_"). Except for Zone names, Shorewall does not impose a limit on name
+    length.</para>
+
+    <para>When an ipset is referenced, the name must be preceded by a plus
+    sign ("+").</para>
+
+    <para>The last character of an interface may also be a plus sign to
+    indicate a wildcard name.</para>
+
+    <para>Physical interface names match names shown by 'ip link ls'; if the
+    name includes an at sign ("@"), do not include that character or any
+    character that follows. For example, "sit1@NONE" is referred to as simply
+    'sit1".</para>
+  </section>
+
   <section id="COMMENT">
     <title>Attach Comment to Netfilter Rules</title>
 
@@ -319,6 +349,10 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
         <para><filename>/etc/shorewall/rules</filename></para>
       </listitem>
 
+      <listitem>
+        <para><filename>/etc/shorewall/secmarks</filename></para>
+      </listitem>
+
       <listitem>
         <para><filename>/etc/shorewall/tcrules</filename></para>
       </listitem>
@@ -396,7 +430,7 @@ gateway:~ #
 COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
     <filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home
-SSH/ALLOW    net:$MYIP      $FW
+SSH(ACCEPT)    net:$MYIP      $FW
 COMMENT</programlisting>The comment line in macro.SSH will not override the
     COMMENT line in the rules file and the generated rule will show <emphasis
     role="bold">/* Allow SSH from home */</emphasis> when displayed through
@@ -486,8 +520,9 @@ ACCEPT      net:\
       <listitem>
         <para>ADDRESS LIST — A list of one or more addresses (host or network)
         or address ranges, separated by commas. In an IPv6 configuration, this
-        list must be includes in angled brackets ("&lt;...&gt;"). The list may
-        have <link linkend="Exclusion">exclusion</link>.</para>
+        list must be includef in square or angled brackets ("[...]" or
+        "&lt;...&gt;"). The list may have <link
+        linkend="Exclusion">exclusion</link>.</para>
       </listitem>
     </orderedlist>
 
@@ -526,7 +561,7 @@ ACCEPT      net:\
       <listitem>
         <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
         role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
+        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
       </listitem>
     </orderedlist>
   </section>
@@ -750,9 +785,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
       </listitem>
 
       <listitem>
-        <para>Should not depend on where the code is called from (the params
-        file is sourced by both /sbin/shorewall and
-        /usr/lib/shorewall/firewall).</para>
+        <para>Should not depend on where the code is called from.</para>
       </listitem>
 
       <listitem>
@@ -1318,7 +1351,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     <para>Beginning with Shorewall 4.4.4, you can use logical interface names
     which are mapped to the actual interface using the
     <option>physical</option> option in <ulink
-    url="manpages/shorewall-interfaces.html">shorewall-interfraces</ulink>
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
     (5).</para>
 
     <para>Here is an example:</para>

docs/ipsets.xml

@@ -22,6 +22,8 @@
 
       <year>2008</year>
 
+      <year>2010</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -36,6 +38,13 @@
     </legalnotice>
   </articleinfo>
 
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.4.0 then please see the documentation appropriate for your
+    version.</emphasis></para>
+  </caution>
+
   <section id="Ipsets">
     <title>What are Ipsets?</title>
 
@@ -104,49 +113,41 @@
     <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
 ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
 
-    <para>Shorewall is not in the ipset load/reload business because the
-    Netfilter rule set is never cleared. That means that there is no
-    opportunity for Shorewall to load/reload your ipsets since that cannot be
-    done while there are any current rules using ipsets.</para>
+    <para>The name of the ipset can be optionally followed by a
+    comma-separated list of flags enclosed in square brackets ([...]). Each
+    flag is either <emphasis role="bold">src</emphasis> or <emphasis
+    role="bold">dst</emphasis> and specifies whether it is the SOURCE address
+    or port number or the DESTINATION address or port number that should be
+    matched. The number of flags must be appropriate for the type of ipset. If
+    no flags are given, Shorewall assumes that the set takes a single flag and
+    will select the flag based on the context. For example, in the blacklist
+    file and when the ipset appears in the SOURCE column of the rules file,
+    <emphasis role="bold">src</emphasis> is assumed. If the ipset appears in
+    the DEST column of the rules file, <emphasis role="bold">dst</emphasis> is
+    assumed. Note that by using <emphasis role="bold">[dst]</emphasis> in the
+    blacklist file, you can coerce the rule into matching the destination IP
+    address rather than the source.</para>
 
-    <para>So:</para>
+    <para>Shorewall can save/restore your ipset contents with certain
+    restrictions:</para>
 
-    <orderedlist numeration="upperroman">
+    <orderedlist>
       <listitem>
-        <para>Your ipsets must be loaded before Shorewall starts. You are free
-        to try to do that with the following code in
-        <filename>/etc/shorewall/init (it works for me; your mileage may
-        vary)</filename>:</para>
-
-        <programlisting>if [ "$COMMAND" = start ]; then
-    ipset -F
-    ipset -X
-    ipset -R &lt; /etc/shorewall/ipsets
-fi</programlisting>
-
-        <para>The file <filename>/etc/shorewall/ipsets</filename> will
-        normally be produced using the <command>ipset -S</command>
-        command.</para>
-
-        <para>The above will work most of the time but will fail in a
-        <command>shorewall stop</command> - <command>shorewall start</command>
-        sequence if you use ipsets in your routestopped file (see
-        below).</para>
+        <para>You must set SAVE_IPSETS=Yes in <ulink
+        url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
       </listitem>
 
       <listitem>
-        <para>Your ipsets may not be reloaded until Shorewall is stopped or
-        cleared.</para>
+        <para>You cannot use an ipset in <ulink
+        url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+        (5).</para>
       </listitem>
 
       <listitem>
-        <para>If you specify ipsets in your routestopped file then Shorewall
-        must be cleared in order to reload your ipsets.</para>
+        <para>The <command>restore</command> command cannot restore ipset
+        contents saved by the <command>save</command> command unless the
+        firewall is first stopped.</para>
       </listitem>
     </orderedlist>
-
-    <para>As a consequence, scripts generated by the Perl-based compiler will
-    ignore <filename>/etc/shorewall/ipsets</filename> and will issue a warning
-    if you set SAVE_IPSETS=Yes in <filename>shorewall.conf</filename></para>
   </section>
 </article>

docs/shorewall_extension_scripts.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2007</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -596,6 +596,9 @@ esac</programlisting><caution>
       <para>Example:</para>
 
       <programlisting>my $chainref = $filter_table-&gt;{INPUT}; #Same as above with a few less keystrokes; runs faster too</programlisting>
+
+      <para>For imformation about the 'compile' extension script, see the
+      <ulink url="ManualChains.html">Manual Chains article</ulink>.</para>
     </section>
   </section>
 </article>

docs/shorewall_features.xml

@@ -16,7 +16,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>
 
       <holder>Thomas M Eastep</holder>
     </copyright>
@@ -246,6 +246,37 @@
         <para><ulink url="IPv6Support.html"><emphasis
         role="bold">IPv6</emphasis> Support</ulink></para>
       </listitem>
+
+      <listitem>
+        <para>Works with a wide range of <emphasis
+        role="bold">Virtualization</emphasis> Solutions:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para><ulink url="KVM.html"><emphasis
+            role="bold">KVM</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para><ulink url="XenMyWay-Routed.html"><emphasis
+            role="bold">Xen</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para><ulink url="Vserver.html"><emphasis
+            role="bold">Linux-Vserver</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para><ulink url="OpenVZ.html"><emphasis
+            role="bold">OpenVZ</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para>VirtualBox</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
     </itemizedlist>
   </section>
 </article>

docs/simple_traffic_shaping.xml

@@ -62,7 +62,7 @@
 
     <para>Assuming that your external interface is eth0:</para>
 
-    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
+    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH        OUT-BANDWIDTH
 eth0                   External</programlisting>
 
     <note>
@@ -214,13 +214,13 @@ eth0                   External</programlisting>
     is NO space between the number and the unit (it is 100kbit not 100 kbit).
     <emphasis role="bold">mbit</emphasis>, <emphasis
     role="bold">mbps</emphasis> or a raw number (which means bytes) can be
-    used, but note that only integer numbers are supported (0.5 is not valid).
-    To pick an appropriate setting, we recommend that you start by setting
-    IN-BANDWIDTH significantly below your measured download bandwidth (20% or
-    so). While downloading, measure the ping response time from the firewall
-    to the upstream router as you gradually increase the setting. The optimal
-    setting is at the point beyond which the ping time increases sharply as
-    you increase the setting.</para>
+    used, but note that before Shorewall 4.4.13 only integer numbers were
+    supported (0.5 was not valid). To pick an appropriate setting, we
+    recommend that you start by setting IN-BANDWIDTH significantly below your
+    measured download bandwidth (20% or so). While downloading, measure the
+    ping response time from the firewall to the upstream router as you
+    gradually increase the setting. The optimal setting is at the point beyond
+    which the ping time increases sharply as you increase the setting.</para>
 
     <para>Simple Traffic Shaping is only appropriate on interfaces where
     output queuing occurs. As a consequence, you usually only use it on
@@ -231,6 +231,19 @@ eth0                   External</programlisting>
 
     <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
 tun0                   Internal</programlisting>
+
+    <para>For fast lines, the actual download rate may be significantly less
+    than the specified IN-BANDWIDTH. Beginning with Shoreall 4.4.13, you can
+    specify an optional burst </para>
+
+    <para>Also beginning with Shorewall 4.4.13, an OUT-BANDWIDTH column is
+    available in <ulink
+    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5). Limiting
+    to outgoing bandwidth can have a positive effect on latency for
+    applications like VOIP. We recommend that you begin with a setting that is
+    at least 20% less than your measured upload rate and then gradually
+    increase it until latency becomes unacceptable. Then reduce it back to the
+    point where latency is acceptable.</para>
   </section>
 
   <section>

docs/support.xml

@@ -428,9 +428,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
     below).</para>
 
     <para>For <emphasis role="bold">quick questions</emphasis>, there is also
-    a #shorewall channel at irc.freenode.net. <emphasis role="bold">You must
-    have a registered Nic on freenode in order to post on the
-    channel.</emphasis></para>
+    a #shorewall channel at irc.freenode.net. </para>
   </section>
 
   <section id="Users">

docs/template.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2009</year>
+      <year>2010</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>

docs/traffic_shaping.xml

@@ -428,11 +428,12 @@
         <listitem>
           <para>REDIRECTED INTERFACES — Entries are appropriate in this column
           only if the device in the INTERFACE column names a <link
-          linkend="IFB">Intermediate Functional Block (IFB)</link>. It lists the
-          physical interfaces that will have their input shaped using classes
-          defined on the IFB. Neither the IFB nor any of the interfaces listed
-          in this column may have an IN-BANDWIDTH specified. You may specify
-          zero (0) or a dash ("-:) in the IN-BANDWIDTH column.</para>
+          linkend="IFB">Intermediate Functional Block (IFB)</link>. It lists
+          the physical interfaces that will have their input shaped using
+          classes defined on the IFB. Neither the IFB nor any of the
+          interfaces listed in this column may have an IN-BANDWIDTH specified.
+          You may specify zero (0) or a dash ("-:) in the IN-BANDWIDTH
+          column.</para>
 
           <para>IFB devices automatically get the <emphasis
           role="bold">classify</emphasis> option.</para>
@@ -816,12 +817,9 @@ ppp0           6000kbit         500kbit</programlisting>
       in-depth look at the packet marking facility in Netfilter/Shorewall,
       please see <ulink url="PacketMarking.html">this article</ulink>.</para>
 
-      <para>Normally, packet marking occurs in the PREROUTING chain before any
-      address rewriting takes place. This makes it impossible to mark inbound
-      packets based on their destination address when SNAT or Masquerading are
-      being used. You can cause packet marking to occur in the FORWARD chain
-      by using the MARK_IN_FORWARD_CHAIN option in shorewall.conf or by using
-      the :F qualifier (see below).</para>
+      <para><emphasis role="bold">For marking forwarded traffic, you must
+      either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F
+      qualifier (see below).</emphasis></para>
 
       <para>Columns in the file are as follows:</para>
 

manpages/shorewall-accounting.xml

@@ -35,7 +35,8 @@
         <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
         role="bold">COUNT</emphasis>|<emphasis
         role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
-        role="bold">COUNT</emphasis>]}</term>
+        role="bold">{COUNT</emphasis>:JUMP}]|COUNT
+        <emphasis>comment</emphasis>}</term>
 
         <listitem>
           <para>What to do when a matching packet is found.</para>
@@ -76,6 +77,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis>chain</emphasis>:JUMP</term>
+
+              <listitem>
+                <para>Like the previous option without the <emphasis
+                role="bold">:COUNT</emphasis> part.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>COMMENT</term>
 
@@ -306,6 +316,147 @@
           </variablelist>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
+        (Optional - Added in Shorewall 4.4.13 )</emphasis></term>
+
+        <listitem>
+          <para>The option-list consists of a comma-separated list of options
+          from the following list. Only packets that will be encrypted or have
+          been de-crypted via an SA that matches these options will have their
+          source address changed.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis
+              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is specified using
+                setkey(8) using the 'unique:<emphasis>number</emphasis> option
+                for the SPD level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">spi=</emphasis>&lt;number&gt;</term>
+
+              <listitem>
+                <para>where <emphasis>number</emphasis> is the SPI of the SA
+                used to encrypt/decrypt packets.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">proto=</emphasis><emphasis
+              role="bold">ah</emphasis>|<emphasis
+              role="bold">esp</emphasis>|<emphasis
+              role="bold">ipcomp</emphasis></term>
+
+              <listitem>
+                <para>IPSEC Encapsulation Protocol</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss=</emphasis><emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>sets the MSS field in TCP packets</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">mode=</emphasis><emphasis
+              role="bold">transport</emphasis>|<emphasis
+              role="bold">tunnel</emphasis></term>
+
+              <listitem>
+                <para>IPSEC mode</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-src=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">tunnel-dst=</emphasis><emphasis>address</emphasis>[/<emphasis>mask</emphasis>]</term>
+
+              <listitem>
+                <para>only available with mode=tunnel</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">strict</emphasis></term>
+
+              <listitem>
+                <para>Means that packets must match all rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">next</emphasis></term>
+
+              <listitem>
+                <para>Separates rules; can only be used with strict</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">yes</emphasis> or <emphasis
+              role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will be
+                encrypted/encapsulated or has been decrypted/un-encapsulted to
+                match the rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">no</emphasis> or <emphasis
+              role="bold">none</emphasis></term>
+
+              <listitem>
+                <para>When used by itself, causes all traffic that will not be
+                encrypted/encapsulated or has been decrypted/un-encapsulted to
+                match the rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>If this column is non-empty, then:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>A chain NAME may appearing in the ACTION column must be a
+              chain branched either directly or indirectly from the <emphasis
+              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accountout</emphasis> chain.</para>
+            </listitem>
+
+            <listitem>
+              <para>The CHAIN column must contain either <emphasis
+              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accountout</emphasis> or a chain branched either
+              directly or indirectly from those chains.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>These rules will NOT appear in the <emphasis
+          role="bold">accounting</emphasis> chain.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
 
     <para>In all of the above columns except <emphasis
@@ -330,12 +481,13 @@
     </ulink></para>
 
     <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-actions.xml

@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
   <refmeta>
     <refentrytitle>shorewall-actions</refentrytitle>
@@ -48,11 +50,11 @@
     url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
     shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
     shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>