Add IP_FORWARDING=On to FAQ 1g

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/interfaces

@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-$FW	net	ACCEPT
-net	all	DROP

Samples/Universal/rules

@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -1,213 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
-#
-#  For information about the settings in this file, type "man shorewall.conf"
-#
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-MACLIST_LOG_LEVEL=info
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-LOG_MARTIANS=Yes
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IPTABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=On
-
-ADD_IP_ALIASES=No
-
-ADD_SNAT_ALIASES=No
-
-RETAIN_ALIASES=No
-
-TC_ENABLED=Internal
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-DELAYBLACKLISTLOAD=No
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-BRIDGING=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-USE_ACTIONS=Yes
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-USE_DEFAULT_RT=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-MACLIST_DISPOSITION=REJECT
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-

Samples/one-interface/shorewall.conf

@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -68,8 +70,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -205,12 +205,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -68,8 +70,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -205,12 +205,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -49,7 +49,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -75,8 +77,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -212,12 +212,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/Universal/interfaces

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback
-

Samples6/Universal/policy

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-fw	net	ACCEPT
-net	all	DROP
-

Samples6/Universal/rules

@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -1,168 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
-#
-#  For information about the settings in this file, type "man shorewall6.conf"
-#
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall6-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IP6TABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=Off
-
-TC_ENABLED=No
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-DYNAMIC_BLACKLIST=Yes
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-

Samples6/one-interface/shorewall6.conf

@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/COPYING

@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

Shorewall-init/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/ifupdown.sh

@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# ifupdown script for Shorewall-based products
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-IFUPDOWN=0
-PRODUCTS=
-
-if [ -f /etc/default/shorewall-init ]; then
-    . /etc/default/shorewall-init
-elif [ -f /etc/sysconfig/shorewall-init ]; then
-    . /etc/sysconfig/shorewall-init
-fi
-
-[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
-
-if [ -f /etc/debian_version ]; then
-    #
-    # Debian ifupdown system
-    #
-    if [ "$MODE" = start ]; then
-	COMMAND=up
-    elif [ "$MODE" = stop ]; then
-	COMMAND=down
-    else
-	exit 0
-    fi
-
-    case "$PHASE" in
-	pre-*)
-	    exit 0
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    #
-    # SuSE ifupdown system
-    #
-    IFACE="$2"
-
-    case $0 in
-	*if-up.d*)
-	    COMMAND=up
-	    ;;
-	*if-down.d*)
-	    COMMAND=down
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    IFACE="$1"
-    
-    case $0 in 
-	*ifup*)
-	    COMMAND=up
-	    ;;
-	*ifdown*)
-	    COMMAND=down
-	    ;;
-	*dispatcher.d*)
-	    COMMAND="$2"
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-fi
-
-for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/$PRODUCT/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
-	    mutex_off
-	  )
-    fi
-done
-
-exit 0

Shorewall-init/init.debian.sh

@@ -1,146 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-### BEGIN INIT INFO
-# Provides:          shorewall-init
-# Required-Start:    $local_fs
-# X-Start-Before:    $network
-# Required-Stop:     $local_fs
-# X-Stop-After:      $network
-# Default-Start:     S
-# Default-Stop:      0 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time prior to
-#                    bringing up the network
-### END INIT INFO
-
-export VERBOSITY=0
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-echo_notdone () {
-  echo "not done."
-  exit 1
-}
-
-not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
-}
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
-then
-	. /etc/default/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
-	not_configured
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
-	      fi
-	      mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  reload|force-reload)
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/init.sh

@@ -1,104 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# chkconfig: - 09 91
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-start: $local_fs
-# Required-stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
-	  fi
-      fi
-  done
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
-  done
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/install.sh

@@ -1,336 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Init
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=4.4.13.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-    shift
-    ARGS="yes"
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	T=
-	;;	
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
-	echo "Not setting file owner/group permissions, not running as root."
-	OWNERSHIP=""
-    fi
-    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Init Version $VERSION"
-
-#
-# Check for /usr/share/shorewall-init/version
-#
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
-    first_install=""
-else
-    first_install="Yes"
-fi
-
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /usr/share/shorewall-init if needed
-#
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
-
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
-
-#
-# Remove and create the symbolic link to the init script
-#
-if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
-fi
-
-if [ -n "$DEBIAN" ]; then
-    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    fi
-
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
-	fi
-
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-    fi
-else
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
-
-	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
-	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
-	    fi
-	fi
-    fi
-
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
-    fi 
-fi
-
-#
-# Install the ifupdown script
-#
-
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-
-install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
-
-if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-fi
-
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
-
-if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-init
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
-
-	    echo "Shorewall Init will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
-	fi
-    fi
-else
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
-	    fi
-
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	fi
-    fi
-fi
-
-#
-#  Report Success
-#
-echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init.spec

@@ -1,158 +0,0 @@
-%define name shorewall-init
-%define version 4.4.13
-%define release 1
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
-- Initial version
-
-
-

Shorewall-init/sysconfig

@@ -1,12 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to 
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0

Shorewall-init/uninstall.sh

@@ -1,97 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.sourceforge.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=4.4.13.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
-    VERSION=""
-fi
-
-echo "Uninstalling Shorewall Init $VERSION"
-
-INITSCRIPT=/etc/init.d/shorewall-init
-
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $INITSCRIPT)
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
-    fi
-
-    remove_file $INITSCRIPT
-fi
-
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
-
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
-
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-
-rm -rf /usr/share/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
-

Shorewall-lite/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall-lite/init.debian.sh

@@ -88,11 +88,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
   $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
   return 0
 }
 

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -128,12 +131,10 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
-INSTALLD='-D'
-T='-T'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -141,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -153,14 +150,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -182,185 +179,170 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
     [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
+    rm -rf ${PREFIX}/etc/shorewall-lite
+    rm -rf ${PREFIX}/usr/share/shorewall-lite
+    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi
 
 #
 # Check for /sbin/shorewall-lite
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${PREFIX}/sbin/shorewall-lite ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
 
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
 
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${PREFIX}/etc/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
 
 #
 # Install the Modules file
 #
-
-if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
-fi
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
 
 #
 # Install the Man Pages
 #
 
-if [ -d manpages ]; then
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
-
-    for f in *.5; do
+for f in *.5; do
     gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.8; do
+for f in *.8; do
     gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    cd ..
+cd ..
 
-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
 fi
 
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     touch /var/log/shorewall-lite-init.log
 
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
-	    else
 	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	    fi
-
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall-lite/shorewall-lite

@@ -352,7 +352,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
@@ -383,62 +383,13 @@ usage() # $1 = exit status
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -628,12 +579,14 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|reset|clear)
+    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $debugging $nolock $COMMAND
+	;;
+    reset)
+	verify_firewall_script
+	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
 	;;
     restart)
 	shift
@@ -659,7 +612,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -680,8 +633,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
     logwatch)
 	logwatch_command $@
@@ -775,9 +727,14 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	if [ -x $g_restorepath ]; then
+
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
+	    fi
+
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.13
-%define release 1
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -102,62 +101,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall-lite
 fi

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.13';
+our $VERSION = '4.4.7';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,16 +61,6 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
-    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
-    }
-
-    sub ipsec_chain_name($) {
-	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
-	    $1;
-	}
-    }
-
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -82,11 +72,10 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	$jumpchain;
+	"-j $jumpchain";
     }
 
     my $target = '';
@@ -97,19 +86,16 @@ sub process_accounting_rule( ) {
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
-    my $jump  = 0;
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = 'RETURN';
+	    $target = '-j RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2 = 1;
-		} elsif ( $cmd eq 'JUMP' ) {
-		    $jump = 1;
-		} else {
+		    $rule2=1;
+		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
 	    }
@@ -151,31 +137,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = $filter_table->{$chain};
-    my $dir;
-
-    if ( ! $chainref ) {
-	$chainref = ensure_accounting_chain $chain, 0;
-	$dir      = ipsec_chain_name( $chain );
-
-	if ( $ipsec ne '-' ) {
-	    if ( $dir ) {
-		$rule .= do_ipsec( $dir, $ipsec );
-		$chainref->{ipsec} = $dir;
-	    } else {
-		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-	    }
-	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
-	    $chainref->{ipsec} = $dir;
-	}
-    } elsif ( $ipsec ne '-' ) {
-	$dir = $chainref->{ipsec};
-	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	$rule .= do_ipsec( $dir , $ipsec );
-    }
-
-    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
+    my $chainref = ensure_accounting_chain $chain;
 
     expand_rule
 	$chainref ,
@@ -189,22 +151,6 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
-    if ( $rule2 || $jump ) {
-	if ( $chainref->{ipsec} ) {
-	    if ( $jumpchainref->{ipsec} ) {
-		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
-	    } else {
-		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
-		$jumpchainref->{ipsec} = $chainref->{ipsec};
-	    }
-	} elsif ( $jumpchainref->{ipsec} ) {
-	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
-	} else {
-	    $jumpchainref->{ipsec} = $chainref->{ipsec};
-	}
-
-    }
-
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -232,6 +178,8 @@ sub setup_accounting() {
 
     $nonEmpty |= process_accounting_rule while read_a_line;
 
+    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
+
     clear_comment;
 
     if ( have_bridges ) {
@@ -244,28 +192,13 @@ sub setup_accounting() {
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } elsif ( $filter_table->{accounting} ) {
+    } else {
+	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
-
-    if ( $filter_table->{accipsecin} ) {
-	for my $chain ( qw/INPUT FORWARD/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
     }
-    }
-
-    if ( $filter_table->{accipsecout} ) {
-	for my $chain ( qw/FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
-	}
-    }
-
-    for ( accounting_chainrefs ) {
-	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-    }
-
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -28,7 +28,6 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
 
 use strict;
 
@@ -58,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -179,27 +178,9 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
     my $action = $_[0];
-
-    my $target = '';
-    my $max    = 3;
-    #
-    # The following rather grim RE, when matched, breaks the action into two parts:
-    #
-    #    basicaction(param)
-    #    logging part (may be empty)
-    #
-    # The param may contain one or more ':' characters
-    #
-    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
-	$target = $1;
-	$action = $2 ? $3 : '';
-	$max    = 2;
-    }
-	
     my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
-    $target = shift @a unless $target;
-    ( $target, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
+    ( shift @a, join ":", @a );
 }
 
 #
@@ -636,7 +617,7 @@ sub process_action( $$$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ,
+		  $action ? "-j $action" : '',
 		  $level ,
 		  $action ,
 		  '' );
@@ -795,7 +776,7 @@ sub dropBcast( $$$ ) {
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
 	    }		
 	}
 
@@ -820,7 +801,7 @@ sub dropBcast( $$$ ) {
     if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
     } else {
-	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
+	add_rule $chainref, '-d ff00::/10 -j DROP';
     }
 }
 
@@ -852,8 +833,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
 	}
     }
 }
@@ -887,8 +868,7 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
-    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_9';
 
 our $export;
 
@@ -271,7 +271,7 @@ sub generate_script_2() {
 
 	set_global_variables(1);
 
-	handle_optional_interfaces(0);
+	handle_optional_interfaces;
 
 	emit ';;';
 
@@ -284,7 +284,7 @@ sub generate_script_2() {
 
 	    set_global_variables(0);
 
-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;
 
 	    emit ';;';
 	}
@@ -294,7 +294,7 @@ sub generate_script_2() {
 
 	emit ( 'esac' ) ,
     } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
@@ -303,6 +303,7 @@ sub generate_script_2() {
     
 }
 
+#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -353,17 +354,80 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	load_ipsets;
+	my @ipsets = all_ipsets;
+
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
+	    emit ( '',
+		   'local hack',
+		   '',
+		   'case $IPSET in',
+		   '    */*)',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        ;;',
+		   '    *)',
+		   '        IPSET="$(mywhich $IPSET)"',
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+		   '        ;;',
+		   'esac',
+		   '',
+		   'if [ "$COMMAND" = start ]; then' ,
+		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		   '    fi' ,
+		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
+
+	    if ( @ipsets ) {
+		emit '';
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
+
+	    emit ( 'fi',
+		   '' );
+	}
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
+	       '   run_refresh_exit' );
+
+	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
-	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ('',
@@ -386,7 +450,6 @@ sub generate_script_3($) {
     } else {
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
     }
@@ -442,37 +505,33 @@ EOF
     setup_forwarding( $family , 1 );
     push_indent;
 
-    my $config_dir = $globals{CONFIGDIR};
-
-    emit<<"EOF";
-    set_state Started $config_dir 
+    emit<<'EOF';
+    set_state "Started"
     run_restored_exit
 else
-    if [ \$COMMAND = refresh ]; then
+    if [ $COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<"EOF";
+    emit<<'EOF';
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
     else
         setup_netfilter
+        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<"EOF";
+    emit<<'EOF';
         run_start_exit
         do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
         run_started_exit
     fi
 
-EOF
-
-    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 
@@ -806,11 +865,6 @@ sub compiler {
 	#
 	compile_stop_firewall( $test, $export );
 	#
-	#                               U P D O W N
-	#               (Writes the updown() function to the compiled script)
-	#
-	compile_updown;
-	#
 	# Copy the footer to the script
 	#
 	unless ( $test ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -114,7 +114,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       $product
 				       $Product
-				       $toolname
 				       $command
 				       $doing
 				       $done
@@ -132,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -219,7 +218,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
-		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -251,8 +249,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
-		 FWMARK_RT_MASK  => 'fwmark route mask',
-		 MARK_ANYWHERE   => 'Mark in any table',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -292,7 +288,6 @@ our $sillyname;               # Name of temporary filter chains for testing capa
 our $sillyname1;
 our $iptables;                # Path to iptables/ip6tables
 our $tc;                      # Path to tc
-our $ip;                      # Path to ip
 
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
@@ -340,15 +335,14 @@ sub initialize( $ ) {
     #
     %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR =>  '/etc/shorewall',     # Run-time configuration directory
-		    CONFIGDIR => '',                  # Compile-time configuration directory (location of $product.conf)
+		    CONFDIR =>  '/etc/shorewall',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13.1",
-		    CAPVERSION => 40413 ,
+		    VERSION => "4.4.9",
+		    CAPVERSION => 40408 ,
 		  );
 
     #
@@ -366,7 +360,6 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
-	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -385,7 +378,6 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
-	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -468,9 +460,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
-	      FORWARD_CLEAR_MARK => undef,
-	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -515,7 +504,6 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
-	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -531,7 +519,6 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
-	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -593,9 +580,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
-	      FORWARD_CLEAR_MARK => undef,
-	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -645,7 +629,6 @@ sub initialize( $ ) {
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
 	       IPSET_MATCH => undef,
-	       OLD_IPSET_MATCH => undef,
 	       CONNMARK => undef,
 	       XCONNMARK => undef,
 	       CONNMARK_MATCH => undef,
@@ -677,8 +660,6 @@ sub initialize( $ ) {
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
-	       FWMARK_RT_MASK => undef,
-	       MARK_ANYWHERE => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1093,7 +1074,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1114,7 +1095,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1479,12 +1460,10 @@ sub split_list1( $$ ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
 		push @list2 , $_;
 	    } else {
-		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
-	    s/\)//;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1783,9 +1762,7 @@ sub embedded_perl( $ ) {
 #   - Handle INCLUDE <filename>
 #
 
-sub read_a_line(;$) {
-    my $embedded_enabled = defined $_[0] ? shift : 1;
-
+sub read_a_line() {
     while ( $currentfile ) {
 
 	$currentline = '';
@@ -1831,18 +1808,11 @@ sub read_a_line(;$) {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
 	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
 		embedded_shell( $1 );
-		    next;
-		}
-
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
 		embedded_perl( $1 );
-		    next;
-		}
-	    } 
-
+	    } else {
 		my $count = 0;
 		#
 		# Expand Shell Variables using %ENV
@@ -1886,6 +1856,7 @@ sub read_a_line(;$) {
 		    return 1;
 		}
 	    }
+	}
 
 	close_file;
     }
@@ -1926,11 +1897,9 @@ sub default ( $$ ) {
 sub default_yes_no ( $$ ) {
     my ( $var, $val ) = @_;
 
-    my $curval = $config{$var};
+    my $curval = "\L$config{$var}";
 
     if ( defined $curval && $curval ne '' ) {
-	$curval = lc $curval;
-
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} else {
@@ -2329,11 +2298,7 @@ sub Comments() {
 }
 
 sub Hashlimit_Match() {
-    if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) {
-	! ( $capabilities{OLD_HL_MATCH} = 0 );
-    } else {
-	have_capability 'OLD_HL_MATCH';
-    }
+    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
 }
 
 sub Old_Hashlimit_Match() {
@@ -2380,11 +2345,11 @@ sub Raw_Table() {
     qt1( "$iptables -t raw -L -n" );
 }
 
-sub Old_IPSet_Match() {
+sub IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
 
-    $ipset = which $ipset unless $ipset =~ '/';
+    $ipset = which $ipset unless $ipset =~ '//';
 
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
@@ -2392,31 +2357,7 @@ sub Old_IPSet_Match() {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$result = $capabilities{IPSET_MATCH} = 1;
-	    }
-
-	    qt( "$ipset -X $sillyname" );
-	}
-    }
-
-    $result;
-}
-
-sub IPSet_Match() {
-    my $ipset  = $config{IPSET} || 'ipset';
-    my $result = 0;
-
-    $ipset = which $ipset unless $ipset =~ '/';
-
-    if ( $ipset && -x $ipset ) {
-	qt( "$ipset -X $sillyname" );
-
-	if ( qt( "$ipset -N $sillyname iphash" ) ) {
-	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
-		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
-	    } else {
-		$result = have_capability 'OLD_IPSET_MATCH';
+		$result = 1;
 	    }
 
 	    qt( "$ipset -X $sillyname" );
@@ -2474,14 +2415,6 @@ sub Flow_Filter() {
     $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
 }
 
-sub Fwmark_Rt_Mask() {
-    $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
-}
-
-sub Mark_Anywhere() {
-    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
-}
-
 our %detect_capability =
     ( ADDRTYPE => \&Addrtype,
       CLASSIFY_TARGET => \&Classify_Target,
@@ -2493,7 +2426,6 @@ our %detect_capability =
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
-      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
       GOTO_TARGET => \&Goto_Target,
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HELPER_MATCH => \&Helper_Match,
@@ -2501,7 +2433,6 @@ our %detect_capability =
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
       IPSET_MATCH => \&IPSet_Match,
-      OLD_IPSET_MATCH => \&Old_IPSet_Match,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
@@ -2509,7 +2440,6 @@ our %detect_capability =
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
-      MARK_ANYWHERE => \&Mark_Anywhere,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2653,8 +2583,6 @@ sub determine_capabilities() {
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2732,15 +2660,12 @@ sub process_shorewall_conf() {
     my $file = find_file "$product.conf";
 
     if ( -f $file ) {
-	$globals{CONFIGDIR} =  $file;
-	$globals{CONFIGDIR} =~ s/$product.conf//;
-
 	if ( -r _ ) {
 	    open_file $file;
 
 	    first_entry "Processing $file...";
 
-	    while ( read_a_line(0) ) {
+	    while ( read_a_line ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    unless ( exists $config{$var} ) {
@@ -2815,18 +2740,12 @@ sub get_capabilities( $ ) {
 
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
 
-	$tc = $config{TC} || which 'tc';
+	$tc = $config{TC};
 
 	if ( $tc ) {
 	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
 	}
 
-	$ip = $config{IP} || which 'ip';
-
-	if ( $ip ) {
-	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-	}
-
 	load_kernel_modules;
 
 	if ( open_file 'capabilities' ) {
@@ -2899,60 +2818,7 @@ sub get_configuration( $ ) {
 
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
-    if ( my $rate = $config{LOGLIMIT} ) {
-	my $limit;
-
-	if ( $rate =~ /^[sd]:/ ) {
-	    require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
-
-	    $limit = "-m hashlimit ";
-
-	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-	    my $units;
-
-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
-		fatal_error "Invalid rate ($1)" unless $2;
-		fatal_error "Invalid burst value ($5)" unless $5;
-
-		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
-		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
-		fatal_error "Invalid rate ($1)" unless $2;
-		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
-		$units = $4;
-	    } else {
-		fatal_error "Invalid rate ($rate)";
-	    }
-
-	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
-
-	    if ( $units && $units ne 'sec' ) {
-		my $expire = 60000; # 1 minute in milliseconds
-		
-		if ( $units ne 'min' ) {
-		    $expire *= 60; #At least an hour
-		    $expire *= 24 if $units eq 'day';
-		}
-		
-		$limit .= "--hashlimit-htable-expire $expire ";
-	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
-	    fatal_error "Invalid rate ($1)" unless $2;
-	    fatal_error "Invalid burst value ($5)" unless $5;
-	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
-	    fatal_error "Invalid rate (${1}${2})" unless $1;
-	    $limit = "-m limit --limit $rate ";
-	} else {
-	    fatal_error "Invalid rate ($rate)";
-	}
-
-	$globals{LOGLIMIT} = $limit;
-
-	warning_message "LOGRATE Ignored when LOGLIMIT is specified"  if $config{LOGRATE};
-	warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
-
-    } elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
+    if ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
 	}
@@ -3071,7 +2937,7 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTO_COMMENT'               , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
+    default_yes_no 'MANGLE_ENABLED'             , 'Yes';
     default_yes_no 'NULL_ROUTE_RFC1918'         , '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
@@ -3081,11 +2947,6 @@ sub get_configuration( $ ) {
     default_yes_no 'ACCOUNTING'                 , 'Yes';
     default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
     default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
-    default_yes_no 'REQUIRE_INTERFACE'          , '';
-    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
-    default_yes_no 'COMPLETE'                   , '';
-
-    require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
     numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
@@ -3094,12 +2955,7 @@ sub get_configuration( $ ) {
     
     if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
-	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
-    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
-	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
-    } else {
-	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
     }
 
     $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
@@ -3107,12 +2963,6 @@ sub get_configuration( $ ) {
     $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
     $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
-    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
-	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
-    } else {
-	$globals{USER_MASK} = 0;
-    }
-
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_7';
 
 #
 # Some IPv4/6 useful stuff
@@ -87,19 +87,18 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
-our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'ff00::/8' ,
-	       IPv6_LINKLOCAL      => 'fe80::/10' ,
-	       IPv6_SITELOCAL      => 'feC0::/10' ,
+	       IPv6_MULTICAST      => 'FF00::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv6_SITELOCAL      => 'FFC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
-	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
+	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
+	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
@@ -124,8 +123,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for ( @address ) {
-	return 0 unless /^\d+$/ && $_ < 256;
+    for my $a ( @address ) {
+	return 0 unless $a =~ /^\d+$/ && $a < 256;
     }
 
     1;
@@ -158,8 +157,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for ( @address ) {
-	$result = ( $result << 8 ) | $_;
+    for my $a ( @address ) {
+	$result = ( $result << 8 ) | $a;
     }
 
     $result;
@@ -293,11 +292,6 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 65535 ? $number : undef;
     } else {
-	#
-	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
-	#
-	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-	
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
     }
 }
@@ -338,7 +332,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    $_ = validate_port( $proto, $_) for ( @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -445,7 +439,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
 
 	$last++; #Increment last address for limit testing.
 	#
@@ -688,7 +682,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    $family = shift;
+    my $family = shift;
 
     if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,6 +49,56 @@ sub initialize() {
     %addresses_to_add = ();
 }
 
+#
+# Handle IPSEC Options in a masq record
+#
+sub do_ipsec_options($)
+{
+    my %validoptions = ( strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+    my $list=$_[0];
+    my $options = '-m policy --pol ipsec --dir out ';
+    my $fmt;
+
+    for my $e ( split_list $list, 'option' ) {
+	my $val    = undef;
+	my $invert = '';
+
+	if ( $e =~ /([\w-]+)!=(.+)/ ) {
+	    $val    = $2;
+	    $e      = $1;
+	    $invert = '! ';
+	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
+	    $val = $2;
+	    $e   = $1;
+	}
+
+	$fmt = $validoptions{$e};
+
+	fatal_error "Invalid Option ($e)" unless $fmt;
+
+	if ( $fmt eq NOTHING ) {
+	    fatal_error "Option \"$e\" does not take a value" if defined $val;
+	} else {
+	    fatal_error "Missing value for option \"$e\""        unless defined $val;
+	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+	}
+
+	$options .= $invert;
+	$options .= "--$e ";
+	$options .= "$val " if defined $val;
+    }
+
+    $options;
+}
+
 #
 # Process a single rule from the the masq file
 #
@@ -103,11 +153,11 @@ sub process_one_masq( )
 	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	    $baserule .= '-m policy --pol ipsec --dir out ';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'none', '';
+	    $baserule .= '-m policy --pol none --dir out ';
 	} else {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	    $baserule .= do_ipsec_options $ipsec;
 	}
     } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
@@ -125,7 +175,7 @@ sub process_one_masq( )
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+	my $target = '-j MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -171,7 +221,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "SNAT --to-source $variable";
+		    $target = "-j SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -181,13 +231,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = 'RETURN';
+		    $target = '-j RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = 'SNAT ';
+			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
@@ -398,9 +448,7 @@ sub setup_netmap() {
 
     while ( read_a_line ) {
 
-	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	$net3 = ALLIP if $net3 eq '-';
+	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
 
 	for my $interface ( split_list $interfacelist, 'interface' ) {
 
@@ -411,15 +459,15 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev( $interface );
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }
 
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein  . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_9';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -307,7 +307,6 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
-    my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
     for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -333,9 +332,7 @@ sub validate_policy()
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
 	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
 
-	my $zoneref = find_zone( $zone );
-
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
@@ -418,14 +415,13 @@ sub apply_policy_rules() {
 
     for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
-
-	unless ( $policy eq 'NONE' ) {
 	my $loglevel    = $chainref->{loglevel};
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
 	my $synparms    = $chainref->{synparms};
 
+	if ( $policy ne 'NONE' ) {
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
 		    #
@@ -496,14 +492,7 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit( $level , 
-			    $synchainref , 
-			    $chainref->{name} , 
-			    'DROP', 
-			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
-			    '' , 
-			    'add' , 
-			    '' )
+	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
+    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
     my $physical    = get_physical $interface;
@@ -435,12 +435,10 @@ sub add_a_provider( ) {
     }
 
     if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
 
-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
+	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
@@ -838,132 +836,49 @@ sub lookup_provider( $ ) {
 
 #
 # This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# optional interfaces
 #
-# Returns true if there were required or optional interfaces
+# Returns true if there were optional interfaces
 #
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {
 
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
-	my $require     = $config{REQUIRE_INTERFACE};
-	
-	verify_required_interfaces( shift );
-
-	emit( 'HAVE_INTERFACE=', '' ) if $require;
-	#
-	# Clear the '_IS_USABLE' variables
-	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
-
-	if ( $wildcards ) {
-	    #
-	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
-	    #
-	    emit( '', 
-		  'for interface in $(find_all_interfaces1); do',
-		);
-
-	    push_indent;
-	    emit ( 'case "$interface" in' );
-	    push_indent;
-	} else {
-	    emit '';
-	}
-
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	for my $interface ( @$interfaces ) {
 	    my $provider = $provider_interfaces{$interface};
 	    my $physical = get_physical $interface;
 	    my $base     = uc chain_base( $physical );
-	    my $providerref = $providers{$provider};
 
-	    emit( "$physical)" ), push_indent if $wildcards;
+	    emit '';
+
+	    if ( $provider ) {
+		#
+		# This interface is associated with a non-shared provider -- get the provider table entry
+		#
+		my $providerref = $providers{$provider};
 
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
 		    emit qq(if interface_is_usable $physical; then);
 		}
-
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
+	    } else {
+		#
+		# Not a provider interface
+		#
+		emit qq(if interface_is_usable $physical; then);
+	    }
 
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
+		  'else' ,
+		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
-
-	    emit( ';;' ), pop_indent if $wildcards;
 	}
 
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
-		push_indent;
-		
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-		    push_indent; 
-		    emit ( 'if interface_is_usable $interface; then' );
-		} else {
-		    emit ( "if interface_is_usable $physical; then" );
+	1;
     }
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }
-
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
-
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
-	    }
-	}
-
-	if ( $wildcards ) {
-	    emit( '*)' ,
-		  '    ;;'
-		);
-	    pop_indent;
-	    emit( 'esac' );
-	    pop_indent;
-	    emit('done' );
-	}
-
-	if ( $require ) {
-	    emit( '',
-		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
-		  '    case "$COMMAND" in',
-		  '        start|restart|restore|refresh)'
-		);
-
-	    if ( $family == F_IPV4 ) {
-		emit( '            if shorewall_is_started; then' );
-	    } else {
-		emit( '            if shorewall6_is_started; then' );
-	    }
-
-	    emit( '                fatal_error "No network interface available"',
-		  '            else',
-		  '                startup_error "No network interface available"',
-		  '            fi',
-		  '            ;;',
-		  '    esac',
-		  'fi'
-		);
-	}
-
-	return 1;
-    }
-
-    verify_required_interfaces( shift );
 }
 
 #
@@ -1002,14 +917,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
-			$rule2 = '';
 		    }
 
-		    assert ( $rule1 =~ s/^-A // );
+		    $rule1 =~ s/-A tcpre //;
+
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			assert ( $rule2 =~ s/^-A // );
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -1029,14 +944,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
-			$rule2 = '';
 		    }
 
-		    assert( $rule1 =~ s/-A // );
+		    $rule1 =~ s/-A tcout //;
+
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
 		}

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.3_7';
 
 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
     ( my $zone, $source) = split /:/, $source, 2;
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'NOTRACK' ,
+	'-j NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,44 +40,37 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1,
-		    fwi      => 0,
+		    fw       => 1
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1 ,
-		    fwi      => 0,
+		    fw       => 1
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1 ,
-		    fwi      => 1 ,
+		    fw       => 1
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
-		    fwi      => 0 ,
 		    } ,
 	    );
 
@@ -165,7 +158,6 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
-		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );
 
 our $family;
@@ -226,23 +218,12 @@ sub process_tc_rule( ) {
 	}
     }
 
-    if ( $dest ) {
-	if ( $dest eq $fw ) {
-	    $chain = 'tcin';
-	    $dest  = '';
-	} else {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
-	}
-    }
-
     if ( $designator ) {
 	$tcsref = $tcs{$designator};
 
 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
-	    } elsif ( $chain eq 'tcin' ) {
-		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
@@ -269,8 +250,6 @@ sub process_tc_rule( ) {
 
     $list = '';
 
-    my $restriction = 0;
-
     unless ( $classid ) {
       MARK:
 	{
@@ -280,7 +259,7 @@ sub process_tc_rule( ) {
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
 
-		    $target      = $tccmd->{target};
+		    $target      = "$tccmd->{target} ";
 		    my $marktype = $tccmd->{mark};
 
 		    if ( $marktype == NOMARK ) {
@@ -289,19 +268,15 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
 
-		    if ( $target eq 'sticky' ) {
+		    if ( $target eq 'sticky ' ) {
 			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 
-			$restriction = DESTIFACE_DISALLOW;
-			
-			ensure_mangle_chain($target);
-
 			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
+		    } elsif ( $target eq 'IPMARK ' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 
 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
@@ -338,7 +313,7 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
+		    } elsif ( $target eq 'TPROXY ' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
@@ -396,16 +371,14 @@ sub process_tc_rule( ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
 		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
 		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
     }
-    }
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} | $restriction,
+				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
@@ -416,9 +389,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     $mark ? "$target $mark" : $target,
+				     "-j $target $mark" ,
+				     '' ,
 				     '' ,
-				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -435,11 +408,11 @@ sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
     return 0           if $rate eq '-';
-    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
-    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
-    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
-    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
-    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
+    return $1          if $rate =~ /^(\d+)kbit$/i;
+    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
+    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
+    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
+    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
     fatal_error "Invalid Rate ($rate)";
 }
 
@@ -458,6 +431,8 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
     my $flow = shift;
 
+    $flow =~ s/^\(// if $flow =~ s/\)$//;
+
     my @flow = split /,/, $flow;
 
     for ( @flow ) {
@@ -468,7 +443,7 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
 
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -488,21 +463,7 @@ sub process_simple_device() {
 	}
     }
 
-    my $in_burst = '10kb';
-
-    if ( $in_bandwidth =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
-
-	if ( defined $burst && $burst ne '' ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$in_bandwidth = rate_to_kbit( $in_band );
-    } else {
-	$in_bandwidth = rate_to_kbit( $in_bandwidth );
-    }
+    $bandwidth = rate_to_kbit( $bandwidth );
 
     emit "if interface_is_up $physical; then";
 
@@ -514,50 +475,10 @@ sub process_simple_device() {
 	 );
 
     emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
-	 ) if $in_bandwidth;
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	 ) if $bandwidth;
 	  
-    if ( $out_part ne '-' ) {
-	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
-
-	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
-
-	$out_bandwidth = rate_to_kbit( $out_bandwidth );
-
-	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
-
-	if ( defined $burst && $burst ne '' ) {
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " burst $burst";
-	} else {
-	    $command .= ' burst 10kb';
-	}
-
-	if ( defined $latency && $latency ne '' ) {
-	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
-	    $command .= " latency $latency";
-	} else {
-	    $command .= ' latency 200ms';
-	}
-
-	if ( defined $peak && $peak ne '' ) {
-	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " peakrate $peak";
-	}
-
-	if ( defined $minburst && $minburst ne '' ) {
-	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " minburst $minburst";
-	}
-
-	emit $command;
-
-	my $id = $number; $number = in_hexp( $devnum | 0x100 );
-
-	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    } else {
     emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    }
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
@@ -1307,26 +1228,11 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}
 
-	my $in_burst = '10kb';
-	my $inband;
-
-	if ( $devref->{in_bandwidth} =~ /:/ ) {
-	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
-
-	    if ( defined $burst && $burst ne '' ) {
-		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-		$in_burst = $burst;
-	    }
-
-	    $inband = rate_to_kbit( $in_band );
-	} else {
-	    $inband = rate_to_kbit $devref->{in_bandwidth};
-	}
+	my $inband = rate_to_kbit $devref->{in_bandwidth};
 
 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
 		   );
 	}
 
@@ -1444,68 +1350,6 @@ sub setup_traffic_shaping() {
     }
 }
 
-#
-# Process a record in the secmarks file
-#
-sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
-
-    if ( $secmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    my %chns = ( T => 'tcpost'  ,
-		 P => 'tcpre'   ,
-		 F => 'tcfor'   ,
-		 I => 'tcin'    ,
-		 O => 'tcout'   , );
-
-    my %state = ( N =>  'NEW' ,
-		  E =>  'ESTABLISHED' , 
-		  ER => 'ESTABLISHED,RELATED' );
-
-    my ( $chain , $state, $rest) = split ':', $chainin , 3;
-
-    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
-
-    my $chain1= $chns{$chain};
-    
-    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
-    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
-
-    if ( ( $state ||= '' ) ne '' ) {
-	my $state1;
-	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
-	$state = "$globals{STATEMATCH} $state1 ";
-    }
-
-    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
-	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
-		 "SECMARK --selctx $secmark";
-
-    my $disposition = $target;
-
-    $disposition =~ s/ .*//;
-
-    expand_rule( ensure_mangle_chain( $chain1 ) , 
-		 $restrictions{$chain1} ,
-		 $state .
-		 do_proto( $proto, $dport, $sport ) .
-		 do_user( $user ) .
-		 do_test( $mark, $globals{TC_MASK} ) ,
-		 $source , 
-		 $dest , 
-		 '' , 
-		 $target , 
-		 '' , 
-		 $disposition,
-		 '' );
-
-    progress_message "Secmarks rule \"$currentline\" $done";
-		 
-}
-
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -1518,7 +1362,6 @@ sub setup_tc() {
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain 'tcin';
 	}
 
 	my $mark_part = '';
@@ -1540,12 +1383,9 @@ sub setup_tc() {
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
-
-	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
-	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
 	}
     }
 
@@ -1594,7 +1434,7 @@ sub setup_tc() {
 			  mark      => HIGHMARK ,
 			  mask      => '' } ,
 			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark' ,
+			  target    => 'MARK --and-mark ' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' ,
 			  connmark  => 0
@@ -1616,20 +1456,9 @@ sub setup_tc() {
 	}
     }
 
-    if ( $config{MANGLE_ENABLED} ) {
-	if ( my $fn = open_file 'secmarks' ) {
-
-	    first_entry "$doing $fn...";
-
-	    process_secmark_rule while read_a_line;
-	
-	    clear_comment;
-	}
-
     add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
 
     handle_stickiness( $sticky );
-    }
 }
 
 1;

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";

Shorewall/Perl/Shorewall/Zones.pm

@@ -11,7 +11,7 @@
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the shope that it will be useful,
+#       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
@@ -37,7 +37,6 @@ our @EXPORT = qw( NOTHING
 		  IPSECPROTO
 		  IPSECMODE
 		  FIREWALL
-		  VSERVER
 		  IP
 		  BPORT
 		  IPSEC
@@ -53,11 +52,8 @@ our @EXPORT = qw( NOTHING
 		  all_zones
 		  all_parent_zones
 		  complex_zones
-		  vserver_zones
-		  off_firewall_zones
 		  non_firewall_zones
 		  single_interface
-		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
 		  all_bridges
@@ -71,20 +67,16 @@ our @EXPORT = qw( NOTHING
 		  source_port_to_bridge
 		  interface_is_optional
 		  find_interfaces_by_option
-		  find_interfaces_by_option1
 		  get_interface_option
 		  set_interface_option
-		  verify_required_interfaces
-		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
-		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 # IPSEC Option types
@@ -95,6 +87,7 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
+
 #
 # Zone Table.
 #
@@ -155,29 +148,21 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
-#                                     base        => <shell variable base representing this interface>
 #                                   }
 #                 }
 #
-#    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
-#    the same order as the interfaces are encountered in the configuration files. 
-#
 our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
 our %physical;
-our %basemap;
-our %mapbase;
 our $family;
 our $have_ipsec;
-our $baseseq;
 
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       IPSEC    => 4 };
 
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -191,14 +176,13 @@ use constant { SIMPLE_IF_OPTION   => 1,
 
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
-	       IF_OPTION_VSERVER  => 32,
 	   };
 
 our %validinterfaceoptions;
 
-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 );
 
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
 
 our %validhostoptions;
 
@@ -224,9 +208,6 @@ sub initialize( $ ) {
     @bport_zones = ();
     %ipsets = ();
     %physical = ();
-    %basemap = ();
-    %mapbase = ();
-    $baseseq = 0;
 
     if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -237,13 +218,12 @@ sub initialize( $ ) {
 				  dhcp        => SIMPLE_IF_OPTION,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
-				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
-				  required    => SIMPLE_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -251,7 +231,6 @@ sub initialize( $ ) {
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
 				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -268,18 +247,16 @@ sub initialize( $ ) {
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
-				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
-				    required    => SIMPLE_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -299,7 +276,6 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$)
 {
     my %validoptions = ( mss          => NUMERIC,
-			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@@ -309,12 +285,10 @@ sub parse_zone_option_list($$)
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
-
-    use constant { UNRESTRICTED => 1, NOFW => 2 };
     #
     # Hash of options that have their own key in the returned hash.
     #
-    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
+    my %key = ( mss => 'mss' );
 
     my ( $list, $zonetype ) = @_;
     my %h;
@@ -347,8 +321,7 @@ sub parse_zone_option_list($$)
 	    }
 
 	    if ( $key{$e} ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
-		$h{$e} = $val || 1;
+		$h{$e} = $val;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
@@ -395,7 +368,6 @@ sub process_zone( \$ ) {
 	    fatal_error "Invalid Parent List ($2)" unless $p;
 	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
 	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
 	    push @{$zones{$p}{children}}, $zone;
 	}
     }
@@ -422,14 +394,11 @@ sub process_zone( \$ ) {
 	$firewall_zone = $zone;
 	$ENV{FW} = $zone;
 	$type = FIREWALL;
-    } elsif ( $type eq 'vserver' ) {
-	fatal_error 'Vserver zones may not be nested' if @parents;
-	$type = VSERVER;
     } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
     } else {
-	fatal_error "Invalid zone type ($type)";
+	fatal_error "Invalid zone type ($type)" ;
     }
 
     if ( $type eq IPSEC ) {
@@ -439,7 +408,7 @@ sub process_zone( \$ ) {
 	}
     }
 
-    my $zoneref = $zones{$zone} = { type       => $type,
+    $zones{$zone} = { type       => $type,
 		      parents    => \@parents,
 		      bridge     => '',
 		      options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
@@ -454,16 +423,6 @@ sub process_zone( \$ ) {
 		      hosts      => {}
 		    };
 
-    if ( $zoneref->{options}{in_out}{blacklist} ) {
-	for ( qw/in out/ ) {
-	    unless ( $zoneref->{options}{$_}{blacklist} ) {
-		$zoneref->{options}{$_}{blacklist} = 1;
-	    } else {
-		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
-	    }
-	}
-    }
-
     return $zone;
 
 }
@@ -528,9 +487,9 @@ sub zone_report()
     my @translate;
 
     if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
+	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
     } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
+	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
     }
 
     for my $zone ( @zones )
@@ -587,9 +546,9 @@ sub dump_zone_contents()
     my @xlate;
 
     if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
+	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
     } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
+	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
     }
 
     for my $zone ( @zones )
@@ -666,9 +625,7 @@ sub add_group_to_zone($$$$$)
     my $allip    = 0;
 
     for my $host ( @$networks ) {
-	$interfaceref = $interfaces{$interface};
-
-	$interfaceref->{nets}++;
+	$interfaces{$interface}{nets}++;
 
 	fatal_error "Invalid Host List" unless defined $host and $host ne '';
 
@@ -685,13 +642,6 @@ sub add_group_to_zone($$$$$)
 		if ( $host eq ALLIP ) {
 		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
 		    $interfaces{$interface}{zone} = $zone;
-		    #
-		    # Make 'find_hosts_by_option()' work correctly for this zone
-		    #
-		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
-			$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
-		    }
-
 		    $allip = 1;
 		}
 	    }
@@ -755,30 +705,18 @@ sub all_zones() {
     @zones;
 }
 
-sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
-}
-
 sub non_firewall_zones() {
    grep ( $zones{$_}{type} != FIREWALL ,  @zones );
 }
 
 sub all_parent_zones() {
-    #
-    # Although the firewall zone is technically a parent zone, we let the caller decide
-    # if it is to be included or not.
-    #
-    grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
+   grep ( ! @{$zones{$_}{parents}} ,  @zones );
 }
 
 sub complex_zones() {
     grep( $zones{$_}{options}{complex} , @zones );
 }
 
-sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
-}
-
 sub firewall_zone() {
     $firewall_zone;
 }
@@ -790,55 +728,6 @@ sub is_a_bridge( $ ) {
     which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
 } 
 
-#
-# Transform the passed interface name into a legal shell variable name.
-#
-sub chain_base($) {
-    my $chain = $_[0];
-    my $name  = $basemap{$chain};
-    #
-    # Return existing mapping, if any
-    #
-    return $name if $name;
-    #
-    # Remember initial value 
-    #
-    my $key = $chain;
-    #
-    # Handle VLANs and wildcards
-    #
-    $chain =~ s/\+$//;
-    $chain =~ tr/./_/;
-
-    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
-	#
-	# Must map. Remove all illegal characters
-	#
-	$chain =~ s/[^\w]//g;
-	#
-	# Prefix with if_ if it begins with a digit
-	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
-	#
-	# Create a new unique name
-	#
-	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
-    } else {
-	#
-	# We'll store the identity mapping if it is unique
-	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
-    }
-    #
-    # Store the reverse mapping
-    #
-    $mapbase{$name} = $key;
-    #
-    # Store the mapping
-    #
-    $basemap{$key} = $name;
-}
-
 #
 # Process a record in the interfaces file
 #
@@ -879,8 +768,6 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
-	    
-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}
 
 	$bridge = $interface;
@@ -888,8 +775,6 @@ sub process_interface( $$ ) {
     } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
 	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
-
 	$bridge = $interface;
     }
 
@@ -903,8 +788,6 @@ sub process_interface( $$ ) {
 	$root = $interface;
     }
 
-    fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
-
     my $physical = $interface;
     my $broadcasts;
 
@@ -928,12 +811,6 @@ sub process_interface( $$ ) {
 
     my $hostoptionsref = {};
 
-    if ( $options eq 'ignore' ) {
-	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
-	$options = '-';
-    }
-
     if ( $options ne '-' ) {
 
 	my %hostoptions = ( dynamic => 0 );
@@ -945,11 +822,7 @@ sub process_interface( $$ ) {
 
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
 
-	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else { 
-		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-	    }
+	    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
 
 	    my $hostopt = $type & IF_OPTION_HOST;
 
@@ -959,16 +832,8 @@ sub process_interface( $$ ) {
 
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
-		if ( $option eq 'blacklist' ) {
-		    if ( $zone ) {
-			$zoneref->{options}{in}{blacklist} = 1;
-		    } else {
-			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
-		    }
-		} else {
 		$options{$option} = 1;
 		$hostoptions{$option} = 1 if $hostopt;
-		}
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@@ -976,8 +841,8 @@ sub process_interface( $$ ) {
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
-		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -1000,6 +865,10 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
+		# Remove parentheses from address list if present
+		#
+		$value =~ s/\)$// if $value =~ s/^\(//;
+		#
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
@@ -1032,7 +901,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
 
 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
 
@@ -1046,8 +915,6 @@ sub process_interface( $$ ) {
 	    }
 	}
 
-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = "${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
@@ -1078,8 +945,7 @@ sub process_interface( $$ ) {
 						       broadcasts => $broadcasts ,
 						       options    => \%options ,
 						       zone       => '',
-						       physical   => $physical ,
-						       base       => chain_base( $physical )
+						       physical   => $physical
 						     };
 
     if ( $zone ) {
@@ -1088,7 +954,7 @@ sub process_interface( $$ ) {
 	add_group_to_zone( $zone, 
 			   $zoneref->{type}, 
 			   $interface, 
-			   $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] ,
+			   [ IPv4_MULTICAST ], 
 			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
     } 
 
@@ -1135,27 +1001,6 @@ sub validate_interfaces_file( $ ) {
     # Be sure that we have at least one interface
     #
     fatal_error "No network interfaces defined" unless @interfaces;
-
-    if ( vserver_zones ) {
-	#
-	# While the user thinks that vservers are associated with a particular interface, they really are not.
-	# We create an interface to associated them with.
-	#
-	my $interface = '%vserver%';
-
-	$interfaces{$interface} = { name       => $interface ,
-				    bridge     => $interface ,
-				    nets       => 0 ,
-				    number     => $nextinum ,
-				    root       => $interface ,
-				    broadcasts => undef ,
-				    options    => {} ,
-				    zone       => '',
-				    physical   => 'lo',
-				  };
-
-	push @interfaces, $interface;
-    }
 }
 
 #
@@ -1175,35 +1020,28 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
-# %interfaces.
+# If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
 #
-sub known_interface($;$)
+sub known_interface($)
 {
-    my ( $interface, $cache ) = @_;
+    my $interface = $_[0];
     my $interfaceref = $interfaces{$interface};
 
     return $interfaceref if $interfaceref;
 
-    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
-
     for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
-	    my $physical = map_physical( $interface, $interfaceref );
-	    
-	    my $copyref = { options  => $interfaceref->{options},
+	    #
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
+	    #
+	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
 					       bridge   => $interfaceref->{bridge} , 
 					       name     => $i , 
 					       number   => $interfaceref->{number} ,
-			    physical => $physical ,
-			    base     => chain_base( $physical ) ,
+					       physical => map_physical( $interface, $interfaceref )
 					     };
-
-	    $interfaces{$interface} = $copyref if $cache;
-
-	    return $copyref;
 	}
     }
 
@@ -1313,36 +1151,6 @@ sub find_interfaces_by_option( $ ) {
     \@ints;
 }
 
-#
-# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
-#
-# - All entries in %interfaces are searched.
-# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
-#
-sub find_interfaces_by_option1( $ ) {
-    my $option = $_[0];
-    my @ints = ();
-    my $wild = 0;
-
-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
-			keys %interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-
-	next unless defined $interfaceref->{physical};
-
-	my $optionsref = $interfaceref->{options};
-
-	if ( $optionsref && defined $optionsref->{$option} ) {
-	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
-	    push @ints , $interface
-	}
-    }
-
-    return unless defined wantarray;
-
-    wantarray ? ( \@ints, $wild ) : \@ints;
-}
-
 #
 # Return the value of an option for an interface
 #
@@ -1361,293 +1169,6 @@ sub set_interface_option( $$$ ) {
     $interfaces{$interface}{options}{$option} = $value;
 }
 
-#
-# Verify that all required interfaces are available after waiting for any that specify the 'wait' option.
-#
-sub verify_required_interfaces( $ ) {
-
-    my $generate_case = shift;
-
-    my $returnvalue = 0;
-
-    my $interfaces = find_interfaces_by_option 'wait';
-
-    if ( @$interfaces ) {
-	my $first = 1;
-
-	emit( "local waittime\n" );
-
-	emit( 'case "$COMMAND" in' );
-
-	push_indent;
-
-	emit( 'start|restart|restore)' );
-
-	push_indent;
-
-	for my $interface (@$interfaces ) {
-	    my $wait = $interfaces{$interface}{options}{wait};
-
-	    emit q() unless $first-- > 0;
-	    
-	    if ( $wait ) {
-		my $physical = get_physical $interface;
-
-		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
-		    $physical =~ s/\+$/*/;
-
-		    emit( 'for interface in $(find_all_interfaces); do',
-			  '    case $interface in',
-			  "        $physical)",
-			  "            waittime=$wait",
-			  '            while [ $waittime -gt 0 ]; do',
-			  '                interface_is_usable $interface && break',
-			  '                waittime=$(($waittime - 1))',
-			  '            done',
-			  '            ;;',
-			  '    esac',
-			  'done',
-			  '',
-			);
-		} else {
-		    emit qq(if ! interface_is_usable $physical; then);
-		    emit qq(    waittime=$wait);
-		    emit  '';
-		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
-		    emit  q(        sleep 1);
-		    emit   '        waittime=$(($waittime - 1))';
-		    emit  q(    done);
-		    emit  q(fi);
-		}
-
-		$returnvalue = 1;
-	    }
-	}
-
-	emit( ";;\n" );
-	
-	pop_indent;
-	pop_indent;
-
-	emit( "esac\n" );
-
-    }
-
-    $interfaces = find_interfaces_by_option 'required';
-
-    if ( @$interfaces ) {
-
-	if ( $generate_case ) {
-	    emit( 'case "$COMMAND" in' );
-	    push_indent;
-	    emit( 'start|restart|restore|refresh)' );
-	    push_indent;
-	}
-
-	for my $interface (@$interfaces ) {
-	    my $physical = get_physical $interface;
-
-	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
-
-		$physical =~ s/\+$/*/;
-
-		emit( "SW_${base}_IS_UP=\n",
-		      'for interface in $(find_all_interfaces); do',
-		      '    case $interface in',
-		      "        $physical)",
-		      "            interface_is_usable \$interface && SW_${base}_IS_UP=Yes && break",
-		      '            ;;',
-		      '    esac',
-		      'done',
-		      '',
-		      "if [ -z \"\$SW_${base}_IS_UP\" ]; then",
-		      "    startup_error \"None of the required interfaces $physical are available\"",
-		      "fi\n"
-		    );
-	    } else {
-		emit qq(if ! interface_is_usable $physical; then);
-		emit qq(    startup_error "Required interface $physical not available");
-		emit qq(fi\n);
-	    }
-	}
-
-	if ( $generate_case ) {
-	    emit( ';;' );
-	    pop_indent;
-	    pop_indent;
-	    emit( 'esac' );
-	}
-
-	$returnvalue = 1;
-    }
-
-    $returnvalue;
-}
-
-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  '' );
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore';
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
-
-	$interfaces =~ s/\+/*/;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/ );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall' );
-
-	if ( $wildcard ) {
-	    emit( '    elif [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall' );
-	} else {
-	    emit( '    else',
-		  '        COMMAND=stop',
-		  '        progress_message3 "$g_product attempting stop"',
-		  '        detect_configuration',
-		  '        stop_firewall' );
-	}
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
-
-	$interfaces =~ s/\+/*/;
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
-	      '        echo 0 > ${VARDIR}/${1}.state',
-	      '    else',
-	      '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
-	      '    if [ "$state" = started ]; then',
-	      '        COMMAND=restart',
-	      '        progress_message3 "$g_product attempting restart"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$state" = stopped ]; then',
-	      '        COMMAND=start',
-	      '        progress_message3 "$g_product attempting start"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    else',
-	      '        progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    fi',
-	      '    ;;',
-	    );
-    }
-
-    emit( "*)",
-	  '    case $state in',
-	  '        started)',
-	  '            COMMAND=restart',
-	  '            progress_message3 "$g_product attempting restart"',
-	  '            detect_configuration',
-	  '            define_firewall',
-	  '            ;;',
-	  '        *)',
-	  '            progress_message3 "$COMMAND on interface $1 ignored"',
-	  '            ;;',
-	  '    esac',
-	);
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 #
 # Process a record in the hosts file
 #
@@ -1703,19 +1224,14 @@ sub process_host( ) {
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
-		warning_message "The 'norfc1918' host option is no longer supported"
-	    } elsif ( $option eq 'blacklist' ) {
-		$zoneref->{options}{in}{blacklist} = 1;
+		warning_message "The 'norfc1918' option is no longer supported"
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
 
-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
-
 	$optionsref = \%options;
     }
 
@@ -1735,7 +1251,6 @@ sub process_host( ) {
     $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
 
     if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = physical_name $interface;
 	$hosts = "+${zone}_${physical}";
@@ -1743,10 +1258,6 @@ sub process_host( ) {
 	$ipsets{"${zone}_${physical}"} = 1;
 
     }
-    #
-    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
-    #
-    $interface = '%vserver%' if $type == VSERVER;
 
     add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
 
@@ -1810,21 +1321,6 @@ sub find_hosts_by_option( $ ) {
     \@hosts;
 }
 
-#
-# Returns a reference to a list of zones with the passed in/out option
-#
-
-sub find_zones_by_option( $$ ) {
-    my ($option, $in_out ) = @_;
-    my @zns;
-
-    for my $zone ( @zones ) {
-	push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
-    }
-
-    \@zns;
-}
-
 sub all_ipsets() {
     sort keys %ipsets;
 }

Shorewall/Perl/prog.footer

@@ -5,7 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
     echo 
     echo "Options are:"
     echo
@@ -218,7 +218,6 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
 	fi
 
 	detect_configuration
@@ -256,9 +255,7 @@ case "$COMMAND" in
 	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	if [ -n "$SUBSYSLOCK" ]; then
-	    rm -f $SUBSYSLOCK
-	fi
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	progress_message3 "done."
 	;;
     status)
@@ -276,7 +273,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -286,13 +283,6 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
-	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Perl/prog.footer6

@@ -5,7 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
     echo 
     echo "Options are:"
     echo
@@ -219,7 +219,6 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
-		COMMAND=start
 	    fi
 
 	    detect_configuration
@@ -257,9 +256,7 @@ else
 	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
 	status)
@@ -287,13 +284,6 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
-	up|down)
-	    [ $# -eq 1 ] && exit 0
-	    shift
-	    [ $# -ne 1 ] && usage 2
-	    updown $1
-	    status=0
-	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
 	    echo $SHOREWALL_VERSION

Shorewall/Perl/prog.header

@@ -89,17 +89,35 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 
 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv4 address
+# Flush one of the NAT table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushnat() # $1 = name of chain
+{
+    run_iptables -t nat -F $1
+}
+
+#
+# Flush one of the Mangle table chains
+#
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
 }
 
 #
@@ -508,12 +526,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1
 
 	while read route ; do
@@ -598,9 +615,9 @@ delete_proxyarp() {
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
+    fi
 
     rm -f ${VARDIR}/proxyarp
-    fi
 }
 
 #
@@ -614,7 +631,6 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
-    qt $IPTABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv4/ip_forward
 
@@ -640,7 +656,7 @@ fatal_error()
 {
     echo "   ERROR: $@" >&2
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%_b %d %T') "
         echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
     fi
@@ -656,12 +672,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
     echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
     case $COMMAND in
         start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -674,7 +684,7 @@ startup_error() # $* = Error Message
 	    ;;
     esac
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%_b %d %T') "
 
 	case $COMMAND in
@@ -751,6 +761,34 @@ run_tc() {
     fi
 }
 
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Get a list of all configured broadcast addresses on the system
 #

Shorewall/Perl/prog.header6

@@ -89,17 +89,27 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 
 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv6 address
+# Flush one of the Mangle table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
 }
 
 #
@@ -168,7 +178,7 @@ find_default_interface() {
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
 #
@@ -496,12 +506,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1
 
 	while read route ; do
@@ -584,7 +593,6 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
-    qt $IP6TABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
@@ -618,12 +626,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
     echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
     case $COMMAND in
         start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -713,6 +715,34 @@ run_tc() {
     fi
 }
 
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #

Shorewall/changelog.txt

@@ -1,126 +1,3 @@
-Changes in Shorewall 4.4.13.1
-
-1)  Make log messages uniform.
-
-2)  Fix blacklisting in simple configurations.
-
-Changes in Shorewall 4.4.13
-
-1)  Allow zone lists in rules SOURCE and DEST.
-
-2)  Fix exclusion in the blacklist file.
-
-3)  Correct several old exclusion bugs.
-
-4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
-
-5)  Re-implement optional interface handling.
-
-6)  Add secmark config file.
-
-7)  Split in and out blacklisting.
-
-8)  Correct handling of [{src|dst},...] in ipset invocation
-
-9)  Correct SAME.
-
-10) TC Enhancements:
-
-    <burst> in IN-BANDWIDTH columns.
-    OUT-BANDWIDTH column in tcinterfaces.
-
-11) Create dynamic zone ipsets on 'start'.
-
-12) Remove new blacklisting implementation.
-
-13) Implement an alternative blacklisting scheme.
-
-14) Use '-m state' for UNTRACKED.
-
-15) Clear raw table on 'clear'
-
-16) Correct port-range check in tcfilters.
-
-17) Disallow '*' in interface names.
-
-Changes in Shorewall 4.4.12
-
-1)  Fix IPv6 shorecap program.
-
-2)  Eradicate incorrect IPv6 Multicast Network
-
-3)  Add ADD/DEL support.
-
-4)  Allow :random to work with REDIRECT
-
-5)  Add per-ip log rate limiting.
-
-6)  Use new hashlimit match syntax if available.
-
-7)  Add Universal sample.
-
-8)  Add COMPLETE option.
-
-9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
-
-10) Support new set match syntax.
-
-11) Blacklisting by DEST IP.
-
-12) Fix duplicate rule generation with 'any'.
-
-13) Fix port range editing problem.
-
-14) Display the .conf file directory in response to the status command.
-
-15)  Correct AUTOMAKE
-
-Changes in Shorewall 4.4.11
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-3)  Fix start priority of shorewall-init on Debian
-
-4)  Make IPv6 log and connections output readable.
-
-5)  Add REQUIRE_INTERFACE to shorewall*.conf
-
-6)  Avoid run-time warnings when options are not listed in
-    shorewall.conf.
-
-7)  Implement Vserver zones.
-
-8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
-    hosts file.
-
-9)  Add CLEAR_FORWARD_MARK option.
-
-10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
-
-11) Add PERL option.
-
-12) Fix nets= in Shorewall6
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
 Changes in Shorewall 4.4.9
 
 1)  Auto-detection of bridges.

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
+#####################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,5 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-
+#ADDRESS/SUBNET		PROTOCOL	PORT

Shorewall/configfiles/masq

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/netmap

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+#TYPE	NET1			INTERFACE	NET2

Shorewall/configfiles/secmarks

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Secmarks File
-#
-# For information about entries in this file, type "man shorewall-secmarks"
-#
-############################################################################################################
-#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
-#				STATE						PORT(S)	PORT(S) GROUP
-
-
-
-
-								

Shorewall/configfiles/shorewall.conf

@@ -31,7 +31,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -57,8 +59,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -194,12 +194,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=No
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -8,3 +8,4 @@
 #
 ###############################################################################
 #INTERFACE	TYPE		IN-BANDWIDTH
+

Shorewall/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall/init.debian.sh

@@ -93,11 +93,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
   $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
   return 0
 }
 

Shorewall/known_problems.txt

@@ -1,11 +1 @@
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
-
-2)  The date/time formatting in the STARTUP_LOG is not uniform.
-
-    Fixed in 4.4.13.1
-
-3)  The blacklisting change in 4.4.13 broke blacklisting in some simple
-    configurations with the effect that blacklisting was not enabled.
-
-    Fixed in 4.4.13.1
+There are no known problems in Shorewall 4.4.9

Shorewall/lib.base

@@ -29,7 +29,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_CAPVERSION=40408
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]

Shorewall/lib.cli

@@ -226,18 +226,6 @@ show_classifiers() {
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
 
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
@@ -374,7 +362,17 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
+
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
+			else
+		            echo "Error Saving the Dynamic Rules" >&2
+			fi
+		    else
 			do_save && rm -f ${VARDIR}/save
+		    fi
 		    ;;
 	    esac
 	fi
@@ -553,20 +551,6 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
-
-	    if [ -z "$LOGFILE" ]; then
-		LOGFILE=/var/log/messages
-		
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
-		fi
-	    fi
-
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -807,19 +791,6 @@ dump_command() {
 	esac
     done
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
-
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -1066,10 +1037,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
-    local which
-    which='-s'
-    local range
-    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -1081,31 +1048,19 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		shift
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		shift
-		continue
-		;;
 	    *-*)
-		qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
-		qt $IPTABLES -D dynamic -m iprange $range  $1 -j DROP
-		qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
-		qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
-		$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
+		qt $IPTABLES -D dynamic -m iprange --src-range  $1 -j DROP
+		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
+		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
+		$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IPTABLES -D dynamic $which $1 -j reject
-		qt $IPTABLES -D dynamic $which $1 -j DROP
-		qt $IPTABLES -D dynamic $which $1 -j logreject
-		qt $IPTABLES -D dynamic $which $1 -j logdrop
-		$IPTABLES -A dynamic $which $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic -s $1 -j reject
+		qt $IPTABLES -D dynamic -s $1 -j DROP
+		qt $IPTABLES -D dynamic -s $1 -j logreject
+		qt $IPTABLES -D dynamic -s $1 -j logdrop
+		$IPTABLES -A dynamic -s $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1395,11 +1350,6 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1409,21 +1359,11 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
 		*-*)
-		    if  qt $IPTABLES -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
+		    if  qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
+			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1431,10 +1371,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IPTABLES -D dynamic $which $1 -j reject    ||\
-			qt $IPTABLES -D dynamic $which $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic $which $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic $which $1 -j logreject
+		    if  qt $IPTABLES -D dynamic -s $1 -j reject    ||\
+			qt $IPTABLES -D dynamic -s $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -s $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -s $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1519,10 +1459,6 @@ determine_capabilities() {
 	exit 1
     fi
 
-    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
-
-    [ -n "$IP" -a -x "$IP" ] || IP=
-
     [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
 
     [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1542,7 +1478,6 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
-    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1575,8 +1510,6 @@ determine_capabilities() {
     LOG_TARGET=Yes
     PERSISTENT_SNAT=
     FLOW_FILTER=
-    FWMARK_RT_MASK=
-    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1686,13 +1619,9 @@ determine_capabilities() {
 	qt ipset -X $chain # Just in case something went wrong the last time
 
 	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
-		IPSET_MATCH=Yes
-	    elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
-		OLD_IPSET_MATCH=Yes
 	    fi
 	    qt ipset -X $chain
 	fi
@@ -1714,7 +1643,6 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
     qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
-    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
@@ -1722,7 +1650,6 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1758,10 +1685,7 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	if [ -n "$IPSET_MATCH" ]; then
 	report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
-	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1793,8 +1717,6 @@ report_capabilities() {
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1826,7 +1748,6 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
-    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1858,8 +1779,6 @@ report_capabilities1() {
     report_capability1 PERSISTENT_SNAT
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
-    report_capability1 FWMARK_RT_MASK
-    report_capability1 MARK_ANYWHERE
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/lib.common

@@ -94,12 +94,7 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
 	options='-'
-	fi
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -514,13 +509,9 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2 
+set_state () # $1 = state
 {
-    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
-    else
     echo "$1 ($(date))" > ${VARDIR}/state
-    fi
 }
 
 #

Shorewall/releasenotes.txt

@@ -1,275 +1,16 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 3 . 1
+                       S H O R E W A L L  4 . 4 . 9
 ----------------------------------------------------------------------------
 
-I.    PROBLEMS CORRECTED IN THIS RELEASE
-II.   KNOWN PROBLEMS REMAINING
-III.  NEW FEATURES IN THIS RELEASE
-IV.   RELEASE 4.4 HIGHLIGHTS
-V.    MIGRATION ISSUES
+I.    RELEASE 4.4 HIGHLIGHTS
+II.   MIGRATION ISSUES
+III.  PROBLEMS CORRECTED IN THIS RELEASE
+IV.   KNOWN PROBLEMS REMAINING
+V.    NEW FEATURES IN THIS RELEASE
 VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 
 
 ----------------------------------------------------------------------------
-  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
-----------------------------------------------------------------------------
-
-4.4.13.1
-
-1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
-
-2)  The blacklisting change in 4.4.13 was broken in some simple
-    configurations with the effect that blacklisting was not enabled.
-
-4.4.13
- 
-1)  Under rare circumstances where COMMENT is used to attach comments
-    to rules, OPTIMIZE 8 through 15 could result in invalid
-    iptables-restore (ip6tables-restore) input.
-
-2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
-    could result in invalid iptables-restore (ip6tables-restore) input.
-
-3)  The change in 4.4.12 to detect and use the new ipset match syntax
-    broke the ability to detect the old ipset match capability. Now,
-    both versions of the capability can be correctly detected.
-
-4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
-    if the last optional interface tested was not available.
-
-5)  Exclusion in the blacklist file was correctly validated but was then
-    ignored when generating iptables (ip6tables) rules.
-
-6)  Previously, non-trivial exclusion (more than one excluded
-    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
-    valid but incorrect iptables input. This has been corrected but
-    requires that your iptables/kernel support marking rules in any
-    Netfilter table (CONTINUE in the tcrules file does not require this
-    support).
-
-    This fix implements a new 'Mark in any table' capability; those
-    who utilize a capabilities file should re-generate the file using
-    this release.
-
-7)  Interface handling has been extensively modified in this release
-    to correct a number of problems with the earlier
-    implementation. Among those problems:
-
-    - Invalid shell variable names could be generated in the firewall
-      script. The generated firewall script uses shell variables to
-      track the availability of optional and required interfaces and
-      to record detected gateways, detected addresses, etc.
-
-    - The same shell variable name could be generated by two different
-      interface names.
-
-    - Entries in the interfaces file with a wildcard physical name
-      (physical name ends with "+") and with the 'optional' option were
-      handled strangely.
-
-      o If there were references to specific interfaces that matched
-        the wildcard, those entries were handled as if they had been
-        defined as optional in the interfaces file.
-
-      o If there were no references matching the wildcard, then the
-        'optional' option was effectively ignored. 
-
-    The new implementation:
-
-    - Insures valid shell variable names.
-    
-    - Insures that shell variable names are unique.
-
-    - Handles interface names appearing in the INTERFACE column of the
-      providers file as a special case for 'optional'. If the name
-      matches a wildcard entry in the interfaces file then the
-      usability of the specific interface is tracked individually. 
-
-    - Handles the availabilty of other interfaces matching a wildcard
-      as a group; if there is one useable interface in the group then
-      the wildcard itself is considered usable.
-
-      The following example illustrates this use case:
-
-      /etc/shorewall/interfaces
-
-	net	ppp+	-	optional
-
-      /etc/shorewall/shorewall.conf
-
-	REQUIRE_INTERFACE=Yes
-
-      If there is any usable PPP interface then the firewall will be
-      allowed to start. Previously, the firewall would never be allowed
-      to start.
-
-8)  When a comma-separated list of 'src' and/or 'dst' was specified in
-    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
-    or 'dst' was previously ignored when generating the resulting
-    iptables rule.
-
-9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
-    generated invalid iptables (ip6tables) input. That target now
-    generates correct input.
-
-10) Ipsets associated with 'dynamic' zones were being created during
-    'restart' but not during 'start'.
-
-11) To work around an issue in Netfilter/iptables, Shorewall now uses
-    state match rather than conntrack match for UNTRACKED state
-    matching.
-
-12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
-    did not clear the raw table.
-
-13) An error message was incorrectly generated if a port range of the
-    form :<port> (e.g., :22) appeared.
-
-14) An error is now generated if '*' appears in an interface name.
-
-----------------------------------------------------------------------------
-           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
-----------------------------------------------------------------------------
-
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
-
-----------------------------------------------------------------------------
-      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
-----------------------------------------------------------------------------
-
-1)  Entries in the rules file (both Shorewall and Shorewall6) may now
-    contain zone lists in the SOURCE and DEST column. A zone list is a
-    comma-separated list of zone names where each name appears in the
-    zones file. A zone list may be optionally followed by a plus sign
-    ("+") to indicate that the rule should apply to intra-zone traffic
-    as well as to inter-zone traffic.
-
-    Zone lists behave like 'all' and 'any' with respect to Optimization
-    1. If the rule matches the applicable policy for a given (source
-    zone, dest zone), then the rule will be suppessed for that pair of
-    zones unless overridden by the '!' suffix on the target in the
-    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
-
-    Additionally, 'any', 'all' and zone lists may be qualified in the
-    same way as a single zone.
-
-    Examples:
-
-	fw,dmz:90.90.191.120/29
-	all:+blacklist
-
-    The 'all' and 'any' keywords now support exclusion in the form of a
-    comma-separated list of excluded zones.
-
-    Examples: 
-
-    	     all!fw         (same as all-).
-	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
-	     		     include intra-zone rules).
-
-2)  An IPSEC column has been added to the accounting file, allowing you
-    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
-    shorewall-accounting' (man shorewall6-accounting) for details.
-
-    With this change, there are now three trees of accounting chains:
-
-    - The one rooted in the 'accounting' chain.
-    - The one rooted in the 'accipsecin' chain. This tree handles
-      traffic that has been decrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the DEST column.
-    - The one rooted in the 'accipsecout' chain. This tree handles
-      traffic that will be encrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the SOURCE column.
-
-    In reality, when there are bridges defined in the configuration,
-    there is a fourth tree rooted in the 'accountout' chain. That chain
-    handles traffic that originates on the firewall (both IPSEC and
-    non-IPSEC).
-
-    This change also implements a couple of new warnings:
-
-    - WARNING: Adding rule to unreferenced accounting chain <name>
-
-      The first reference to user-defined accounting chain <name> is
-      not a JUMP or COUNT from an already-defined chain.
-
-    - WARNING: Accounting chain <name> has o references
-
-      The named chain contains accounting rules but no JUMP or COUNT
-      specifies that chain as the target.
-
-3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
-    manipulating the SELinux context of packets.
-
-    See the shorewall-secmarks and shorewall6-secmarks manpages for
-    details.
-
-    As part of this change, the tcrules file now accepts $FW in the
-    DEST column for marking packets in the INPUT chain.
-
-4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
-
-    a) Blacklisting is now based on zones rather than on interfaces and
-       host groups.
-
-    b) Near compatibility with earlier releases is maintained.
-
-    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
-       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
-       respectively. The old keywords are still supported.
-
-    d) The 'blacklist' keyword may now appear in the OPTIONS,
-       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
-
-       i)  In the IN_OPTIONS column, it indicates that packets received
-           on the interface are checked against the 'src' entries in
-           /etc/shorewall/blacklist.
-
-       ii) In the OUT_OPTIONS column, it indicates that packets being
-           sent to the interface are checked against the 'dst' entries.
-
-       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
-           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
-
-    e) The 'blacklist' option in the OPTIONS column of
-       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
-       equivalent to placing it in the IN_OPTIONS column of the
-       associates record in /etc/shorewall/zones. If no zone is given
-       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
-       option is ignored with a warning (it was previously ignored
-       silently).
-
-    f) The 'blacklist' option in the /etc/shorewall/interfaces and
-       /etc/shorewall/hosts files is now deprecated but will continue
-       to be supported for several releases. A warning will be added at
-       least one release before support is removed.
-
-5)  There is now an OUT-BANDWIDTH column in
-    /etc/shorewall/tcinterfaces.
-
-    The format of this column is:
-
-    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
-
-    These terms are described in tc-tbf(8). Shorewall supplies default
-    values as follows:
-
-    	   <burst>   = 10kb
-	   <latency> = 200ms
-
-    The remaining options are defaulted by tc.
-
-6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
-    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
-
-        <rate>[:<burst>]
-
-    The default <burst> is 10kb. A larger <burst> can help make the
-    <rate> more accurate; often for fast lines, the enforced rate is
-    well below the specified <rate>.
-
-----------------------------------------------------------------------------
-             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
+             I.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
 
 1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -326,14 +67,8 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 
 15) TPROXY support has been added.
 
-16) Explicit support for Linux-vserver has been added. It is now
-    possible to define sub-zones of $FW.
-
-17) A 'Universal' sample configuration is now availale for a
-    'plug-and-play' firewall.
-
 ----------------------------------------------------------------------------
-                   V.  M I G R A T I O N   I S S U E S
+                  I I.  M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
 1)  If you are currently using Shorewall-shell:
 
@@ -479,447 +214,10 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     where 'iface' is a capitalized interface name (e.g., ETH0) and
     'provider' is the capitalized name of a provider.
 	  
-15) Support for the OPTIONS column in /etc/shorewall/blacklist
-    (/etc/shorewall6/blacklist) has been removed. Blacklisting by
-    destination IP address will be included in a later Shorewall
-    release.
-
 ----------------------------------------------------------------------------
-V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
-      I N   P R I O R  R E L E A S E S
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
+I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
-1)  Previously, the Shorewall6-lite version of shorecap was using
-    iptables rather than ip6tables, with the result that many capabilities
-    that are only available in IPv4 were being reported as available.
-
-2)  In a number of cases, Shorewall6 generated incorrect rules
-    involving the IPv6 multicast network. The rules specified
-    ff00::/10 where they should have specified ff00::/8. Also, rules
-    instantiated when the firewall was stopped used ff80::/10 rather
-    than fe80::/10 (IPv6 Link Local network).
-
-3)  Previously, using a destination port-range with :random produced a
-    fatal compilation error in REDIRECT rules.
-
-4)  A number of problems associated with Shorewall-init and Upstart
-    have been corrected. 
-
-    If you use Shorewall-init, then when upgrading to this version, be
-    sure to recompile all firewall scripts before you take interfaces
-    down or reboot.
-
-5)  Previously, the Shorewall installer (install.sh) failed to install
-    /usr/share/shorewall/configfiles/Makefile and rather issued the
-    following message:
-
-    	      install-file: command not found 
-
-    This caused the Makefile to be omitted from RPMs as well.
-
-6)  When 'any' was used in the SOURCE column, a duplicate rule was
-    generated in all "fw2*" ("fw-* if ZONE2ZONE="-"). If 'any' was used
-    in the DEST column, then a duplicate rule appeared in all "*2fw"
-    (*-fw) chains.
-
-7)  A port range that omitted the first port number (e.g., ":80") was
-    rejected with the following error:
-
-    	 ERROR: Invalid/Unknown tcp port/service (0) : ......
-
-8)  AUTOMAKE=Yes has been broken for some time. It is now working
-    correctly.
-
-----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 2
-----------------------------------------------------------------------------
-
-1)  Support has been added for ADD and DEL rules in
-    /etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
-    IP address to be added to an ipset; DEL deletes an address
-    previously added.
-
-2)  Per-ip log rate limiting has been added in the form of the LOGLIMIT
-    option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
-    LOGBURST are ignored. 
-
-    LOGRATE and LOGBURST are now deprecated.
-
-    LOGLIMIT value format is [{s|d}:]<rate>[/<unit>][:<burst>]
-
-    If the value starts with 's:' then logging is limited per source
-    IP. If the value starts with 'd:', then logging is limited per
-    destination IP. Otherwise, the overall logging rate is limited.
-
-    <unit> is one of sec, min, hour, day.
-
-    If <burst> is not specified, then a value of 5 is assumed.
-
-3)  The sample configurations now include a 'Universal' configuration
-    that will start on any system and protect that system while
-    allowing the system to forward traffic.
-
-    As part of this change, several additional features were added:
-
-    - You may now specify "physical=+" in the interfaces file.
-    - A 'COMPLETE' option is added to shorewall.conf and
-      shorewall6.conf. When you set this option to Yes, you are
-      asserting that the configuration is complete so that your set of
-      zones encompasses any hosts that can send or receive traffic
-      to/from/through the firewall. This causes Shorewall to omit the
-      rules that catch packets in which the source or destination IP
-      address is outside of any of your zones. Default is No.  It is
-      recommended that this option only be set to Yes if:
-
-      o You have defined an interface whose effective physical setting
-        is '+'
-      o That interface is assigned to a zone.
-      o You have no CONTINUE policies or rules.
-
-4)  'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
-    compilations.
-
-5)  Shorewall now detects the presence of a recent ipset iptables
-    module and uses its new syntax. This avoids a warning on iptables
-    1.4.9. This change involves a new capabilities file version so if
-    you use a capabilities file, be sure to regenerate it with 4.4.12
-    shorewall-lite or shorewall6-lite.
-
-6)  Blacklisting can now be done by destination IP address as well as
-    by source address.
-
-    The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
-    now have an optional OPTIONS column. Initially, this column can
-    contain either 'from' (the default) or 'to'; the latter causes the
-    address(es) in the ADDRESS/SUBNET column to be interpreted as a
-    DESTINATION address rather than a source address.
-
-    Note that static blacklisting is still restricted to traffic
-    ARRIVING on an interface that has the 'blacklist' option set. So to
-    block traffic from your local network to an internet host, you must
-    specify 'blacklist' on your internal interface.
-
-    Similarly, dynamic blacklisting has been enhanced to recognize the
-    'from' and 'to' keywords.
-
-    Example:
-
-	shorewall drop to 1.2.3.4
-
-    This command will silently drop connection requests to1.2.3.4.
-
-    The reciprocal of that command would be:
-
-    	shorewall allow to 1.2.3.4
-
-7)  The status command now displays the directory containing the .conf
-    file (shorewall.conf or shorewall6.conf) when the running
-    configuration was compiled.
-
-    Example:
-
-        gateway:/etc/shorewall# shorewall status
-	Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 19:41:51 PDT 2010
-
-	Shorewall is running
-	State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
-
-	gateway:/etc/shorewall# 
-
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
-----------------------------------------------------------------------------
-
-1)  The IPv6 allowBcast action generated an invalid rule.
-
-2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
-    ipset was used in a configuration file entry, the following
-    fatal compilation error occurred:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    If you applied the workaround given in the "Known Problems", then
-    you should remove /etc/shorewall/capabilities after installing
-    this fix.
-
-3)  The start priority of shorewall-init on Debian and Debian-based
-    distributions was previously too low, making it start too late.
-
-4)  The log output from IPv6 logs was almost unreadable due to display
-    of IPv6 addresses in uncompressed format. A similar problem
-    occurred with 'shorewall6 show connections'. This update makes the
-    displays much clearer at the expense of opening the slight
-    possibility of two '::' sequences being incorrectly shown in the
-    same address.
-
-5)  The new REQUIRE_INTERFACE was inadvertently omitted from
-    shorewall.conf and shorewall6.conf. It has been added.
-
-6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
-
-7) If the following options were specified in /etc/shorewall/interfaces
-   for an interface with '-' in the ZONE column, then these options
-   would be ignored if there was an entry in the hosts file for the
-   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
-   implied when the host list begins with '!').
-
-   	blacklist
-	maclist
-	nosmurfs
-	tcpflags
-
-   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
-
-8) The generated script was missing a closing quote when
-   REQUIRE_INTERFACE=Yes.
-
-9) Previously, if nets= was specified under Shorewall6, this error
-   would result:
-
-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
-                /etc/shorewall6/interfaces (line 16)
-
-----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 1
-----------------------------------------------------------------------------
-
-1)  Beginning with this release, Shorewall supports a 'vserver'
-    zone type. This zone type is used with Shorewall running on a
-    Linux-vserver host system and allows you to define zones that
-    represent a set of Linux-vserver hosts.
-
-    See http://www.shorewall.net/Vserver.html for details.
-
-2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
-    and shorewall6.conf. 
-
-    Traditionally, Shorewall has cleared the packet mark in the first
-    rule in the mangle FORWARD chain. This behavior is maintained with
-    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
-    set to No, packet marks set in the PREROUTING chain are retained in
-    the FORWARD chains.
-
-    As part of this change, a new "fwmark route mask" capability has
-    been added. If your version of iproute2 supports this capability,
-    fwmark routing rules may specify a mask to be applied to the mark
-    prior to comparison with the mark value in the rule. The presence
-    of this capability allows Shorewall to relax the restriction that
-    small mark values may not be set in the PREROUTING chain when
-    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
-    capability, be sure that you logically OR mark values in PREROUTING
-    makring rules rather then simply setting them unless you are able
-    to set both the high and low bits in the mark in a single rule.
-
-    As always when a new capability has been introduced, be sure to
-    regenerate your capabilities file(s) after installing this release.
-
-3)  A new column (NET3) has been added to the /etc/shorewall/netmap
-    file. This new column can qualify the INTERFACE column by
-    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
-    associated with the interface.
-
-4)  To accomodate systems with more than one version of Perl installed,
-    the shorewall.conf and shorewall6.conf files now support a PERL
-    option. If the program specified by that option does not exist or
-    is not executable, Shorewall (and Shorewall6) fall back to
-    /usr/bin/perl.
-
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
-----------------------------------------------------------------------------
-1)  Startup Errors (those that are detected before the state of the
-    system has been altered), were previously not sent to the
-    STARTUP_LOG.
-
-2)  A regression of sorts occurred in Shorewall 4.4.9. Previously, a
-    Perl extension script could end with a call to add_rule(). Such a
-    script fails under Shorewall 4.4.9 unless the 'trace' option is
-    specified on the run line.
-
-    While this issue has been corrected, users are advised to always
-    end their Perl extension scripts with the following line to insure
-    that the script returns a 'true' value:
-
-    	 1;
-
-3)  Under rare circumstances involving a complex configuration,
-    OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
-    input to be generated.
-
-    Sample error message:
-
-        iptables-restore v1.4.8: Couldn't load target
-        `sys2sys':/usr/local/libexec/xtables/libipt_sys2sys.so:
-	cannot open shared object file: No such file or directory
-
-4)  Previously, if the 'optional' option was given to an interface with
-    a wildcard physical name, specific instances of the interface were
-    never considered usable.
-
-    Example:
-
-    /etc/shorewall/interfaces:
-
-    #ZONE	INTERFACE	BROADCAST	OPTIONS
-    net		ppp+		-		optional
-
-    /etc/shorewall/providers:
-
-    #PROVIDER	NUMBER	MARK	DUPLICATE	INTERFACE	...
-    XYZTEL	1	-	main		ppp0
-
-    The XYZTEL provider was never usable.
-
-    This configuration now works correctly.
-
-----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 0
-----------------------------------------------------------------------------
-
-1)  Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
-    package provides two related features:
-
-    a)  It allows the firewall to be closed prior to bringing up
-        network devices. This insures that unwanted connections are not
-        allowed between the time that the network comes up and when the
-        firewall is started.
-
-    b)  It integrates with NetworkManager and distribution ifup/ifdown
-        systems to allow for 'event-driven' startup and shutdown.
-
-    The two facilities can be enabled separately.
-
-    When Shorewall-init is first installed, it does nothing until you
-    configure it.
-
-    The configuration file is /etc/default/shorewall-init on
-    Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
-
-    There are two settings in the file:
-
-    	  PRODUCTS    - lists the Shorewall packages that you want to
-    	                integrate with Shorewall-init. Example:
-
-			    PRODUCTS="shorewall shorewall6"
-
-          IFUPDOWN      When set to 1, enables integration with
-                        NetworkManager and the ifup/ifdown scripts.
-
-    To close your firewall before networking starts:
-
-    a)  in the Shorewall-init configuration file, set PRODUCTS to the
-        firewall products installed on your system.
-
-    b)  be sure that your current firewall script(s) (normally in
-        /var/lib/<product>/firewall) is(are) compiled with the 4.4.10
-        compiler.
-
-	Shorewall and Shorewall6 users can execute these commands:
-
-	    shorewall compile
-            shorewall6 compile
-
-        Shorewall-lite and Shorewall6-lite users can execute these
-        commands on the administrative system.
-
-	    shorewall export <firewall-name-or-ip-address>
-	    shorewall6 export <firewall-name-or-ip-address>
-
-    That's all that is required.
-
-    To integrate with NetworkManager and ifup/ifdown, additional steps
-    are required. You probably don't want to enable this feature if you
-    run a link status monitor like swping or LSM.
-
-    a)  In the Shorewall-init configuration file, set IFUPDOWN=1.
-
-    b)  In your Shorewall interfaces file(s), set the 'required' option
-        on any interfaces that must be up in order for the firewall to
-        start. At least one interface must have the 'required' or
-        'optional' option if you perform the next optional step. If
-	'required' is specified on an interface with a wildcard name
-        (the physical name ends with '+'), then at least one interface
-        that matches the name must be in a usable state for the
-        firewall to start successfully.
-
-    c)  (Optional) -- If you have specified at least one 'required'
-        or 'optional interface, you can then disable automatic firewall
-        startup at boot time.
-
-	On Debian-based systems, set startup=0 in /etc/default/<product>.
-
-	On other systems, use your service startup configuration tool
-	(chkconfig, insserv, ...) to disable startup.
-
-    The following actions occur when an interface comes up:
-
-    	FIREWALL      INTERFACE     ACTION
-	STATE
-	----------------------------------
-	Any           Required      start
-        stopped       Optional      start
-        started	         -          restart
-
-    The following actions occur when an interface goes down:
-
-    In the INTERFACE column, '-' indicates neither required nor
-    optional
-
-    	FIREWALL      INTERFACE     ACTION
-	STATE
-	----------------------------------
-	Any           Required      stop
-        stopped       Optional      start
-	started	         -          restart
-
-    For optional interfaces, the /var/lib/<product>/<interface>.state
-    files are maintained to reflect the state of the interface.
-
-    Please note that the action is carried out using the current
-    compiled script; the configuration is not recompiled.
-
-    A new option has been added to shorewall.conf and
-    shorewall6.conf. The REQUIRE_INTERFACE option determines the
-    outcome when an attempt to start/restart/restore/refresh the
-    firewall is made and none of the optional interfaces are available.
-    With REQUIRE_INTERFACE=No (the default), the operation is
-    performed. If REQUIRE_INTERFACE=Yes, then the operation fails and
-    the firewall is placed in the stopped state. This option is
-    suitable for a laptop with both ethernet and wireless
-    interfaces. If either come up, the firewall starts. If neither
-    comes up, the firewall remains in the stopped state. Similarly, if
-    an optional interface goes down and there are no optional
-    interfaces remaining in the up state, then the firewall is stopped.
-
-    Shorewall-init may be installed on Debian-based systems, SuSE-based
-    systems and RedHat-based systems.
-
-    On Debian-based systems, during system shutdown the firewall is
-    opened prior to network shutdown (/etc/init.d/shorewall stop
-    performs a 'clear' operation rather than a 'stop'). This is
-    required by Debian standards. You can change this default behavior
-    by setting SAFESTOP=1 in /etc/default/shorewall
-    (/etc/default/shorewall6, ...).
-
-2)  All of the CLIs now support the -a option of the 'version' command.
-
-    Example:
-
-	gateway:~# shorewall6 version -a
-	4.4.10-RC1
-	shorewall: 4.4.10-RC1
-	shorewall-lite: 4.4.10-RC1
-	shorewall6-lite: 4.4.10-RC1
-	shorewall-init: 4.4.10-RC1
-	gateway:~#
-
-----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
-----------------------------------------------------------------------------
 1)  Logical interface names in the EXTERNAL column of
     /etc/shorewall/proxyarp were previously not mapped to their
     corresponding physical interface names. This could cause 'start' or
@@ -995,11 +293,14 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     Use of tunN in the nat and netmap files also produced invalid
     iptables-restore input.
 
-2)  '/sbin/shorewall version -a' now shows the versions of all installed
-    Shorewall packages.
+----------------------------------------------------------------------------
+           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+None.
 
 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 9
+         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
 1)  The compiler now auto-detects bridges for the purpose of setting
@@ -1100,7 +401,10 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
     administrative system. Simply install using the tarball installer.
 
 ----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 8
 ----------------------------------------------------------------------------
 
 1)  A CONTINUE rule specifying a log level would cause the compiler to 

Shorewall/shorewall

@@ -67,7 +67,8 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    if [ -n "$LOGFILE" ]; then
+	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		g_logread="logread | tac"
 	    elif [ -r $LOGFILE ]; then
@@ -77,7 +78,6 @@ get_config() {
 		exit 2
 	    fi
 	fi
-	fi
 
 	if [ -n "$IPTABLES" ]; then
 	    if [ ! -x "$IPTABLES" ]; then
@@ -360,16 +360,7 @@ compiler() {
     run_user_exit params
     set +a
 
-    if [ -n "$PERL" ]; then
-	if [ ! -x "$PERL" ]; then
-	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
-	    PERL=/usr/bin/perl
-	fi
-    else
-	PERL=/usr/bin/perl
-    fi
-
-    $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
+    perl $debugflags /usr/share/shorewall/compiler.pl $options $@
 }
 
 #
@@ -486,7 +477,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if ! make -qf ${CONFDIR}/Makefile; then
+	    if make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -1335,7 +1326,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1378,7 +1369,7 @@ usage() # $1 = exit status
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1517,7 +1508,6 @@ version_command() {
     finished=0
     local all
     all=
-    local product
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1552,13 +1542,6 @@ version_command() {
 
     echo $SHOREWALL_VERSION
 
-    if [ -n "$all" ]; then
-	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
 }
 
 if [ $# -eq 0 ]; then
@@ -1631,17 +1614,17 @@ case "$COMMAND" in
 	get_config
 	[ $# -ne 1 ] && usage 1
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	mutex_on
+	run_it $g_firewall $g_debugging $nolock $COMMAND
+	mutex_off
 	;;
     reset)
 	get_config
 	shift
-	[ -n "$nolock" ] || mutex_on
+	mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	run_it $g_firewall $g_debugging reset $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $g_debugging $nolock reset $@
+	mutex_off
 	;;
     compile)
 	get_config Yes
@@ -1695,7 +1678,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -1838,7 +1821,6 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.13
-%define release 1
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
 Obsoletes: shorewall-common shorewall-perl shorewall-shell
 
 %description
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -76,6 +75,7 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall/configfiles
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
+%attr(0600,root,root) /etc/shorewall/Makefile
 
 %attr(0644,root,root) /etc/logrotate.d/shorewall
 
@@ -103,67 +103,11 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/configfiles/*
 
 %attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz
 
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
 fi
 
 if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
+    FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall
 fi

Shorewall6-lite/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall6-lite/init.debian.sh

@@ -88,11 +88,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 Lite firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
   $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
   return 0
 }
 

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -126,12 +129,11 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
-INSTALLD='-D'
-T='-T'
+DEBIAN=
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -139,10 +141,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-     Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -151,14 +149,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -180,183 +178,169 @@ echo "Installing Shorewall6 Lite Version $VERSION"
 #
 # Check for /etc/shorewall6-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall6-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall6-lite ]; then
     [ -f /etc/shorewall6-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall6-lite/shorewall.conf /etc/shorewall6-lite/shorewall6-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall6-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
+    rm -rf ${PREFIX}/etc/shorewall6-lite
+    rm -rf ${PREFIX}/usr/share/shorewall6-lite
+    rm -rf ${PREFIX}/var/lib/shorewall6-lite
 fi
 
 #
 # Check for /sbin/shorewall6-lite
 #
-if [ -f ${DESTDIR}/sbin/shorewall6-lite ]; then
+if [ -f ${PREFIX}/sbin/shorewall6-lite ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall6-lite/xmodules
 
-install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
+install_file shorewall6-lite ${PREFIX}/sbin/shorewall6-lite 0544 ${PREFIX}/var/lib/shorewall6-lite-${VERSION}.bkout
 
-echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
+echo "Shorewall6 Lite control program installed in ${PREFIX}/sbin/shorewall6-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall6-lite 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall6 Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall6-lite, /usr/share/shorewall6-lite and /var/lib/shorewall6-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
+mkdir -p ${PREFIX}/etc/shorewall6-lite
+mkdir -p ${PREFIX}/usr/share/shorewall6-lite
+mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall6-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall6-lite
+chmod 755 ${PREFIX}/etc/shorewall6-lite
+chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
-   install_file shorewall6-lite.conf ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall6-lite.conf ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall6-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall6-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall6-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall6-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall6-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6-lite/wait4ifup"
 
-if [ -f modules ]; then
-    #
-    # Install the Modules file
-    #
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
-fi
+#
+# Install the Modules file
+#
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6-lite/modules"
 
-if [ -d manpages ]; then
-    #
-    # Install the Man Pages
-    #
+#
+# Install the Man Pages
+#
 
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
-
-    for f in *.5; do
+for f in *.5; do
     gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.8; do
+for f in *.8; do
     gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    cd ..
+cd ..
 
-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
 fi
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall6-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall6-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall6-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     touch /var/log/shorewall6-lite-init.log
 
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall6-lite
-	    else
 	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
-
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall6-lite/shorecap

@@ -58,7 +58,7 @@ g_product="Shorewall Lite"
 
 SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
 
-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
+[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)
 
 VERBOSITY=0
 load_kernel_modules No

Shorewall6-lite/shorewall6-lite

@@ -349,7 +349,7 @@ usage() # $1 = exit status
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
@@ -366,62 +366,13 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -615,9 +566,7 @@ case "$COMMAND" in
     stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $debugging $nolock $COMMAND
 	;;
     restart)
 	shift
@@ -643,7 +592,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -664,8 +613,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
     logwatch)
 	logwatch_command $@

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.13
-%define release 1
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall6-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -93,62 +92,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -67,7 +67,7 @@ if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
 fi
 
 if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall6-lite
 fi

Shorewall6/action.Drop

@@ -28,11 +28,6 @@ Auth(REJECT)
 #
 AllowICMPs	-	-	ipv6-icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #

Shorewall6/action.Reject

@@ -20,16 +20,10 @@
 #
 Auth(REJECT)
 #
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# ACCEPT critical ICMP types
 #
 AllowICMPs	-	-	ipv6-icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).

Shorewall6/blacklist

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
+#ADDRESS/SUBNET		PROTOCOL	PORT

Shorewall6/default.debian

@@ -21,16 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall6/init.debian.sh

@@ -93,11 +93,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
   $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
   return 0
 }
 

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -85,13 +85,12 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 DEBIAN=
 CYGWIN=
 MAC=
@@ -113,7 +116,7 @@ INSTALLD='-D'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -124,15 +127,15 @@ case $(uname) in
 	SPARSE=Yes
 	;;
     Darwin)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
-	    SPARSE=Yes
 	fi
 
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
+	SPARSE=Yes
 	INSTALLD=
 	;;	
     *)
@@ -169,7 +172,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
@@ -177,8 +180,8 @@ if [ -n "$DESTDIR" ]; then
 	fi    
     fi
 	
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
    
     CYGWIN=
     MAC=
@@ -218,18 +221,18 @@ echo "Installing Shorewall6 Version $VERSION"
 #
 # Check for /sbin/shorewall6
 #
-if [ -f ${DESTDIR}/sbin/shorewall6 ]; then
+if [ -f ${PREFIX}/sbin/shorewall6 ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
 if [ -z "$CYGWIN" ]; then
-   install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
+   install_file shorewall6 ${PREFIX}/sbin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/sbin/shorewall6"
 else
-   install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
+   install_file shorewall6 ${PREFIX}/bin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/bin/shorewall6"
 fi
 
 
@@ -237,461 +240,451 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$SLACKWARE" ]; then
-    install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.slackware.shorewall6.sh ${PREFIX}${DEST}/rc.shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$INIT" ]; then
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 fi
 
-[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"
+[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
-mkdir -p ${DESTDIR}/var/lib/shorewall6
+mkdir -p ${PREFIX}/etc/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6/configfiles
+mkdir -p ${PREFIX}/var/lib/shorewall6
 
-chmod 755 ${DESTDIR}/etc/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6/configfiles
+chmod 755 ${PREFIX}/etc/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
-perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
-   run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
+if [ ! -f ${PREFIX}/etc/shorewall6/shorewall6.conf ]; then
+   run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/etc/shorewall6/shorewall6.conf
 
    if [ -n "$DEBIAN" ] && mywhich perl; then
        #
        # Make a Debian-like shorewall6.conf
        #
-       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${DESTDIR}/etc/shorewall6/shorewall6.conf
+       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${PREFIX}/etc/shorewall6/shorewall6.conf
    fi
 
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6/shorewall6.conf"
+   echo "Config file installed as ${PREFIX}/etc/shorewall6/shorewall6.conf"
 fi
 
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6/shorewall6.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6/shorewall6.conf
 fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
+run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall6/configfiles/zones
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
-    echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/zones ]; then
+    run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall6/zones
+    echo "Zones file installed as ${PREFIX}/etc/shorewall6/zones"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall6/compiler
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.dynamiczones
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.maclist
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.nat
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.providers
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
+delete_file ${PREFIX}/usr/share/shorewall6/compiler
+delete_file ${PREFIX}/usr/share/shorewall6/lib.accounting
+delete_file ${PREFIX}/usr/share/shorewall6/lib.actions
+delete_file ${PREFIX}/usr/share/shorewall6/lib.dynamiczones
+delete_file ${PREFIX}/usr/share/shorewall6/lib.maclist
+delete_file ${PREFIX}/usr/share/shorewall6/lib.nat
+delete_file ${PREFIX}/usr/share/shorewall6/lib.providers
+delete_file ${PREFIX}/usr/share/shorewall6/lib.proxyarp
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tc
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tcrules
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tunnels
+delete_file ${PREFIX}/usr/share/shorewall6/prog.header
+delete_file ${PREFIX}/usr/share/shorewall6/prog.footer
 
 #
 # Install wait4ifup
 #
 
-install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6/wait4ifup 0755
 
 echo
-echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6/wait4ifup"
 
 #
 # Install the policy file
 #
-run_install $OWNERSHIP -m 0644 policy ${DESTDIR}/usr/share/shorewall6/configfiles/policy
+run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall6/configfiles/policy
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/policy ]; then
-    run_install $OWNERSHIP -m 0600 policy ${DESTDIR}/etc/shorewall6/policy
-    echo "Policy file installed as ${DESTDIR}/etc/shorewall6/policy"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/policy ]; then
+    run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall6/policy
+    echo "Policy file installed as ${PREFIX}/etc/shorewall6/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 interfaces ${DESTDIR}/usr/share/shorewall6/configfiles/interfaces
+run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall6/configfiles/interfaces
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 interfaces ${DESTDIR}/etc/shorewall6/interfaces
-    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall6/interfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/interfaces ]; then
+    run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall6/interfaces
+    echo "Interfaces file installed as ${PREFIX}/etc/shorewall6/interfaces"
 fi
 
 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 hosts ${DESTDIR}/usr/share/shorewall6/configfiles/hosts
+run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall6/configfiles/hosts
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/hosts ]; then
-    run_install $OWNERSHIP -m 0600 hosts ${DESTDIR}/etc/shorewall6/hosts
-    echo "Hosts file installed as ${DESTDIR}/etc/shorewall6/hosts"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/hosts ]; then
+    run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall6/hosts
+    echo "Hosts file installed as ${PREFIX}/etc/shorewall6/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 rules ${DESTDIR}/usr/share/shorewall6/configfiles/rules
+run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall6/configfiles/rules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/rules ]; then
-    run_install $OWNERSHIP -m 0600 rules ${DESTDIR}/etc/shorewall6/rules
-    echo "Rules file installed as ${DESTDIR}/etc/shorewall6/rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/rules ]; then
+    run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall6/rules
+    echo "Rules file installed as ${PREFIX}/etc/shorewall6/rules"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 params ${DESTDIR}/usr/share/shorewall6/configfiles/params
+run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall6/configfiles/params
 
-if [ -f ${DESTDIR}/etc/shorewall6/params ]; then
-    chmod 0644 ${DESTDIR}/etc/shorewall6/params
+if [ -f ${PREFIX}/etc/shorewall6/params ]; then
+    chmod 0644 ${PREFIX}/etc/shorewall6/params
 else
-    run_install $OWNERSHIP -m 0644 params ${DESTDIR}/etc/shorewall6/params
-    echo "Parameter file installed as ${DESTDIR}/etc/shorewall6/params"
+    run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall6/params
+    echo "Parameter file installed as ${PREFIX}/etc/shorewall6/params"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 routestopped ${DESTDIR}/usr/share/shorewall6/configfiles/routestopped
+run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall6/configfiles/routestopped
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped ${DESTDIR}/etc/shorewall6/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall6/routestopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/routestopped ]; then
+    run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall6/routestopped
+    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall6/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 maclist ${DESTDIR}/usr/share/shorewall6/configfiles/maclist
+run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall6/configfiles/maclist
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/maclist ]; then
-    run_install $OWNERSHIP -m 0600 maclist ${DESTDIR}/etc/shorewall6/maclist
-    echo "MAC list file installed as ${DESTDIR}/etc/shorewall6/maclist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/maclist ]; then
+    run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall6/maclist
+    echo "MAC list file installed as ${PREFIX}/etc/shorewall6/maclist"
 fi
 #
 # Install the Modules file
 #
-run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6/modules
-echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6/modules"
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"
 
 #
 # Install the Module Helpers file
 #
-run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall6/helpers
-echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall6/helpers"
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
 
 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}/usr/share/shorewall6/configfiles/tcrules
+run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall6/configfiles/tcrules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 tcrules ${DESTDIR}/etc/shorewall6/tcrules
-    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall6/tcrules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
+    run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall6/tcrules
+    echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 
 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 tcinterfaces ${DESTDIR}/usr/share/shorewall6/configfiles/tcinterfaces
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 tcinterfaces ${DESTDIR}/etc/shorewall6/tcinterfaces
-    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall6/tcinterfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
 fi
 
 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 tcpri ${DESTDIR}/usr/share/shorewall6/configfiles/tcpri
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 tcpri ${DESTDIR}/etc/shorewall6/tcpri
-    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall6/tcpri"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
 fi
 
 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 tos ${DESTDIR}/usr/share/shorewall6/configfiles/tos
+run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall6/configfiles/tos
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tos ]; then
-    run_install $OWNERSHIP -m 0600 tos ${DESTDIR}/etc/shorewall6/tos
-    echo "TOS file installed as ${DESTDIR}/etc/shorewall6/tos"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tos ]; then
+    run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall6/tos
+    echo "TOS file installed as ${PREFIX}/etc/shorewall6/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 tunnels ${DESTDIR}/usr/share/shorewall6/configfiles/tunnels
+run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall6/configfiles/tunnels
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 tunnels ${DESTDIR}/etc/shorewall6/tunnels
-    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall6/tunnels"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tunnels ]; then
+    run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall6/tunnels
+    echo "Tunnels file installed as ${PREFIX}/etc/shorewall6/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 blacklist ${DESTDIR}/usr/share/shorewall6/configfiles/blacklist
+run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall6/configfiles/blacklist
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist ${DESTDIR}/etc/shorewall6/blacklist
-    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/blacklist ]; then
+    run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall6/blacklist
+    echo "Blacklist file installed as ${PREFIX}/etc/shorewall6/blacklist"
 fi
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
+run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall6/configfiles/providers
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
-    run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
-    echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/providers ]; then
+    run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall6/providers
+    echo "Providers file installed as ${PREFIX}/etc/shorewall6/providers"
 fi
 
 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 route_rules ${DESTDIR}/usr/share/shorewall6/configfiles/route_rules
+run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall6/configfiles/route_rules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 route_rules ${DESTDIR}/etc/shorewall6/route_rules
-    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall6/route_rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/route_rules ]; then
+    run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall6/route_rules
+    echo "Routing rules file installed as ${PREFIX}/etc/shorewall6/route_rules"
 fi
 
 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 tcclasses ${DESTDIR}/usr/share/shorewall6/configfiles/tcclasses
+run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall6/configfiles/tcclasses
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 tcclasses ${DESTDIR}/etc/shorewall6/tcclasses
-    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall6/tcclasses"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclasses ]; then
+    run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall6/tcclasses
+    echo "TC Classes file installed as ${PREFIX}/etc/shorewall6/tcclasses"
 fi
 
 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 tcdevices ${DESTDIR}/usr/share/shorewall6/configfiles/tcdevices
+run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall6/configfiles/tcdevices
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 tcdevices ${DESTDIR}/etc/shorewall6/tcdevices
-    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall6/tcdevices"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
+    run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall6/tcdevices
+    echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
 fi
 
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 notrack ${DESTDIR}/usr/share/shorewall6/configfiles/notrack
+run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
-    echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
-fi
-
-#
-# Install the Secmarks file
-#
-run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
-
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
-    run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
-    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
+    run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
+    echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
 fi
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6/configpath"
 #
 # Install the init file
 #
-run_install $OWNERSHIP -m 0644 init ${DESTDIR}/usr/share/shorewall6/configfiles/init
+run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall6/configfiles/init
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/init ]; then
-    run_install $OWNERSHIP -m 0600 init ${DESTDIR}/etc/shorewall6/init
-    echo "Init file installed as ${DESTDIR}/etc/shorewall6/init"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/init ]; then
+    run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall6/init
+    echo "Init file installed as ${PREFIX}/etc/shorewall6/init"
 fi
 #
 # Install the start file
 #
-run_install $OWNERSHIP -m 0644 start ${DESTDIR}/usr/share/shorewall6/configfiles/start
+run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall6/configfiles/start
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/start ]; then
-    run_install $OWNERSHIP -m 0600 start ${DESTDIR}/etc/shorewall6/start
-    echo "Start file installed as ${DESTDIR}/etc/shorewall6/start"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/start ]; then
+    run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall6/start
+    echo "Start file installed as ${PREFIX}/etc/shorewall6/start"
 fi
 #
 # Install the stop file
 #
-run_install $OWNERSHIP -m 0644 stop ${DESTDIR}/usr/share/shorewall6/configfiles/stop
+run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall6/configfiles/stop
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stop ]; then
-    run_install $OWNERSHIP -m 0600 stop ${DESTDIR}/etc/shorewall6/stop
-    echo "Stop file installed as ${DESTDIR}/etc/shorewall6/stop"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stop ]; then
+    run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall6/stop
+    echo "Stop file installed as ${PREFIX}/etc/shorewall6/stop"
 fi
 #
 # Install the stopped file
 #
-run_install $OWNERSHIP -m 0644 stopped ${DESTDIR}/usr/share/shorewall6/configfiles/stopped
+run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall6/configfiles/stopped
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stopped ]; then
-    run_install $OWNERSHIP -m 0600 stopped ${DESTDIR}/etc/shorewall6/stopped
-    echo "Stopped file installed as ${DESTDIR}/etc/shorewall6/stopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stopped ]; then
+    run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall6/stopped
+    echo "Stopped file installed as ${PREFIX}/etc/shorewall6/stopped"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 accounting ${DESTDIR}/usr/share/shorewall6/configfiles/accounting
+run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall6/configfiles/accounting
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/accounting ]; then
-    run_install $OWNERSHIP -m 0600 accounting ${DESTDIR}/etc/shorewall6/accounting
-    echo "Accounting file installed as ${DESTDIR}/etc/shorewall6/accounting"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/accounting ]; then
+    run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall6/accounting
+    echo "Accounting file installed as ${PREFIX}/etc/shorewall6/accounting"
 fi
 #
 # Install the Started file
 #
-run_install $OWNERSHIP -m 0644 started ${DESTDIR}/usr/share/shorewall6/configfiles/started
+run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall6/configfiles/started
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/started ]; then
-    run_install $OWNERSHIP -m 0600 started ${DESTDIR}/etc/shorewall6/started
-    echo "Started file installed as ${DESTDIR}/etc/shorewall6/started"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/started ]; then
+    run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall6/started
+    echo "Started file installed as ${PREFIX}/etc/shorewall6/started"
 fi
 #
 # Install the Restored file
 #
-run_install $OWNERSHIP -m 0644 restored ${DESTDIR}/usr/share/shorewall6/configfiles/restored
+run_install $OWNERSHIP -m 0644 restored ${PREFIX}/usr/share/shorewall6/configfiles/restored
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/restored ]; then
-    run_install $OWNERSHIP -m 0600 restored ${DESTDIR}/etc/shorewall6/restored
-    echo "Restored file installed as ${DESTDIR}/etc/shorewall6/restored"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/restored ]; then
+    run_install $OWNERSHIP -m 0600 restored ${PREFIX}/etc/shorewall6/restored
+    echo "Restored file installed as ${PREFIX}/etc/shorewall6/restored"
 fi
 #
 # Install the Clear file
 #
-run_install $OWNERSHIP -m 0644 clear ${DESTDIR}/usr/share/shorewall6/configfiles/clear
+run_install $OWNERSHIP -m 0644 clear ${PREFIX}/usr/share/shorewall6/configfiles/clear
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/clear ]; then
-    run_install $OWNERSHIP -m 0600 clear ${DESTDIR}/etc/shorewall6/clear
-    echo "Clear file installed as ${DESTDIR}/etc/shorewall6/clear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/clear ]; then
+    run_install $OWNERSHIP -m 0600 clear ${PREFIX}/etc/shorewall6/clear
+    echo "Clear file installed as ${PREFIX}/etc/shorewall6/clear"
 fi
 #
 # Install the Isusable file
 #
-run_install $OWNERSHIP -m 0644 isusable ${DESTDIR}/usr/share/shorewall6/configfiles/isusable
+run_install $OWNERSHIP -m 0644 isusable ${PREFIX}/usr/share/shorewall6/configfiles/isusable
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/isusable ]; then
-    run_install $OWNERSHIP -m 0600 isusable ${DESTDIR}/etc/shorewall6/isusable
-    echo "Isusable file installed as ${DESTDIR}/etc/shorewall/isusable"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/isusable ]; then
+    run_install $OWNERSHIP -m 0600 isusable ${PREFIX}/etc/shorewall6/isusable
+    echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
 #
 # Install the Refresh file
 #
-run_install $OWNERSHIP -m 0644 refresh ${DESTDIR}/usr/share/shorewall6/configfiles/refresh
+run_install $OWNERSHIP -m 0644 refresh ${PREFIX}/usr/share/shorewall6/configfiles/refresh
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refresh ]; then
-    run_install $OWNERSHIP -m 0600 refresh ${DESTDIR}/etc/shorewall6/refresh
-    echo "Refresh file installed as ${DESTDIR}/etc/shorewall6/refresh"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refresh ]; then
+    run_install $OWNERSHIP -m 0600 refresh ${PREFIX}/etc/shorewall6/refresh
+    echo "Refresh file installed as ${PREFIX}/etc/shorewall6/refresh"
 fi
 #
 # Install the Refreshed file
 #
-run_install $OWNERSHIP -m 0644 refreshed ${DESTDIR}/usr/share/shorewall6/configfiles/refreshed
+run_install $OWNERSHIP -m 0644 refreshed ${PREFIX}/usr/share/shorewall6/configfiles/refreshed
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refreshed ]; then
-    run_install $OWNERSHIP -m 0600 refreshed ${DESTDIR}/etc/shorewall6/refreshed
-    echo "Refreshed file installed as ${DESTDIR}/etc/shorewall6/refreshed"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refreshed ]; then
+    run_install $OWNERSHIP -m 0600 refreshed ${PREFIX}/etc/shorewall6/refreshed
+    echo "Refreshed file installed as ${PREFIX}/etc/shorewall6/refreshed"
 fi
 #
 # Install the Tcclear file
 #
-run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/tcclear
+run_install $OWNERSHIP -m 0644 tcclear ${PREFIX}/usr/share/shorewall6/configfiles/tcclear
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
-    run_install $OWNERSHIP -m 0600 tcclear ${DESTDIR}/etc/shorewall6/tcclear
-    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclear ]; then
+    run_install $OWNERSHIP -m 0600 tcclear ${PREFIX}/etc/shorewall6/tcclear
+    echo "Tcclear file installed as ${PREFIX}/etc/shorewall6/tcclear"
 fi
 #
 # Install the Standard Actions file
 #
-install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall6/actions.std"
+install_file actions.std ${PREFIX}/usr/share/shorewall6/actions.std 0644
+echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall6/actions.std"
 
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/usr/share/shorewall6/configfiles/actions
+run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall6/configfiles/actions
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/actions ]; then
-    run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/etc/shorewall6/actions
-    echo "Actions file installed as ${DESTDIR}/etc/shorewall6/actions"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/actions ]; then
+    run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall6/actions
+    echo "Actions file installed as ${PREFIX}/etc/shorewall6/actions"
 fi
 
 #
 # Install the  Makefiles
 #
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}/usr/share/shorewall6/configfiles/Makefile
+run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall6/configfiles/Makefile
 
 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6/Makefile
-    echo "Makefile installed as ${DESTDIR}/etc/shorewall6/Makefile"
+    run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6/Makefile
+    echo "Makefile installed as ${PREFIX}/etc/shorewall6/Makefile"
 fi
 #
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Action ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 
 # Install the Macro files
 #
 for f in macro.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Macro ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
     fi
 done
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6/version
+chmod 644 ${PREFIX}/usr/share/shorewall6/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall6/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall6/init
 fi
@@ -702,39 +695,33 @@ fi
 
 cd manpages
 
-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+[ -n "$INSTALLD" ] || mkdir -p ${PREFIX}${MANDIR}/man5/ ${PREFIX}${MANDIR}/man8/
 
 for f in *.5; do
     gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+    run_install $INSTALLD  -m 0644 $f.gz ${PREFIX}${MANDIR}/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man5/$f.gz"
 done
 
 for f in *.8; do
     gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    run_install $INSTALLD  -m 0644 $f.gz ${PREFIX}${MANDIR}/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man8/$f.gz"
 done
 
 cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
-
-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall6
-	else
 	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
-	fi
-
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_CAPVERSION=40408
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

Shorewall6/lib.cli

@@ -134,18 +134,18 @@ syslog_circular_buffer() {
 packet_log() # $1 = number of messages
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
 }
 
 search_log() # $1 = IP address to search for
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
 }    
 
@@ -208,19 +208,6 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
-
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')
 
@@ -452,7 +439,7 @@ show_command() {
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -470,20 +457,6 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
-
-	    if [ -z "$LOGFILE" ]; then
-		LOGFILE=/var/log/messages
-		
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
-		fi
-	    fi
-
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -694,19 +667,6 @@ dump_command() {
 	esac
     done
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
-
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -787,7 +747,7 @@ dump_command() {
     report_capabilities
 
     echo
-    netstat -6tunap
+    netstat -tunap
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -958,10 +918,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
-    local which
-    which='-s'
-    local range
-    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -973,31 +929,19 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		shift
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		shift
-		continue
-		;;
 	    *-*)
-		qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
-		qt $IP6TABLES -D dynamic -m iprange $range  $1 -j DROP
-		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
-		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
-		$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
+		qt $IP6TABLES -D dynamic -m iprange --src-range  $1 -j DROP
+		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
+		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
+		$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IP6TABLES -D dynamic $which $1 -j reject
-		qt $IP6TABLES -D dynamic $which $1 -j DROP
-		qt $IP6TABLES -D dynamic $which $1 -j logreject
-		qt $IP6TABLES -D dynamic $which $1 -j logdrop
-		$IP6TABLES -A dynamic $which $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic -s $1 -j reject
+		qt $IP6TABLES -D dynamic -s $1 -j DROP
+		qt $IP6TABLES -D dynamic -s $1 -j logreject
+		qt $IP6TABLES -D dynamic -s $1 -j logdrop
+		$IP6TABLES -A dynamic -s $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1102,11 +1046,6 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1116,21 +1055,11 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
 		*-*)
-		    if  qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1138,10 +1067,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IP6TABLES -D dynamic $which $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic $which $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic $which $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic $which $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic -s $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic -s $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -s $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -s $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1231,7 +1160,6 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
-    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1262,8 +1190,6 @@ determine_capabilities() {
     IPMARK_TARGET=
     LOG_TARGET=Yes
     FLOW_FILTER=
-    FWMARK_RT_MASK=
-    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1278,10 +1204,6 @@ determine_capabilities() {
 
     [ -n "$IP" -a -x "$IP" ] || IP=
 
-    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
-
-    [ -n "$TC" -a -x "$TC" ] || TC=
-
     qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
     qt $IP6TABLES -F $chain
@@ -1405,15 +1327,13 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
-    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     qt $IP6TABLES -F $chain1
     qt $IP6TABLES -X $chain1
 
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1448,10 +1368,7 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	if [ -n "$IPSET_MATCH" ]; then
 	report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
-	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1481,8 +1398,6 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1513,7 +1428,6 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
-    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1543,8 +1457,6 @@ report_capabilities1() {
     report_capability1 LOG_TARGET
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
-    report_capability1 FWMARK_RT_MASK
-    report_capability1 MARK_ANYWHERE
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/lib.common

@@ -92,12 +92,7 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
 	options='-'
-	fi
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -452,11 +447,7 @@ find_file()
 #
 set_state () # $1 = state
 {
-    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
-    else
     echo "$1 ($(date))" > ${VARDIR}/state
-    fi
 }
 
 #

Shorewall6/secmarks

@@ -1,8 +0,0 @@
-#
-# Shorewall6 version 4 - Secmarks File
-#
-# For information about entries in this file, type "man shorewall-secmarks"
-#
-############################################################################################################
-#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
-#										PORT(S)	PORT(S)

Shorewall6/shorewall6

@@ -67,7 +67,8 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    if [ -n "$LOGFILE" ]; then
+	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+
 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		g_logread="logread | tac"
 	    elif [ -r $LOGFILE ]; then
@@ -77,7 +78,6 @@ get_config() {
 		exit 2
 	    fi
 	fi
-	fi
 
 	if [ -n "$IP6TABLES" ]; then
 	    if [ ! -x "$IP6TABLES" ]; then
@@ -299,16 +299,7 @@ compiler() {
 	set +a
     fi
 
-    if [ -n "$PERL" ]; then
-	if [ ! -x "$PERL" ]; then
-	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
-	    PERL=/usr/bin/perl
-	fi
-    else
-	PERL=/usr/bin/perl
-    fi
-
-    $command $PERL $debugflags $pc $options $@
+    $command perl $debugflags $pc $options $@
 }    
 
 #
@@ -419,7 +410,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if ! make -qf ${CONFDIR}/Makefile; then
+	    if make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -1270,7 +1261,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1293,7 +1284,7 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1467,11 +1458,9 @@ version_command() {
     echo $SHOREWALL_VERSION
 
     if [ -n "$all" ]; then
-	for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
+	if [ -f /usr/share/shorewall/version ]; then
+	    echo "Shorewall $(cat /usr/share/shorewall/version)"
 	fi
-	done
     fi
 }
 
@@ -1544,17 +1533,17 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	mutex_on
+	run_it $g_firewall $g_debugging $nolock $COMMAND
+	mutex_off
 	;;
     reset)
 	get_config
 	shift
-	[ -n "$nolock" ] || mutex_on
+	mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	run_it $g_firewall $g_debugging reset $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $g_debugging $nolock reset $@
+	mutex_off
 	;;
     compile)
 	get_config Yes
@@ -1608,7 +1597,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac

Shorewall6/shorewall6.conf

@@ -32,7 +32,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -54,8 +56,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -151,12 +151,6 @@ DYNAMIC_BLACKLIST=Yes
 
 LOAD_HELPERS_ONLY=No
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.13
-%define release 1
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute shorewall >= 4.3.5
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -98,62 +97,6 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.1
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
 fi
 
 if [ -L /usr/share/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall6
 fi

docs/Accounting.xml

@@ -119,7 +119,8 @@
         (from <filename>/etc/protocols</filename>), a protocol number or
         <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
         iptables must have ipp2p match support from <ulink
-        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
+        url="http://www.netfilter.org">Netfilter
+        Patch_o_matic_ng</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -145,7 +146,7 @@
         only be non-empty if the CHAIN is OUTPUT. The column may
         contain:</para>
 
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
+        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
 
         <para>When this column is non-empty, the rule applies only if the
         program generating the output is running under the effective
@@ -162,6 +163,9 @@
 
           <member>!:kids #program must not be run by a member of the
           <quote>kids</quote> group</member>
+
+          <member>+upnpd #program named upnpd (This feature was removed from
+          Netfilter in kernel version 2.6.14).</member>
         </simplelist>
       </listitem>
 

docs/Build.xml

@@ -72,10 +72,6 @@
         <listitem>
           <para>Shorewall6-lite</para>
         </listitem>
-
-        <listitem>
-          <para>Shorewall-init</para>
-        </listitem>
       </itemizedlist>
 
       <para>There are also several other directories which are described in
@@ -84,18 +80,20 @@
       <section>
         <title>trunk/docs</title>
 
-        <para>The stable release XML documents. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML documents. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version. In that case, there is no docs directory in that
+        release's directory in <emphasis
+        role="bold">branches</emphasis>.</para>
       </section>
 
       <section>
         <title>trunk/manpages, trunk/manpages6, trunk/manpages-lite and
         trunk/manpages6-lite</title>
 
-        <para>The stable release XML manpages. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML manpages. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version.</para>
       </section>
     </section>
 
@@ -158,8 +156,7 @@
     <section>
       <title>build44</title>
 
-      <para>This is the script that builds Shorewall 4.4 packages from
-      Git.</para>
+      <para>This is the script that builds Shorewall packages from Git.</para>
 
       <para>The script copies content from Git using the <command>git
       archive</command> command. It then uses that content to build the
@@ -168,7 +165,7 @@
 
       <variablelist>
         <varlistentry>
-          <term>rpmbuild</term>
+          <term>rpmbuild (I use rpm version 4.4.2.3-20.3)</term>
 
           <listitem>
             <para>Required to build the RPM packages.</para>
@@ -176,7 +173,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>xsltproc (libxslt)</term>
+          <term>xsltproc (libxslt -- I use version 1.1.24-19.1)</term>
 
           <listitem>
             <para>Required to convert the XML documents to other
@@ -185,7 +182,8 @@
         </varlistentry>
 
         <varlistentry>
-          <term>Docbook XSL Stylesheets</term>
+          <term>Docbook XSL Stylesheets (I use docbook-xsl-stylesheets version
+          1.74.0-1.35)</term>
 
           <listitem>
             <para>Required to convert the XML documents to other
@@ -194,7 +192,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>Perl</term>
+          <term>Perl (I use Perl 5.10.0-62.17.1)</term>
 
           <listitem>
             <para>Required to massage some of the config files.</para>
@@ -202,21 +200,25 @@
         </varlistentry>
 
         <varlistentry>
-          <term>xmlto</term>
+          <term>xmlto (I use version 0.0.18-182.27)</term>
 
           <listitem>
-            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
+            not all versions of xmlto will work (those released by Debian and
+            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
+            find that xmlto fails, install
+            tools<filename>/build/xmlto</filename> in <filename
+            class="directory">/usr/local/bin</filename>.</para>
           </listitem>
         </varlistentry>
       </variablelist>
 
-      <para>You should ensure that you have the latest scripts. The scripts
+      <para>You should ensure that you have the latest script. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
-      environment. There are a number of variables that are set near the top
-      of the file:</para>
+      <para>The scripts may need to be modified to fit your particular
+      environment. There are a number of variables that are set near the front
+      of the script:</para>
 
       <variablelist>
         <varlistentry>
@@ -258,7 +260,7 @@
           <term>GIT</term>
 
           <listitem>
-            <para>Shorewall GIT repository.</para>
+            <para>Shorewall GIT repository</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -282,8 +284,8 @@
           <term>opt<emphasis>i</emphasis>ons</term>
 
           <listitem>
-            <para>are one or more of the following. If no options are given
-            then all options are assumed</para>
+            <para>are one of the following. If no options are given then all
+            options are assumed</para>
 
             <variablelist>
               <varlistentry>
@@ -310,14 +312,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Build the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>l</term>
 
@@ -390,7 +384,7 @@
       against 4.2.7:</para>
 
       <blockquote>
-        <para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
+        <para><command>build44 -trSc 4.3.7.1 4.3.7</command></para>
       </blockquote>
     </section>
 
@@ -435,14 +429,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Upload the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>6</term>
 
@@ -483,55 +469,5 @@
         <para><command>upload44 -c 4.3.7.3</command></para>
       </blockquote>
     </section>
-
-    <section>
-      <title>install.sh files</title>
-
-      <para>Each product includes an install script
-      (<filename>install.sh</filename>) that may be used to install the
-      product on a machine or into a directory.</para>
-
-      <para>By default, the scripts install the corresponding product into
-      "/'; you can direct them to install into an empty existing directory by
-      setting an environmental variable:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DESTDIR (release 4.4.10 and later)</para>
-        </listitem>
-
-        <listitem>
-          <para>PREFIX (all releases)</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>There are a number of other environmental variables that you can
-      set to cause the directory to be populated for a particular target
-      environment:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DEBIAN - Debian-based systems (Debian, Ubuntu, etc.)</para>
-        </listitem>
-
-        <listitem>
-          <para>SUSE - SEL and OpenSuSE</para>
-        </listitem>
-
-        <listitem>
-          <para>REDHAT - RHEL, CentOS, Foobar, etc.</para>
-        </listitem>
-
-        <listitem>
-          <para>MAC - Apple MacIntosh (Shorewall and Shorewall6 packages
-          only)</para>
-        </listitem>
-
-        <listitem>
-          <para>CYGWIN - Cygwin under Windows (Shorewall and Shorewall6
-          packages only)</para>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 </article>

docs/CompiledPrograms.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2006-2010</year>
+      <year>2006-2007</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -180,11 +180,12 @@
         disable startup of Shorewall in your init scripts. For ease of
         reference, we call this system the 'administrative system'.</para>
 
-        <para>The administrative system may be a GNU/Linux system, a Windows
-        system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
-        an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
-        running OS X. Install from a shell prompt <ulink
-        url="Install.htm">using the install.sh script</ulink>.</para>
+        <para>The administrative system may be a Windows system running <ulink
+        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
+        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
+        Install from a shell prompt <ulink url="Install.htm">using the
+        install.sh script</ulink> (Mac supported was added in Shorewall
+        4.4.9).</para>
       </listitem>
 
       <listitem>
@@ -241,10 +242,8 @@
         <orderedlist>
           <listitem>
             <para>modify the files in the corresponding export directory
-            appropriately (i.e., <emphasis>just as you would if you were
-            configuring Shorewall on the firewall system itself</emphasis>).
-            It's a good idea to include the IP address of the administrative
-            system in the <ulink
+            appropriately. It's a good idea to include the IP address of the
+            administrative system in the <ulink
             url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
             file</ulink>.</para>
 
@@ -285,29 +284,26 @@
 
           <listitem>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load firewall</command></programlisting>
+<command>/sbin/shorewall load -c firewall</command></programlisting>
 
             <para>The <ulink
             url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
             command compiles a firewall script from the configuration files in
             the current working directory (using <command>shorewall compile
             -e</command>), copies that file to the remote system via scp and
-            starts Shorewall Lite on the remote system via ssh.</para>
+            starts Shorewall Lite on the remote system via ssh. The -c option
+            causes the capabilities of the remote system to be generated and
+            copied to a file named <filename>capabilities</filename> in the
+            export directory. See <link
+            linkend="Shorecap">below</link>.</para>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load gateway</command><note>
+            <para><command>/sbin/shorewall load -c gateway</command><note>
                 <para>Although scp and ssh are used by default, you can use
                 other utilities by setting RSH_COMMAND and RCP_COMMAND in
                 <filename>/etc/shorewall/shorewall.conf</filename>.</para>
               </note></para>
-
-            <para>The first time that you issue a <command>load</command>
-            command, Shorewall will use ssh to run
-            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
-            remote firewall to create a capabilities file in the firewall's
-            administrative direction. See <link
-            linkend="Shorecap">below</link>.</para>
           </listitem>
         </orderedlist>
       </listitem>
@@ -461,7 +457,7 @@ clean:
       </simplelist>
     </blockquote>
 
-    <para>You will normally never touch
+    <para>You will normally not need to touch
     <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
     run Debian or one of its derivatives (see <link
     linkend="Debian">above</link>).</para>
@@ -564,11 +560,11 @@ clean:
           <blockquote>
             <para>Before editing:</para>
 
-            <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
 
             <para>After editing:</para>
 
-            <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
           </blockquote>
 
           <para>Changing CONFIG_PATH will ensure that subsequent compilations
@@ -601,21 +597,14 @@ clean:
 
           <blockquote>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load &lt;firewall system&gt;</command>
+<command>/sbin/shorewall load -c &lt;firewall system&gt;</command>
 </programlisting>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load gateway</command></para>
+            <para><command>/sbin/shorewall load -c gateway</command></para>
           </blockquote>
 
-          <para>The first time that you issue a <command>load</command>
-          command, Shorewall will use ssh to run
-          <filename>/usr/share/shorewall-lite/shorecap</filename> on the
-          remote firewall to create a capabilities file in the firewall's
-          administrative direction. See <link
-          linkend="Shorecap">below</link>.</para>
-
           <para>The <ulink
           url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
           command compiles a firewall script from the configuration files in
@@ -652,8 +641,7 @@ clean:
 <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
 
           <para>Or simply use the -c option the next time that you use the
-          <command>reload</command> command (e.g., <command>shorewall reload
-          -c gateway</command>).</para>
+          <command>reload</command> command.</para>
         </listitem>
       </orderedlist>
     </section>

docs/Documentation_Index.xml

@@ -5,7 +5,7 @@
   <!--/$Id$-->
 
   <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>
 
     <authorgroup>
       <author>
@@ -57,9 +57,11 @@
           <row>
             <entry></entry>
 
-            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
+            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
+            Machine)</ulink></entry>
 
-            <entry></entry>
+            <entry><ulink url="Shorewall-perl.html">Shorewall
+            Perl</ulink></entry>
           </row>
 
           <row>
@@ -68,8 +70,8 @@
             <entry><ulink url="ConnectionRate.html">Limiting Connection
             Rates</ulink></entry>
 
-            <entry><ulink url="Shorewall-perl.html">Shorewall
-            Perl</ulink></entry>
+            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
+            Guide</ulink></entry>
           </row>
 
           <row>
@@ -77,8 +79,7 @@
 
             <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
 
-            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
-            Guide</ulink></entry>
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
           </row>
 
           <row>
@@ -86,7 +87,9 @@
 
             <entry><ulink url="Macros.html">Macros</ulink></entry>
 
-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
           </row>
 
           <row>
@@ -96,44 +99,44 @@
             <entry><ulink url="MAC_Validation.html">MAC
             Verification</ulink></entry>
 
-            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
-            (<firstterm>Source Network Address
-            Translation</firstterm>)</entry>
-          </row>
-
-          <row>
-            <entry><ulink url="Anatomy.html">Anatomy of
-            Shorewall</ulink></entry>
-
-            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
-
             <entry><ulink url="SplitDNS.html">Split DNS the Easy
             Way</ulink></entry>
           </row>
 
           <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth
-            Control</ulink></entry>
+            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
+            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink url="ManualChains.html">Manual
-            Chains</ulink></entry>
+            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
             <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
             Shorewall</ulink></entry>
           </row>
 
           <row>
-            <entry><ulink
-            url="blacklisting_support.htm">Blacklisting</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
+            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink
-            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
+            <entry><ulink url="ManualChains.html">Manual
+            Chains</ulink></entry>
 
             <entry><ulink
             url="starting_and_stopping_shorewall.htm">Starting/stopping the
             Firewall</ulink></entry>
           </row>
 
+          <row>
+            <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
+            (<ulink
+            url="blacklisting_support_ru.html">Russian</ulink>)</entry>
+
+            <entry><ulink
+            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
+
+            <entry><ulink url="NAT.htm">Static (one-to-one)
+            NAT</ulink></entry>
+          </row>
+
           <row>
             <entry>Bridge: <ulink
             url="bridge-Shorewall-perl.html">Shorewall-perl</ulink></entry>
@@ -142,8 +145,7 @@
             from a Single Firewall</ulink> (<ulink
             url="MultiISP_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink url="NAT.htm">Static (one-to-one)
-            NAT</ulink></entry>
+            <entry><ulink url="support.htm">Support</ulink></entry>
           </row>
 
           <row>
@@ -153,7 +155,8 @@
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>
 
-            <entry><ulink url="support.htm">Support</ulink></entry>
+            <entry><ulink url="configuration_file_basics.htm">Tips and
+            Hints</ulink></entry>
           </row>
 
           <row>
@@ -163,8 +166,8 @@
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="configuration_file_basics.htm">Tips and
-            Hints</ulink></entry>
+            <entry><ulink url="Accounting.html">Traffic
+            Accounting</ulink></entry>
           </row>
 
           <row>
@@ -174,8 +177,8 @@
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
 
-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple</ulink></entry>
           </row>
 
           <row>
@@ -184,8 +187,9 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry><ulink url="simple_traffic_shaping.html">Traffic
-            Shaping/QOS - Simple</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
           </row>
 
           <row>
@@ -195,8 +199,8 @@
             <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
             NAT)</entry>
 
-            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
           </row>
 
           <row>
@@ -205,8 +209,7 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
           </row>
 
           <row>
@@ -216,7 +219,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -225,7 +229,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -235,8 +240,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -247,7 +251,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -256,7 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -265,8 +270,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -275,8 +280,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>
@@ -286,8 +291,7 @@
             <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
             of the 'Recent Match'</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>
@@ -318,8 +322,8 @@
           </row>
 
           <row>
-            <entry><ulink
-            url="Install.htm">Installation/Upgrade</ulink></entry>
+            <entry><ulink url="Install.htm">Installation/Upgrade</ulink>
+            (<ulink url="Install_fr.html">Français</ulink>)</entry>
 
             <entry><ulink url="ReleaseModel.html">Release
             Model</ulink></entry>
@@ -367,8 +371,8 @@
             <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
             Filtering</ulink></entry>
 
-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Laptop.html">Shorewall on a
+            Laptop</ulink></entry>
 
             <entry></entry>
           </row>
@@ -382,16 +386,6 @@
 
             <entry></entry>
           </row>
-
-          <row>
-            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
-            Machine)</ulink></entry>
-
-            <entry><ulink url="Laptop.html">Shorewall on a
-            Laptop</ulink></entry>
-
-            <entry></entry>
-          </row>
         </tbody>
       </tgroup>
     </informaltable>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2010</year>
+      <year>2001-2009</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -506,6 +506,11 @@ net        eth0          detect               <emphasis role="bold">routeback</e
         <para>And in <filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>
 
+        <para>And finally, in
+        <filename>/etc/shorewall/shorewall.conf</filename> you need:</para>
+
+        <programlisting>IP_FORWARDING=On</programlisting>
+
         <para>Like the hack in FAQ 2, this one results in all forwarded
         connections looking to the server (66.249.93.11) as if they originated
         on your firewall (206.124.146.176).</para>
@@ -687,9 +692,11 @@ eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</em
           <para>That rule (and the second one in the previous bullet) only
           works of course if you have a static external IP address. If you
           have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename>.</para>
+          <filename>/etc/shorewall/params</filename> (or your
+          <filename>&lt;export directory&gt;/init</filename> file if you are
+          using Shorewall Lite on the firewall system):</para>
 
-          <programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command>        </programlisting>
+          <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>        </programlisting>
 
           <para>and make your DNAT rule:</para>
 
@@ -710,14 +717,6 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
             will return 0.0.0.0 if the interface has no configured IP address;
             the latter terminates the calling program.</para>
           </note>
-
-          <note>
-            <para>If you run Shorewall-lite on your firewall, you must use the
-            following in the firewall's configuration directory
-            <filename>params</filename> file:</para>
-
-            <programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
-          </note>
         </listitem>
       </itemizedlist>
 
@@ -1188,18 +1187,6 @@ to debug/develop the newnat interface.</programlisting></para>
   <section id="Logging">
     <title>Logging</title>
 
-    <section id="faq91">
-      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
-      spit out logs to /var/log/shorewall.log and it's not happening after I
-      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
-      the correct line, right? </title>
-
-      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
-      The LOGFILE setting tells Shorewall where to find the log; it does not
-      determine where messages are written. See <link linkend="faq6">the next
-      FAQ</link>.</para>
-    </section>
-
     <section id="faq6">
       <title>(FAQ 6) Where are the log messages written and how do I change
       the destination?</title>
@@ -2079,18 +2066,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
           <para>Be sure to secure the script for execute access.</para>
         </listitem>
       </itemizedlist>
-
-      <variablelist>
-        <varlistentry>
-          <term>Update:</term>
-
-          <listitem>
-            <para>Beginning with Shorewall 4.4.10, there is a new <ulink
-            url="Manpages/shorewall-init.html">Shorewall Init Package</ulink>
-            that is designed to handle this case.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
     </section>
 
     <section id="faq87">
@@ -2108,57 +2083,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
       <filename>/etc/shorewall/params</filename> when processing the <emphasis
       role="bold">restore</emphasis> command.</para>
     </section>
-
-    <section id="faq90">
-      <title>(FAQ 90) Shorewall starts fine but after several minutes, it
-      stops. Why is it doing that?</title>
-
-      <para><emphasis role="bold">Answer:</emphasis> Shorewall uses the
-      presence of a chain named <emphasis>shorewall</emphasis> to indicate
-      whether is started or stopped. That chain is created during execution of
-      a successful <emphasis role="bold">start</emphasis>, <emphasis
-      role="bold">restart</emphasis> or <emphasis
-      role="bold">restore</emphasis> command and is removed during <emphasis
-      role="bold">stop</emphasis> and <emphasis role="bold">clear</emphasis>.
-      If <emphasis role="bold">shorewall status</emphasis> indicates that
-      Shorewall is stopped, then something has deleted that chain. Look at the
-      output of <emphasis role="bold">shorewall status</emphasis>; if it looks
-      like this:</para>
-
-      <blockquote>
-        <programlisting>gateway:~# shorewall status
-Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010
-
-Shorewall is <emphasis role="bold">stopped</emphasis>
-State:<emphasis role="bold">Started</emphasis> (Tue Jul 20 16:01:49 PDT 2010)
-
-gateway:~# 
-</programlisting>
-      </blockquote>
-
-      <para>then it means that somehing outside of Shorewall has deleted the
-      chain. This usually means that you were running another firewall package
-      before you installed Shorewall and that other package has replaced
-      Shorewall's Netfilter configuration with its own. You must remove (or at
-      least disable) the other firewall package and restart Shorewall.</para>
-
-      <blockquote>
-        <programlisting>gateway:~# shorewall status
-Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010
-
-Shorewall is <emphasis role="bold">stopped</emphasis>
-State:<emphasis role="bold">Stopped</emphasis> (Wed Jul 21 13:26:26 PDT 2010)
-
-gateway:~# </programlisting>
-      </blockquote>
-
-      <para>then a <emphasis role="bold">shorewall stop</emphasis> command has
-      been executed (if the State shown in the output is <emphasis
-      role="bold">Cleared</emphasis>, then a <emphasis role="bold">shorewall
-      clear</emphasis> command was executed). Most likely, you have installed
-      and configured the <emphasis>shorewall-init</emphasis> package and a
-      required interface has gone down.</para>
-    </section>
   </section>
 
   <section id="MultiISP">
@@ -2393,13 +2317,9 @@ We have an error talking to the kernel
       subzones? I've got a system with Linux-VServers, it's one interface
       (eth0) with multiple IPs</title>
 
-      <para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall
-      4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver
-      zones</ulink> that are nested within the firewall zone.</para>
-
-      <para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
-      firewall zone. But you can use shell variables to make vservers easier
-      to deal with.</para>
+      <para><emphasis role="bold">Answer</emphasis>: There is no way to create
+      sub-zones of the firewall zone. But you can use shell variables to make
+      vservers easier to deal with.</para>
 
       <para><filename>/etc/shorewall/params</filename>:</para>
 
@@ -2783,8 +2703,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
    LOG Target: Available
    Persistent SNAT: Available
 gateway:~# </programlisting>
-
-      <para></para>
     </section>
 
     <section id="faq19">
@@ -2814,74 +2732,5 @@ loc                $FW                     ACCEPT           </programlisting>
       <emphasis>inline</emphasis> more with Shorewall, but no HOWTO exists at
       this time.</para>
     </section>
-
-    <section id="faq89">
-      <title>(FAQ 89) How do I connect to the web server in my aDSL modem from
-      my local LAN?</title>
-
-      <para>Answer: Here's what I did:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>My local network is 172.20.1.0/24, so I set the IP address in
-          the modem to 172.20.1.2.</para>
-        </listitem>
-
-        <listitem>
-          <para>The IP address of my firewall's interface to the LAN is
-          172.20.1.254. The logical name of the DSL interface is EXT_IF and my
-          LAN interface is INT_IF.</para>
-
-          <para>I added the following two configuration entries:</para>
-
-          <para><filename>/etc/shorewall/masq:</filename></para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
-</programlisting>
-
-          <para><filename>/etc/shorewall/proxyarp</filename>:</para>
-
-          <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
-172.20.1.2	EXT_IF		INT_IF		no		yes
-</programlisting>
-        </listitem>
-      </itemizedlist>
-
-      <para>If you can't change the IP address of your modem and its current
-      address isn't in your local network, then you need to change this
-      slightly; assuming that the modem IP address is 192.168.1.1:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Do not include an entry in
-          <filename>/etc/shorewall/proxyarp</filename>.</para>
-        </listitem>
-
-        <listitem>
-          <para>Add an IP address in 192.168.1.0/24 to your external interface
-          using your configuration's network management tools. For
-          Debian-based systems, that means adding this to the interface's
-          stanza in <filename>/etc/network/interfaces</filename>:</para>
-
-          <programlisting>    post-up /sbin/ip addr add 192.168.1.254/24 dev <replaceable>external-interface</replaceable></programlisting>
-        </listitem>
-
-        <listitem>
-          <para>Your entry in <filename>/etc/shorewall/masq</filename> would
-          then be:</para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
-</programlisting>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 </article>

docs/GettingStarted.xml

@@ -22,8 +22,6 @@
 
       <year>2007</year>
 
-      <year>2010</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -47,41 +45,33 @@
     </listitem>
   </itemizedlist>
 
-  <para>Now, <ulink url="Install.htm">install Shorewall</ulink>.</para>
-
   <para>Next, read the QuickStart Guide that is appropriate for your
   configuration:</para>
 
-  <para><emphasis role="bold">If you just want to protect a system: (Requires
-  Shorewall 4.4.12-Beta3 or later)</emphasis></para>
-
-  <itemizedlist>
-    <listitem>
-      <para><ulink url="Universal.html">Universal</ulink> configuration --
-      requires no configuration to protect a single system.</para>
-    </listitem>
-  </itemizedlist>
-
   <para><emphasis role="bold">If you have only one public IP
   address:</emphasis></para>
 
   <itemizedlist>
     <listitem>
       <para><ulink url="standalone.htm">Standalone</ulink> Linux System with a
-      single network interface (if you are running Shorewall 4.4.12 Beta 3 or
-      later, use the <ulink url="Universal.html">Universal</ulink>
-      configuration instead).</para>
+      single network interface (<ulink url="standalone_fr.html">Version
+      Française</ulink>) <ulink url="standalone_ru.html">(Russian
+      Version)</ulink> <ulink url="standalone_es.html">Version en
+      Español</ulink></para>
     </listitem>
 
     <listitem>
       <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network</para>
+      acting as a firewall/router for a small local network (<ulink
+      url="two-interface_fr.html">Version Française</ulink>) (<ulink
+      url="two-interface_ru.html">Russian Version</ulink>)</para>
     </listitem>
 
     <listitem>
       <para><ulink url="three-interface.htm">Three-interface</ulink> Linux
-      System acting as a firewall/router for a small local network and a
-      DMZ.</para>
+      System acting as a firewall/router for a small local network and a DMZ..
+      (<ulink url="three-interface_fr.html">Version Française</ulink>) (<ulink
+      url="three-interface_ru.html">Russian Version</ulink>)</para>
     </listitem>
   </itemizedlist>
 
@@ -91,10 +81,11 @@
   <itemizedlist>
     <listitem>
       <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> outlines the steps necessary to set up a firewall where
-      there are multiple public IP addresses involved or if you want to learn
-      more about Shorewall than is explained in the single-address guides
-      above.</para>
+      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
+      Française</ulink>) outlines the steps necessary to set up a firewall
+      where there are multiple public IP addresses involved or if you want to
+      learn more about Shorewall than is explained in the single-address
+      guides above.</para>
     </listitem>
   </itemizedlist>
 

docs/LennyToSqueeze.xml

@@ -165,9 +165,9 @@
         not feasible to install Perl on your firewall, then you should
         consider installing Shorewall on another system in your network (may
         be a <trademark>Windows</trademark> system running
-        <trademark>Cygwin</trademark> or an <trademark>Apple</trademark>
-        <trademark>MacIntosh</trademark> running OS X) and installing
-        Shorewall-lite on your firewall.</para>
+        <trademark>Cygwin</trademark> or, beginnins with Shorewall 4.4.9, an
+        <trademark>Apple</trademark> <trademark>MacIntosh</trademark> running
+        OS X) and installing Shorewall-lite on your firewall.</para>
       </footnote>. While the two compilers are highly compatible, there are
     some differences. Those differences are detailed in the following
     sections.</para>

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 4.4 Manpages</title>
+    <title>Shorewall 4.4/4.5 Manpages</title>
 
     <authorgroup>
       <author>
@@ -129,9 +129,6 @@
         <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
-        <member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
-        - Attach an SELinux context to a packet.</member>
-
         <member><ulink
         url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
         classes for traffic shaping.</member>
@@ -140,11 +137,6 @@
         url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
         speed of devices for traffic shaping.</member>
 
-        <member><ulink
-        url="manpages/shorewall-tcfilters.html">tcfilters</ulink> - Classify
-        traffic for shaping; often used with an IFB to shape ingress
-        traffic.</member>
-
         <member><ulink
         url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
         Specify devices for simplified traffic shaping.</member>
@@ -192,11 +184,6 @@
         <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
         /sbin/shorewall command syntax and semantics.</member>
 
-        <member><ulink
-        url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
-        package that allows for automatic start/stop of other Shorewall
-        products based on network events.</member>
-
         <member><ulink
         url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
         /sbin/shorewall-lite command syntax and semantics.</member>

docs/Manpages6.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall6 4.4 Manpages</title>
+    <title>Shorewall6 4.4/4.5 Manpages</title>
 
     <authorgroup>
       <author>
@@ -114,10 +114,6 @@
         <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
         Specify exceptions to policies, including DNAT and REDIRECT.</member>
 
-        <member><ulink
-        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
-        an SELinux context to a packet.</member>
-
         <member><ulink
         url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
         htb classes for traffic shaping.</member>

docs/MultiISP.xml

@@ -1100,40 +1100,6 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
       </section>
     </section>
 
-    <section>
-      <title>Looking at the routing tables</title>
-
-      <para>To look at the various routing tables, you must use the <emphasis
-      role="bold">ip</emphasis> utility. To see the entire routing
-      configuration (including rules), the command is <command>shorewall show
-      routing</command>. To look at an individual provider's table use
-      <command>ip route ls table <replaceable>provider</replaceable></command>
-      where <replaceable>provider</replaceable> can be either the provider
-      name or number.</para>
-
-      <para>Example:</para>
-
-      <programlisting>lillycat:- #<command>ip route ls</command>
-144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199
-71.190.227.208 dev ppp1  proto kernel  scope link  src 71.24.88.151
-192.168.7.254 dev eth1  scope link  src 192.168.7.1
-192.168.7.253 dev eth1  scope link  src 192.168.7.1
-192.168.7.0/24 dev eth1  proto kernel  scope link  src 192.168.7.1
-192.168.5.0/24 via 192.168.4.2 dev eth0
-192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223
-192.168.1.0/24 via 192.168.4.222 dev eth0
-default
-        nexthop dev ppp1 weight 2
-        nexthop dev ppp0 weight 1
-lillycat: #ip <command>route ls provider 1</command>
-144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199 
-192.168.5.0/24 via 192.168.4.2 dev eth0 
-192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223 
-192.168.1.0/24 via 192.168.4.222 dev eth0 
-default dev ppp0  scope link 
-lillycat: #</programlisting>
-    </section>
-
     <section id="USE_DEFAULT_RT">
       <title>USE_DEFAULT_RT</title>
 
@@ -1248,13 +1214,6 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
           they offer you a place to start.</para>
         </important>
 
-        <important>
-          <para>If you have installed Shorewall-init, you should disable its
-          ifup/ifdown/NetworkManager integration (set IFUPDOWN=0 in the <ulink
-          url="Manpages/shorewall-init.html">Shorewall-init configuration
-          file</ulink>).</para>
-        </important>
-
         <para>The script should be copied to a directory on root's PATH such
         as <filename>/usr/local/sbin/</filename>.</para>
 
@@ -1417,13 +1376,6 @@ fi</programlisting></para>
         more sophisticated monitoring than the simple swping script described
         in the preceding section.</para>
 
-        <important>
-          <para>If you have installed Shorewall-init, you should disable its
-          ifup/ifdown/NetworkManager integration (set IFUPDOWN=0 in the <ulink
-          url="Manpages/shorewall-init.html">Shorewall-init configuration
-          file</ulink>) before installing LSM.</para>
-        </important>
-
         <para>Like many Open Source products, LSM is poorly documented. It's
         main configuration file is normally kept in
         <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
@@ -1561,7 +1513,7 @@ connection {
 
 connection {
     name=Comcast
-    checkip=${SW_ETH0_GATEWAY:-71.231.152.1}
+    checkip=${ETH0_GATEWAY:-71.231.152.1}
     device=$COM_IF
     ttl=1
 }
@@ -1577,14 +1529,9 @@ EOF
    /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
 
-        <para>eth0 has a dynamic IP address so I need to use the
-        Shorewall-detected gateway address ($SW_ETH1_GATEWAY). I supply a
-        default value to be used in the event that detection fails.</para>
-
-        <note>
-          <para>In Shorewall 4.4.7 and earlier, the variable name is
-          ETH1_GATEWAY.</para>
-        </note>
+        <para>eth3 has a dynamic IP address so I need to use the
+        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
+        value to be used in the event that detection fails.</para>
 
         <para><filename>/etc/shorewall/started</filename>:</para>
 

docs/NetfilterOverview.xml

@@ -89,8 +89,8 @@
     Shorewall system itself.</para>
 
     <para>A more elaborate version of this flow is available <ulink
-    url="http://jengelh.medozas.de/images/nf-packet-flow.png">here</ulink> and
-    <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
+    url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>
+    and <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
     contrasts the Netfilter flow with that of ipchains.</para>
 
     <para>In the above diagram are boxes similar to this:</para>