Document VERBOSITY fix.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/shorewall.conf

@@ -126,18 +126,12 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
-PKTTYPE=Yes
-
 NULL_ROUTE_RFC1918=No
 
 MACLIST_TABLE=filter
@@ -196,7 +190,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=Yes
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=Yes
 

Samples/one-interface/shorewall.conf

@@ -137,14 +137,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -165,8 +161,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -207,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples/three-interfaces/shorewall.conf

@@ -137,14 +137,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -165,8 +161,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -207,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples/two-interfaces/shorewall.conf

@@ -144,14 +144,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -172,8 +168,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -214,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples6/Universal/shorewall6.conf

@@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=Yes
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=Yes
 

Samples6/one-interface/shorewall6.conf

@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples6/three-interfaces/shorewall6.conf

@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples6/two-interfaces/shorewall6.conf

@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -285,11 +285,8 @@ fi
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
+	    
-		insserv /etc/init.d/shorewall-init
+	    update-rc.d shorewall-init defaults
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
 
 	    echo "Shorewall Init will start automatically at boot"
 	else

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.13
+%define version 4.4.14
-%define release 1
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,10 +99,18 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
+- Updated to 4.4.14-0base
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -17,10 +17,9 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
-[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
-
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -355,6 +355,8 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
 
+	    update-rc.d shorewall-lite defaults
+
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-lite
 	    else

Shorewall-lite/shorewall-lite

@@ -94,9 +94,9 @@ get_config() {
     [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread | tac"
+	g_logread="logread | tac"
     elif [ -r $LOGFILE ]; then
-	LOGREAD="tac $LOGFILE"
+	g_logread="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -145,6 +145,12 @@ get_config() {
 
     [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
+    fi
+
     g_hostname=$(hostname 2> /dev/null)
 
     IP=$(mywhich ip 2> /dev/null)
@@ -463,6 +469,7 @@ g_use_verbosity=
 g_noroutes=
 g_timestamp=
 g_recovering=
+g_logread=
 
 finished=0
 

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.13
+%define version 4.4.14
-%define release 1
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,10 +102,18 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
+- Updated to 4.4.14-0base
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall/Contrib/swping

@@ -224,7 +224,7 @@ while : ; do
 	# One of the interfaces changed state -- restart Shorewall
 	#
 	echo $if1_state > $VARDIR/${IF1}.status
-	echo $if2_state > $VARDIR/${IF2}.status 
+	echo $if2_state > $VARDIR/${IF2}.status
 	eval $COMMAND
 	state_changed=
     fi

Shorewall/Contrib/swping.init

@@ -32,7 +32,7 @@
 ### BEGIN INIT INFO
 # Provides:	  swping
 # Required-Start: shorewall
-# Should-Start: 
+# Should-Start:
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
@@ -87,7 +87,7 @@ case "$command" in
 	    echo "swping is running"
 	    exit 0
 	else
-	    echo "swping is stopped" 
+	    echo "swping is stopped"
 	    exit 3
 	fi
 	;;

Shorewall/Macros/macro.BitTorrent

@@ -5,7 +5,7 @@
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	If you are running BitTorrent 3.2 or later, you should use the 
+#	If you are running BitTorrent 3.2 or later, you should use the
 #	BitTorrent32 macro.
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/

Shorewall/Macros/macro.IPPserver

@@ -15,7 +15,7 @@
 #	Example for a two-interface firewall which acts as a print
 #	server for loc:
 #		IPPserver/ACCEPT loc $FW
-#	
+#
 #	NOTE: If you want both to serve requests for local printers and
 #	listen to requests for remote printers (i.e. your CUPS server is
 #	also a client), you need to apply the rule twice, e.g.

Shorewall/Macros/macro.template

@@ -304,9 +304,9 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
-#	MARK		Specifies a MARK value to match. Must be empty or 
+#	MARK		Specifies a MARK value to match. Must be empty or
 #			'-' if the macro is to be used within an action.
-#			
+#
 #				[!]value[/mask][:C]
 #
 #    			Defines a test on the existing packet or connection
@@ -341,7 +341,7 @@
 #				[!]limit[:mask]
 #
 #			May be used to limit the number of simultaneous
-#			connections from each individual host to limit 
+#			connections from each individual host to limit
 #			connections. Requires connlimit match in your kernel
 #			and iptables. While the limit is only checked on rules
 #			specifying CONNLIMIT, the number of current connections

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.13';
+our $VERSION = '4.4.14';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -98,7 +98,7 @@ sub process_accounting_rule( ) {
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
     my $jump  = 0;
-    
+
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
 	    $target = 'RETURN';
@@ -166,7 +166,7 @@ sub process_accounting_rule( ) {
 		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
 	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
 	    $chainref->{ipsec} = $dir;
 	}
     } elsif ( $ipsec ne '-' ) {
@@ -224,48 +224,48 @@ sub process_accounting_rule( ) {
 
 sub setup_accounting() {
 
-    my $fn = open_file 'accounting';
+    if ( my $fn = open_file 'accounting' ) {
 
-    first_entry "$doing $fn...";
+	first_entry "$doing $fn...";
 
-    my $nonEmpty = 0;
+	my $nonEmpty = 0;
 
-    $nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line;
 
-    clear_comment;
+	clear_comment;
 
-    if ( have_bridges ) {
+	if ( have_bridges ) {
-	if ( $filter_table->{accounting} ) {
+	    if ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD/ ) {
+		for my $chain ( qw/INPUT FORWARD/ ) {
+		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		}
+	    }
+
+	    if ( $filter_table->{accountout} ) {
+		add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	    }
+	} elsif ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 
-	if ( $filter_table->{accountout} ) {
+	if ( $filter_table->{accipsecin} ) {
-	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	    for my $chain ( qw/INPUT FORWARD/ ) {
+		add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	    }
 	}
-    } elsif ( $filter_table->{accounting} ) {
+
-	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	if ( $filter_table->{accipsecout} ) {
-	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+	    for my $chain ( qw/FORWARD OUTPUT/ ) {
+		add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	    }
+	}
+
+	for ( accounting_chainrefs ) {
+	    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
 	}
     }
-
-    if ( $filter_table->{accipsecin} ) {
-	for my $chain ( qw/INPUT FORWARD/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
-	}
-    }
-
-    if ( $filter_table->{accipsecout} ) {
-	for my $chain ( qw/FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
-	}
-    }
-
-    for ( accounting_chainrefs ) {
-	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-    }
-
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -195,7 +195,7 @@ sub split_action ( $ ) {
 	$action = $2 ? $3 : '';
 	$max    = 2;
     }
-	
+
     my @a = split( /:/ , $action, 4 );
     fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
     $target = shift @a unless $target;

Shorewall/Perl/Shorewall/Chains.pm

@@ -243,6 +243,9 @@ our $section;
 
 our $comment;
 
+#
+# Target Types
+#
 use constant { STANDARD => 1,              #defined by Netfilter
 	       NATRULE  => 2,              #Involves NAT
 	       BUILTIN  => 4,              #A built-in action
@@ -256,7 +259,9 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       CHAIN    => 1024,           #Manual Chain
 	       SET      => 2048.           #SET
 	   };
-
+#
+# Valid Targets -- value is a combination of one or more of the above
+#
 our %targets;
 #
 # expand_rule() restrictions
@@ -267,7 +272,7 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       OUTPUT_RESTRICT     => 8,   # OUTPUT chain rule      - -i not allowed
 	       POSTROUTE_RESTRICT  => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
-	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface
+	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
 
 our $iprangematch;
@@ -276,7 +281,6 @@ our $idiotcount;
 our $idiotcount1;
 our $warningcount;
 our $hashlimitset;
-
 our $global_variables;
 
 #
@@ -285,7 +289,7 @@ our $global_variables;
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
 #
-# These hashes hold the shell code to set shell variables
+# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
 our %interfaceaddr;         # First interface address
 our %interfaceaddrs;        # All interface addresses
@@ -301,14 +305,16 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
-# Mode of the emitter.
+# Mode of the emitter (part of this module that converts rules in the chain table into iptables-restore input)
 #
 use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
 	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
 	       CMD_MODE  => 2 };  # Emitting shell commands.
 
 our $mode;
-
+#
+# Address Family
+#
 our $family;
 
 #
@@ -369,7 +375,7 @@ sub initialize( $ ) {
     #
     $chainseq = 0;
     #
-    # Used to suppress duplicate match specifications.
+    # Used to suppress duplicate match specifications for old iptables binaries.
     #
     $iprangematch = 0;
     #
@@ -622,7 +628,7 @@ sub delete_reference( $$ ) {
 #
 # In the first function, the rule number is zero-relative. In the second function,
 # the rule number is one-relative. In the first function, if the rule number is < 0, then
-# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be 
+# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
 # inserted at the front of the chain and the chain's 'blacklist' member incremented.
 #
 sub insert_rule1($$$)
@@ -717,6 +723,8 @@ sub move_rules( $$ ) {
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
 	my $blacklist = $chain2->{blacklist};
+
+	assert( ! $chain1->{blacklist} );
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -725,7 +733,7 @@ sub move_rules( $$ ) {
 	for ( @{$chain1->{rules}} ) {
 	    adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
 	}
-	
+
 	if ( $debug ) {
 	    my $rule = $blacklist;
 	    trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
@@ -735,14 +743,18 @@ sub move_rules( $$ ) {
 
 	$chain2->{referenced} = 1;
 
-	unless ( $chain2->{blacklist} += $chain1->{blacklist} ) {
+	#
-	    #
+	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
-	    # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
+	# This hack avoids that.
-	    # This hack avoids that.
+	#
-	    #
+	if ( $blacklist ) {
+	    my $rule = shift @{$rules};
+	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
+	    unshift @{$rules}, $rule;
+	} else {
 	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
 	}
-	    
+
 	delete_chain $chain1;
 
 	$count;
@@ -777,7 +789,7 @@ sub copy_rules( $$ ) {
 	# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
 	#
 	my $rule = shift @rules1;
-	
+
 	$rule =~ / -j ([^\s])/;
 
 	my $chainb = $1;
@@ -802,7 +814,7 @@ sub copy_rules( $$ ) {
 	trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
 
  	unshift @$rules2, shift @rules1;
-	
+
 	$chain1->{blacklist} = 0;
 	$chain2->{blacklist} = 1;
     }
@@ -811,7 +823,7 @@ sub copy_rules( $$ ) {
 	my $rule = @$rules2;
 	trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
     }
-    
+
     push @$rules2, @rules1;
 
     progress_message "  $count rules from $chain1->{name} appended to $chain2->{name}";
@@ -1066,10 +1078,10 @@ sub find_chain($$) {
     my ($table, $chain) = @_;
 
     assert( $table && $chain && $chain_table{$table} );
-    
+
     $chain_table{$table}{$chain};
 }
-    
+
 #
 # Create a chain if it doesn't exist already
 #
@@ -1745,163 +1757,198 @@ sub check_optimization( $ ) {
 #
 # Perform Optimization
 #
-sub optimize_ruleset() {
+sub optimize_level4( $$ ) {
-    for my $table ( qw/raw mangle nat filter/ ) {
+    my ( $table, $tableref ) = @_;
+    my $progress = 1;
+    my $passes   = 0;
+    #
+    # Make repeated passes through each table looking for short chains (those with less than 2 entries)
+    #
+    # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
+    # When an empty chain is found, delete the references to it.
+    # When a chain with a single entry is found, replace it's references by its contents
+    #
+    # The search continues until no short chains remain
+    # Chains with 'dont_optimize = 1' are exempted from optimization
+    #
+    while ( $progress ) {
+	$progress = 0;
+	$passes++;
 
-	next if $family == F_IPV6 && $table eq 'nat';
+	my @chains  = grep $_->{referenced}, values %$tableref;
+	my $chains  = @chains; 
+	
+	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
 
-	my $progress = 1;
+	for my $chainref ( @chains ) {
-	my $passes   = 0;
-
-	if ( $config{OPTIMIZE} & 4 ) {
 	    #
-	    # Make repeated passes through each table looking for short chains (those with less than 2 entries)
+	    # If the chain isn't branched to, then delete it
 	    #
-	    # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
+	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
-	    # When an empty chain is found, delete the references to it.
+		delete_chain $chainref;
-	    # When a chain with a single entry is found, replace it's references by its contents
+		next;
-	    #
-	    # The search continues until no short chains remain
-	    # Chains with 'dont_optimize = 1' are exempted from optimization
-	    #
-	    while ( $progress ) {
-		$progress = 0;
-		$passes++;
-
-		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-		    #
-		    # If the chain isn't branched to, then delete it
-		    #
-		    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
-			delete_chain $chainref;
-			next;
-		    }
-
-		    unless ( $chainref->{dont_optimize} ) {
-			my $numrules = @{$chainref->{rules}};
-
-			if ( $numrules == 0 ) {
-			    #
-			    # No rules in this chain
-			    #
-			    if ( $chainref->{builtin} ) {
-				#
-				# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
-				#
-				$chainref->{dont_optimize} = 1;
-			    } else {
-				#
-				# Not a built-in -- we can delete it and it's references
-				#
-				delete_references $chainref;
-				$progress = 1;
-			    }
-			} elsif ( $numrules == 1 ) {
-			    my $firstrule = $chainref->{rules}[0];
-			    #
-			    # Chain has a single rule
-			    #
-			    if ( $firstrule =~ /^-A -[jg] (.*)$/ ) {
-				#
-				# Easy case -- the rule is a simple jump
-				#
-				if ( $chainref->{builtin} ) {
-				    #
-				    # A built-in chain. If the target is a user chain without 'dont_move',
-				    # we can copy its rules to the built-in
-				    #
-				    if ( conditionally_copy_rules $chainref, $1 ) {
-					#
-					# Target was a user chain -- rules moved
-					#
-					$progress = 1;
-				    } else {
-					#
-					# Target was a built-in. Ignore this chain in follow-on passes
-					#
-					$chainref->{dont_optimize} = 1;
-				    }
-				} else {
-				    #
-				    # Replace all references to this chain with references to the target
-				    #
-				    replace_references $chainref, $1;
-				    $progress = 1;
-				}
-			    } elsif ( $firstrule =~ /-A(.+) -[jg] (.*)$/ ) {
-				#
-				# Not so easy -- the rule contains matches
-				#
-				if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
-				    #
-				    # This case requires a new rule merging algorithm. Ignore this chain for
-				    # now.
-				    #
-				    $chainref->{dont_optimize} = 1;
-				} else {
-				    #
-				    # Replace references to this chain with the target and add the matches
-				    #
-				    replace_references1 $chainref, $2, $1;
-				    $progress = 1;
-				}
-			    }
-			}
-		    }
-		}
 	    }
 
-	    #
+	    unless ( $chainref->{dont_optimize} ) {
-	    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
+		my $numrules = @{$chainref->{rules}};
-	    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
-	    #
-	    $progress = 1;
 
-	    while ( $progress ) {
+		if ( $numrules == 0 ) {
-		$progress = 0;
+		    #
-		$passes++;
+		    # No rules in this chain
-
+		    #
-		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
+		    if ( $chainref->{builtin} ) {
-		    my $lastrule = $chainref->{rules}[-1];
-
-		    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
 			#
-			# Last rule is a simple branch
+			# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
-			my $targetref = $chain_table{$table}{$1};
+			#
-
+			$chainref->{dont_optimize} = 1;
-			if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
+		    } else {
-			    copy_rules( $targetref, $chainref );
+			#
+			# Not a built-in -- we can delete it and it's references
+			#
+			delete_references $chainref;
+			$progress = 1;
+		    }
+		} elsif ( $numrules == 1 ) {
+		    my $firstrule = $chainref->{rules}[0];
+		    #
+		    # Chain has a single rule
+		    #
+		    if ( $firstrule =~ /^-A -[jg] (.*)$/ ) {
+			#
+			# Easy case -- the rule is a simple jump
+			#
+			if ( $chainref->{builtin} ) {
+			    #
+			    # A built-in chain. If the target is a user chain without 'dont_move',
+			    # we can copy its rules to the built-in
+			    #
+			    if ( conditionally_copy_rules $chainref, $1 ) {
+				#
+				# Target was a user chain -- rules moved
+				#
+				$progress = 1;
+			    } else {
+				#
+				# Target was a built-in. Ignore this chain in follow-on passes
+				#
+				$chainref->{dont_optimize} = 1;
+			    }
+			} else {
+			    #
+			    # Replace all references to this chain with references to the target
+			    #
+			    replace_references $chainref, $1;
+			    $progress = 1;
+			}
+		    } elsif ( $firstrule =~ /-A(.+) -[jg] (.*)$/ ) {
+			#
+			# Not so easy -- the rule contains matches
+			#
+			if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
+			    #
+			    # This case requires a new rule merging algorithm. Ignore this chain for
+			    # now.
+			    #
+			    $chainref->{dont_optimize} = 1;
+			} else {
+			    #
+			    # Replace references to this chain with the target and add the matches
+			    #
+			    replace_references1 $chainref, $2, $1;
 			    $progress = 1;
 			}
 		    }
 		}
 	    }
 	}
+    }
 
-	if ( $config{OPTIMIZE} & 8 ) {
+    #
-	    #
+    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
-	    # Now delete duplicate chains
+    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
-	    #
+    #
-	    $passes++;
+    $progress = 1;
 
-	    for my $chainref ( grep $_->{referenced} && ! $_->{builtin}, values %{$chain_table{$table}} ) {
+    while ( $progress ) {
-		my $rules = $chainref->{rules};
+	$progress = 0;
-		next if not @$rules;
+	$passes++;
-	      CHAIN:
-		for my $chainref1 ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-		    next if $chainref eq $chainref1;
-		    my $rules1 = $chainref1->{rules};
-		    next if @$rules != @$rules1;
-		    next if $chainref1->{dont_delete};
 
-		    for ( my $i = 0; $i <= $#$rules; $i++ ) {
+	my @chains  = grep $_->{referenced}, values %$tableref;
-			next CHAIN unless $rules->[$i] eq $rules1->[$i];
+	my $chains  = @chains; 
-		    }
+	
+	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b...";
 
-		    replace_references1 $chainref1, $chainref->{name}, '';
+	for my $chainref ( @chains ) {
+	    my $lastrule = $chainref->{rules}[-1];
+
+	    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
+		#
+		# Last rule is a simple branch
+		my $targetref = $tableref->{$1};
+
+		if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
+		    copy_rules( $targetref, $chainref );
+		    $progress = 1;
 		}
 	    }
 	}
+    }
+
+    $passes;
+}
+
+#
+# Delete duplicate chains replacing their references
+#
+sub optimize_level8( $$$ ) {
+    my ( $table, $tableref , $passes ) = @_;
+    my $progress = 1;
+    my @chains   = ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+    my @chains1  = @chains;
+    my $chains   = @chains;
+
+    $passes++;
+    
+    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
+	    
+    for my $chainref ( @chains ) {
+	my $rules    = $chainref->{rules};
+	my $numrules = @$rules;
+	#
+	# Shift the current $chainref off of @chains1
+	#
+	shift @chains1;
+	#
+	# Skip empty chains
+	#
+	next if not $numrules;	
+      CHAIN:
+	for my $chainref1 ( @chains1 ) {
+	    my $rules1 = $chainref1->{rules};
+	    next if @$rules1 != $numrules;
+	    next if $chainref1->{dont_delete};
+
+	    for ( my $i = 0; $i < $numrules; $i++ ) {
+		next CHAIN unless $rules->[$i] eq $rules1->[$i];
+	    }
+
+	    replace_references1 $chainref1, $chainref->{name}, '';
+	}
+    }
+
+    $passes;
+}
+
+sub optimize_ruleset() {
+    for my $table ( qw/raw mangle nat filter/ ) {
+
+	next if $family == F_IPV6 && $table eq 'nat';
+
+	my $tableref = $chain_table{$table};
+	my $passes   = 0;
+
+	$passes =  optimize_level4( $table, $tableref )           if $config{OPTIMIZE} & 4;
+	$passes =  optimize_level8( $table, $tableref , $passes ) if $config{OPTIMIZE} & 8;
 
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
@@ -2566,6 +2613,8 @@ sub get_set_flags( $$ ) {
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
 }
 
+sub mysplit( $ );
+
 #
 # Match a Source.
 #
@@ -2586,6 +2635,18 @@ sub match_source_net( $;$ ) {
     } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	my $result = '';
+	my @sets = mysplit $1;
+
+	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
+
+	for $net ( @sets ) {
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+	}
+
+	$result;
     } elsif ( $net =~ s/^!// ) {
 	validate_net $net, 1;
 	"! -s $net ";
@@ -2610,6 +2671,18 @@ sub match_dest_net( $ ) {
     } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
+    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	my $result = '';
+	my @sets = mysplit $1;
+
+	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
+
+	for $net ( @sets ) {
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
+	}
+
+	$result;
     } elsif ( $net =~ /^!/ ) {
 	$net =~ s/!//;
 	validate_net $net, 1;
@@ -2749,11 +2822,11 @@ sub do_ipsec($$) {
     fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
     my @options = split_list $ipsec, 'IPSEC options';
-	
+
     if ( @options == 1 ) {
 	if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
 	    return do_ipsec_options $dir, 'ipsec', '';
-	} 
+	}
 
 	if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
 	    return do_ipsec_options $dir, 'none', '';
@@ -2857,7 +2930,7 @@ sub addnatjump( $$$ ) {
 
 #
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
-# where an element of the list might be +ipset[binding].
+# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
 sub mysplit( $ ) {
     my @input = split_list $_[0], 'host';
@@ -2870,12 +2943,12 @@ sub mysplit( $ ) {
 	my $element = shift @input;
 
 	if ( $element =~ /\[/ ) {
-	    while ( substr( $element, -1, 1 ) ne ']' ) {
+	    while ( $element =~ tr/[/[/ > $element =~ tr/]/]/ ) {
-		last unless @input;
+		fatal_error "Missing ']' ($element)" unless @input;
 		$element .= ( ',' . shift @input );
 	    }
 
-	    fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
+	    fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
 	}
 
 	push @result, $element;
@@ -3180,7 +3253,6 @@ sub have_global_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-
 sub set_global_variables( $ ) {
 
     my $setall = shift;
@@ -3206,6 +3278,84 @@ sub set_global_variables( $ ) {
     }
 }
 
+#
+# Issue an invalid list error message
+#
+sub invalid_network_list ( $$ ) {
+    my ( $srcdst, $list ) = @_;
+    fatal_error "Invalid $srcdst network list ($list)";
+}
+
+#
+# Split a network element into the net part and exclusion part (if any)
+#
+sub split_network( $$$ ) {
+    my ( $input, $srcdst, $list ) = @_;
+
+    my @input = split '!', $input;
+    my @result;
+
+    if ( $input =~ /\[/ ) {
+	while ( @input ) {
+	    my $element = shift @input;
+
+	    if ( $element =~ /\[/ ) {
+		my $openbrackets;
+
+		while ( ( $openbrackets = ( $element =~ tr/[/[/ ) ) > $element =~ tr/]/]/ ) {
+		    fatal_error "Missing ']' ($element)" unless @input;
+		    $element .= ( '!' . shift @input );
+		}
+
+		fatal_error "Mismatched [...] ($element)" unless $openbrackets == $element =~ tr/]/]/;
+	    }
+
+	    push @result, $element;
+	}
+    } else {
+	@result = @input;
+    }
+
+    invalid_network_list( $srcdst, $list ) if @result > 2;
+	
+    @result;
+}
+
+#
+# Handle SOURCE or DEST network list, including exclusion
+#
+sub handle_network_list( $$ ) {
+    my ( $list, $srcdst ) = @_;
+
+    my $nets = '';
+    my $excl = '';
+	
+    my @nets = mysplit $list;
+
+    for ( @nets ) {
+	if ( /!/ ) {
+	    if ( /^!(.*)$/ ) {
+		invalid_network_list( $srcdst, $list) if ( $nets || $excl );
+		$excl = $1;
+	    } else {
+		my ( $temp1, $temp2 ) = split_network $_, $srcdst, $list;
+		$nets = $nets ? join(',', $nets, $temp1 ) : $temp1;
+		if ( $temp2 ) {
+		    invalid_network_list( $srcdst, $list) if $excl;
+		    $excl = $temp2;
+		}
+	    }
+	} elsif ( $excl ) {
+	    $excl .= ",$_";
+	} else {
+	    $nets = $nets ? join(',', $nets, $_ ) : $_;
+	}	    
+    }
+
+    ( $nets, $excl );
+
+}
+
 ################################################################################################################
 #
 # This function provides a uniform way to generate Netfilter[6] rules (something the original Shorewall
@@ -3491,23 +3641,15 @@ sub expand_rule( $$$$$$$$$$;$ )
     # Determine if there is Source Exclusion
     #
     if ( $inets ) {
-	fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
+	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
 
-	if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
+	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-	    $inets = $1;
-	    $iexcl = $2;
-	} else {
-	    $iexcl = '';
-	}
-
-	unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
 	    my @iexcl = mysplit $iexcl;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
 		$trivialiexcl = 1;
 	    }
-
 	}
     } else {
 	$iexcl = '';
@@ -3517,16 +3659,9 @@ sub expand_rule( $$$$$$$$$$;$ )
     # Determine if there is Destination Exclusion
     #
     if ( $dnets ) {
-	fatal_error "Invalid DEST" if  $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
+	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
 
-	if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
+	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
-	    $dnets = $1;
-	    $dexcl = $2;
-	} else {
-	    $dexcl = '';
-	}
-
-	unless ( $dnets ) {
 	    my @dexcl = mysplit $dexcl;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl";
@@ -3606,14 +3741,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Log rule
 	    #
-	    log_rule_limit( $loglevel , 
+	    log_rule_limit( $loglevel ,
-			    $echainref , 
+			    $echainref ,
-			    $chain, 
+			    $chain,
 			    $disposition eq 'reject' ? 'REJECT' : $disposition ,
-			    '' ,  
+			    '' ,
-			    $logtag , 
+			    $logtag ,
 			    'add' ,
-			    '' ) 
+			    '' )
 		if $loglevel;
 	    #
 	    # Generate Final Rule
@@ -3726,14 +3861,14 @@ sub promote_blacklist_rules() {
 	# Copy 'blacklst''s references since they will change in the following loop
 	#
 	my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
-	
+
 	for my $chain1ref ( @references ) {
 	    assert( $chain1ref->{blacklist} == 1 );
 
 	    my $copied = 0;
 	    my $rule   = $chain1ref->{rules}[0];
 	    my $chain1 = $chain1ref->{name};
-	    
+
 	    for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
 		unless ( $chain2ref->{builtin} ) {
 		    #
@@ -3946,7 +4081,7 @@ sub load_ipsets() {
 	       '        fi' ,
 	       '    fi' ,
 	     );
-	
+
 	if ( @ipsets ) {
 	    emit '';
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -445,7 +445,7 @@ EOF
     my $config_dir = $globals{CONFIGDIR};
 
     emit<<"EOF";
-    set_state Started $config_dir 
+    set_state Started $config_dir
     run_restored_exit
 else
     if [ \$COMMAND = refresh ]; then

Shorewall/Perl/Shorewall/Config.pm

@@ -132,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -347,7 +347,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13.1",
+		    VERSION => "4.4.14",
 		    CAPVERSION => 40413 ,
 		  );
 
@@ -1475,11 +1475,12 @@ sub split_list1( $$ ) {
 
 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
+	    s/\(//;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
+		s/\)//;
 		push @list2 , $_;
 	    } else {
-		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
@@ -1576,7 +1577,12 @@ sub open_file( $ ) {
 
     assert( ! defined $currentfile );
 
-    -f $fname && -s _ ? do_open_file $fname : '';
+    if ( -f $fname && -s _ ) {
+	$first_entry = 0;
+	do_open_file $fname;;
+    } else {
+	'';
+    }
 }
 
 #
@@ -1841,7 +1847,7 @@ sub read_a_line(;$) {
 		    embedded_perl( $1 );
 		    next;
 		}
-	    } 
+	    }
 
 	    my $count = 0;
 	    #
@@ -2928,12 +2934,12 @@ sub get_configuration( $ ) {
 
 	    if ( $units && $units ne 'sec' ) {
 		my $expire = 60000; # 1 minute in milliseconds
-		
+
 		if ( $units ne 'min' ) {
 		    $expire *= 60; #At least an hour
 		    $expire *= 24 if $units eq 'day';
 		}
-		
+
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
 	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
@@ -3272,13 +3278,17 @@ sub propagateconfig() {
 # Add a shell script file to the output script -- Return true if the
 # file exists and is not in /usr/share/shorewall/ and is non-empty.
 #
-sub append_file( $;$ ) {
+sub append_file( $;$$ ) {
-    my $user_exit = find_file $_[0];
+    my ( $file, $nomsg, $unindented ) = @_;
+    my $user_exit = find_file $file;
     my $result = 0;
+    my $save_indent = $indent;
+    
+    $indent = '' if $unindented;
 
     unless ( $user_exit =~ /^($globals{SHAREDIR})/ ) {
 	if ( -f $user_exit ) {
-	    if ( $_[1] ) {
+	    if ( $nomsg ) {
 		#
 		# Suppress progress message
 		#
@@ -3294,6 +3304,8 @@ sub append_file( $;$ ) {
 	}
     }
 
+    $indent = $save_indent;
+
     $result;
 }
 
@@ -3415,8 +3427,29 @@ sub generate_aux_config() {
 
     conditionally_add_option1 'TC_ENABLED';
 
-    finalize_aux_config;
+    my $fn = find_file 'scfilter';
 
+    if ( -f $fn ) {
+	emit( '',
+	      'show_connections_filter() {' );
+	push_indent;
+	append_file( $fn,1 ) or emit 'cat -';
+	pop_indent;
+	emit '}';
+    }
+
+    $fn = find_file 'dumpfilter';
+
+    if ( -f $fn ) {
+	emit( '',
+	      'dump_filter() {' );
+	push_indent;
+	append_file( $fn,1 ) or emit 'cat -';
+	pop_indent;
+	emit '}';
+    }
+
+    finalize_aux_config;
 }
 
 END {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -184,7 +184,16 @@ sub validate_4net( $$ ) {
     $net = '' unless defined $net;
 
     fatal_error "Missing address" if $net eq '';
-    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
+
+    if ( $net =~ /\+(\[?)/ ) {
+	if ( $1 ) {
+	    fatal_error "An ipset list ($net) is not allowed in this context";
+	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
+	    fatal_error "An ipset name ($net) is not allowed in this context";
+	} else {
+	    fatal_error "Invalid ipset name ($net)";
+	}
+    }
 
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -297,7 +306,7 @@ sub resolve_proto( $ ) {
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
 	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-	
+
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
     }
 }
@@ -540,7 +549,15 @@ sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
     my $allow_name = $_[1];
 
-    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
+    if ( $net =~ /\+(\[?)/ ) {
+	if ( $1 ) {
+	    fatal_error "An ipset list ($net) is not allowed in this context";
+	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
+	    fatal_error "An ipset name ($net) is not allowed in this context";
+	} else {
+	    fatal_error "Invalid ipset name ($net)";
+	}
+    }
 
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -262,14 +262,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    my $fn = open_file 'masq';
+    if ( my $fn = open_file 'masq' ) {
 
-    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
-    process_one_masq while read_a_line;
+	process_one_masq while read_a_line;
-
-    clear_comment;
 
+	clear_comment;
+    }
 }
 
 #
@@ -359,32 +359,32 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    my $fn = open_file 'nat';
+    if ( my $fn = open_file 'nat' ) {
 
-    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
-    while ( read_a_line ) {
+	while ( read_a_line ) {
 
-	my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
 
-	if ( $external eq 'COMMENT' ) {
+	    if ( $external eq 'COMMENT' ) {
-	    process_comment;
+		process_comment;
-	} else {
+	    } else {
-	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
+		( $interfacelist, my $digit ) = split /:/, $interfacelist;
 
-	    $digit = defined $digit ? ":$digit" : '';
+		$digit = defined $digit ? ":$digit" : '';
 
-	    for my $interface ( split_list $interfacelist , 'interface' ) {
+		for my $interface ( split_list $interfacelist , 'interface' ) {
-		fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		    fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
-		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		}
+
+		progress_message "   NAT entry \"$currentline\" $done";
 	    }
-
-	    progress_message "   NAT entry \"$currentline\" $done";
 	}
 
+	clear_comment;
     }
-
-    clear_comment;
 }
 
 #
@@ -392,40 +392,43 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    my $fn = open_file 'netmap';
+    if ( my $fn = open_file 'netmap' ) {
 
-    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
 
-    while ( read_a_line ) {
+	while ( read_a_line ) {
 
-	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
 
-	$net3 = ALLIP if $net3 eq '-';
+	    $net3 = ALLIP if $net3 eq '-';
 
-	for my $interface ( split_list $interfacelist, 'interface' ) {
+	    for my $interface ( split_list $interfacelist, 'interface' ) {
 
-	    my $rulein = '';
+		my $rulein = '';
-	    my $ruleout = '';
+		my $ruleout = '';
-	    my $iface = $interface;
+		my $iface = $interface;
 
-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-	    unless ( $interfaceref->{root} ) {
+		unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev( $interface );
+		    $rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev( $interface );
+		    $ruleout = match_dest_dev( $interface );
-		$interface = $interfaceref->{name};
+		    $interface = $interfaceref->{name};
+		}
+
+		if ( $type eq 'DNAT' ) {
+		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		} elsif ( $type eq 'SNAT' ) {
+		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		} else {
+		    fatal_error "Invalid type ($type)";
+		}
+
+		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
-
-	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
-	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
-	    } else {
-		fatal_error "Invalid type ($type)";
-	    }
-
-	    progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	}
+
+	clear_comment;
     }
 
 }

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_14';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -341,15 +341,16 @@ sub validate_policy()
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
-	    }		
+	    }
 	}
     }
 
-    my $fn = open_file 'policy';
+    if ( my $fn = open_file 'policy' ) {
-
+	first_entry "$doing $fn...";
-    first_entry "$doing $fn...";
+	process_a_policy while read_a_line;
-
+    } else {
-    process_a_policy while read_a_line;
+	fatal_error q(The 'policy' file does not exist or has zero size);
+    }
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
@@ -496,13 +497,13 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit( $level , 
+	    log_rule_limit( $level ,
-			    $synchainref , 
+			    $synchainref ,
-			    $chainref->{name} , 
+			    $chainref->{name} ,
-			    'DROP', 
+			    'DROP',
-			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
-			    '' , 
+			    '' ,
-			    'add' , 
+			    'add' ,
 			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -757,15 +757,16 @@ sub setup_providers() {
 
     $lastmark = 0;
 
-    my $fn = open_file 'providers';
+    if ( my $fn = open_file 'providers' ) {
 
-    first_entry sub() {
+	first_entry sub() {
-	progress_message2 "$doing $fn...";
+	    progress_message2 "$doing $fn...";
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	    emit "\nif [ -z \"\$g_noroutes\" ]; then";
-	push_indent;
+	    push_indent;
-	start_providers; };
+	    start_providers; };
-
+ 
-    add_a_provider, $providers++ while read_a_line;
+	add_a_provider, $providers++ while read_a_line;
+    }
 
     if ( $providers ) {
 	finish_providers;
@@ -849,7 +850,7 @@ sub handle_optional_interfaces( $ ) {
 
     if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
-	
+
 	verify_required_interfaces( shift );
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
@@ -860,9 +861,9 @@ sub handle_optional_interfaces( $ ) {
 
 	if ( $wildcards ) {
 	    #
-	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses.
 	    #
-	    emit( '', 
+	    emit( '',
 		  'for interface in $(find_all_interfaces1); do',
 		);
 
@@ -904,10 +905,10 @@ sub handle_optional_interfaces( $ ) {
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
-		
+
 		if ( $wild ) {
 		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-		    push_indent; 
+		    push_indent;
 		    emit ( 'if interface_is_usable $interface; then' );
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # Notrack
@@ -76,24 +76,25 @@ sub process_notrack_rule( $$$$$$ ) {
 
 sub setup_notrack() {
 
-    my $fn = open_file 'notrack';
+    if ( my $fn = open_file 'notrack' ) {
 
-    first_entry "$doing $fn...";
+	first_entry "$doing $fn...";
 
-    my $nonEmpty = 0;
+	my $nonEmpty = 0;
 
-    while ( read_a_line ) {
+	while ( read_a_line ) {
 
-	my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
 
-	if ( $source eq 'COMMENT' ) {
+	    if ( $source eq 'COMMENT' ) {
-	    process_comment;
+		process_comment;
-	} else {
+	    } else {
-	    process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+	    }
 	}
-    }
 
-    clear_comment;
+	clear_comment;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Rules.pm

@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 our $macro_nest_level;
 our $current_param;
@@ -322,119 +322,120 @@ sub setup_blacklist() {
 
 sub process_routestopped() {
 
-    my ( @allhosts, %source, %dest , %notrack, @rule );
+    if ( my $fn = open_file 'routestopped' ) {
+	my ( @allhosts, %source, %dest , %notrack, @rule );
 
-    my $fn = open_file 'routestopped';
+	my $seq = 0;
 
-    my $seq = 0;
+	first_entry "$doing $fn...";
 
-    first_entry "$doing $fn...";
+	while ( read_a_line ) {
 
-    while ( read_a_line ) {
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
 
-	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
+	    my $interfaceref;
 
-	my $interfaceref;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
-	fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	    my $routeback = 0;
-	$hosts = ALLIP unless $hosts && $hosts ne '-';
 
-	my $routeback = 0;
+	    my @hosts;
 
-	my @hosts;
+	    $seq++;
 
-	$seq++;
+	    my $rule = do_proto( $proto, $ports, $sports, 0 );
-
-	my $rule = do_proto( $proto, $ports, $sports, 0 );
-
-	for my $host ( split /,/, $hosts ) {
-	    fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-	    validate_host $host, 1;
-	    push @hosts, "$interface|$host|$seq";
-	    push @rule, $rule;
-	}
-
-	unless ( $options eq '-' ) {
-	    for my $option (split /,/, $options ) {
-		if ( $option eq 'routeback' ) {
-		    if ( $routeback ) {
-			warning_message "Duplicate 'routeback' option ignored";
-		    } else {
-			$routeback = 1;
-		    }
-		} elsif ( $option eq 'source' ) {
-		    for my $host ( split /,/, $hosts ) {
-			$source{"$interface|$host|$seq"} = 1;
-		    }
-		} elsif ( $option eq 'dest' ) {
-		    for my $host ( split /,/, $hosts ) {
-			$dest{"$interface|$host|$seq"} = 1;
-		    }
-		} elsif ( $option eq 'notrack' ) {
-		    for my $host ( split /,/, $hosts ) {
-			$notrack{"$interface|$host|$seq"} = 1;
-		    }
-		} else {
-		    warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
-		    warning_message "The 'critical' option is no longer supported (or needed)";
-		}
-	    }
-	}
-
-	if ( $routeback || $interfaceref->{options}{routeback} ) {
-	    my $chainref = $filter_table->{FORWARD};
 
 	    for my $host ( split /,/, $hosts ) {
-		add_rule( $chainref ,
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-			  match_source_dev( $interface ) .
+		validate_host $host, 1;
-			  match_dest_dev( $interface ) .
+		push @hosts, "$interface|$host|$seq";
-			  match_source_net( $host ) .
+		push @rule, $rule;
-			  match_dest_net( $host ) );
-		clearrule;
 	    }
-	}
 
-	push @allhosts, @hosts;
-    }
 
-    for my $host ( @allhosts ) {
+	    unless ( $options eq '-' ) {
-	my ( $interface, $h, $seq ) = split /\|/, $host;
+		for my $option (split /,/, $options ) {
-	my $source  = match_source_net $h;
+		    if ( $option eq 'routeback' ) {
-	my $dest    = match_dest_net $h;
+			if ( $routeback ) {
-	my $sourcei = match_source_dev $interface;
+			    warning_message "Duplicate 'routeback' option ignored";
-	my $desti   = match_dest_dev $interface;
+			} else {
-	my $rule    = shift @rule;
+			    $routeback = 1;
+			}
+		    } elsif ( $option eq 'source' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $source{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'dest' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $dest{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'notrack' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $notrack{"$interface|$host|$seq"} = 1;
+			}
+		    } else {
+			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
+			warning_message "The 'critical' option is no longer supported (or needed)";
+		    }
+		}
+	    }
 
-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
+	    if ( $routeback || $interfaceref->{options}{routeback} ) {
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
+		my $chainref = $filter_table->{FORWARD};
 
-	my $matched = 0;
+		for my $host ( split /,/, $hosts ) {
-
+		    add_rule( $chainref ,
-	if ( $source{$host} ) {
+			      match_source_dev( $interface ) .
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
+			      match_dest_dev( $interface ) .
-	    $matched = 1;
+			      match_source_net( $host ) .
-	}
+			      match_dest_net( $host ) );
-
-	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
-	    $matched = 1;
-	}
-
-	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
-	}
-
-	unless ( $matched ) {
-	    for my $host1 ( @allhosts ) {
-		unless ( $host eq $host1 ) {
-		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
-		    my $dest1 = match_dest_net $h1;
-		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
 		    clearrule;
 		}
 	    }
+
+	    push @allhosts, @hosts;
+	}
+
+	for my $host ( @allhosts ) {
+	    my ( $interface, $h, $seq ) = split /\|/, $host;
+	    my $source  = match_source_net $h;
+	    my $dest    = match_dest_net $h;
+	    my $sourcei = match_source_dev $interface;
+	    my $desti   = match_dest_dev $interface;
+	    my $rule    = shift @rule;
+
+	    add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
+	    add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
+
+	    my $matched = 0;
+
+	    if ( $source{$host} ) {
+		add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
+		$matched = 1;
+	    }
+
+	    if ( $dest{$host} ) {
+		add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
+		$matched = 1;
+	    }
+
+	    if ( $notrack{$host} ) {
+		add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
+		add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
+	    }
+
+	    unless ( $matched ) {
+		for my $host1 ( @allhosts ) {
+		    unless ( $host eq $host1 ) {
+			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
+			my $dest1 = match_dest_net $h1;
+			my $desti1 = match_dest_dev $interface1;
+			add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
+			clearrule;
+		    }
+		}
+	    }
 	}
     }
 }
@@ -759,54 +760,55 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	my $fn = open_file 'maclist';
+	if ( my $fn = open_file 'maclist' ) {
 
-	first_entry "$doing $fn...";
+	    first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+	    while ( read_a_line ) {
 
-	    my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
+		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
 
-	    if ( $original_disposition eq 'COMMENT' ) {
+		if ( $original_disposition eq 'COMMENT' ) {
-		process_comment;
+		    process_comment;
-	    } else {
-		my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
-
-		fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
-
-		my $targetref = $maclist_targets{$disposition};
-
-		fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
-		fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
-		fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
-
-		my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
-
-		$mac       = '' unless $mac && ( $mac ne '-' );
-		$addresses = '' unless defined $addresses && ( $addresses ne '-' );
-
-		fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
-
-		$mac = mac_match $mac if $mac;
-
-		if ( $addresses ) {
-		    for my $address ( split ',', $addresses ) {
-			my $source = match_source_net $address;
-			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
-			    if defined $level && $level ne '';
-			add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
-		    }
 		} else {
-		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+		    my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
-			if defined $level && $level ne '';
+
-		    add_jump $chainref , $targetref->{target}, 0, "$mac";
+		    fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
+
+		    my $targetref = $maclist_targets{$disposition};
+
+		    fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
+		    fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
+		    fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
+
+		    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+
+		    $mac       = '' unless $mac && ( $mac ne '-' );
+		    $addresses = '' unless defined $addresses && ( $addresses ne '-' );
+
+		    fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
+
+		    $mac = mac_match $mac if $mac;
+
+		    if ( $addresses ) {
+			for my $address ( split ',', $addresses ) {
+			    my $source = match_source_net $address;
+			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
+				if defined $level && $level ne '';
+			    add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
+			}
+		    } else {
+			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+			    if defined $level && $level ne '';
+			add_jump $chainref , $targetref->{target}, 0, "$mac";
+		    }
+
+		    progress_message "      Maclist entry \"$currentline\" $done";
 		}
-
-		progress_message "      Maclist entry \"$currentline\" $done";
 	    }
-	}
 
-	clear_comment;
+	    clear_comment;
+	}
 	#
 	# Generate jumps from the input and forward chains
 	#
@@ -1064,7 +1066,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$action = "NFQUEUE --queue-num $paramval";
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
-	fatal_error "$action rules require a set name parameter" unless $param;  
+	fatal_error "$action rules require a set name parameter" unless $param;
     } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
     }
@@ -1134,7 +1136,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$dest = $2;
     } elsif ( $dest =~ /.*\..*\./ ) {
 	#
-	# Appears to be an address
+	# Appears to be an IPv4 address (no NAT in IPv6)
 	#
 	$destzone = '-';
     } else {
@@ -1256,7 +1258,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
-	my $randomize = $dest =~ s/:random$// ? '--random ' : '';
+	my $randomize = $dest =~ s/:random$// ? ' --random' : '';
 
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
@@ -1307,8 +1309,8 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target  = 'REDIRECT ';
+	    $target  = 'REDIRECT';
-	    $target .= "--to-port $serverport " if $serverport;
+	    $target .= " --to-port $serverport" if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
 	    } elsif ( $origdest eq 'detect' ) {
@@ -1331,14 +1333,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 
 	    if ( $action eq 'DNAT' ) {
-		$target = 'DNAT ';
+		$target = 'DNAT';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
-			$target .= "--to-destination ${serv}${serverport} ";
+			$target .= " --to-destination ${serv}${serverport}";
 		    }
 		} else {
-		    $target .= "--to-destination :$serverport ";
+		    $target .= " --to-destination :$serverport";
 		}
 	    }
 
@@ -1531,7 +1533,7 @@ sub process_section ($) {
 	@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
     }
-    
+
     $section = $sect;
 }
 
@@ -1653,11 +1655,15 @@ sub process_rules() {
 
     my $fn = open_file 'rules';
 
-    first_entry "$doing $fn...";
+    if ( $fn ) {
 
-    process_rule while read_a_line;
+	first_entry "$doing $fn...";
+
+	process_rule while read_a_line;
+
+	clear_comment;
+    }
 
-    clear_comment;
     $section = 'DONE';
 }
 
@@ -1698,13 +1704,13 @@ sub generate_dest_rules( $$$$ ) {
 
     if ( $type2 == VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
-	    my $exclusion   = dest_exclusion( $hostref->{exclusions}, $chain); 
+	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 
 	    for my $net ( @{$hostref->{hosts}} ) {
-		add_jump( $chainref, 
+		add_jump( $chainref,
 			  $exclusion ,
 			  0,
-			  join('', $match, match_dest_net( $net ) ) ) 
+			  join('', $match, match_dest_net( $net ) ) )
 	    }
 	}
     } else {
@@ -1718,7 +1724,7 @@ sub generate_dest_rules( $$$$ ) {
 sub generate_source_rules( $$$$ ) {
     my ( $outchainref, $z1, $z2, $match ) = @_;
     my $chain = rules_target ( $z1, $z2 );
-	    
+
     if ( $chain ) {
 	#
 	# Not a CONTINUE policy with no rules
@@ -1726,20 +1732,20 @@ sub generate_source_rules( $$$$ ) {
 	for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 	    my $ipsec_match = match_ipsec_in $z1 , $hostref;
 	    my $exclusion   = source_exclusion( $hostref->{exclusions}, $chain);
-		
+
 	    for my $net ( @{$hostref->{hosts}} ) {
 		generate_dest_rules( $outchainref,
 				     $exclusion,
-				     $z2,  
+				     $z2,
 				     join('', match_source_net( $net ), $match , $ipsec_match )
 				   );
-	    }	
+	    }
 	}
-    } 
+    }
 }
 
 #
-# Loopback traffic -- this is where we assemble the intra-firewall traffic routing
+# Loopback traffic -- this is where we assemble the intra-firewall chains
 #
 sub handle_loopback_traffic() {
     my @zones   = ( vserver_zones, firewall_zone );
@@ -1780,11 +1786,11 @@ sub handle_loopback_traffic() {
 	    for my $typeref ( values %{$source_hosts_ref} ) {
 		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
-		
+
 		    for my $net ( @{$hostref->{hosts}} ) {
 			add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ );
 		    }
-		}	
+		}
 	    }
 	}
     }
@@ -1860,15 +1866,33 @@ sub generate_matrix() {
     our %forward_jump_added = ();
 
     progress_message2 'Generating Rule Matrix...';
+    progress_message  '  Handling blacklisting and complex zones...';
     #
-    # Special processing for complex and blacklisting configurations
+    # Special processing for complex and/or blacklisting configurations
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	#
+	# Handle blacklisting first
+	#
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
 	    add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
+
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
+		    }
+		}
+	    }
 	}
 
 	if ( $zoneref->{options}{out}{blacklist} ) {
@@ -1879,14 +1903,14 @@ sub generate_matrix() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
 
-		if ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) {
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 		    add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
-		} 
+		}
 	    }
 	}
 
-	next if @zones <= 2 && ! $zoneref->{options}{complex};
+	next if $simple;
-	
+
 	#
 	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	#
@@ -1939,6 +1963,8 @@ sub generate_matrix() {
     #
     # Main source-zone matrix-generation loop
     #
+    progress_message '  Entering main matrix-generation loop...';
+
     for my $zone ( @zones ) {
 	my $zoneref          = find_zone( $zone );
 	my $source_hosts_ref = $zoneref->{hosts};
@@ -2008,7 +2034,7 @@ sub generate_matrix() {
 		    my $ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 		    my $ipsec_out_match = match_ipsec_out $zone , $hostref;
 		    my $exclusions = $hostref->{exclusions};
-		    
+
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my $dest   = match_dest_net $net;
 
@@ -2287,6 +2313,8 @@ sub generate_matrix() {
 	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
     }
 
+    progress_message '  Finishing matrix...';
+
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
     promote_blacklist_rules;

Shorewall/Perl/Shorewall/Tc.pm

@@ -297,7 +297,7 @@ sub process_tc_rule( ) {
 			}
 
 			$restriction = DESTIFACE_DISALLOW;
-			
+
 			ensure_mangle_chain($target);
 
 			$sticky++;
@@ -1365,7 +1365,7 @@ sub setup_traffic_shaping() {
 	my $tcref    = $tcclasses{$device}{$decimalclassnum};
 	my $mark     = $tcref->{mark};
 	my $devicenumber  = in_hexp $devref->{number};
-	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
+	my $classid  = join( ':', $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
 
@@ -1390,15 +1390,15 @@ sub setup_traffic_shaping() {
 	emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
 
 	if ( $devref->{qdisc} eq 'htb' ) {
-	    emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
+	    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 	} else {
 	    my $dmax = $tcref->{dmax};
 
 	    if ( $dmax ) {
 		my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
 	    } else {
-		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
 	    }
 	}
 
@@ -1462,7 +1462,7 @@ sub process_secmark_rule() {
 		 O => 'tcout'   , );
 
     my %state = ( N =>  'NEW' ,
-		  E =>  'ESTABLISHED' , 
+		  E =>  'ESTABLISHED' ,
 		  ER => 'ESTABLISHED,RELATED' );
 
     my ( $chain , $state, $rest) = split ':', $chainin , 3;
@@ -1470,7 +1470,7 @@ sub process_secmark_rule() {
     fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
 
     my $chain1= $chns{$chain};
-    
+
     fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
     fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
 
@@ -1488,22 +1488,22 @@ sub process_secmark_rule() {
 
     $disposition =~ s/ .*//;
 
-    expand_rule( ensure_mangle_chain( $chain1 ) , 
+    expand_rule( ensure_mangle_chain( $chain1 ) ,
 		 $restrictions{$chain1} ,
 		 $state .
 		 do_proto( $proto, $dport, $sport ) .
 		 do_user( $user ) .
 		 do_test( $mark, $globals{TC_MASK} ) ,
-		 $source , 
+		 $source ,
-		 $dest , 
+		 $dest ,
-		 '' , 
+		 '' ,
-		 $target , 
+		 $target ,
-		 '' , 
+		 '' ,
 		 $disposition,
 		 '' );
 
     progress_message "Secmarks rule \"$currentline\" $done";
-		 
+
 }
 
 #
@@ -1622,7 +1622,7 @@ sub setup_tc() {
 	    first_entry "$doing $fn...";
 
 	    process_secmark_rule while read_a_line;
-	
+
 	    clear_comment;
 	}
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -277,22 +277,23 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    my $fn = open_file 'tunnels';
+    if ( my $fn = open_file 'tunnels' ) {
 
-    first_entry "$doing $fn...";
+	first_entry "$doing $fn...";
 
-    while ( read_a_line ) {
+	while ( read_a_line ) {
 
-	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
 
-	if ( $kind eq 'COMMENT' ) {
+	    if ( $kind eq 'COMMENT' ) {
-	    process_comment;
+		process_comment;
-	} else {
+	    } else {
-	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
+		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
+	    }
 	}
-    }
 
-    clear_comment;
+	clear_comment;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Zones.pm

@@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # IPSEC Option types
@@ -160,7 +160,7 @@ our %reservedName = ( all => 1,
 #                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
-#    the same order as the interfaces are encountered in the configuration files. 
+#    the same order as the interfaces are encountered in the configuration files.
 #
 our @interfaces;
 our %interfaces;
@@ -296,7 +296,7 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$)
+sub parse_zone_option_list($$\$)
 {
     my %validoptions = ( mss          => NUMERIC,
 			 blacklist    => NOTHING,
@@ -310,13 +310,13 @@ sub parse_zone_option_list($$)
 			 "tunnel-dst" => NETWORK,
 		       );
 
-    use constant { UNRESTRICTED => 1, NOFW => 2 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
     #
     # Hash of options that have their own key in the returned hash.
     #
-    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
 
-    my ( $list, $zonetype ) = @_;
+    my ( $list, $zonetype, $complexref ) = @_;
     my %h;
     my $options = '';
     my $fmt;
@@ -346,14 +346,18 @@ sub parse_zone_option_list($$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }
 
-	    if ( $key{$e} ) {
+	    my $key = $key{$e};
-		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+
+	    if ( $key ) {
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
+		$$complexref = 1;
 	    }
 	}
     }
@@ -439,13 +443,15 @@ sub process_zone( \$ ) {
 	}
     }
 
+    my $complex = 0;
+
     my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options || '', $type ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options || '', $type ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+						    complex => ( $type == IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -475,11 +481,12 @@ sub determine_zones()
     my @z;
     my $ip = 0;
 
-    my $fn = open_file 'zones';
+    if ( my $fn = open_file 'zones' ) {
-
+	first_entry "$doing $fn...";
-    first_entry "$doing $fn...";
+	push @z, process_zone( $ip ) while read_a_line;
-
+    } else {
-    push @z, process_zone( $ip ) while read_a_line;
+	fatal_error q(The 'zones' file does not exist or has zero size);
+    }
 
     fatal_error "No firewall zone defined" unless $firewall_zone;
     fatal_error "No IP zones defined" unless $ip;
@@ -801,7 +808,7 @@ sub chain_base($) {
     #
     return $name if $name;
     #
-    # Remember initial value 
+    # Remember initial value
     #
     my $key = $chain;
     #
@@ -879,7 +886,7 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
-	    
+
 	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}
 
@@ -947,7 +954,7 @@ sub process_interface( $$ ) {
 
 	    if ( $zone ) {
 		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else { 
+	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
 
@@ -1102,16 +1109,16 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
     my $export = shift;
-
+    
-    my $fn = open_file 'interfaces';
-
     my @ifaces;
-
     my $nextinum = 1;
 
-    first_entry "$doing $fn...";
+    if ( my $fn = open_file 'interfaces' ) {
-
+	first_entry "$doing $fn...";
-    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+    } else {
+	fatal_error q(The 'interfaces' file does not exist or has zero size);
+    }
 
     #
     # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1175,7 +1182,7 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
 # %interfaces.
 #
 sub known_interface($;$)
@@ -1192,7 +1199,7 @@ sub known_interface($;$)
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
 	    my $physical = map_physical( $interface, $interfaceref );
-	    
+
 	    my $copyref = { options  => $interfaceref->{options},
 			    bridge   => $interfaceref->{bridge} ,
 			    name     => $i ,
@@ -1389,7 +1396,7 @@ sub verify_required_interfaces( $ ) {
 	    my $wait = $interfaces{$interface}{options}{wait};
 
 	    emit q() unless $first-- > 0;
-	    
+
 	    if ( $wait ) {
 		my $physical = get_physical $interface;
 
@@ -1428,7 +1435,7 @@ sub verify_required_interfaces( $ ) {
 	}
 
 	emit( ";;\n" );
-	
+
 	pop_indent;
 	pop_indent;
 
@@ -1667,7 +1674,13 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
+	    if ( $hosts =~ /^\+/ ) {
+		$zoneref->{options}{complex} = 1;
+		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
+	    }
+
 	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
@@ -1688,7 +1701,7 @@ sub process_host( ) {
 	} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
 	    fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 	}
-    } 
+    }
 
     my $optionsref = { dynamic => 0 };
 
@@ -1714,7 +1727,7 @@ sub process_host( ) {
 	    }
 	}
 
-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
 
 	$optionsref = \%options;
     }
@@ -1762,11 +1775,10 @@ sub validate_hosts_file()
 {
     my $ipsec = 0;
 
-    my $fn = open_file 'hosts';
+    if ( my $fn = open_file 'hosts' ) {
-
+	first_entry "$doing $fn...";
-    first_entry "$doing $fn...";
+	$ipsec |= process_host while read_a_line;
-
+    }
-    $ipsec |= process_host while read_a_line;
 
     $have_ipsec = $ipsec || haveipseczones;
 

Shorewall/Perl/prog.footer6

@@ -17,6 +17,19 @@ usage() {
     echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
+    else
+	return 0
+    fi
+}
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -155,40 +168,41 @@ done
 
 COMMAND="$1"
 
-kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+
-if [ $kernel -lt 20624 ]; then
+case "$COMMAND" in
-    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+    start)
-    status=2
+	[ $# -ne 1 ] && usage 2
-else
+	if shorewall6_is_started; then
-    case "$COMMAND" in
+	    error_message "$g_product is already Running"
-	start)
+	    status=0
-	    [ $# -ne 1 ] && usage 2
+	else
-	    if shorewall6_is_started; then
+	    progress_message3 "Starting $g_product...."
-		error_message "$g_product is already Running"
+	    if checkkernelversion; then
-		status=0
-	    else
-		progress_message3 "Starting $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
 		progress_message3 "done."
 	    fi
-	    ;;
+	fi
-	stop)
+	;;
-	    [ $# -ne 1 ] && usage 2
+    stop)
+	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
-	    ;;
+	fi
- 	reset)
+	;;
-	    if ! shorewall6_is_started ; then
+    reset)
-		error_message "$g_product is not running"
+	if ! shorewall6_is_started ; then
-		status=2
+	    error_message "$g_product is not running"
-	    elif [ $# -eq 1 ]; then
+	    status=2
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
@@ -211,17 +225,19 @@ else
 		    fi
 		done
 	    fi
-	    ;;
+	fi
-	restart)
+	;;
-	    [ $# -ne 1 ] && usage 2
+    restart)
-	    if shorewall6_is_started; then
+	[ $# -ne 1 ] && usage 2
-		progress_message3 "Restarting $g_product...."
+	if shorewall6_is_started; then
-	    else
+	    progress_message3 "Restarting $g_product...."
-		error_message "$g_product is not running"
+	else
-		progress_message3 "Starting $g_product...."
+	    error_message "$g_product is not running"
-		COMMAND=start
+	    progress_message3 "Starting $g_product...."
-	    fi
+	    COMMAND=start
+	fi
 
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
@@ -229,84 +245,90 @@ else
  		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
             fi
 	    progress_message3 "done."
-	    ;;
+	fi
-	refresh)
+	;;
-	    [ $# -ne 1 ] && usage 2
+    refresh)
-	    if shorewall6_is_started; then
+	[ $# -ne 1 ] && usage 2
-		progress_message3 "Refreshing $g_product...."
+	if shorewall6_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
-	    else
-		echo "$g_product is not running" >&2
-		status=2
 	    fi
-	    ;;
+	else
-	restore)
+	    echo "$g_product is not running" >&2
-	    [ $# -ne 1 ] && usage 2
+	    status=2
+	fi
+	;;
+    restore)
+	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
  		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
             fi
-	    ;;
+	fi
-	clear)
+	;;
-	    [ $# -ne 1 ] && usage 2
+    clear)
-	    progress_message3 "Clearing $g_product...."
+	[ $# -ne 1 ] && usage 2
+	progress_message3 "Clearing $g_product...."
+	if checkkernelversion; then
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
-	    ;;
+	fi
-	status)
+	;;
-	    [ $# -ne 1 ] && usage 2
+    status)
-	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	[ $# -ne 1 ] && usage 2
-	    echo
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	    if shorewall6_is_started; then
+	echo
-		echo "$g_product is running"
+	if shorewall6_is_started; then
-		status=0
+	    echo "$g_product is running"
-	    else
+	    status=0
-		echo "$g_product is stopped"
+	else
-		status=4
+	    echo "$g_product is stopped"
-	    fi
+	    status=4
+	fi
 
-	    if [ -f ${VARDIR}/state ]; then
+	if [ -f ${VARDIR}/state ]; then
-		state="$(cat ${VARDIR}/state)"
+	    state="$(cat ${VARDIR}/state)"
-		case $state in
+	    case $state in
-		    Stopped*|Clear*)
+		Stopped*|Clear*)
-			status=3
+		    status=3
-			;;
+		    ;;
-		esac
+	    esac
-	    else
+	else
-		state=Unknown
+	    state=Unknown
-	    fi
+	fi
-	    echo "State:$state"
+	echo "State:$state"
-	    echo
+	echo
-	    ;;
+	;;
-	up|down)
+    up|down)
-	    [ $# -eq 1 ] && exit 0
+	[ $# -eq 1 ] && exit 0
-	    shift
+	shift
-	    [ $# -ne 1 ] && usage 2
+	[ $# -ne 1 ] && usage 2
-	    updown $1
+	updown $1
-	    status=0
+	status=0
-	    ;;
+	;;
-	version)
+    version)
-	    [ $# -ne 1 ] && usage 2
+	[ $# -ne 1 ] && usage 2
-	    echo $SHOREWALL_VERSION
+	echo $SHOREWALL_VERSION
-	    status=0
+	status=0
-	    ;;
+	;;
-	help)
+    help)
-	    [ $# -ne 1 ] && usage 2
+	[ $# -ne 1 ] && usage 2
-	    usage 0
+	usage 0
-	    ;;
+	;;
-	*)
+    *)
-	    usage 2
+	usage 2
-	    ;;
+	;;
-    esac
+esac
-fi
 
 exit $status

Shorewall/Perl/prog.header

@@ -509,7 +509,7 @@ undo_routing() {
 #
 restore_default_route() {
     local result
-    
+
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=

Shorewall/Perl/prog.header6

@@ -497,7 +497,7 @@ undo_routing() {
 #
 restore_default_route() {
     local result
-    
+
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=

Shorewall/changelog.txt

@@ -1,8 +1,33 @@
-Changes in Shorewall 4.4.13.1
+Changes in Shorewall 4.4.14
 
-1)  Make log messages uniform.
+1)  Support ipset lists.
 
-2)  Fix blacklisting in simple configurations.
+2)  Use conntrack in 'shorewall connections'
+
+3)  Clean up Shorewall6 error messages when running on a kernel <
+    2.6.24
+
+4)  Clean up ipset related error reporting out of validate_net().
+
+5)  Dramatically reduce the amount of CPU time spent in optimization.
+
+6)  Add 'scfilter' script.
+
+7)  Fix -lite init scripts.
+
+8)  Clamp VERBOSITY to valid range.
+
+9)  Delete obsolete options from shorewall.conf.
+
+10) Change value of FORWARD_CLEAR_MARK in *.conf.
+
+11) Use update-rc.d to install init symlinks.
+
+12) Fix split_list().
+
+13) Fix 10+ TC Interfaces.
+
+14) Insure that VERBOSITY=0 when interrogating compiled script's version
 
 Changes in Shorewall 4.4.13
 

Shorewall/configfiles/findgw

@@ -3,11 +3,11 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the 
+#    The code in this file is executed when Shorewall is trying to detect the
 #    gateway through an interface in /etc/shorewall/providers that has GATEWAY
 #    specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what 
+#    The function should echo the IP address of the gateway if it knows what
 #    it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional

Shorewall/configfiles/restored

@@ -4,7 +4,7 @@
 # /etc/shorewall/restored
 #
 #	Add commands below that you want to be executed after shorewall has
-#	completed a 'restore' command. 
+#	completed a 'restore' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/scfilter

@@ -0,0 +1,15 @@
+#! /bin/sh
+#
+# Shorewall version 4 - Show Connections Filter
+#
+# /etc/shorewall/scfilter
+#
+#	Replace the 'cat' command below to filter the output of
+#       'show connections. Unlike other extension scripts, this file
+#       must be executable before Shorewall will use it.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+cat -

Shorewall/configfiles/secmarks

@@ -10,4 +10,4 @@
 
 
 
-								
+

Shorewall/configfiles/shorewall.conf

@@ -126,14 +126,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -154,8 +150,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=0
 
 EXPORTPARAMS=Yes
@@ -196,7 +190,7 @@ LOAD_HELPERS_ONLY=No
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -301,7 +301,7 @@ fi
 run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0744 configfiles/zones ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/etc/shorewall
     echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi
 
@@ -737,6 +737,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclear ]; then
     echo "Tcclear file installed as ${DESTDIR}/etc/shorewall/tcclear"
 fi
 #
+# Install the Scfilter file
+#
+run_install $OWNERSHIP -m 644 configfiles/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/scfilter ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/scfilter ${DESTDIR}/etc/shorewall
+    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall/scfilter"
+fi
+#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall/actions.std 0644
@@ -878,11 +887,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644
 
-	if [ -x /sbin/insserv ]; then
+	update-rc.d shorewall defaults
-	    insserv /etc/init.d/shorewall
-	else
-	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
-	fi
 
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"

Shorewall/known_problems.txt

@@ -1,11 +1 @@
-1)  On systems running Upstart, shorewall-init cannot reliably start the
+There are no known problems in Shorewall 4.4.14
-    firewall before interfaces are brought up.
-
-2)  The date/time formatting in the STARTUP_LOG is not uniform.
-
-    Fixed in 4.4.13.1
-
-3)  The blacklisting change in 4.4.13 broke blacklisting in some simple
-    configurations with the effect that blacklisting was not enabled.
-
-    Fixed in 4.4.13.1

Shorewall/lib.cli

@@ -433,6 +433,36 @@ list_zone() {
     done
 }
 
+#
+# Show Filter - For Shorewall-lite, if there was an scfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+show_connections_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file scfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -520,15 +550,33 @@ show_command() {
 
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
+
     [ -n "$g_debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    if [ -d /proc/sys/net/netfilter/ ]; then
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+		local count
+		local max
+		count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	    else
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	    fi
+
 	    echo
-	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+
+	    if qt mywhich conntrack ; then
+		conntrack -f ipv4 -L | show_connections_filter
+	    else
+		if [ -f /proc/net/ip_conntrack ]; then
+		    cat /proc/net/ip_conntrack | show_connections_filter
+		else
+		    grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+		fi
+	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
@@ -556,7 +604,7 @@ show_command() {
 
 	    if [ -z "$LOGFILE" ]; then
 		LOGFILE=/var/log/messages
-		
+
 		if [ -n "$(syslog_circular_buffer)" ]; then
 		    g_logread="logread | tac"
 		elif [ -r $LOGFILE ]; then
@@ -763,10 +811,40 @@ show_command() {
     esac
 }
 
+#
+# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+dump_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file dumpfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Dump Command Executor
 #
-dump_command() {
+do_dump_command() {
     local finished
     finished=0
 
@@ -912,6 +990,10 @@ dump_command() {
 	fi
 }
 
+dump_command() {
+    do_dump_command | dump_filter
+}
+
 #
 # Restore Comand Executor
 #

Shorewall/lib.common

@@ -34,6 +34,10 @@ get_script_version() { # $1 = script
     local version
     local ifs
     local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0
 
     temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
 
@@ -54,6 +58,8 @@ get_script_version() { # $1 = script
     fi
 
     echo $version
+
+    VERBOSITY="$verbosity"
 }
 
 #
@@ -514,7 +520,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2 
+set_state () # $1 = state $2
 {
     if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 3 . 1
+                      S H O R E W A L L  4 . 4 . 1 4
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -13,260 +13,152 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-4.4.13.1
-
 1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
 
 2)  The blacklisting change in 4.4.13 was broken in some simple
     configurations with the effect that blacklisting was not enabled.
 
-4.4.13
+3)  Previously, Shorewall6 produced an untidy sequence of error
+    messages when an attempt was made to start it on a system running a
+    kernel older than 2.6.24:
+
+       [root@localhost shorewall6]# shorewall6 start
+       Compiling...
+       Processing /etc/shorewall6/shorewall6.conf...
+       Loading Modules...
+       Compiling /etc/shorewall6/zones...
+       ...
+       Shorewall configuration compiled to /var/lib/shorewall6/.start
+          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
+       /usr/share/shorewall6/lib.common: line 73:
+             [: -lt: unary operator expected
+          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
+       [root@localhost shorewall6]#
+
+    This has been corrected so that a single ERROR message is
+    generated.
+
+4)  Previously, an ipset name appearing in the /etc/shorewall/hosts
+    file could be qualified with a list of 'src' and/or 'dst' enclosed
+    in quotes. This was virtually guaranteed not to work since the set
+    must match when used to verify both a packet source and a
+    packet destination. Now, the following error is raised:
+
+    	   ERROR: ipset name qualification is disallowed in this file
+
+    As part of this change, the ipset name is now verified to begin
+    with a letter and be composed of letters, digits, underscores ("_")
+    and hyphens ("-").
+
+5)  The Shorewall-lite and Shorewall6-lite Debian init scripts contained a
+    syntax error.
+
+6)  If the -v or -q options were used in /sbin/shorewall-lite or
+    /sbin/shorewall6-lite commands that involve the compiled firewall
+    script and the resulting effective VERBOSITY was > 2 or < -1, then
+    the command would fail.
+
+7)  The log reading commands (show log, logwatch, and dump) returned no
+    log records when run on one of the -lite products.
+
+8)  To avoid future confusion, the following obsolete options have been
+    deleted from the sample shorewall.conf files:
+
+    	    BRIDGING
+    	    DELAYBLACKLISTLOAD
+	    PKTTYPE
+
+    They will still be recognized by the rules compiler.
+
+9)  All sample .conf files have been changed to specify
+
+    	FORWARD_CLEAR_MARK=
+
+    rather than
+
+    	FORWARD_CLEAR_MARK=Yes
+
+    That way, systems without MARK support will still be able to
+    install the sample configurations and FORWARD_CLEAR_MARK will
+    default to Yes on systems with MARK support.
+
+10) The install scripts in the tarballs now correctly create init
+    symlinks on recent Ubuntu releases.
+
+11) Previously, this entry in the OPTIONS column of
+    /etc/shorewall/interfaces incorrectly generated a syntax error.
+
+    	nets=(1.2.3.0/24)
+
+    The error was:
+
+    	ERROR: Invalid VLSM (24))
+
+12) Previously, if 10 or more interfaces were configured in Complex
+    Traffic Shaping (/etc/shorewall/tcdevices), the following
+    compilation diagnostic was generated:
+
+        Argument "a" isn't numeric in sprintf at
+	/usr/share/shorewall/Shorewall/Config.pm line 893.
  
-1)  Under rare circumstances where COMMENT is used to attach comments
+    and an invalid TC configuration was generated.
-    to rules, OPTIMIZE 8 through 15 could result in invalid
-    iptables-restore (ip6tables-restore) input.
 
-2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+13) If the current environment exported the VERBOSITY variable with a
-    could result in invalid iptables-restore (ip6tables-restore) input.
+    non-zero value, startup would fail.
-
-3)  The change in 4.4.12 to detect and use the new ipset match syntax
-    broke the ability to detect the old ipset match capability. Now,
-    both versions of the capability can be correctly detected.
-
-4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
-    if the last optional interface tested was not available.
-
-5)  Exclusion in the blacklist file was correctly validated but was then
-    ignored when generating iptables (ip6tables) rules.
-
-6)  Previously, non-trivial exclusion (more than one excluded
-    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
-    valid but incorrect iptables input. This has been corrected but
-    requires that your iptables/kernel support marking rules in any
-    Netfilter table (CONTINUE in the tcrules file does not require this
-    support).
-
-    This fix implements a new 'Mark in any table' capability; those
-    who utilize a capabilities file should re-generate the file using
-    this release.
-
-7)  Interface handling has been extensively modified in this release
-    to correct a number of problems with the earlier
-    implementation. Among those problems:
-
-    - Invalid shell variable names could be generated in the firewall
-      script. The generated firewall script uses shell variables to
-      track the availability of optional and required interfaces and
-      to record detected gateways, detected addresses, etc.
-
-    - The same shell variable name could be generated by two different
-      interface names.
-
-    - Entries in the interfaces file with a wildcard physical name
-      (physical name ends with "+") and with the 'optional' option were
-      handled strangely.
-
-      o If there were references to specific interfaces that matched
-        the wildcard, those entries were handled as if they had been
-        defined as optional in the interfaces file.
-
-      o If there were no references matching the wildcard, then the
-        'optional' option was effectively ignored. 
-
-    The new implementation:
-
-    - Insures valid shell variable names.
-    
-    - Insures that shell variable names are unique.
-
-    - Handles interface names appearing in the INTERFACE column of the
-      providers file as a special case for 'optional'. If the name
-      matches a wildcard entry in the interfaces file then the
-      usability of the specific interface is tracked individually. 
-
-    - Handles the availabilty of other interfaces matching a wildcard
-      as a group; if there is one useable interface in the group then
-      the wildcard itself is considered usable.
-
-      The following example illustrates this use case:
-
-      /etc/shorewall/interfaces
-
-	net	ppp+	-	optional
-
-      /etc/shorewall/shorewall.conf
-
-	REQUIRE_INTERFACE=Yes
-
-      If there is any usable PPP interface then the firewall will be
-      allowed to start. Previously, the firewall would never be allowed
-      to start.
-
-8)  When a comma-separated list of 'src' and/or 'dst' was specified in
-    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
-    or 'dst' was previously ignored when generating the resulting
-    iptables rule.
-
-9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
-    generated invalid iptables (ip6tables) input. That target now
-    generates correct input.
-
-10) Ipsets associated with 'dynamic' zones were being created during
-    'restart' but not during 'start'.
-
-11) To work around an issue in Netfilter/iptables, Shorewall now uses
-    state match rather than conntrack match for UNTRACKED state
-    matching.
-
-12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
-    did not clear the raw table.
-
-13) An error message was incorrectly generated if a port range of the
-    form :<port> (e.g., :22) appeared.
-
-14) An error is now generated if '*' appears in an interface name.
 
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
 
-1)  On systems running Upstart, shorewall-init cannot reliably start the
+1)  On systems running Upstart, shorewall-init cannot reliably secure
-    firewall before interfaces are brought up.
+    the firewall before interfaces are brought up.
 
 ----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-1)  Entries in the rules file (both Shorewall and Shorewall6) may now
+1)  Multiple source or destination ipset matches can be generated by
-    contain zone lists in the SOURCE and DEST column. A zone list is a
+    enclosing the ipset list in +[...].
-    comma-separated list of zone names where each name appears in the
-    zones file. A zone list may be optionally followed by a plus sign
-    ("+") to indicate that the rule should apply to intra-zone traffic
-    as well as to inter-zone traffic.
 
-    Zone lists behave like 'all' and 'any' with respect to Optimization
+    Example (/etc/shorewall/rules):
-    1. If the rule matches the applicable policy for a given (source
-    zone, dest zone), then the rule will be suppessed for that pair of
-    zones unless overridden by the '!' suffix on the target in the
-    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
 
-    Additionally, 'any', 'all' and zone lists may be qualified in the
+        ACCEPT $FW net:+[dest-ip-map,dest-port-map]
-    same way as a single zone.
 
-    Examples:
+2)  Shorewall now uses the 'conntrack' utility for 'show connections'
+    if that utility is installed. Going forward, the Netfilter team
+    will be enhancing this interface rather than the /proc interface.
 
-	fw,dmz:90.90.191.120/29
+3)  The CPU time required for optimization has been reduced by 2/3.
-	all:+blacklist
 
-    The 'all' and 'any' keywords now support exclusion in the form of a
+4)  An 'scfilter' extension script has been added. This extension
-    comma-separated list of excluded zones.
+    script differs from other such scripts in that it is invoked by the
+    command line tools (/sbin/shorewall, /sbin/shorewall6,
+    /sbin/shorewall-lite and /sbin/shorewall6-lite).
 
-    Examples: 
+    The script acts as a filter for the output of the 'show
+    connections' command. Each connection is piped through the filter
+    which can modify and/or drop information as desired.
 
-    	     all!fw         (same as all-).
+    Example:
-	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
-	     		     include intra-zone rules).
 
-2)  An IPSEC column has been added to the accounting file, allowing you
+	#!/bin/sh
-    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+ 	sed 's/secmark=0 //'
-    shorewall-accounting' (man shorewall6-accounting) for details.
 
-    With this change, there are now three trees of accounting chains:
+    That script will remove 'secmark=0 ' from each line.
 
-    - The one rooted in the 'accounting' chain.
+    The default script is:
-    - The one rooted in the 'accipsecin' chain. This tree handles
-      traffic that has been decrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the DEST column.
-    - The one rooted in the 'accipsecout' chain. This tree handles
-      traffic that will be encrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the SOURCE column.
 
-    In reality, when there are bridges defined in the configuration,
+    	#!/bin/sh
-    there is a fourth tree rooted in the 'accountout' chain. That chain
+	cat -
-    handles traffic that originates on the firewall (both IPSEC and
-    non-IPSEC).
 
-    This change also implements a couple of new warnings:
+    which passes the output through unmodified.
 
-    - WARNING: Adding rule to unreferenced accounting chain <name>
+    If you are using Shorewall-lite and/or Shorewall6-lite, the
-
+    scfilter file is kept on the administrative system. The compiler
-      The first reference to user-defined accounting chain <name> is
+    encapsulates the script into a shell function that is copied
-      not a JUMP or COUNT from an already-defined chain.
+    into the generated auxillary configuration file
-
+    (firewall.conf). That function is then invoked by the 'show
-    - WARNING: Accounting chain <name> has o references
+    connections' command.
-
-      The named chain contains accounting rules but no JUMP or COUNT
-      specifies that chain as the target.
-
-3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
-    manipulating the SELinux context of packets.
-
-    See the shorewall-secmarks and shorewall6-secmarks manpages for
-    details.
-
-    As part of this change, the tcrules file now accepts $FW in the
-    DEST column for marking packets in the INPUT chain.
-
-4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
-
-    a) Blacklisting is now based on zones rather than on interfaces and
-       host groups.
-
-    b) Near compatibility with earlier releases is maintained.
-
-    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
-       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
-       respectively. The old keywords are still supported.
-
-    d) The 'blacklist' keyword may now appear in the OPTIONS,
-       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
-
-       i)  In the IN_OPTIONS column, it indicates that packets received
-           on the interface are checked against the 'src' entries in
-           /etc/shorewall/blacklist.
-
-       ii) In the OUT_OPTIONS column, it indicates that packets being
-           sent to the interface are checked against the 'dst' entries.
-
-       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
-           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
-
-    e) The 'blacklist' option in the OPTIONS column of
-       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
-       equivalent to placing it in the IN_OPTIONS column of the
-       associates record in /etc/shorewall/zones. If no zone is given
-       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
-       option is ignored with a warning (it was previously ignored
-       silently).
-
-    f) The 'blacklist' option in the /etc/shorewall/interfaces and
-       /etc/shorewall/hosts files is now deprecated but will continue
-       to be supported for several releases. A warning will be added at
-       least one release before support is removed.
-
-5)  There is now an OUT-BANDWIDTH column in
-    /etc/shorewall/tcinterfaces.
-
-    The format of this column is:
-
-    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
-
-    These terms are described in tc-tbf(8). Shorewall supplies default
-    values as follows:
-
-    	   <burst>   = 10kb
-	   <latency> = 200ms
-
-    The remaining options are defaulted by tc.
-
-6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
-    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
-
-        <rate>[:<burst>]
-
-    The default <burst> is 10kb. A larger <burst> can help make the
-    <rate> more accurate; often for fast lines, the enforced rate is
-    well below the specified <rate>.
 
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S
@@ -487,6 +379,250 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 3
+----------------------------------------------------------------------------
+
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored.
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually.
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error message is now generated when '*' appears in an interface
+    name.
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 3
+----------------------------------------------------------------------------
+
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
+    contain zone lists in the SOURCE and DEST column. A zone list is a
+    comma-separated list of zone names where each name appears in the
+    zones file. A zone list may be optionally followed by a plus sign
+    ("+") to indicate that the rule should apply to intra-zone traffic
+    as well as to inter-zone traffic.
+
+    Zone lists behave like 'all' and 'any' with respect to Optimization
+    1. If the rule matches the applicable policy for a given (source
+    zone, dest zone), then the rule will be suppessed for that pair of
+    zones unless overridden by the '!' suffix on the target in the
+    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+
+    Additionally, 'any', 'all' and zone lists may be qualified in the
+    same way as a single zone.
+
+    Examples:
+
+	fw,dmz:90.90.191.120/29
+	all:+blacklist
+
+    The 'all' and 'any' keywords now support exclusion in the form of a
+    comma-separated list of excluded zones.
+
+    Examples:
+
+    	     all!fw         (same as all-).
+	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
+	     		     include intra-zone rules).
+
+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
+
+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
@@ -505,7 +641,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     fatal compilation error in REDIRECT rules.
 
 4)  A number of problems associated with Shorewall-init and Upstart
-    have been corrected. 
+    have been corrected.
 
     If you use Shorewall-init, then when upgrading to this version, be
     sure to recompile all firewall scripts before you take interfaces
@@ -515,7 +651,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     /usr/share/shorewall/configfiles/Makefile and rather issued the
     following message:
 
-    	      install-file: command not found 
+    	      install-file: command not found
 
     This caused the Makefile to be omitted from RPMs as well.
 
@@ -543,7 +679,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 
 2)  Per-ip log rate limiting has been added in the form of the LOGLIMIT
     option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
-    LOGBURST are ignored. 
+    LOGBURST are ignored.
 
     LOGRATE and LOGBURST are now deprecated.
 
@@ -626,7 +762,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	Shorewall is running
 	State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
 
-	gateway:/etc/shorewall# 
+	gateway:/etc/shorewall#
 
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
@@ -659,7 +795,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     shorewall.conf and shorewall6.conf. It has been added.
 
 6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
+    when options were omitted from shorewall.conf or shorewall6.conf.
 
 7) If the following options were specified in /etc/shorewall/interfaces
    for an interface with '-' in the ZONE column, then these options
@@ -680,7 +816,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 9) Previously, if nets= was specified under Shorewall6, this error
    would result:
 
-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
+   	 ERROR: Invalid IPv6 address (224.0.0.0) :
                 /etc/shorewall6/interfaces (line 16)
 
 ----------------------------------------------------------------------------
@@ -695,7 +831,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     See http://www.shorewall.net/Vserver.html for details.
 
 2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
-    and shorewall6.conf. 
+    and shorewall6.conf.
 
     Traditionally, Shorewall has cleared the packet mark in the first
     rule in the mangle FORWARD chain. This behavior is maintained with

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.13
+%define version 4.4.14
-%define release 1
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,10 +108,18 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
+- Updated to 4.4.14-0base
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
-[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
 

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -351,11 +351,7 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
 
-	    if [ -x /sbin/insserv ]; then
+	    update-rc.d shorewall6-lite defaults
-		insserv /etc/init.d/shorewall6-lite
-	    else
-		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
 
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else

Shorewall6-lite/shorewall6-lite

@@ -94,9 +94,9 @@ get_config() {
     [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread | tac"
+	g_logread="logread | tac"
     elif [ -r $LOGFILE ]; then
-	LOGREAD="tac $LOGFILE"
+	g_logread="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -145,6 +145,12 @@ get_config() {
 
     [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
+    fi
+
     g_hostname=$(hostname 2> /dev/null)
 
     IP=$(mywhich ip 2> /dev/null)
@@ -447,6 +453,7 @@ g_noroutes=
 g_timestamp=
 g_recovering=
 g_purge=
+g_logread=
 
 finished=0
 

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.13
+%define version 4.4.14
-%define release 1
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,10 +93,18 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
+- Updated to 4.4.14-0base
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -249,7 +249,7 @@ fi
 [ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
-# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
+# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
 #
 mkdir -p ${DESTDIR}/etc/shorewall6
 mkdir -p ${DESTDIR}/usr/share/shorewall6
@@ -296,7 +296,7 @@ fi
 run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
+    run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/etc/shorewall6/zones
     echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
 fi
 
@@ -631,6 +631,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
     echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
 fi
 #
+# Install the Scfilter file
+#
+run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/scfilter ]; then
+    run_install $OWNERSHIP -m 0600 scfilter ${DESTDIR}/etc/shorewall6/scfilter
+    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall6/scfilter"
+fi
+#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
@@ -729,11 +738,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
 
-	if [ -x /sbin/insserv ]; then
+	update-rc.d shorewall6 defaults
-	    insserv /etc/init.d/shorewall6
-	else
-	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
-	fi
 
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"

Shorewall6/lib.cli

@@ -357,6 +357,36 @@ show_routing() {
     fi
 }
 
+#
+# Show Filter - For Shorewall6-lite, if there was an scfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+show_connections_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file scfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -448,11 +478,17 @@ show_command() {
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    if mywhich conntrack ; then
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+		echo
-	    echo
+		conntrack -f ipv6 -L | show_connections_filter
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    else
+		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+		echo
+		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	    fi
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -650,10 +686,40 @@ show_command() {
     esac
 }
 
+#
+# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+dump_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file dumpfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Dump Command Executor
 #
-dump_command() {
+do_dump_command() {
     local finished
     finished=0
 
@@ -797,6 +863,10 @@ dump_command() {
 	fi
 }
 
+dump_command() {
+    do_dump_command | dump_filter
+}
+
 #
 # Restore Comand Executor
 #

Shorewall6/lib.common

@@ -32,10 +32,14 @@ get_script_version() { # $1 = script
     local version
     local ifs
     local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0
 
     temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS
@@ -52,6 +56,8 @@ get_script_version() { # $1 = script
     fi
     
     echo $version
+
+    VERBOSITY="$verbosity"
 }
   
 #

Shorewall6/scfilter

@@ -0,0 +1,15 @@
+#! /bin/sh
+#
+# Shorewall version 4 - Show Connections Filter
+#
+# /etc/shorewall/scfilter
+#
+#	Replace the 'cat' command below to filter the output of
+#       'show connections. Unlike other extension scripts, this file
+#       must be executable before Shorewall will use it.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+cat -

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.13
+%define version 4.4.14
-%define release 1
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,10 +98,18 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
+- Updated to 4.4.14-0base
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

docs/Documentation_Index.xml

@@ -136,7 +136,7 @@
 
           <row>
             <entry>Bridge: <ulink
-            url="bridge-Shorewall-perl.html">Shorewall-perl</ulink></entry>
+            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>
 
             <entry><ulink url="MultiISP.html">Multiple Internet Connections
             from a Single Firewall</ulink> (<ulink
@@ -147,8 +147,8 @@
           </row>
 
           <row>
-            <entry>Bridge: <ulink url="SimpleBridge.html">No control of
+            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
-            traffic through the bridge</ulink></entry>
+            traffic between bridge port</ulink></entry>
 
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>

docs/FAQ.xml

@@ -54,6 +54,31 @@
       url="shorewall_quickstart_guide.htm">QuickStart Guides</ulink>.</para>
     </section>
 
+    <section id="faq92">
+      <title>(FAQ 92) There are lots of Shorewall packages; which one(s) do I
+      install?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: When first installing
+      Shorewall 4.4.0 or later, you must install the <emphasis
+      role="bold">shorewall</emphasis> package. If you want to configure an
+      IPv6 firewall, you must also install <emphasis
+      role="bold">shorewall6</emphasis>.</para>
+
+      <section id="faq92a">
+        <title>(FAQ 92a) Someone once told me to install shorewall-perl;
+        anything to that?</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: That was good advice in
+        Shorewall 4.2 and earlier. In those releases, there were two packages
+        that provided the basic firewalling functionality: <emphasis
+        role="bold">shorewall-shell</emphasis> and <emphasis
+        role="bold">shorewall-perl</emphasis>. Beginning with Shorewall 4.4.0,
+        <emphasis role="bold">shorewall-shell</emphasis> is discontinued and
+        <emphasis role="bold">shorewall-perl</emphasis> is renamed <emphasis
+        role="bold">shorewall</emphasis>.</para>
+      </section>
+    </section>
+
     <section id="faq37">
       <title>(FAQ 37) I just installed Shorewall on Debian and the
       /etc/shorewall directory is almost empty!!!</title>
@@ -1192,7 +1217,7 @@ to debug/develop the newnat interface.</programlisting></para>
       <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
       spit out logs to /var/log/shorewall.log and it's not happening after I
       restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
-      the correct line, right? </title>
+      the correct line, right?</title>
 
       <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
       The LOGFILE setting tells Shorewall where to find the log; it does not
@@ -2876,12 +2901,24 @@ EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
 
           <programlisting>#INTERFACE			SOURCE			ADDRESS
 
-COMMENT DSL Modem
+COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
 
 EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
 </programlisting>
         </listitem>
       </itemizedlist>
     </section>
+
+    <section>
+      <title id="faq93">(FAQ 93) I'm not able to use Shorewall to manage a
+      bridge. I get the following error: ERROR: BRIDGING=Yes is not supported
+      by Shorewall 4.4.13.3.</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> If you want to apply
+      firewall rules to the traffic passing between bridge ports, see <ulink
+      url="bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink>.
+      If you simply want to allow all traffic between ports, then see <ulink
+      url="SimpleBridge.html">http://www.shorewall.net/SimpleBridge.html</ulink>.</para>
+    </section>
   </section>
 </article>

docs/Manpages.xml

@@ -83,6 +83,10 @@
         the interfaces on the system and optionally associate them with
         zones.</member>
 
+        <member><ulink url="manpages/shorewall-ipsets.html">ipsets</ulink> -
+        Describes how to specify set names in Shorewall configuration
+        files.</member>
+
         <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
         Define MAC verification.</member>
 

docs/ProxyARP.xml

@@ -34,46 +34,50 @@
     </legalnotice>
   </articleinfo>
 
-  <para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
+  <section>
-  one network appear to be logically part of a different physical network
+    <title>Overview</title>
-  connected to the same router/firewall. Typically it allows us to hide a
-  machine with a public IP address on a private network behind a router, and
-  still have the machine appear to be on the public network "in front of" the
-  router. The router "proxys" ARP requests and all network traffic to and from
-  the hidden machine to make this fiction possible.</para>
 
-  <para>Consider a router with two interface cards, one connected to a public
+    <para>Proxy ARP (RFC 1027) is a way to make a machine physically located
-  network PUBNET and one connected to a private network PRIVNET. We want to
+    on one network appear to be logically part of a different physical network
-  hide a server machine on the PRIVNET network but have it accessible from the
+    connected to the same router/firewall. Typically it allows us to hide a
-  PUBNET network. The IP address of the server machine lies in the PUBNET
+    machine with a public IP address on a private network behind a router, and
-  network, even though we are placing the machine on the PRIVNET network
+    still have the machine appear to be on the public network "in front of"
-  behind the router.</para>
+    the router. The router "proxys" ARP requests and all network traffic to
+    and from the hidden machine to make this fiction possible.</para>
 
-  <para>By enabling proxy ARP on the router, any machine on the PUBNET network
+    <para>Consider a router with two interface cards, one connected to a
-  that issues an ARP "who has" request for the server's MAC address will get a
+    public network PUBNET and one connected to a private network PRIVNET. We
-  proxy ARP reply from the router containing the router's MAC address. This
+    want to hide a server machine on the PRIVNET network but have it
-  tells machines on the PUBNET network that they should be sending packets
+    accessible from the PUBNET network. The IP address of the server machine
-  destined for the server via the router. The router forwards the packets from
+    lies in the PUBNET network, even though we are placing the machine on the
-  the machines on the PUBNET network to the server on the PRIVNET
+    PRIVNET network behind the router.</para>
-  network.</para>
 
-  <para>Similarly, when the server on the PRIVNET network issues a "who has"
+    <para>By enabling proxy ARP on the router, any machine on the PUBNET
-  request for any machines on the PUBNET network, the router provides its own
+    network that issues an ARP "who has" request for the server's MAC address
-  MAC address via proxy ARP. This tells the server to send packets for
+    will get a proxy ARP reply from the router containing the router's MAC
-  machines on the PUBNET network via the router. The router forwards the
+    address. This tells machines on the PUBNET network that they should be
-  packets from the server on the PRIVNET network to the machines on the PUBNET
+    sending packets destined for the server via the router. The router
-  network.</para>
+    forwards the packets from the machines on the PUBNET network to the server
+    on the PRIVNET network.</para>
 
-  <para>The proxy ARP provided by the router allows the server on the
+    <para>Similarly, when the server on the PRIVNET network issues a "who has"
-  PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
+    request for any machines on the PUBNET network, the router provides its
-  pass ARP requests and other network packets in both directions between the
+    own MAC address via proxy ARP. This tells the server to send packets for
-  server machine and the PUBNET network, making the server machine appear to
+    machines on the PUBNET network via the router. The router forwards the
-  be connected to the PUBNET network even though it is on the PRIVNET network
+    packets from the server on the PRIVNET network to the machines on the
-  hidden behind the router.</para>
+    PUBNET network.</para>
 
-  <para>Before you try to use this technique, I strongly recommend that you
+    <para>The proxy ARP provided by the router allows the server on the
-  read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
+    PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
-  Guide</ulink>.</para>
+    pass ARP requests and other network packets in both directions between the
+    server machine and the PUBNET network, making the server machine appear to
+    be connected to the PUBNET network even though it is on the PRIVNET
+    network hidden behind the router.</para>
+
+    <para>Before you try to use this technique, I strongly recommend that you
+    read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
+    Guide</ulink>.</para>
+  </section>
 
   <section id="Example">
     <title>Example</title>

docs/Vserver.xml

@@ -114,7 +114,7 @@ gateway:~#</programlisting>
   <section>
     <title>Vserver Zones</title>
 
-    <para>Here is a diagram of the network configuration here at Shorewall.net
+    <para>This is a diagram of the network configuration here at Shorewall.net
     during the summer of 2010:</para>
 
     <graphic align="center" fileref="images/Network2010a.png" />
@@ -131,6 +131,12 @@ net             ipv4            #Internet
 vpn             ipv4            #OpenVPN clients
 <emphasis role="bold">dmz             vserver         #Vservers</emphasis></programlisting>
 
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+<emphasis role="bold">net     eth1          detect              dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
+...</programlisting>
+
     <para><filename>/etc/shorewall/hosts</filename>:</para>
 
     <programlisting>#ZONE   HOST(S)                                 OPTIONS
@@ -160,10 +166,16 @@ vpn	ipv6
 <emphasis role="bold">dmz	vserver</emphasis>
 </programlisting>
 
+    <para><filename>/etc/shorewall6/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+<emphasis role="bold">net     sit1          detect              tcpflags,forward=1,nosmurfs,routeback</emphasis>
+...</programlisting>
+
     <para><filename>/etc/shorewall6/hosts</filename>:</para>
 
     <programlisting>#ZONE   HOST(S)                                 OPTIONS
-dmz	sit1:[2001:470:e857:1::/64]</programlisting>
+<emphasis role="bold">dmz     sit1:[2001:470:e857:1::/64]</emphasis></programlisting>
 
     <para>Note that I choose to place the Vservers on sit1 (the IPv6 net
     interface) rather than on eth1. Again, it really doesn't matter

docs/bridge-Shorewall-perl.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Shorewall-perl and Bridged Firewalls</title>
+    <title>Bridged Firewalls</title>
 
     <authorgroup>
       <author>
@@ -37,7 +37,7 @@
   </articleinfo>
 
   <caution>
-    <para><emphasis role="bold">This article applies to Shorewall-perl 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
     later.</emphasis></para>
   </caution>
 
@@ -533,7 +533,7 @@ rc-update add bridge boot
     source bridge port.</para>
 
     <para>To deal with the asymmetric nature of the new physdev match,
-    Shorewall-perl supports a new type of zone - a <firstterm>Bridge
+    Shorewall supports a new type of zone - a <firstterm>Bridge
     Port</firstterm> (BP) zone. Bridge port zones have a number of
     restrictions:</para>
 
@@ -559,8 +559,9 @@ rc-update add bridge boot
 
     <para>In /etc/shorewall/zones, BP zones are specified using the <emphasis
     role="bold">bport</emphasis> (or <emphasis role="bold">bport4</emphasis>)
-    keyword. Shorewall perl requires that BRIDGING=No in
+    keyword. If your version of <filename>shorewall.conf</filename> contains
-    <filename>shorewall.conf</filename>.</para>
+    the <emphasis role="bold">BRIDGING</emphasis> option, it must be set to
+    <emphasis role="bold">No</emphasis>.</para>
 
     <para>In the scenario pictured above, there would probably be two BP zones
     defined -- one for the Internet and one for the local LAN so in

docs/ipsets.xml

@@ -95,8 +95,8 @@
       </listitem>
 
       <listitem>
-        <para>They must be composed of letters, digits or underscores
+        <para>They must be composed of letters, digits, dashes ("-") or
-        ("_").</para>
+        underscores ("_").</para>
       </listitem>
     </itemizedlist>
 
@@ -128,6 +128,11 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
     blacklist file, you can coerce the rule into matching the destination IP
     address rather than the source.</para>
 
+    <para>Beginning with Shorewall 4.4.14, multiple source or destination
+    matches may be specified by placing multiple set names in '+[...]' (e.g.,
+    +[myset,myotherset]). When so inclosed, the set names need not be prefixed
+    with a plus sign.</para>
+
     <para>Shorewall can save/restore your ipset contents with certain
     restrictions:</para>
 

docs/shorewall_extension_scripts.xml

@@ -200,6 +200,26 @@ esac</programlisting><caution>
         with dhclient on several distributions are available at <ulink
         url="http://www.shorewall.net/pub/shorewall/contrib/findgw/">http://www.shorewall.net/pub/shorewall/contrib/findgw/</ulink></para>
       </listitem>
+
+      <listitem>
+        <para><filename>scfilter</filename> -- Added in Shorewall 4.4.14.
+        Unlike the other scripts, this script is executed by the command-line
+        tools (<filename>/sbin/shorewall</filename>,
+        <filename>/sbin/shorewall6</filename>, etc) and can be used to
+        reformat the output of the <command>show connections</command>
+        command. The connection information is piped through this script so
+        that the script can drop information, add information or alter the
+        format of the information. When using Shorewall Lite or Shorewall6
+        Lite, the script is encapsulated in a function that is copied into the
+        generated auxillary configuration file. That function is invoked by
+        the 'show connections' command.</para>
+
+        <para>The default script is as follows and simply pipes the output
+        through unaltered.</para>
+
+        <programlisting>#! /bin/sh
+cat -</programlisting>
+      </listitem>
     </itemizedlist>
 
     <para><emphasis role="bold">If your version of Shorewall doesn't have the
@@ -288,6 +308,12 @@ esac</programlisting><caution>
             <entry>save</entry>
           </row>
 
+          <row>
+            <entry>scfilter</entry>
+
+            <entry>show connections</entry>
+          </row>
+
           <row>
             <entry>start</entry>
 
@@ -512,6 +538,12 @@ esac</programlisting><caution>
 
                 <entry>restored</entry>
               </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>scfilter</entry>
+              </row>
             </tbody>
           </tgroup>
         </informaltable></para>

docs/upgrade_issues.xml

@@ -285,7 +285,7 @@
           </listitem>
 
           <listitem>
-            <para>Explicitly set LOG_MARTIONS=No to maintain compatibility
+            <para>Explicitly set LOG_MARTIANS=No to maintain compatibility
             with prior versions of Shorewall.</para>
           </listitem>
         </orderedlist>

manpages/shorewall-accounting.xml

@@ -481,7 +481,7 @@
     </ulink></para>
 
     <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-actions.xml

@@ -50,7 +50,7 @@
     url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-blacklist.xml

@@ -168,7 +168,7 @@
     url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-ecn.xml

@@ -64,7 +64,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-exclusion.xml

@@ -84,6 +84,31 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
         net ACCEPT rule.</para>
       </blockquote>
     </warning>
+
+    <para>In most contexts, ipset names can be used as an
+    <replaceable>address-or-range</replaceable>. Beginning with Shorewall
+    4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
+    url="shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
+    of these lists when used in an exclusion are as follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>!+[<replaceable>set1</replaceable>,<replaceable>set2</replaceable>,...<replaceable>setN</replaceable>]
+        produces a packet match if the packet does not match at least one of
+        the sets. In other words, it is like NOT match
+        <replaceable>set1</replaceable> OR NOT match
+        <replaceable>set2</replaceable> ... OR NOT match
+        <replaceable>setN</replaceable>.</para>
+      </listitem>
+
+      <listitem>
+        <para>+[!<replaceable>set1</replaceable>,!<replaceable>set2</replaceable>,...!<replaceable>setN</replaceable>]
+        produces a packet match if the packet does not match any of the sets.
+        In other words, it is like NOT match <replaceable>set1</replaceable>
+        AND NOT match <replaceable>set2</replaceable> ... AND NOT match
+        <replaceable>setN</replaceable>.</para>
+      </listitem>
+    </itemizedlist>
   </refsect1>
 
   <refsect1>
@@ -151,12 +176,13 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-hosts.xml

@@ -263,7 +263,7 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-init.xml

@@ -163,7 +163,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-ipsets.xml

@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-ipsets</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>ipsets</refname>
+
+    <refpurpose>Specifying the name if an ipset in Shorewall configuration
+    files</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>+<replaceable>ipsetname</replaceable></command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>+<replaceable>ipsetname</replaceable>[<replaceable>flag</replaceable>,...]</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>+[ipsetname,...]</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Note: In the above syntax descriptions, the square brackets ("[]")
+    are to be taken literally rather than as meta-characters.</para>
+
+    <para>In most places where a network address may be entered, an ipset may
+    be substituted. Set names must be prefixed by the character "+", must
+    start with a letter and may be composed of alphanumeric characters, "-"
+    and "_".</para>
+
+    <para>Whether the set is matched against the packet source or destination
+    is determined by which column the set name appears (SOURCE or DEST). For
+    those set types that specify a tupple, two alternative syntaxes are
+    available:</para>
+
+    <simplelist>
+      <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
+      'dst' should repleated number times. Example: myset[2].</member>
+
+      <member>[<replaceable>flag</replaceable>,...] where
+      <replaceable>flag</replaceable> is <option>src</option> or
+      <option>dst</option>. Example: myset[src,dst].</member>
+    </simplelist>
+
+    <para>In a SOURCE column, the following pairs are equivalent:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>+myset[2] and +myset[src,src]</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>In a DEST column, the following paris are equivalent:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>+myset[2] and +myset[dst,dst]</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.4.14, multiple source or destination
+    matches may be specified by enclosing the set names within +[...]. The set
+    names need not be prefixed with '+'. For information about set lists and
+    exclusion, see <ulink
+    url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <para>+myset</para>
+
+    <para>+myset[src]</para>
+
+    <para>+myset[2]</para>
+
+    <para>+[myset1,myset2[dst]]</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/accounting</para>
+
+    <para>/etc/shorewall/blacklist</para>
+
+    <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
+    <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
+    <para>/etc/shorewall/masq</para>
+
+    <para>/etc/shorewall/rules</para>
+
+    <para>/etc/shorewall/secmarks</para>
+
+    <para>/etc/shorewall/tcrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-maclist.xml

@@ -102,7 +102,7 @@
     url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-masq.xml

@@ -565,7 +565,7 @@
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall-interfaces(5), shorewall-maclist(5), shorewall-nat(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),

manpages/shorewall-modules.xml

@@ -86,7 +86,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-nat.xml

@@ -138,7 +138,7 @@
     url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-nesting.xml

@@ -204,7 +204,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-netmap.xml

@@ -114,7 +114,7 @@
     url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-notrack.xml

@@ -147,7 +147,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-params.xml

@@ -128,7 +128,7 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
     url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-policy.xml

@@ -313,7 +313,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-providers.xml

@@ -340,7 +340,7 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-proxyarp.xml

@@ -132,7 +132,7 @@
     url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-route_rules(5),

manpages/shorewall-route_rules.xml

@@ -165,7 +165,7 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5),

manpages/shorewall-routestopped.xml

@@ -200,7 +200,7 @@
     url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-rules.xml

@@ -1370,7 +1370,7 @@
     url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-secmarks.xml

@@ -23,6 +23,14 @@
   <refsect1>
     <title>Description</title>
 
+    <important>
+      <para>Unlike rules in the <ulink
+      url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      of rules in this file will continue after a match. So the final secmark
+      for each packet will be the one assigned by the LAST rule that
+      matches.</para>
+    </important>
+
     <para>The secmarks file is used to associate an SELinux context with
     packets. It was added in Shorewall version 4.4.13.</para>
 
@@ -376,12 +384,13 @@ RESTORE                               I:ER</programlisting>
     url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tcclasses.xml

@@ -500,7 +500,7 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcdevices.xml

@@ -219,7 +219,7 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcfilters.xml

@@ -204,7 +204,7 @@
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcinterfaces.xml

@@ -203,7 +203,7 @@
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcpri.xml

@@ -149,7 +149,7 @@
 
     <para>PRIO(8), shorewall(8), shorewall-accounting(5),
     shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
-    shorewall-interfaces(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
     shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
     shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),

manpages/shorewall-tcrules.xml

@@ -805,7 +805,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),