Document VERBOSITY fix.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/shorewall.conf

@@ -126,18 +126,12 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
-PKTTYPE=Yes
-
 NULL_ROUTE_RFC1918=No
 
 MACLIST_TABLE=filter
@@ -196,7 +190,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=Yes
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=Yes
 

Samples/one-interface/shorewall.conf

@@ -137,14 +137,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -165,8 +161,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -207,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples/three-interfaces/shorewall.conf

@@ -137,14 +137,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -165,8 +161,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -207,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples/two-interfaces/shorewall.conf

@@ -144,14 +144,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -172,8 +168,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -214,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples6/Universal/shorewall6.conf

@@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=Yes
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=Yes
 

Samples6/one-interface/shorewall6.conf

@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples6/three-interfaces/shorewall6.conf

@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Samples6/two-interfaces/shorewall6.conf

@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -285,11 +285,8 @@ fi
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-init
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
+	    
+	    update-rc.d shorewall-init defaults
 
 	    echo "Shorewall Init will start automatically at boot"
 	else

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.13
-%define release 1
+%define version 4.4.14
+%define release 0base
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,10 +99,18 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall-lite/init.debian.sh

@@ -17,10 +17,9 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
-[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
-
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -355,6 +355,8 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
 
+	    update-rc.d shorewall-lite defaults
+
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-lite
 	    else

Shorewall-lite/shorewall-lite

@@ -94,9 +94,9 @@ get_config() {
     [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread | tac"
+	g_logread="logread | tac"
     elif [ -r $LOGFILE ]; then
-	LOGREAD="tac $LOGFILE"
+	g_logread="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -145,6 +145,12 @@ get_config() {
 
     [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
+    fi
+
     g_hostname=$(hostname 2> /dev/null)
 
     IP=$(mywhich ip 2> /dev/null)
@@ -463,6 +469,7 @@ g_use_verbosity=
 g_noroutes=
 g_timestamp=
 g_recovering=
+g_logread=
 
 finished=0
 

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.13
-%define release 1
+%define version 4.4.14
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,10 +102,18 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.13';
+our $VERSION = '4.4.14';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -224,7 +224,7 @@ sub process_accounting_rule( ) {
 
 sub setup_accounting() {
 
-    my $fn = open_file 'accounting';
+    if ( my $fn = open_file 'accounting' ) {
 
 	first_entry "$doing $fn...";
 
@@ -265,7 +265,7 @@ sub setup_accounting() {
 	for ( accounting_chainrefs ) {
 	    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
 	}
-
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Chains.pm

@@ -243,6 +243,9 @@ our $section;
 
 our $comment;
 
+#
+# Target Types
+#
 use constant { STANDARD => 1,              #defined by Netfilter
 	       NATRULE  => 2,              #Involves NAT
 	       BUILTIN  => 4,              #A built-in action
@@ -256,7 +259,9 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       CHAIN    => 1024,           #Manual Chain
 	       SET      => 2048.           #SET
 	   };
-
+#
+# Valid Targets -- value is a combination of one or more of the above
+#
 our %targets;
 #
 # expand_rule() restrictions
@@ -267,7 +272,7 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       OUTPUT_RESTRICT     => 8,   # OUTPUT chain rule      - -i not allowed
 	       POSTROUTE_RESTRICT  => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
-	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface
+	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };
 
 our $iprangematch;
@@ -276,7 +281,6 @@ our $idiotcount;
 our $idiotcount1;
 our $warningcount;
 our $hashlimitset;
-
 our $global_variables;
 
 #
@@ -285,7 +289,7 @@ our $global_variables;
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
 #
-# These hashes hold the shell code to set shell variables
+# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
 our %interfaceaddr;         # First interface address
 our %interfaceaddrs;        # All interface addresses
@@ -301,14 +305,16 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);
 
 #
-# Mode of the emitter.
+# Mode of the emitter (part of this module that converts rules in the chain table into iptables-restore input)
 #
 use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
 	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
 	       CMD_MODE  => 2 };  # Emitting shell commands.
 
 our $mode;
-
+#
+# Address Family
+#
 our $family;
 
 #
@@ -369,7 +375,7 @@ sub initialize( $ ) {
     #
     $chainseq = 0;
     #
-    # Used to suppress duplicate match specifications.
+    # Used to suppress duplicate match specifications for old iptables binaries.
     #
     $iprangematch = 0;
     #
@@ -717,6 +723,8 @@ sub move_rules( $$ ) {
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
 	my $blacklist = $chain2->{blacklist};
+
+	assert( ! $chain1->{blacklist} );
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -735,11 +743,15 @@ sub move_rules( $$ ) {
 
 	$chain2->{referenced} = 1;
 
-	unless ( $chain2->{blacklist} += $chain1->{blacklist} ) {
 	#
 	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 	# This hack avoids that.
 	#
+	if ( $blacklist ) {
+	    my $rule = shift @{$rules};
+	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
+	    unshift @{$rules}, $rule;
+	} else {
 	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
 	}
 
@@ -1745,15 +1757,10 @@ sub check_optimization( $ ) {
 #
 # Perform Optimization
 #
-sub optimize_ruleset() {
-    for my $table ( qw/raw mangle nat filter/ ) {
-
-	next if $family == F_IPV6 && $table eq 'nat';
-
+sub optimize_level4( $$ ) {
+    my ( $table, $tableref ) = @_;
     my $progress = 1;
     my $passes   = 0;
-
-	if ( $config{OPTIMIZE} & 4 ) {
     #
     # Make repeated passes through each table looking for short chains (those with less than 2 entries)
     #
@@ -1768,7 +1775,12 @@ sub optimize_ruleset() {
 	$progress = 0;
 	$passes++;
 
-		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
+	my @chains  = grep $_->{referenced}, values %$tableref;
+	my $chains  = @chains; 
+	
+	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
+
+	for my $chainref ( @chains ) {
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
@@ -1861,13 +1873,18 @@ sub optimize_ruleset() {
 	$progress = 0;
 	$passes++;
 
-		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
+	my @chains  = grep $_->{referenced}, values %$tableref;
+	my $chains  = @chains; 
+	
+	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b...";
+
+	for my $chainref ( @chains ) {
 	    my $lastrule = $chainref->{rules}[-1];
 
 	    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
 		#
 		# Last rule is a simple branch
-			my $targetref = $chain_table{$table}{$1};
+		my $targetref = $tableref->{$1};
 
 		if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
 		    copy_rules( $targetref, $chainref );
@@ -1876,32 +1893,62 @@ sub optimize_ruleset() {
 	    }
 	}
     }
-	}
 
-	if ( $config{OPTIMIZE} & 8 ) {
-	    #
-	    # Now delete duplicate chains
-	    #
+    $passes;
+}
+
+#
+# Delete duplicate chains replacing their references
+#
+sub optimize_level8( $$$ ) {
+    my ( $table, $tableref , $passes ) = @_;
+    my $progress = 1;
+    my @chains   = ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+    my @chains1  = @chains;
+    my $chains   = @chains;
+
     $passes++;
     
-	    for my $chainref ( grep $_->{referenced} && ! $_->{builtin}, values %{$chain_table{$table}} ) {
+    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
+	    
+    for my $chainref ( @chains ) {
 	my $rules    = $chainref->{rules};
-		next if not @$rules;
+	my $numrules = @$rules;
+	#
+	# Shift the current $chainref off of @chains1
+	#
+	shift @chains1;
+	#
+	# Skip empty chains
+	#
+	next if not $numrules;	
       CHAIN:
-		for my $chainref1 ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-		    next if $chainref eq $chainref1;
+	for my $chainref1 ( @chains1 ) {
 	    my $rules1 = $chainref1->{rules};
-		    next if @$rules != @$rules1;
+	    next if @$rules1 != $numrules;
 	    next if $chainref1->{dont_delete};
 
-		    for ( my $i = 0; $i <= $#$rules; $i++ ) {
+	    for ( my $i = 0; $i < $numrules; $i++ ) {
 		next CHAIN unless $rules->[$i] eq $rules1->[$i];
 	    }
 
 	    replace_references1 $chainref1, $chainref->{name}, '';
 	}
     }
-	}
+
+    $passes;
+}
+
+sub optimize_ruleset() {
+    for my $table ( qw/raw mangle nat filter/ ) {
+
+	next if $family == F_IPV6 && $table eq 'nat';
+
+	my $tableref = $chain_table{$table};
+	my $passes   = 0;
+
+	$passes =  optimize_level4( $table, $tableref )           if $config{OPTIMIZE} & 4;
+	$passes =  optimize_level8( $table, $tableref , $passes ) if $config{OPTIMIZE} & 8;
 
 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
@@ -2566,6 +2613,8 @@ sub get_set_flags( $$ ) {
     have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
 }
 
+sub mysplit( $ );
+
 #
 # Match a Source.
 #
@@ -2586,6 +2635,18 @@ sub match_source_net( $;$ ) {
     } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	my $result = '';
+	my @sets = mysplit $1;
+
+	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
+
+	for $net ( @sets ) {
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+	}
+
+	$result;
     } elsif ( $net =~ s/^!// ) {
 	validate_net $net, 1;
 	"! -s $net ";
@@ -2610,6 +2671,18 @@ sub match_dest_net( $ ) {
     } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
+    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	my $result = '';
+	my @sets = mysplit $1;
+
+	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
+
+	for $net ( @sets ) {
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
+	}
+
+	$result;
     } elsif ( $net =~ /^!/ ) {
 	$net =~ s/!//;
 	validate_net $net, 1;
@@ -2857,7 +2930,7 @@ sub addnatjump( $$$ ) {
 
 #
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
-# where an element of the list might be +ipset[binding].
+# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
 sub mysplit( $ ) {
     my @input = split_list $_[0], 'host';
@@ -2870,12 +2943,12 @@ sub mysplit( $ ) {
 	my $element = shift @input;
 
 	if ( $element =~ /\[/ ) {
-	    while ( substr( $element, -1, 1 ) ne ']' ) {
-		last unless @input;
+	    while ( $element =~ tr/[/[/ > $element =~ tr/]/]/ ) {
+		fatal_error "Missing ']' ($element)" unless @input;
 		$element .= ( ',' . shift @input );
 	    }
 
-	    fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
+	    fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
 	}
 
 	push @result, $element;
@@ -3180,7 +3253,6 @@ sub have_global_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-
 sub set_global_variables( $ ) {
 
     my $setall = shift;
@@ -3206,6 +3278,84 @@ sub set_global_variables( $ ) {
     }
 }
 
+#
+# Issue an invalid list error message
+#
+sub invalid_network_list ( $$ ) {
+    my ( $srcdst, $list ) = @_;
+    fatal_error "Invalid $srcdst network list ($list)";
+}
+
+#
+# Split a network element into the net part and exclusion part (if any)
+#
+sub split_network( $$$ ) {
+    my ( $input, $srcdst, $list ) = @_;
+
+    my @input = split '!', $input;
+    my @result;
+
+    if ( $input =~ /\[/ ) {
+	while ( @input ) {
+	    my $element = shift @input;
+
+	    if ( $element =~ /\[/ ) {
+		my $openbrackets;
+
+		while ( ( $openbrackets = ( $element =~ tr/[/[/ ) ) > $element =~ tr/]/]/ ) {
+		    fatal_error "Missing ']' ($element)" unless @input;
+		    $element .= ( '!' . shift @input );
+		}
+
+		fatal_error "Mismatched [...] ($element)" unless $openbrackets == $element =~ tr/]/]/;
+	    }
+
+	    push @result, $element;
+	}
+    } else {
+	@result = @input;
+    }
+
+    invalid_network_list( $srcdst, $list ) if @result > 2;
+	
+    @result;
+}
+
+#
+# Handle SOURCE or DEST network list, including exclusion
+#
+sub handle_network_list( $$ ) {
+    my ( $list, $srcdst ) = @_;
+
+    my $nets = '';
+    my $excl = '';
+	
+    my @nets = mysplit $list;
+
+    for ( @nets ) {
+	if ( /!/ ) {
+	    if ( /^!(.*)$/ ) {
+		invalid_network_list( $srcdst, $list) if ( $nets || $excl );
+		$excl = $1;
+	    } else {
+		my ( $temp1, $temp2 ) = split_network $_, $srcdst, $list;
+		$nets = $nets ? join(',', $nets, $temp1 ) : $temp1;
+		if ( $temp2 ) {
+		    invalid_network_list( $srcdst, $list) if $excl;
+		    $excl = $temp2;
+		}
+	    }
+	} elsif ( $excl ) {
+	    $excl .= ",$_";
+	} else {
+	    $nets = $nets ? join(',', $nets, $_ ) : $_;
+	}	    
+    }
+
+    ( $nets, $excl );
+
+}
+
 ################################################################################################################
 #
 # This function provides a uniform way to generate Netfilter[6] rules (something the original Shorewall
@@ -3491,23 +3641,15 @@ sub expand_rule( $$$$$$$$$$;$ )
     # Determine if there is Source Exclusion
     #
     if ( $inets ) {
-	fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
+	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
 
-	if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
-	    $inets = $1;
-	    $iexcl = $2;
-	} else {
-	    $iexcl = '';
-	}
-
-	unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
+	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
 	    my @iexcl = mysplit $iexcl;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
 		$trivialiexcl = 1;
 	    }
-
 	}
     } else {
 	$iexcl = '';
@@ -3517,16 +3659,9 @@ sub expand_rule( $$$$$$$$$$;$ )
     # Determine if there is Destination Exclusion
     #
     if ( $dnets ) {
-	fatal_error "Invalid DEST" if  $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
+	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
 
-	if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
-	    $dnets = $1;
-	    $dexcl = $2;
-	} else {
-	    $dexcl = '';
-	}
-
-	unless ( $dnets ) {
+	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
 	    my @dexcl = mysplit $dexcl;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl";

Shorewall/Perl/Shorewall/Config.pm

@@ -132,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -347,7 +347,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13.1",
+		    VERSION => "4.4.14",
 		    CAPVERSION => 40413 ,
 		  );
 
@@ -1475,11 +1475,12 @@ sub split_list1( $$ ) {
 
 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
+	    s/\(//;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
+		s/\)//;
 		push @list2 , $_;
 	    } else {
-		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
@@ -1576,7 +1577,12 @@ sub open_file( $ ) {
 
     assert( ! defined $currentfile );
 
-    -f $fname && -s _ ? do_open_file $fname : '';
+    if ( -f $fname && -s _ ) {
+	$first_entry = 0;
+	do_open_file $fname;;
+    } else {
+	'';
+    }
 }
 
 #
@@ -3272,13 +3278,17 @@ sub propagateconfig() {
 # Add a shell script file to the output script -- Return true if the
 # file exists and is not in /usr/share/shorewall/ and is non-empty.
 #
-sub append_file( $;$ ) {
-    my $user_exit = find_file $_[0];
+sub append_file( $;$$ ) {
+    my ( $file, $nomsg, $unindented ) = @_;
+    my $user_exit = find_file $file;
     my $result = 0;
+    my $save_indent = $indent;
+    
+    $indent = '' if $unindented;
 
     unless ( $user_exit =~ /^($globals{SHAREDIR})/ ) {
 	if ( -f $user_exit ) {
-	    if ( $_[1] ) {
+	    if ( $nomsg ) {
 		#
 		# Suppress progress message
 		#
@@ -3294,6 +3304,8 @@ sub append_file( $;$ ) {
 	}
     }
 
+    $indent = $save_indent;
+
     $result;
 }
 
@@ -3415,8 +3427,29 @@ sub generate_aux_config() {
 
     conditionally_add_option1 'TC_ENABLED';
 
-    finalize_aux_config;
+    my $fn = find_file 'scfilter';
 
+    if ( -f $fn ) {
+	emit( '',
+	      'show_connections_filter() {' );
+	push_indent;
+	append_file( $fn,1 ) or emit 'cat -';
+	pop_indent;
+	emit '}';
+    }
+
+    $fn = find_file 'dumpfilter';
+
+    if ( -f $fn ) {
+	emit( '',
+	      'dump_filter() {' );
+	push_indent;
+	append_file( $fn,1 ) or emit 'cat -';
+	pop_indent;
+	emit '}';
+    }
+
+    finalize_aux_config;
 }
 
 END {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -184,7 +184,16 @@ sub validate_4net( $$ ) {
     $net = '' unless defined $net;
 
     fatal_error "Missing address" if $net eq '';
-    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
+
+    if ( $net =~ /\+(\[?)/ ) {
+	if ( $1 ) {
+	    fatal_error "An ipset list ($net) is not allowed in this context";
+	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
+	    fatal_error "An ipset name ($net) is not allowed in this context";
+	} else {
+	    fatal_error "Invalid ipset name ($net)";
+	}
+    }
 
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -540,7 +549,15 @@ sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
     my $allow_name = $_[1];
 
-    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
+    if ( $net =~ /\+(\[?)/ ) {
+	if ( $1 ) {
+	    fatal_error "An ipset list ($net) is not allowed in this context";
+	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
+	    fatal_error "An ipset name ($net) is not allowed in this context";
+	} else {
+	    fatal_error "Invalid ipset name ($net)";
+	}
+    }
 
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -262,14 +262,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    my $fn = open_file 'masq';
+    if ( my $fn = open_file 'masq' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
 	process_one_masq while read_a_line;
 
 	clear_comment;
-
+    }
 }
 
 #
@@ -359,7 +359,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    my $fn = open_file 'nat';
+    if ( my $fn = open_file 'nat' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
@@ -381,10 +381,10 @@ sub setup_nat() {
 
 		progress_message "   NAT entry \"$currentline\" $done";
 	    }
-
 	}
 
 	clear_comment;
+    }
 }
 
 #
@@ -392,7 +392,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    my $fn = open_file 'netmap';
+    if ( my $fn = open_file 'netmap' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
 
@@ -428,6 +428,9 @@ sub setup_netmap() {
 	    }
 	}
 
+	clear_comment;
+    }
+
 }
 
 sub add_addresses () {

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_14';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -345,11 +345,12 @@ sub validate_policy()
 	}
     }
 
-    my $fn = open_file 'policy';
-
+    if ( my $fn = open_file 'policy' ) {
 	first_entry "$doing $fn...";
-
 	process_a_policy while read_a_line;
+    } else {
+	fatal_error q(The 'policy' file does not exist or has zero size);
+    }
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -757,7 +757,7 @@ sub setup_providers() {
 
     $lastmark = 0;
 
-    my $fn = open_file 'providers';
+    if ( my $fn = open_file 'providers' ) {
 
 	first_entry sub() {
 	    progress_message2 "$doing $fn...";
@@ -766,6 +766,7 @@ sub setup_providers() {
 	    start_providers; };
  
 	add_a_provider, $providers++ while read_a_line;
+    }
 
     if ( $providers ) {
 	finish_providers;

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # Notrack
@@ -76,7 +76,7 @@ sub process_notrack_rule( $$$$$$ ) {
 
 sub setup_notrack() {
 
-    my $fn = open_file 'notrack';
+    if ( my $fn = open_file 'notrack' ) {
 
 	first_entry "$doing $fn...";
 
@@ -94,6 +94,7 @@ sub setup_notrack() {
 	}
 
 	clear_comment;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Rules.pm

@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 our $macro_nest_level;
 our $current_param;
@@ -322,10 +322,9 @@ sub setup_blacklist() {
 
 sub process_routestopped() {
 
+    if ( my $fn = open_file 'routestopped' ) {
 	my ( @allhosts, %source, %dest , %notrack, @rule );
 
-    my $fn = open_file 'routestopped';
-
 	my $seq = 0;
 
 	first_entry "$doing $fn...";
@@ -354,6 +353,7 @@ sub process_routestopped() {
 		push @rule, $rule;
 	    }
 
+
 	    unless ( $options eq '-' ) {
 		for my $option (split /,/, $options ) {
 		    if ( $option eq 'routeback' ) {
@@ -437,6 +437,7 @@ sub process_routestopped() {
 		}
 	    }
 	}
+    }
 }
 
 sub setup_mss();
@@ -759,7 +760,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
 
-	my $fn = open_file 'maclist';
+	if ( my $fn = open_file 'maclist' ) {
 
 	    first_entry "$doing $fn...";
 
@@ -807,6 +808,7 @@ sub setup_mac_lists( $ ) {
 	    }
 
 	    clear_comment;
+	}
 	#
 	# Generate jumps from the input and forward chains
 	#
@@ -1134,7 +1136,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$dest = $2;
     } elsif ( $dest =~ /.*\..*\./ ) {
 	#
-	# Appears to be an address
+	# Appears to be an IPv4 address (no NAT in IPv6)
 	#
 	$destzone = '-';
     } else {
@@ -1256,7 +1258,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
     #
     if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
-	my $randomize = $dest =~ s/:random$// ? '--random ' : '';
+	my $randomize = $dest =~ s/:random$// ? ' --random' : '';
 
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
@@ -1307,8 +1309,8 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target  = 'REDIRECT ';
-	    $target .= "--to-port $serverport " if $serverport;
+	    $target  = 'REDIRECT';
+	    $target .= " --to-port $serverport" if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
 	    } elsif ( $origdest eq 'detect' ) {
@@ -1331,14 +1333,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 
 	    if ( $action eq 'DNAT' ) {
-		$target = 'DNAT ';
+		$target = 'DNAT';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
-			$target .= "--to-destination ${serv}${serverport} ";
+			$target .= " --to-destination ${serv}${serverport}";
 		    }
 		} else {
-		    $target .= "--to-destination :$serverport ";
+		    $target .= " --to-destination :$serverport";
 		}
 	    }
 
@@ -1653,11 +1655,15 @@ sub process_rules() {
 
     my $fn = open_file 'rules';
 
+    if ( $fn ) {
+
 	first_entry "$doing $fn...";
 
 	process_rule while read_a_line;
 
 	clear_comment;
+    }
+
     $section = 'DONE';
 }
 
@@ -1739,7 +1745,7 @@ sub generate_source_rules( $$$$ ) {
 }
 
 #
-# Loopback traffic -- this is where we assemble the intra-firewall traffic routing
+# Loopback traffic -- this is where we assemble the intra-firewall chains
 #
 sub handle_loopback_traffic() {
     my @zones   = ( vserver_zones, firewall_zone );
@@ -1860,15 +1866,33 @@ sub generate_matrix() {
     our %forward_jump_added = ();
 
     progress_message2 'Generating Rule Matrix...';
+    progress_message  '  Handling blacklisting and complex zones...';
     #
-    # Special processing for complex and blacklisting configurations
+    # Special processing for complex and/or blacklisting configurations
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	#
+	# Handle blacklisting first
+	#
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
 	    add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
+
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
+		    }
+		}
+	    }
 	}
 
 	if ( $zoneref->{options}{out}{blacklist} ) {
@@ -1879,13 +1903,13 @@ sub generate_matrix() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
 
-		if ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) {
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 		    add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
 		}
 	    }
 	}
 
-	next if @zones <= 2 && ! $zoneref->{options}{complex};
+	next if $simple;
 
 	#
 	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
@@ -1939,6 +1963,8 @@ sub generate_matrix() {
     #
     # Main source-zone matrix-generation loop
     #
+    progress_message '  Entering main matrix-generation loop...';
+
     for my $zone ( @zones ) {
 	my $zoneref          = find_zone( $zone );
 	my $source_hosts_ref = $zoneref->{hosts};
@@ -2287,6 +2313,8 @@ sub generate_matrix() {
 	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
     }
 
+    progress_message '  Finishing matrix...';
+
     add_interface_jumps @interfaces unless $interface_jumps_added;
 
     promote_blacklist_rules;

Shorewall/Perl/Shorewall/Tc.pm

@@ -1365,7 +1365,7 @@ sub setup_traffic_shaping() {
 	my $tcref    = $tcclasses{$device}{$decimalclassnum};
 	my $mark     = $tcref->{mark};
 	my $devicenumber  = in_hexp $devref->{number};
-	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
+	my $classid  = join( ':', $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
 
@@ -1390,15 +1390,15 @@ sub setup_traffic_shaping() {
 	emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
 
 	if ( $devref->{qdisc} eq 'htb' ) {
-	    emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
+	    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 	} else {
 	    my $dmax = $tcref->{dmax};
 
 	    if ( $dmax ) {
 		my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
 	    } else {
-		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
 	    }
 	}
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -277,7 +277,7 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    my $fn = open_file 'tunnels';
+    if ( my $fn = open_file 'tunnels' ) {
 
 	first_entry "$doing $fn...";
 
@@ -293,6 +293,7 @@ sub setup_tunnels() {
 	}
 
 	clear_comment;
+    }
 }
 
 1;

Shorewall/Perl/Shorewall/Zones.pm

@@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 
 #
 # IPSEC Option types
@@ -296,7 +296,7 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$)
+sub parse_zone_option_list($$\$)
 {
     my %validoptions = ( mss          => NUMERIC,
 			 blacklist    => NOTHING,
@@ -310,13 +310,13 @@ sub parse_zone_option_list($$)
 			 "tunnel-dst" => NETWORK,
 		       );
 
-    use constant { UNRESTRICTED => 1, NOFW => 2 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
     #
     # Hash of options that have their own key in the returned hash.
     #
-    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
 
-    my ( $list, $zonetype ) = @_;
+    my ( $list, $zonetype, $complexref ) = @_;
     my %h;
     my $options = '';
     my $fmt;
@@ -346,14 +346,18 @@ sub parse_zone_option_list($$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }
 
-	    if ( $key{$e} ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+	    my $key = $key{$e};
+
+	    if ( $key ) {
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
+		$$complexref = 1;
 	    }
 	}
     }
@@ -439,13 +443,15 @@ sub process_zone( \$ ) {
 	}
     }
 
+    my $complex = 0;
+
     my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-						    in      => parse_zone_option_list( $in_options || '', $type ) ,
-						    out     => parse_zone_option_list( $out_options || '', $type ) ,
-						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
+						    complex => ( $type == IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -475,11 +481,12 @@ sub determine_zones()
     my @z;
     my $ip = 0;
 
-    my $fn = open_file 'zones';
-
+    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-
 	push @z, process_zone( $ip ) while read_a_line;
+    } else {
+	fatal_error q(The 'zones' file does not exist or has zero size);
+    }
 
     fatal_error "No firewall zone defined" unless $firewall_zone;
     fatal_error "No IP zones defined" unless $ip;
@@ -1103,15 +1110,15 @@ sub process_interface( $$ ) {
 sub validate_interfaces_file( $ ) {
     my $export = shift;
     
-    my $fn = open_file 'interfaces';
-
     my @ifaces;
-
     my $nextinum = 1;
 
+    if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+    } else {
+	fatal_error q(The 'interfaces' file does not exist or has zero size);
+    }
 
     #
     # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1667,7 +1674,13 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
+	    if ( $hosts =~ /^\+/ ) {
+		$zoneref->{options}{complex} = 1;
+		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
+	    }
+
 	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
@@ -1762,11 +1775,10 @@ sub validate_hosts_file()
 {
     my $ipsec = 0;
 
-    my $fn = open_file 'hosts';
-
+    if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-
 	$ipsec |= process_host while read_a_line;
+    }
 
     $have_ipsec = $ipsec || haveipseczones;
 

Shorewall/Perl/prog.footer6

@@ -17,6 +17,19 @@ usage() {
     echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
+    else
+	return 0
+    fi
+}
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -155,12 +168,8 @@ done
 
 COMMAND="$1"
 
-kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-    status=2
-else
-    case "$COMMAND" in
+
+case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
@@ -168,27 +177,32 @@ else
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
+	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
 		progress_message3 "done."
 	    fi
+	fi
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
+	fi
 	;;
     reset)
 	if ! shorewall6_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	    elif [ $# -eq 1 ]; then
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
@@ -211,6 +225,7 @@ else
 		    fi
 		done
 	    fi
+	fi
 	;;
     restart)
 	[ $# -ne 1 ] && usage 2
@@ -222,6 +237,7 @@ else
 	    COMMAND=start
 	fi
 
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
@@ -229,15 +245,18 @@ else
  		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
             fi
 	    progress_message3 "done."
+	fi
 	;;
     refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
 	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
+	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -245,22 +264,26 @@ else
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
  		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
             fi
+	fi
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
+	if checkkernelversion; then
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
+	fi
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
@@ -306,7 +329,6 @@ else
     *)
 	usage 2
 	;;
-    esac
-fi
+esac
 
 exit $status

Shorewall/changelog.txt

@@ -1,8 +1,33 @@
-Changes in Shorewall 4.4.13.1
+Changes in Shorewall 4.4.14
 
-1)  Make log messages uniform.
+1)  Support ipset lists.
 
-2)  Fix blacklisting in simple configurations.
+2)  Use conntrack in 'shorewall connections'
+
+3)  Clean up Shorewall6 error messages when running on a kernel <
+    2.6.24
+
+4)  Clean up ipset related error reporting out of validate_net().
+
+5)  Dramatically reduce the amount of CPU time spent in optimization.
+
+6)  Add 'scfilter' script.
+
+7)  Fix -lite init scripts.
+
+8)  Clamp VERBOSITY to valid range.
+
+9)  Delete obsolete options from shorewall.conf.
+
+10) Change value of FORWARD_CLEAR_MARK in *.conf.
+
+11) Use update-rc.d to install init symlinks.
+
+12) Fix split_list().
+
+13) Fix 10+ TC Interfaces.
+
+14) Insure that VERBOSITY=0 when interrogating compiled script's version
 
 Changes in Shorewall 4.4.13
 

Shorewall/configfiles/scfilter

@@ -0,0 +1,15 @@
+#! /bin/sh
+#
+# Shorewall version 4 - Show Connections Filter
+#
+# /etc/shorewall/scfilter
+#
+#	Replace the 'cat' command below to filter the output of
+#       'show connections. Unlike other extension scripts, this file
+#       must be executable before Shorewall will use it.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+cat -

Shorewall/configfiles/shorewall.conf

@@ -126,14 +126,10 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
-BRIDGING=No
-
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -154,8 +150,6 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
-USE_ACTIONS=Yes
-
 OPTIMIZE=0
 
 EXPORTPARAMS=Yes
@@ -196,7 +190,7 @@ LOAD_HELPERS_ONLY=No
 
 REQUIRE_INTERFACE=No
 
-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=
 
 COMPLETE=No
 

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -301,7 +301,7 @@ fi
 run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0744 configfiles/zones ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/etc/shorewall
     echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi
 
@@ -737,6 +737,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclear ]; then
     echo "Tcclear file installed as ${DESTDIR}/etc/shorewall/tcclear"
 fi
 #
+# Install the Scfilter file
+#
+run_install $OWNERSHIP -m 644 configfiles/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/scfilter ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/scfilter ${DESTDIR}/etc/shorewall
+    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall/scfilter"
+fi
+#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall/actions.std 0644
@@ -878,11 +887,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644
 
-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall
-	else
-	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
-	fi
+	update-rc.d shorewall defaults
 
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"

Shorewall/known_problems.txt

@@ -1,11 +1 @@
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
-
-2)  The date/time formatting in the STARTUP_LOG is not uniform.
-
-    Fixed in 4.4.13.1
-
-3)  The blacklisting change in 4.4.13 broke blacklisting in some simple
-    configurations with the effect that blacklisting was not enabled.
-
-    Fixed in 4.4.13.1
+There are no known problems in Shorewall 4.4.14

Shorewall/lib.cli

@@ -433,6 +433,36 @@ list_zone() {
     done
 }
 
+#
+# Show Filter - For Shorewall-lite, if there was an scfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+show_connections_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file scfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -520,15 +550,33 @@ show_command() {
 
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
+
     [ -n "$g_debugging" ] && set -x
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+	    if [ -d /proc/sys/net/netfilter/ ]; then
+		local count
+		local max
+		count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	    else
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	    fi
+
 	    echo
-	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+
+	    if qt mywhich conntrack ; then
+		conntrack -f ipv4 -L | show_connections_filter
+	    else
+		if [ -f /proc/net/ip_conntrack ]; then
+		    cat /proc/net/ip_conntrack | show_connections_filter
+		else
+		    grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+		fi
+	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
@@ -763,10 +811,40 @@ show_command() {
     esac
 }
 
+#
+# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+dump_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file dumpfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Dump Command Executor
 #
-dump_command() {
+do_dump_command() {
     local finished
     finished=0
 
@@ -912,6 +990,10 @@ dump_command() {
 	fi
 }
 
+dump_command() {
+    do_dump_command | dump_filter
+}
+
 #
 # Restore Comand Executor
 #

Shorewall/lib.common

@@ -34,6 +34,10 @@ get_script_version() { # $1 = script
     local version
     local ifs
     local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0
 
     temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
 
@@ -54,6 +58,8 @@ get_script_version() { # $1 = script
     fi
 
     echo $version
+
+    VERBOSITY="$verbosity"
 }
 
 #

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 3 . 1
+                      S H O R E W A L L  4 . 4 . 1 4
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -13,260 +13,152 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
   I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-4.4.13.1
-
 1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
 
 2)  The blacklisting change in 4.4.13 was broken in some simple
     configurations with the effect that blacklisting was not enabled.
 
-4.4.13
+3)  Previously, Shorewall6 produced an untidy sequence of error
+    messages when an attempt was made to start it on a system running a
+    kernel older than 2.6.24:
 
-1)  Under rare circumstances where COMMENT is used to attach comments
-    to rules, OPTIMIZE 8 through 15 could result in invalid
-    iptables-restore (ip6tables-restore) input.
+       [root@localhost shorewall6]# shorewall6 start
+       Compiling...
+       Processing /etc/shorewall6/shorewall6.conf...
+       Loading Modules...
+       Compiling /etc/shorewall6/zones...
+       ...
+       Shorewall configuration compiled to /var/lib/shorewall6/.start
+          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
+       /usr/share/shorewall6/lib.common: line 73:
+             [: -lt: unary operator expected
+          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
+       [root@localhost shorewall6]#
 
-2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
-    could result in invalid iptables-restore (ip6tables-restore) input.
+    This has been corrected so that a single ERROR message is
+    generated.
 
-3)  The change in 4.4.12 to detect and use the new ipset match syntax
-    broke the ability to detect the old ipset match capability. Now,
-    both versions of the capability can be correctly detected.
+4)  Previously, an ipset name appearing in the /etc/shorewall/hosts
+    file could be qualified with a list of 'src' and/or 'dst' enclosed
+    in quotes. This was virtually guaranteed not to work since the set
+    must match when used to verify both a packet source and a
+    packet destination. Now, the following error is raised:
 
-4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
-    if the last optional interface tested was not available.
+    	   ERROR: ipset name qualification is disallowed in this file
 
-5)  Exclusion in the blacklist file was correctly validated but was then
-    ignored when generating iptables (ip6tables) rules.
+    As part of this change, the ipset name is now verified to begin
+    with a letter and be composed of letters, digits, underscores ("_")
+    and hyphens ("-").
 
-6)  Previously, non-trivial exclusion (more than one excluded
-    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
-    valid but incorrect iptables input. This has been corrected but
-    requires that your iptables/kernel support marking rules in any
-    Netfilter table (CONTINUE in the tcrules file does not require this
-    support).
+5)  The Shorewall-lite and Shorewall6-lite Debian init scripts contained a
+    syntax error.
 
-    This fix implements a new 'Mark in any table' capability; those
-    who utilize a capabilities file should re-generate the file using
-    this release.
+6)  If the -v or -q options were used in /sbin/shorewall-lite or
+    /sbin/shorewall6-lite commands that involve the compiled firewall
+    script and the resulting effective VERBOSITY was > 2 or < -1, then
+    the command would fail.
 
-7)  Interface handling has been extensively modified in this release
-    to correct a number of problems with the earlier
-    implementation. Among those problems:
+7)  The log reading commands (show log, logwatch, and dump) returned no
+    log records when run on one of the -lite products.
 
-    - Invalid shell variable names could be generated in the firewall
-      script. The generated firewall script uses shell variables to
-      track the availability of optional and required interfaces and
-      to record detected gateways, detected addresses, etc.
+8)  To avoid future confusion, the following obsolete options have been
+    deleted from the sample shorewall.conf files:
 
-    - The same shell variable name could be generated by two different
-      interface names.
+    	    BRIDGING
+    	    DELAYBLACKLISTLOAD
+	    PKTTYPE
 
-    - Entries in the interfaces file with a wildcard physical name
-      (physical name ends with "+") and with the 'optional' option were
-      handled strangely.
+    They will still be recognized by the rules compiler.
 
-      o If there were references to specific interfaces that matched
-        the wildcard, those entries were handled as if they had been
-        defined as optional in the interfaces file.
+9)  All sample .conf files have been changed to specify
 
-      o If there were no references matching the wildcard, then the
-        'optional' option was effectively ignored. 
+    	FORWARD_CLEAR_MARK=
 
-    The new implementation:
+    rather than
 
-    - Insures valid shell variable names.
+    	FORWARD_CLEAR_MARK=Yes
 
-    - Insures that shell variable names are unique.
+    That way, systems without MARK support will still be able to
+    install the sample configurations and FORWARD_CLEAR_MARK will
+    default to Yes on systems with MARK support.
 
-    - Handles interface names appearing in the INTERFACE column of the
-      providers file as a special case for 'optional'. If the name
-      matches a wildcard entry in the interfaces file then the
-      usability of the specific interface is tracked individually. 
+10) The install scripts in the tarballs now correctly create init
+    symlinks on recent Ubuntu releases.
 
-    - Handles the availabilty of other interfaces matching a wildcard
-      as a group; if there is one useable interface in the group then
-      the wildcard itself is considered usable.
+11) Previously, this entry in the OPTIONS column of
+    /etc/shorewall/interfaces incorrectly generated a syntax error.
 
-      The following example illustrates this use case:
+    	nets=(1.2.3.0/24)
 
-      /etc/shorewall/interfaces
+    The error was:
 
-	net	ppp+	-	optional
+    	ERROR: Invalid VLSM (24))
 
-      /etc/shorewall/shorewall.conf
+12) Previously, if 10 or more interfaces were configured in Complex
+    Traffic Shaping (/etc/shorewall/tcdevices), the following
+    compilation diagnostic was generated:
 
-	REQUIRE_INTERFACE=Yes
+        Argument "a" isn't numeric in sprintf at
+	/usr/share/shorewall/Shorewall/Config.pm line 893.
  
-      If there is any usable PPP interface then the firewall will be
-      allowed to start. Previously, the firewall would never be allowed
-      to start.
+    and an invalid TC configuration was generated.
 
-8)  When a comma-separated list of 'src' and/or 'dst' was specified in
-    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
-    or 'dst' was previously ignored when generating the resulting
-    iptables rule.
-
-9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
-    generated invalid iptables (ip6tables) input. That target now
-    generates correct input.
-
-10) Ipsets associated with 'dynamic' zones were being created during
-    'restart' but not during 'start'.
-
-11) To work around an issue in Netfilter/iptables, Shorewall now uses
-    state match rather than conntrack match for UNTRACKED state
-    matching.
-
-12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
-    did not clear the raw table.
-
-13) An error message was incorrectly generated if a port range of the
-    form :<port> (e.g., :22) appeared.
-
-14) An error is now generated if '*' appears in an interface name.
+13) If the current environment exported the VERBOSITY variable with a
+    non-zero value, startup would fail.
 
 ----------------------------------------------------------------------------
            I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
 
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
+1)  On systems running Upstart, shorewall-init cannot reliably secure
+    the firewall before interfaces are brought up.
 
 ----------------------------------------------------------------------------
       I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-1)  Entries in the rules file (both Shorewall and Shorewall6) may now
-    contain zone lists in the SOURCE and DEST column. A zone list is a
-    comma-separated list of zone names where each name appears in the
-    zones file. A zone list may be optionally followed by a plus sign
-    ("+") to indicate that the rule should apply to intra-zone traffic
-    as well as to inter-zone traffic.
+1)  Multiple source or destination ipset matches can be generated by
+    enclosing the ipset list in +[...].
 
-    Zone lists behave like 'all' and 'any' with respect to Optimization
-    1. If the rule matches the applicable policy for a given (source
-    zone, dest zone), then the rule will be suppessed for that pair of
-    zones unless overridden by the '!' suffix on the target in the
-    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+    Example (/etc/shorewall/rules):
 
-    Additionally, 'any', 'all' and zone lists may be qualified in the
-    same way as a single zone.
+        ACCEPT $FW net:+[dest-ip-map,dest-port-map]
 
-    Examples:
+2)  Shorewall now uses the 'conntrack' utility for 'show connections'
+    if that utility is installed. Going forward, the Netfilter team
+    will be enhancing this interface rather than the /proc interface.
 
-	fw,dmz:90.90.191.120/29
-	all:+blacklist
+3)  The CPU time required for optimization has been reduced by 2/3.
 
-    The 'all' and 'any' keywords now support exclusion in the form of a
-    comma-separated list of excluded zones.
+4)  An 'scfilter' extension script has been added. This extension
+    script differs from other such scripts in that it is invoked by the
+    command line tools (/sbin/shorewall, /sbin/shorewall6,
+    /sbin/shorewall-lite and /sbin/shorewall6-lite).
 
-    Examples: 
+    The script acts as a filter for the output of the 'show
+    connections' command. Each connection is piped through the filter
+    which can modify and/or drop information as desired.
 
-    	     all!fw         (same as all-).
-	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
-	     		     include intra-zone rules).
+    Example:
 
-2)  An IPSEC column has been added to the accounting file, allowing you
-    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
-    shorewall-accounting' (man shorewall6-accounting) for details.
+	#!/bin/sh
+ 	sed 's/secmark=0 //'
 
-    With this change, there are now three trees of accounting chains:
+    That script will remove 'secmark=0 ' from each line.
 
-    - The one rooted in the 'accounting' chain.
-    - The one rooted in the 'accipsecin' chain. This tree handles
-      traffic that has been decrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the DEST column.
-    - The one rooted in the 'accipsecout' chain. This tree handles
-      traffic that will be encrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the SOURCE column.
+    The default script is:
 
-    In reality, when there are bridges defined in the configuration,
-    there is a fourth tree rooted in the 'accountout' chain. That chain
-    handles traffic that originates on the firewall (both IPSEC and
-    non-IPSEC).
+    	#!/bin/sh
+	cat -
 
-    This change also implements a couple of new warnings:
+    which passes the output through unmodified.
 
-    - WARNING: Adding rule to unreferenced accounting chain <name>
-
-      The first reference to user-defined accounting chain <name> is
-      not a JUMP or COUNT from an already-defined chain.
-
-    - WARNING: Accounting chain <name> has o references
-
-      The named chain contains accounting rules but no JUMP or COUNT
-      specifies that chain as the target.
-
-3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
-    manipulating the SELinux context of packets.
-
-    See the shorewall-secmarks and shorewall6-secmarks manpages for
-    details.
-
-    As part of this change, the tcrules file now accepts $FW in the
-    DEST column for marking packets in the INPUT chain.
-
-4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
-
-    a) Blacklisting is now based on zones rather than on interfaces and
-       host groups.
-
-    b) Near compatibility with earlier releases is maintained.
-
-    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
-       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
-       respectively. The old keywords are still supported.
-
-    d) The 'blacklist' keyword may now appear in the OPTIONS,
-       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
-
-       i)  In the IN_OPTIONS column, it indicates that packets received
-           on the interface are checked against the 'src' entries in
-           /etc/shorewall/blacklist.
-
-       ii) In the OUT_OPTIONS column, it indicates that packets being
-           sent to the interface are checked against the 'dst' entries.
-
-       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
-           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
-
-    e) The 'blacklist' option in the OPTIONS column of
-       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
-       equivalent to placing it in the IN_OPTIONS column of the
-       associates record in /etc/shorewall/zones. If no zone is given
-       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
-       option is ignored with a warning (it was previously ignored
-       silently).
-
-    f) The 'blacklist' option in the /etc/shorewall/interfaces and
-       /etc/shorewall/hosts files is now deprecated but will continue
-       to be supported for several releases. A warning will be added at
-       least one release before support is removed.
-
-5)  There is now an OUT-BANDWIDTH column in
-    /etc/shorewall/tcinterfaces.
-
-    The format of this column is:
-
-    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
-
-    These terms are described in tc-tbf(8). Shorewall supplies default
-    values as follows:
-
-    	   <burst>   = 10kb
-	   <latency> = 200ms
-
-    The remaining options are defaulted by tc.
-
-6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
-    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
-
-        <rate>[:<burst>]
-
-    The default <burst> is 10kb. A larger <burst> can help make the
-    <rate> more accurate; often for fast lines, the enforced rate is
-    well below the specified <rate>.
+    If you are using Shorewall-lite and/or Shorewall6-lite, the
+    scfilter file is kept on the administrative system. The compiler
+    encapsulates the script into a shell function that is copied
+    into the generated auxillary configuration file
+    (firewall.conf). That function is then invoked by the 'show
+    connections' command.
 
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S
@@ -487,6 +379,250 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 3
+----------------------------------------------------------------------------
+
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored.
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually.
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error message is now generated when '*' appears in an interface
+    name.
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 3
+----------------------------------------------------------------------------
+
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
+    contain zone lists in the SOURCE and DEST column. A zone list is a
+    comma-separated list of zone names where each name appears in the
+    zones file. A zone list may be optionally followed by a plus sign
+    ("+") to indicate that the rule should apply to intra-zone traffic
+    as well as to inter-zone traffic.
+
+    Zone lists behave like 'all' and 'any' with respect to Optimization
+    1. If the rule matches the applicable policy for a given (source
+    zone, dest zone), then the rule will be suppessed for that pair of
+    zones unless overridden by the '!' suffix on the target in the
+    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+
+    Additionally, 'any', 'all' and zone lists may be qualified in the
+    same way as a single zone.
+
+    Examples:
+
+	fw,dmz:90.90.191.120/29
+	all:+blacklist
+
+    The 'all' and 'any' keywords now support exclusion in the form of a
+    comma-separated list of excluded zones.
+
+    Examples:
+
+    	     all!fw         (same as all-).
+	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
+	     		     include intra-zone rules).
+
+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
+
+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
+
 ----------------------------------------------------------------------------
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.13
-%define release 1
+%define version 4.4.14
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,10 +108,18 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall6-lite/init.debian.sh

@@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
-[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
 

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -351,11 +351,7 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
 
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall6-lite
-	    else
-		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
+	    update-rc.d shorewall6-lite defaults
 
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else

Shorewall6-lite/shorewall6-lite

@@ -94,9 +94,9 @@ get_config() {
     [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread | tac"
+	g_logread="logread | tac"
     elif [ -r $LOGFILE ]; then
-	LOGREAD="tac $LOGFILE"
+	g_logread="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -145,6 +145,12 @@ get_config() {
 
     [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
+    fi
+
     g_hostname=$(hostname 2> /dev/null)
 
     IP=$(mywhich ip 2> /dev/null)
@@ -447,6 +453,7 @@ g_noroutes=
 g_timestamp=
 g_recovering=
 g_purge=
+g_logread=
 
 finished=0
 

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.13
-%define release 1
+%define version 4.4.14
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,10 +93,18 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {
@@ -249,7 +249,7 @@ fi
 [ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
-# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
+# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
 #
 mkdir -p ${DESTDIR}/etc/shorewall6
 mkdir -p ${DESTDIR}/usr/share/shorewall6
@@ -296,7 +296,7 @@ fi
 run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
+    run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/etc/shorewall6/zones
     echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
 fi
 
@@ -631,6 +631,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
     echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
 fi
 #
+# Install the Scfilter file
+#
+run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/scfilter ]; then
+    run_install $OWNERSHIP -m 0600 scfilter ${DESTDIR}/etc/shorewall6/scfilter
+    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall6/scfilter"
+fi
+#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
@@ -729,11 +738,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
 
-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall6
-	else
-	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
-	fi
+	update-rc.d shorewall6 defaults
 
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"

Shorewall6/lib.cli

@@ -357,6 +357,36 @@ show_routing() {
     fi
 }
 
+#
+# Show Filter - For Shorewall6-lite, if there was an scfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+show_connections_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file scfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -448,11 +478,17 @@ show_command() {
     case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
+	    if mywhich conntrack ; then
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+		echo
+		conntrack -f ipv6 -L | show_connections_filter
+	    else
 		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 		echo
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	    fi
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -650,10 +686,40 @@ show_command() {
     esac
 }
 
+#
+# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+dump_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file dumpfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Dump Command Executor
 #
-dump_command() {
+do_dump_command() {
     local finished
     finished=0
 
@@ -797,6 +863,10 @@ dump_command() {
 	fi
 }
 
+dump_command() {
+    do_dump_command | dump_filter
+}
+
 #
 # Restore Comand Executor
 #

Shorewall6/lib.common

@@ -32,10 +32,14 @@ get_script_version() { # $1 = script
     local version
     local ifs
     local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0
 
     temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
 
-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
     else
 	ifs=$IFS
@@ -52,6 +56,8 @@ get_script_version() { # $1 = script
     fi
     
     echo $version
+
+    VERBOSITY="$verbosity"
 }
   
 #

Shorewall6/scfilter

@@ -0,0 +1,15 @@
+#! /bin/sh
+#
+# Shorewall version 4 - Show Connections Filter
+#
+# /etc/shorewall/scfilter
+#
+#	Replace the 'cat' command below to filter the output of
+#       'show connections. Unlike other extension scripts, this file
+#       must be executable before Shorewall will use it.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+cat -

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.13
-%define release 1
+%define version 4.4.14
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,10 +98,18 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.14
 
 usage() # $1 = exit status
 {

docs/Documentation_Index.xml

@@ -136,7 +136,7 @@
 
           <row>
             <entry>Bridge: <ulink
-            url="bridge-Shorewall-perl.html">Shorewall-perl</ulink></entry>
+            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>
 
             <entry><ulink url="MultiISP.html">Multiple Internet Connections
             from a Single Firewall</ulink> (<ulink
@@ -147,8 +147,8 @@
           </row>
 
           <row>
-            <entry>Bridge: <ulink url="SimpleBridge.html">No control of
-            traffic through the bridge</ulink></entry>
+            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
+            traffic between bridge port</ulink></entry>
 
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>

docs/FAQ.xml

@@ -54,6 +54,31 @@
       url="shorewall_quickstart_guide.htm">QuickStart Guides</ulink>.</para>
     </section>
 
+    <section id="faq92">
+      <title>(FAQ 92) There are lots of Shorewall packages; which one(s) do I
+      install?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: When first installing
+      Shorewall 4.4.0 or later, you must install the <emphasis
+      role="bold">shorewall</emphasis> package. If you want to configure an
+      IPv6 firewall, you must also install <emphasis
+      role="bold">shorewall6</emphasis>.</para>
+
+      <section id="faq92a">
+        <title>(FAQ 92a) Someone once told me to install shorewall-perl;
+        anything to that?</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: That was good advice in
+        Shorewall 4.2 and earlier. In those releases, there were two packages
+        that provided the basic firewalling functionality: <emphasis
+        role="bold">shorewall-shell</emphasis> and <emphasis
+        role="bold">shorewall-perl</emphasis>. Beginning with Shorewall 4.4.0,
+        <emphasis role="bold">shorewall-shell</emphasis> is discontinued and
+        <emphasis role="bold">shorewall-perl</emphasis> is renamed <emphasis
+        role="bold">shorewall</emphasis>.</para>
+      </section>
+    </section>
+
     <section id="faq37">
       <title>(FAQ 37) I just installed Shorewall on Debian and the
       /etc/shorewall directory is almost empty!!!</title>
@@ -1192,7 +1217,7 @@ to debug/develop the newnat interface.</programlisting></para>
       <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
       spit out logs to /var/log/shorewall.log and it's not happening after I
       restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
-      the correct line, right? </title>
+      the correct line, right?</title>
 
       <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
       The LOGFILE setting tells Shorewall where to find the log; it does not
@@ -2876,12 +2901,24 @@ EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
 
           <programlisting>#INTERFACE			SOURCE			ADDRESS
 
-COMMENT DSL Modem
+COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
 
 EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
 </programlisting>
         </listitem>
       </itemizedlist>
     </section>
+
+    <section>
+      <title id="faq93">(FAQ 93) I'm not able to use Shorewall to manage a
+      bridge. I get the following error: ERROR: BRIDGING=Yes is not supported
+      by Shorewall 4.4.13.3.</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> If you want to apply
+      firewall rules to the traffic passing between bridge ports, see <ulink
+      url="bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink>.
+      If you simply want to allow all traffic between ports, then see <ulink
+      url="SimpleBridge.html">http://www.shorewall.net/SimpleBridge.html</ulink>.</para>
+    </section>
   </section>
 </article>

docs/Manpages.xml

@@ -83,6 +83,10 @@
         the interfaces on the system and optionally associate them with
         zones.</member>
 
+        <member><ulink url="manpages/shorewall-ipsets.html">ipsets</ulink> -
+        Describes how to specify set names in Shorewall configuration
+        files.</member>
+
         <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
         Define MAC verification.</member>
 

docs/ProxyARP.xml

@@ -34,46 +34,50 @@
     </legalnotice>
   </articleinfo>
 
-  <para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
-  one network appear to be logically part of a different physical network
+  <section>
+    <title>Overview</title>
+
+    <para>Proxy ARP (RFC 1027) is a way to make a machine physically located
+    on one network appear to be logically part of a different physical network
     connected to the same router/firewall. Typically it allows us to hide a
     machine with a public IP address on a private network behind a router, and
-  still have the machine appear to be on the public network "in front of" the
-  router. The router "proxys" ARP requests and all network traffic to and from
-  the hidden machine to make this fiction possible.</para>
+    still have the machine appear to be on the public network "in front of"
+    the router. The router "proxys" ARP requests and all network traffic to
+    and from the hidden machine to make this fiction possible.</para>
 
-  <para>Consider a router with two interface cards, one connected to a public
-  network PUBNET and one connected to a private network PRIVNET. We want to
-  hide a server machine on the PRIVNET network but have it accessible from the
-  PUBNET network. The IP address of the server machine lies in the PUBNET
-  network, even though we are placing the machine on the PRIVNET network
-  behind the router.</para>
+    <para>Consider a router with two interface cards, one connected to a
+    public network PUBNET and one connected to a private network PRIVNET. We
+    want to hide a server machine on the PRIVNET network but have it
+    accessible from the PUBNET network. The IP address of the server machine
+    lies in the PUBNET network, even though we are placing the machine on the
+    PRIVNET network behind the router.</para>
 
-  <para>By enabling proxy ARP on the router, any machine on the PUBNET network
-  that issues an ARP "who has" request for the server's MAC address will get a
-  proxy ARP reply from the router containing the router's MAC address. This
-  tells machines on the PUBNET network that they should be sending packets
-  destined for the server via the router. The router forwards the packets from
-  the machines on the PUBNET network to the server on the PRIVNET
-  network.</para>
+    <para>By enabling proxy ARP on the router, any machine on the PUBNET
+    network that issues an ARP "who has" request for the server's MAC address
+    will get a proxy ARP reply from the router containing the router's MAC
+    address. This tells machines on the PUBNET network that they should be
+    sending packets destined for the server via the router. The router
+    forwards the packets from the machines on the PUBNET network to the server
+    on the PRIVNET network.</para>
 
     <para>Similarly, when the server on the PRIVNET network issues a "who has"
-  request for any machines on the PUBNET network, the router provides its own
-  MAC address via proxy ARP. This tells the server to send packets for
+    request for any machines on the PUBNET network, the router provides its
+    own MAC address via proxy ARP. This tells the server to send packets for
     machines on the PUBNET network via the router. The router forwards the
-  packets from the server on the PRIVNET network to the machines on the PUBNET
-  network.</para>
+    packets from the server on the PRIVNET network to the machines on the
+    PUBNET network.</para>
 
     <para>The proxy ARP provided by the router allows the server on the
     PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
     pass ARP requests and other network packets in both directions between the
     server machine and the PUBNET network, making the server machine appear to
-  be connected to the PUBNET network even though it is on the PRIVNET network
-  hidden behind the router.</para>
+    be connected to the PUBNET network even though it is on the PRIVNET
+    network hidden behind the router.</para>
 
     <para>Before you try to use this technique, I strongly recommend that you
     read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
     Guide</ulink>.</para>
+  </section>
 
   <section id="Example">
     <title>Example</title>

docs/Vserver.xml

@@ -114,7 +114,7 @@ gateway:~#</programlisting>
   <section>
     <title>Vserver Zones</title>
 
-    <para>Here is a diagram of the network configuration here at Shorewall.net
+    <para>This is a diagram of the network configuration here at Shorewall.net
     during the summer of 2010:</para>
 
     <graphic align="center" fileref="images/Network2010a.png" />
@@ -131,6 +131,12 @@ net             ipv4            #Internet
 vpn             ipv4            #OpenVPN clients
 <emphasis role="bold">dmz             vserver         #Vservers</emphasis></programlisting>
 
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+<emphasis role="bold">net     eth1          detect              dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
+...</programlisting>
+
     <para><filename>/etc/shorewall/hosts</filename>:</para>
 
     <programlisting>#ZONE   HOST(S)                                 OPTIONS
@@ -160,10 +166,16 @@ vpn	ipv6
 <emphasis role="bold">dmz	vserver</emphasis>
 </programlisting>
 
+    <para><filename>/etc/shorewall6/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+<emphasis role="bold">net     sit1          detect              tcpflags,forward=1,nosmurfs,routeback</emphasis>
+...</programlisting>
+
     <para><filename>/etc/shorewall6/hosts</filename>:</para>
 
     <programlisting>#ZONE   HOST(S)                                 OPTIONS
-dmz	sit1:[2001:470:e857:1::/64]</programlisting>
+<emphasis role="bold">dmz     sit1:[2001:470:e857:1::/64]</emphasis></programlisting>
 
     <para>Note that I choose to place the Vservers on sit1 (the IPv6 net
     interface) rather than on eth1. Again, it really doesn't matter

docs/bridge-Shorewall-perl.xml

@@ -5,7 +5,7 @@
   <!--$Id$-->
 
   <articleinfo>
-    <title>Shorewall-perl and Bridged Firewalls</title>
+    <title>Bridged Firewalls</title>
 
     <authorgroup>
       <author>
@@ -37,7 +37,7 @@
   </articleinfo>
 
   <caution>
-    <para><emphasis role="bold">This article applies to Shorewall-perl 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
     later.</emphasis></para>
   </caution>
 
@@ -533,7 +533,7 @@ rc-update add bridge boot
     source bridge port.</para>
 
     <para>To deal with the asymmetric nature of the new physdev match,
-    Shorewall-perl supports a new type of zone - a <firstterm>Bridge
+    Shorewall supports a new type of zone - a <firstterm>Bridge
     Port</firstterm> (BP) zone. Bridge port zones have a number of
     restrictions:</para>
 
@@ -559,8 +559,9 @@ rc-update add bridge boot
 
     <para>In /etc/shorewall/zones, BP zones are specified using the <emphasis
     role="bold">bport</emphasis> (or <emphasis role="bold">bport4</emphasis>)
-    keyword. Shorewall perl requires that BRIDGING=No in
-    <filename>shorewall.conf</filename>.</para>
+    keyword. If your version of <filename>shorewall.conf</filename> contains
+    the <emphasis role="bold">BRIDGING</emphasis> option, it must be set to
+    <emphasis role="bold">No</emphasis>.</para>
 
     <para>In the scenario pictured above, there would probably be two BP zones
     defined -- one for the Internet and one for the local LAN so in

docs/ipsets.xml

@@ -95,8 +95,8 @@
       </listitem>
 
       <listitem>
-        <para>They must be composed of letters, digits or underscores
-        ("_").</para>
+        <para>They must be composed of letters, digits, dashes ("-") or
+        underscores ("_").</para>
       </listitem>
     </itemizedlist>
 
@@ -128,6 +128,11 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
     blacklist file, you can coerce the rule into matching the destination IP
     address rather than the source.</para>
 
+    <para>Beginning with Shorewall 4.4.14, multiple source or destination
+    matches may be specified by placing multiple set names in '+[...]' (e.g.,
+    +[myset,myotherset]). When so inclosed, the set names need not be prefixed
+    with a plus sign.</para>
+
     <para>Shorewall can save/restore your ipset contents with certain
     restrictions:</para>
 

docs/shorewall_extension_scripts.xml

@@ -200,6 +200,26 @@ esac</programlisting><caution>
         with dhclient on several distributions are available at <ulink
         url="http://www.shorewall.net/pub/shorewall/contrib/findgw/">http://www.shorewall.net/pub/shorewall/contrib/findgw/</ulink></para>
       </listitem>
+
+      <listitem>
+        <para><filename>scfilter</filename> -- Added in Shorewall 4.4.14.
+        Unlike the other scripts, this script is executed by the command-line
+        tools (<filename>/sbin/shorewall</filename>,
+        <filename>/sbin/shorewall6</filename>, etc) and can be used to
+        reformat the output of the <command>show connections</command>
+        command. The connection information is piped through this script so
+        that the script can drop information, add information or alter the
+        format of the information. When using Shorewall Lite or Shorewall6
+        Lite, the script is encapsulated in a function that is copied into the
+        generated auxillary configuration file. That function is invoked by
+        the 'show connections' command.</para>
+
+        <para>The default script is as follows and simply pipes the output
+        through unaltered.</para>
+
+        <programlisting>#! /bin/sh
+cat -</programlisting>
+      </listitem>
     </itemizedlist>
 
     <para><emphasis role="bold">If your version of Shorewall doesn't have the
@@ -288,6 +308,12 @@ esac</programlisting><caution>
             <entry>save</entry>
           </row>
 
+          <row>
+            <entry>scfilter</entry>
+
+            <entry>show connections</entry>
+          </row>
+
           <row>
             <entry>start</entry>
 
@@ -512,6 +538,12 @@ esac</programlisting><caution>
 
                 <entry>restored</entry>
               </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>scfilter</entry>
+              </row>
             </tbody>
           </tgroup>
         </informaltable></para>

docs/upgrade_issues.xml

@@ -285,7 +285,7 @@
           </listitem>
 
           <listitem>
-            <para>Explicitly set LOG_MARTIONS=No to maintain compatibility
+            <para>Explicitly set LOG_MARTIANS=No to maintain compatibility
             with prior versions of Shorewall.</para>
           </listitem>
         </orderedlist>

manpages/shorewall-accounting.xml

@@ -481,7 +481,7 @@
     </ulink></para>
 
     <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-actions.xml

@@ -50,7 +50,7 @@
     url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-blacklist.xml

@@ -168,7 +168,7 @@
     url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-ecn.xml

@@ -64,7 +64,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-exclusion.xml

@@ -84,6 +84,31 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
         net ACCEPT rule.</para>
       </blockquote>
     </warning>
+
+    <para>In most contexts, ipset names can be used as an
+    <replaceable>address-or-range</replaceable>. Beginning with Shorewall
+    4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
+    url="shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
+    of these lists when used in an exclusion are as follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>!+[<replaceable>set1</replaceable>,<replaceable>set2</replaceable>,...<replaceable>setN</replaceable>]
+        produces a packet match if the packet does not match at least one of
+        the sets. In other words, it is like NOT match
+        <replaceable>set1</replaceable> OR NOT match
+        <replaceable>set2</replaceable> ... OR NOT match
+        <replaceable>setN</replaceable>.</para>
+      </listitem>
+
+      <listitem>
+        <para>+[!<replaceable>set1</replaceable>,!<replaceable>set2</replaceable>,...!<replaceable>setN</replaceable>]
+        produces a packet match if the packet does not match any of the sets.
+        In other words, it is like NOT match <replaceable>set1</replaceable>
+        AND NOT match <replaceable>set2</replaceable> ... AND NOT match
+        <replaceable>setN</replaceable>.</para>
+      </listitem>
+    </itemizedlist>
   </refsect1>
 
   <refsect1>
@@ -151,12 +176,13 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-hosts.xml

@@ -263,7 +263,7 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-nesting(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-init.xml

@@ -163,7 +163,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-ipsets.xml

@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-ipsets</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>ipsets</refname>
+
+    <refpurpose>Specifying the name if an ipset in Shorewall configuration
+    files</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>+<replaceable>ipsetname</replaceable></command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>+<replaceable>ipsetname</replaceable>[<replaceable>flag</replaceable>,...]</command>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>+[ipsetname,...]</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>Note: In the above syntax descriptions, the square brackets ("[]")
+    are to be taken literally rather than as meta-characters.</para>
+
+    <para>In most places where a network address may be entered, an ipset may
+    be substituted. Set names must be prefixed by the character "+", must
+    start with a letter and may be composed of alphanumeric characters, "-"
+    and "_".</para>
+
+    <para>Whether the set is matched against the packet source or destination
+    is determined by which column the set name appears (SOURCE or DEST). For
+    those set types that specify a tupple, two alternative syntaxes are
+    available:</para>
+
+    <simplelist>
+      <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
+      'dst' should repleated number times. Example: myset[2].</member>
+
+      <member>[<replaceable>flag</replaceable>,...] where
+      <replaceable>flag</replaceable> is <option>src</option> or
+      <option>dst</option>. Example: myset[src,dst].</member>
+    </simplelist>
+
+    <para>In a SOURCE column, the following pairs are equivalent:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>+myset[2] and +myset[src,src]</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>In a DEST column, the following paris are equivalent:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>+myset[2] and +myset[dst,dst]</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.4.14, multiple source or destination
+    matches may be specified by enclosing the set names within +[...]. The set
+    names need not be prefixed with '+'. For information about set lists and
+    exclusion, see <ulink
+    url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
+  </refsect1>
+
+  <refsect1>
+    <title>Examples</title>
+
+    <para>+myset</para>
+
+    <para>+myset[src]</para>
+
+    <para>+myset[2]</para>
+
+    <para>+[myset1,myset2[dst]]</para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/accounting</para>
+
+    <para>/etc/shorewall/blacklist</para>
+
+    <para>/etc/shorewall/hosts -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
+    <para>/etc/shorewall/maclist -- <emphasis role="bold">Note:</emphasis>
+    Multiple matches enclosed in +[...] may not be used in this file.</para>
+
+    <para>/etc/shorewall/masq</para>
+
+    <para>/etc/shorewall/rules</para>
+
+    <para>/etc/shorewall/secmarks</para>
+
+    <para>/etc/shorewall/tcrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>

manpages/shorewall-maclist.xml

@@ -102,7 +102,7 @@
     url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-masq.xml

@@ -565,7 +565,7 @@
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall-interfaces(5), shorewall-maclist(5), shorewall-nat(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
     shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),

manpages/shorewall-modules.xml

@@ -86,7 +86,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-nat.xml

@@ -138,7 +138,7 @@
     url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-nesting.xml

@@ -204,7 +204,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-netmap.xml

@@ -114,7 +114,7 @@
     url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-notrack.xml

@@ -147,7 +147,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-params.xml

@@ -128,7 +128,7 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
     url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-policy.xml

@@ -313,7 +313,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-providers.xml

@@ -340,7 +340,7 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-proxyarp.xml

@@ -132,7 +132,7 @@
     url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-route_rules(5),

manpages/shorewall-route_rules.xml

@@ -165,7 +165,7 @@
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5),

manpages/shorewall-routestopped.xml

@@ -200,7 +200,7 @@
     url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-rules.xml

@@ -1370,7 +1370,7 @@
     url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-secmarks.xml

@@ -23,6 +23,14 @@
   <refsect1>
     <title>Description</title>
 
+    <important>
+      <para>Unlike rules in the <ulink
+      url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      of rules in this file will continue after a match. So the final secmark
+      for each packet will be the one assigned by the LAST rule that
+      matches.</para>
+    </important>
+
     <para>The secmarks file is used to associate an SELinux context with
     packets. It was added in Shorewall version 4.4.13.</para>
 
@@ -376,12 +384,13 @@ RESTORE                               I:ER</programlisting>
     url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tcclasses.xml

@@ -500,7 +500,7 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcdevices.xml

@@ -219,7 +219,7 @@
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcfilters.xml

@@ -204,7 +204,7 @@
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcinterfaces.xml

@@ -203,7 +203,7 @@
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tcpri.xml

@@ -149,7 +149,7 @@
 
     <para>PRIO(8), shorewall(8), shorewall-accounting(5),
     shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
-    shorewall-interfaces(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
     shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
     shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
     shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),

manpages/shorewall-tcrules.xml

@@ -805,7 +805,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-template.xml

@@ -52,7 +52,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tos.xml

@@ -160,7 +160,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-tunnels.xml

@@ -275,7 +275,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-vardir.xml

@@ -54,7 +54,7 @@
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages/shorewall-zones.xml

@@ -196,8 +196,8 @@ c:a,b     ipv4</programlisting>
 
         <listitem>
           <para>A comma-separated list of options. With the exception of the
-          <option>mss</option> option, these only apply to TYPE
-          <option>ipsec</option> zones.</para>
+          <option>mss</option> and <option>blacklist</option> options, these
+          only apply to TYPE <option>ipsec</option> zones.</para>
 
           <variablelist>
             <varlistentry>
@@ -338,13 +338,13 @@ c:a,b     ipv4</programlisting>
     url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall.conf.xml

@@ -1390,8 +1390,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>This option is included for compatibility with older Shorewall
-          releases. Its setting has no effect.</para>
+          <para><emphasis role="bold">Obsolete</emphasis> - This option is
+          included for compatibility with older Shorewall releases. Its
+          setting has no effect.</para>
         </listitem>
       </varlistentry>
 
@@ -1885,13 +1886,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall.xml

@@ -1480,7 +1480,7 @@
     url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
     <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
     shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
     shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),

manpages6/shorewall6-secmarks.xml

@@ -23,6 +23,14 @@
   <refsect1>
     <title>Description</title>
 
+    <important>
+      <para>Unlike rules in the <ulink
+      url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
+      of rules in this file will continue after a match. So the final secmark
+      for each packet will be the one assigned by the LAST rule that
+      matches.</para>
+    </important>
+
     <para>The secmarks file is used to associate an SELinux context with
     packets. It was added in Shorewall6 version 4.4.13.</para>
 

manpages6/shorewall6-zones.xml

@@ -194,8 +194,8 @@ c:a,b     ipv6</programlisting>
 
         <listitem>
           <para>A comma-separated list of options. With the exception of the
-          <option>mss</option> and blacklist options, these only apply to TYPE
-          <option>ipsec</option> zones.</para>
+          <option>mss</option> and <option>blacklist</option> options, these
+          only apply to TYPE <option>ipsec</option> zones.</para>
 
           <variablelist>
             <varlistentry>