Add IP_FORWARDING=On to FAQ 1g

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/interfaces

@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-$FW	net	ACCEPT
-net	all	DROP

Samples/Universal/rules

@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -1,213 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
-#
-#  For information about the settings in this file, type "man shorewall.conf"
-#
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-MACLIST_LOG_LEVEL=info
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-LOG_MARTIANS=Yes
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IPTABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=On
-
-ADD_IP_ALIASES=No
-
-ADD_SNAT_ALIASES=No
-
-RETAIN_ALIASES=No
-
-TC_ENABLED=Internal
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-DELAYBLACKLISTLOAD=No
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-BRIDGING=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-USE_ACTIONS=Yes
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-USE_DEFAULT_RT=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-MACLIST_DISPOSITION=REJECT
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-

Samples/one-interface/shorewall.conf

@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -68,8 +70,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -205,12 +205,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -68,8 +70,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -205,12 +205,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -49,7 +49,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -75,8 +77,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -212,12 +212,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/Universal/interfaces

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback
-

Samples6/Universal/policy

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-fw	net	ACCEPT
-net	all	DROP
-

Samples6/Universal/rules

@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -1,168 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
-#
-#  For information about the settings in this file, type "man shorewall6.conf"
-#
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall6-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IP6TABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=Off
-
-TC_ENABLED=No
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-DYNAMIC_BLACKLIST=Yes
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-

Samples6/one-interface/shorewall6.conf

@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/COPYING

@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.

Shorewall-init/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/ifupdown.sh

@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# ifupdown script for Shorewall-based products
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-IFUPDOWN=0
-PRODUCTS=
-
-if [ -f /etc/default/shorewall-init ]; then
-    . /etc/default/shorewall-init
-elif [ -f /etc/sysconfig/shorewall-init ]; then
-    . /etc/sysconfig/shorewall-init
-fi
-
-[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
-
-if [ -f /etc/debian_version ]; then
-    #
-    # Debian ifupdown system
-    #
-    if [ "$MODE" = start ]; then
-	COMMAND=up
-    elif [ "$MODE" = stop ]; then
-	COMMAND=down
-    else
-	exit 0
-    fi
-
-    case "$PHASE" in
-	pre-*)
-	    exit 0
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    #
-    # SuSE ifupdown system
-    #
-    IFACE="$2"
-
-    case $0 in
-	*if-up.d*)
-	    COMMAND=up
-	    ;;
-	*if-down.d*)
-	    COMMAND=down
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    IFACE="$1"
-    
-    case $0 in 
-	*ifup*)
-	    COMMAND=up
-	    ;;
-	*ifdown*)
-	    COMMAND=down
-	    ;;
-	*dispatcher.d*)
-	    COMMAND="$2"
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-fi
-
-for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/$PRODUCT/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
-	    mutex_off
-	  )
-    fi
-done
-
-exit 0

Shorewall-init/init.debian.sh

@@ -1,146 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-### BEGIN INIT INFO
-# Provides:          shorewall-init
-# Required-Start:    $local_fs
-# X-Start-Before:    $network
-# Required-Stop:     $local_fs
-# X-Stop-After:      $network
-# Default-Start:     S
-# Default-Stop:      0 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time prior to
-#                    bringing up the network
-### END INIT INFO
-
-export VERBOSITY=0
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-echo_notdone () {
-  echo "not done."
-  exit 1
-}
-
-not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
-}
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
-then
-	. /etc/default/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
-	not_configured
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
-	      fi
-	      mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  reload|force-reload)
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/init.sh

@@ -1,104 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# chkconfig: - 09 91
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-start: $local_fs
-# Required-stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
-	  fi
-      fi
-  done
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
-  done
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/install.sh

@@ -1,336 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Init
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=4.4.13.2
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-    shift
-    ARGS="yes"
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	T=
-	;;	
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
-	echo "Not setting file owner/group permissions, not running as root."
-	OWNERSHIP=""
-    fi
-    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Init Version $VERSION"
-
-#
-# Check for /usr/share/shorewall-init/version
-#
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
-    first_install=""
-else
-    first_install="Yes"
-fi
-
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /usr/share/shorewall-init if needed
-#
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
-
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
-
-#
-# Remove and create the symbolic link to the init script
-#
-if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
-fi
-
-if [ -n "$DEBIAN" ]; then
-    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    fi
-
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
-	fi
-
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-    fi
-else
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
-
-	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
-	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
-	    fi
-	fi
-    fi
-
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
-    fi 
-fi
-
-#
-# Install the ifupdown script
-#
-
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-
-install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
-
-if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-fi
-
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
-
-if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-init
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
-
-	    echo "Shorewall Init will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
-	fi
-    fi
-else
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
-	    fi
-
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	fi
-    fi
-fi
-
-#
-#  Report Success
-#
-echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init.spec

@@ -1,160 +0,0 @@
-%define name shorewall-init
-%define version 4.4.13
-%define release 2
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
-- Initial version
-
-
-

Shorewall-init/sysconfig

@@ -1,12 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to 
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0

Shorewall-init/uninstall.sh

@@ -1,97 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.sourceforge.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=4.4.13.2
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
-    VERSION=""
-fi
-
-echo "Uninstalling Shorewall Init $VERSION"
-
-INITSCRIPT=/etc/init.d/shorewall-init
-
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $INITSCRIPT)
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
-    fi
-
-    remove_file $INITSCRIPT
-fi
-
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
-
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
-
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-
-rm -rf /usr/share/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
-

Shorewall-lite/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall-lite/init.debian.sh

@@ -17,9 +17,10 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
+
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
@@ -87,11 +88,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -128,12 +131,10 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
-INSTALLD='-D'
-T='-T'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -141,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -153,14 +150,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -182,185 +179,170 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
     [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
+    rm -rf ${PREFIX}/etc/shorewall-lite
+    rm -rf ${PREFIX}/usr/share/shorewall-lite
+    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi
 
 #
 # Check for /sbin/shorewall-lite
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${PREFIX}/sbin/shorewall-lite ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
 
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
 
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${PREFIX}/etc/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
 
 #
 # Install the Modules file
 #
-
-if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
-fi
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
 
 #
 # Install the Man Pages
 #
 
-if [ -d manpages ]; then
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+cd ..
 
-    cd ..
+echo "Man Pages Installed"
 
-    echo "Man Pages Installed"
-fi
-
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
 fi
 
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     touch /var/log/shorewall-lite-init.log
 
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
-	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	    fi
-
+	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall-lite/shorewall-lite

@@ -145,12 +145,6 @@ get_config() {
 
     [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
     g_hostname=$(hostname 2> /dev/null)
 
     IP=$(mywhich ip 2> /dev/null)
@@ -358,7 +352,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
@@ -389,62 +383,13 @@ usage() # $1 = exit status
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -634,12 +579,14 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|reset|clear)
+    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $debugging $nolock $COMMAND
+	;;
+    reset)
+	verify_firewall_script
+	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
 	;;
     restart)
 	shift
@@ -665,7 +612,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -686,8 +633,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
     logwatch)
 	logwatch_command $@
@@ -781,9 +727,14 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	if [ -x $g_restorepath ]; then
+
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
+	    fi
+
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.13
-%define release 2
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -102,64 +101,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall-lite
 fi

Shorewall/Makefile-lite

@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-#
+# 
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#
+#  
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities:
+capabilities: 
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean:
+clean: 
 	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.13';
+our $VERSION = '4.4.7';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,16 +61,6 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
-    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
-    }
-
-    sub ipsec_chain_name($) {
-	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
-	    $1;
-	}
-    }
-
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -82,11 +72,10 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	$jumpchain;
+	"-j $jumpchain";
     }
 
     my $target = '';
@@ -97,19 +86,16 @@ sub process_accounting_rule( ) {
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
-    my $jump  = 0;
-    
+
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = 'RETURN';
+	    $target = '-j RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2 = 1;
-		} elsif ( $cmd eq 'JUMP' ) {
-		    $jump = 1;
-		} else {
+		    $rule2=1;
+		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
 	    }
@@ -151,31 +137,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = $filter_table->{$chain};
-    my $dir;
-
-    if ( ! $chainref ) {
-	$chainref = ensure_accounting_chain $chain, 0;
-	$dir      = ipsec_chain_name( $chain );
-
-	if ( $ipsec ne '-' ) {
-	    if ( $dir ) {
-		$rule .= do_ipsec( $dir, $ipsec );
-		$chainref->{ipsec} = $dir;
-	    } else {
-		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-	    }
-	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
-	    $chainref->{ipsec} = $dir;
-	}
-    } elsif ( $ipsec ne '-' ) {
-	$dir = $chainref->{ipsec};
-	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	$rule .= do_ipsec( $dir , $ipsec );
-    }
-
-    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
+    my $chainref = ensure_accounting_chain $chain;
 
     expand_rule
 	$chainref ,
@@ -189,22 +151,6 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
-    if ( $rule2 || $jump ) {
-	if ( $chainref->{ipsec} ) {
-	    if ( $jumpchainref->{ipsec} ) {
-		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
-	    } else {
-		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
-		$jumpchainref->{ipsec} = $chainref->{ipsec};
-	    }
-	} elsif ( $jumpchainref->{ipsec} ) {
-	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
-	} else {
-	    $jumpchainref->{ipsec} = $chainref->{ipsec};
-	}
-
-    }
-
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -232,6 +178,8 @@ sub setup_accounting() {
 
     $nonEmpty |= process_accounting_rule while read_a_line;
 
+    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
+
     clear_comment;
 
     if ( have_bridges ) {
@@ -244,28 +192,13 @@ sub setup_accounting() {
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } elsif ( $filter_table->{accounting} ) {
-	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+    } else {
+	if ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+	    }
 	}
     }
-
-    if ( $filter_table->{accipsecin} ) {
-	for my $chain ( qw/INPUT FORWARD/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
-	}
-    }
-
-    if ( $filter_table->{accipsecout} ) {
-	for my $chain ( qw/FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
-	}
-    }
-
-    for ( accounting_chainrefs ) {
-	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-    }
-
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -28,7 +28,6 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;
 
 use strict;
 
@@ -58,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -179,27 +178,9 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
     my $action = $_[0];
-
-    my $target = '';
-    my $max    = 3;
-    #
-    # The following rather grim RE, when matched, breaks the action into two parts:
-    #
-    #    basicaction(param)
-    #    logging part (may be empty)
-    #
-    # The param may contain one or more ':' characters
-    #
-    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
-	$target = $1;
-	$action = $2 ? $3 : '';
-	$max    = 2;
-    }
-	
     my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
-    $target = shift @a unless $target;
-    ( $target, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
+    ( shift @a, join ":", @a );
 }
 
 #
@@ -636,7 +617,7 @@ sub process_action( $$$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ,
+		  $action ? "-j $action" : '',
 		  $level ,
 		  $action ,
 		  '' );
@@ -795,8 +776,8 @@ sub dropBcast( $$$ ) {
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
-	    }
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
+	    }		
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -820,7 +801,7 @@ sub dropBcast( $$$ ) {
     if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
     } else {
-	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
+	add_rule $chainref, '-d ff00::/10 -j DROP';
     }
 }
 
@@ -852,8 +833,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
 	}
     }
 }
@@ -887,8 +868,7 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
-    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+    dont_optimize 'forwardUPnP';
 }
 
 sub allowinUPnP ( $$$ ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_9';
 
 our $export;
 
@@ -87,22 +87,22 @@ sub generate_script_1( $ ) {
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;
-
+	    
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
+	    
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
-
+	    
 	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
 	}
-
+	
     }
 
     my $lib = find_file 'lib.private';
-
+	
     copy2( $lib, $debug ) if -f $lib;
 
     emit <<'EOF';
@@ -256,7 +256,7 @@ sub generate_script_2() {
     push_indent;
 
     if ( $global_variables ) {
-
+	
 	emit( 'case $COMMAND in' );
 
 	push_indent;
@@ -271,7 +271,7 @@ sub generate_script_2() {
 
 	set_global_variables(1);
 
-	handle_optional_interfaces(0);
+	handle_optional_interfaces;
 
 	emit ';;';
 
@@ -284,7 +284,7 @@ sub generate_script_2() {
 
 	    set_global_variables(0);
 
-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;
 
 	    emit ';;';
 	}
@@ -294,15 +294,16 @@ sub generate_script_2() {
 
 	emit ( 'esac' ) ,
     } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
     }
 
     pop_indent;
 
     emit "\n}\n"; # End of detect_configuration()
-
+    
 }
 
+#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -353,17 +354,80 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	load_ipsets;
+	my @ipsets = all_ipsets;
+
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
+	    emit ( '',
+		   'local hack',
+		   '',
+		   'case $IPSET in',
+		   '    */*)',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        ;;',
+		   '    *)',
+		   '        IPSET="$(mywhich $IPSET)"',
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+		   '        ;;',
+		   'esac',
+		   '',
+		   'if [ "$COMMAND" = start ]; then' ,
+		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		   '    fi' ,
+		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
+
+	    if ( @ipsets ) {
+		emit '';
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
+
+	    emit ( 'fi',
+		   '' );
+	}
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
+	       '   run_refresh_exit' );
+
+	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
-	save_dynamic_chains;
-
 	mark_firewall_not_started;
 
 	emit ('',
@@ -384,9 +448,8 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
     }
@@ -442,37 +505,33 @@ EOF
     setup_forwarding( $family , 1 );
     push_indent;
 
-    my $config_dir = $globals{CONFIGDIR};
-
-    emit<<"EOF";
-    set_state Started $config_dir 
+    emit<<'EOF';
+    set_state "Started"
     run_restored_exit
 else
-    if [ \$COMMAND = refresh ]; then
+    if [ $COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<"EOF";
+    emit<<'EOF';
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
     else
         setup_netfilter
+        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
 
-    emit<<"EOF";
+    emit<<'EOF';
         run_start_exit
         do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
         run_started_exit
     fi
 
-EOF
-
-    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 
@@ -806,11 +865,6 @@ sub compiler {
 	#
 	compile_stop_firewall( $test, $export );
 	#
-	#                               U P D O W N
-	#               (Writes the updown() function to the compiled script)
-	#
-	compile_updown;
-	#
 	# Copy the footer to the script
 	#
 	unless ( $test ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -114,7 +114,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       $product
 				       $Product
-				       $toolname
 				       $command
 				       $doing
 				       $done
@@ -132,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -219,7 +218,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
-		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -251,8 +249,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
-		 FWMARK_RT_MASK  => 'fwmark route mask',
-		 MARK_ANYWHERE   => 'Mark in any table',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -292,7 +288,6 @@ our $sillyname;               # Name of temporary filter chains for testing capa
 our $sillyname1;
 our $iptables;                # Path to iptables/ip6tables
 our $tc;                      # Path to tc
-our $ip;                      # Path to ip
 
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
@@ -340,15 +335,14 @@ sub initialize( $ ) {
     #
     %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR =>  '/etc/shorewall',     # Run-time configuration directory
-		    CONFIGDIR => '',                  # Compile-time configuration directory (location of $product.conf)
+		    CONFDIR =>  '/etc/shorewall',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13.2",
-		    CAPVERSION => 40413 ,
+		    VERSION => "4.4.9",
+		    CAPVERSION => 40408 ,
 		  );
 
     #
@@ -366,7 +360,6 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
-	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -385,7 +378,6 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
-	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -468,9 +460,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
-	      FORWARD_CLEAR_MARK => undef,
-	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -515,7 +504,6 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
-	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -531,7 +519,6 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
-	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -593,9 +580,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
-	      FORWARD_CLEAR_MARK => undef,
-	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -645,7 +629,6 @@ sub initialize( $ ) {
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
 	       IPSET_MATCH => undef,
-	       OLD_IPSET_MATCH => undef,
 	       CONNMARK => undef,
 	       XCONNMARK => undef,
 	       CONNMARK_MATCH => undef,
@@ -677,8 +660,6 @@ sub initialize( $ ) {
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
-	       FWMARK_RT_MASK => undef,
-	       MARK_ANYWHERE => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1093,7 +1074,7 @@ sub progress_message2 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1114,7 +1095,7 @@ sub progress_message3 {
 
 	@localtime = localtime unless $havelocaltime;
 
-	printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+	printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
 	print $log "@_\n";
     }
 }
@@ -1198,7 +1179,7 @@ sub copy1( $ ) {
 		    print $script $here_documents if $here_documents;
 		    print $script "\n";
 		}
-
+		
 		if ( $debug ) {
 		    print "GS-----> $here_documents" if $here_documents;
 		    print "GS----->\n";
@@ -1298,7 +1279,7 @@ EOF
 			s/^(\s*)/$indent1$1$indent2/;
 			s/        /\t/ if $indent2;
 		    }
-
+		    
 		    if ( $script ) {
 			print $script $_;
 			print $script "\n";
@@ -1312,9 +1293,9 @@ EOF
 		    $lastlineblank = 0;
 		}
 	    }
-
+	    
 	    close IF;
-
+	
 	    unless ( $lastlineblank ) {
 		print $script "\n" if $script;
 		print "GS----->\n" if $trace;
@@ -1479,12 +1460,10 @@ sub split_list1( $$ ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
 		push @list2 , $_;
 	    } else {
-		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
-	    s/\)//;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1576,12 +1555,7 @@ sub open_file( $ ) {
 
     assert( ! defined $currentfile );
 
-    if ( -f $fname && -s _ ) {
-	$first_entry = 0;
-	do_open_file $fname;;
-    } else {
-	'';
-    }
+    -f $fname && -s _ ? do_open_file $fname : '';
 }
 
 #
@@ -1788,9 +1762,7 @@ sub embedded_perl( $ ) {
 #   - Handle INCLUDE <filename>
 #
 
-sub read_a_line(;$) {
-    my $embedded_enabled = defined $_[0] ? shift : 1;
-
+sub read_a_line() {
     while ( $currentfile ) {
 
 	$currentline = '';
@@ -1836,59 +1808,53 @@ sub read_a_line(;$) {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
-		    embedded_shell( $1 );
-		    next;
-		}
-
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
-		    embedded_perl( $1 );
-		    next;
-		}
-	    } 
-
-	    my $count = 0;
-	    #
-	    # Expand Shell Variables using %ENV
-	    #
-	    #                            $1      $2      $3           -     $4
-	    while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
-		my $val = $ENV{$3};
-
-		unless ( defined $val ) {
-		    fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
-		    $val = '';
-		}
-
-		$currentline = join( '', $1 , $val , $4 );
-		fatal_error "Variable Expansion Loop" if ++$count > 100;
-	    }
-
-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
-
-		my @line = split ' ', $currentline;
-
-		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
-
-		my $filename = find_file $line[1];
-
-		fatal_error "INCLUDE file $filename not found" unless -f $filename;
-		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
-
-		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
-		    $currentfile = undef;
-		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
-		}
-
-		$currentline = '';
+	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		embedded_shell( $1 );
+	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		embedded_perl( $1 );
 	    } else {
-		print "IN===> $currentline\n" if $debug;
-		return 1;
+		my $count = 0;
+		#
+		# Expand Shell Variables using %ENV
+		#
+		#                            $1      $2      $3           -     $4
+		while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+		    my $val = $ENV{$3};
+
+		    unless ( defined $val ) {
+			fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
+			$val = '';
+		    }
+
+		    $currentline = join( '', $1 , $val , $4 );
+		    fatal_error "Variable Expansion Loop" if ++$count > 100;
+		}
+
+		if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+
+		    my @line = split ' ', $currentline;
+
+		    fatal_error "Invalid INCLUDE command"    if @line != 2;
+		    fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+
+		    my $filename = find_file $line[1];
+
+		    fatal_error "INCLUDE file $filename not found" unless -f $filename;
+		    fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
+
+		    if ( -s _ ) {
+			push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			$currentfile = undef;
+			do_open_file $filename;
+		    } else {
+			$currentlinenumber = 0;
+		    }
+
+		    $currentline = '';
+		} else {
+		    print "IN===> $currentline\n" if $debug;
+		    return 1;
+		}
 	    }
 	}
 
@@ -1931,11 +1897,9 @@ sub default ( $$ ) {
 sub default_yes_no ( $$ ) {
     my ( $var, $val ) = @_;
 
-    my $curval = $config{$var};
+    my $curval = "\L$config{$var}";
 
     if ( defined $curval && $curval ne '' ) {
-	$curval = lc $curval;
-
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} else {
@@ -1958,7 +1922,7 @@ sub numeric_option( $$$ ) {
     my $value = $config{$option};
 
     my $val = $default;
-
+    
     if ( defined $value && $value ne '' ) {
 	$val = numeric_value $value;
 	fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
@@ -1971,7 +1935,7 @@ sub numeric_option( $$$ ) {
 
 sub make_mask( $ ) {
     0xffffffff >> ( 32 - $_[0] );
-}
+}   
 
 my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
 
@@ -2217,14 +2181,14 @@ sub Persistent_Snat() {
 	$result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
 	qt1( "$iptables -t nat -F $sillyname" );
 	qt1( "$iptables -t nat -X $sillyname" );
-
+	
     }
 
     $result;
 }
 
 sub Mangle_Enabled() {
-    if ( qt1( "$iptables -t mangle -L -n" ) ) {
+    if ( qt1( "$iptables -t mangle -L -n" ) ) { 
 	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
     }
 }
@@ -2334,11 +2298,7 @@ sub Comments() {
 }
 
 sub Hashlimit_Match() {
-    if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) {
-	! ( $capabilities{OLD_HL_MATCH} = 0 );
-    } else {
-	have_capability 'OLD_HL_MATCH';
-    }
+    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
 }
 
 sub Old_Hashlimit_Match() {
@@ -2385,11 +2345,11 @@ sub Raw_Table() {
     qt1( "$iptables -t raw -L -n" );
 }
 
-sub Old_IPSet_Match() {
+sub IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
 
-    $ipset = which $ipset unless $ipset =~ '/';
+    $ipset = which $ipset unless $ipset =~ '//';
 
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
@@ -2397,31 +2357,7 @@ sub Old_IPSet_Match() {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$result = $capabilities{IPSET_MATCH} = 1;
-	    }
-
-	    qt( "$ipset -X $sillyname" );
-	}
-    }
-
-    $result;
-}
-
-sub IPSet_Match() {
-    my $ipset  = $config{IPSET} || 'ipset';
-    my $result = 0;
-
-    $ipset = which $ipset unless $ipset =~ '/';
-
-    if ( $ipset && -x $ipset ) {
-	qt( "$ipset -X $sillyname" );
-
-	if ( qt( "$ipset -N $sillyname iphash" ) ) {
-	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
-		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
-	    } else {
-		$result = have_capability 'OLD_IPSET_MATCH';
+		$result = 1;
 	    }
 
 	    qt( "$ipset -X $sillyname" );
@@ -2479,14 +2415,6 @@ sub Flow_Filter() {
     $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
 }
 
-sub Fwmark_Rt_Mask() {
-    $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
-}
-
-sub Mark_Anywhere() {
-    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
-}
-
 our %detect_capability =
     ( ADDRTYPE => \&Addrtype,
       CLASSIFY_TARGET => \&Classify_Target,
@@ -2498,7 +2426,6 @@ our %detect_capability =
       ENHANCED_REJECT => \&Enhanced_Reject,
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
-      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
       GOTO_TARGET => \&Goto_Target,
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HELPER_MATCH => \&Helper_Match,
@@ -2506,7 +2433,6 @@ our %detect_capability =
       IPP2P_MATCH => \&Ipp2p_Match,
       IPRANGE_MATCH => \&IPRange_Match,
       IPSET_MATCH => \&IPSet_Match,
-      OLD_IPSET_MATCH => \&Old_IPSet_Match,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
@@ -2514,7 +2440,6 @@ our %detect_capability =
       MANGLE_ENABLED => \&Mangle_Enabled,
       MANGLE_FORWARD => \&Mangle_Forward,
       MARK => \&Mark,
-      MARK_ANYWHERE => \&Mark_Anywhere,
       MULTIPORT => \&Multiport,
       NAT_ENABLED => \&Nat_Enabled,
       NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2557,7 +2482,7 @@ sub have_capability( $ ) {
 
     $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };
 
-    $capabilities{ $capability };
+    $capabilities{ $capability }; 
 }
 
 #
@@ -2578,11 +2503,11 @@ sub determine_capabilities() {
     qt1( "$iptables -N $sillyname1" );
 
     fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
-	unless
+	unless 
 	    qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
 	    qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
-
-
+	    
+  
     unless ( $config{ LOAD_HELPERS_ONLY } ) {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -2591,7 +2516,7 @@ sub determine_capabilities() {
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
+	
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
 	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
 	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
@@ -2604,7 +2529,7 @@ sub determine_capabilities() {
 	     $capabilities{KLUDGEFREE}  = Kludgefree1;
 	}
 
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
+	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' ); 
 	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
 
 	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
@@ -2658,8 +2583,6 @@ sub determine_capabilities() {
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -2737,15 +2660,12 @@ sub process_shorewall_conf() {
     my $file = find_file "$product.conf";
 
     if ( -f $file ) {
-	$globals{CONFIGDIR} =  $file;
-	$globals{CONFIGDIR} =~ s/$product.conf//;
-
 	if ( -r _ ) {
 	    open_file $file;
 
 	    first_entry "Processing $file...";
 
-	    while ( read_a_line(0) ) {
+	    while ( read_a_line ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    unless ( exists $config{$var} ) {
@@ -2820,18 +2740,12 @@ sub get_capabilities( $ ) {
 
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
 
-	$tc = $config{TC} || which 'tc';
+	$tc = $config{TC};
 
 	if ( $tc ) {
 	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
 	}
 
-	$ip = $config{IP} || which 'ip';
-
-	if ( $ip ) {
-	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-	}
-
 	load_kernel_modules;
 
 	if ( open_file 'capabilities' ) {
@@ -2904,60 +2818,7 @@ sub get_configuration( $ ) {
 
     $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
 
-    if ( my $rate = $config{LOGLIMIT} ) {
-	my $limit;
-
-	if ( $rate =~ /^[sd]:/ ) {
-	    require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
-
-	    $limit = "-m hashlimit ";
-
-	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
-	    my $units;
-
-	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
-		fatal_error "Invalid rate ($1)" unless $2;
-		fatal_error "Invalid burst value ($5)" unless $5;
-
-		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
-		$units = $4;
-	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
-		fatal_error "Invalid rate ($1)" unless $2;
-		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
-		$units = $4;
-	    } else {
-		fatal_error "Invalid rate ($rate)";
-	    }
-
-	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
-
-	    if ( $units && $units ne 'sec' ) {
-		my $expire = 60000; # 1 minute in milliseconds
-		
-		if ( $units ne 'min' ) {
-		    $expire *= 60; #At least an hour
-		    $expire *= 24 if $units eq 'day';
-		}
-		
-		$limit .= "--hashlimit-htable-expire $expire ";
-	    }
-	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
-	    fatal_error "Invalid rate ($1)" unless $2;
-	    fatal_error "Invalid burst value ($5)" unless $5;
-	    $limit = "-m limit --limit $1 --limit-burst $5 ";
-	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
-	    fatal_error "Invalid rate (${1}${2})" unless $1;
-	    $limit = "-m limit --limit $rate ";
-	} else {
-	    fatal_error "Invalid rate ($rate)";
-	}
-
-	$globals{LOGLIMIT} = $limit;
-
-	warning_message "LOGRATE Ignored when LOGLIMIT is specified"  if $config{LOGRATE};
-	warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
-
-    } elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
+    if ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
 	}
@@ -2974,7 +2835,7 @@ sub get_configuration( $ ) {
     }
 
     check_trivalue ( 'IP_FORWARDING', 'on' );
-
+    
     my $val;
 
     if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
@@ -2993,7 +2854,7 @@ sub get_configuration( $ ) {
     }
 
     if ( $family == F_IPV6 ) {
-	$val = $config{ROUTE_FILTER};
+	$val = $config{ROUTE_FILTER};	
 	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
     }
 
@@ -3076,7 +2937,7 @@ sub get_configuration( $ ) {
     default_yes_no 'AUTO_COMMENT'               , 'Yes';
     default_yes_no 'MULTICAST'                  , '';
     default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
+    default_yes_no 'MANGLE_ENABLED'             , 'Yes';
     default_yes_no 'NULL_ROUTE_RFC1918'         , '';
     default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
@@ -3086,25 +2947,15 @@ sub get_configuration( $ ) {
     default_yes_no 'ACCOUNTING'                 , 'Yes';
     default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
     default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
-    default_yes_no 'REQUIRE_INTERFACE'          , '';
-    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
-    default_yes_no 'COMPLETE'                   , '';
-
-    require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
     numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
     numeric_option 'PROVIDER_BITS' ,   8, 0;
     numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
-
+    
     if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
-	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
-    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
-	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
-    } else {
-	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
     }
 
     $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
@@ -3112,12 +2963,6 @@ sub get_configuration( $ ) {
     $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
     $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
 
-    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
-	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
-    } else {
-	$globals{USER_MASK} = 0;
-    }
-
     if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
     } else {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_7';
 
 #
 # Some IPv4/6 useful stuff
@@ -87,19 +87,18 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
-our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'ff00::/8' ,
-	       IPv6_LINKLOCAL      => 'fe80::/10' ,
-	       IPv6_SITELOCAL      => 'feC0::/10' ,
+	       IPv6_MULTICAST      => 'FF00::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv6_SITELOCAL      => 'FFC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
-	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
+	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
+	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
@@ -124,8 +123,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for ( @address ) {
-	return 0 unless /^\d+$/ && $_ < 256;
+    for my $a ( @address ) {
+	return 0 unless $a =~ /^\d+$/ && $a < 256;
     }
 
     1;
@@ -158,8 +157,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for ( @address ) {
-	$result = ( $result << 8 ) | $_;
+    for my $a ( @address ) {
+	$result = ( $result << 8 ) | $a;
     }
 
     $result;
@@ -293,11 +292,6 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 65535 ? $number : undef;
     } else {
-	#
-	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
-	#
-	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-	
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
     }
 }
@@ -338,7 +332,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    $_ = validate_port( $proto, $_) for ( @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -445,7 +439,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
 
 	$last++; #Increment last address for limit testing.
 	#
@@ -507,7 +501,7 @@ sub valid_6address( $ ) {
     unless ( $address =~ /::$/  ) {
 	return 0 if $address =~ /:$/;
     }
-
+		 
     for my $a ( @address ) {
 	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
     }
@@ -576,7 +570,7 @@ sub normalize_6addr( $ ) {
 	1 while $addr =~ s/::/:0:/;
 
 	$addr =~ s/^0+:/0:/;
-
+	
 	$addr;
     }
 }
@@ -688,7 +682,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    $family = shift;
+    my $family = shift;
 
     if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,6 +49,56 @@ sub initialize() {
     %addresses_to_add = ();
 }
 
+#
+# Handle IPSEC Options in a masq record
+#
+sub do_ipsec_options($)
+{
+    my %validoptions = ( strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+    my $list=$_[0];
+    my $options = '-m policy --pol ipsec --dir out ';
+    my $fmt;
+
+    for my $e ( split_list $list, 'option' ) {
+	my $val    = undef;
+	my $invert = '';
+
+	if ( $e =~ /([\w-]+)!=(.+)/ ) {
+	    $val    = $2;
+	    $e      = $1;
+	    $invert = '! ';
+	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
+	    $val = $2;
+	    $e   = $1;
+	}
+
+	$fmt = $validoptions{$e};
+
+	fatal_error "Invalid Option ($e)" unless $fmt;
+
+	if ( $fmt eq NOTHING ) {
+	    fatal_error "Option \"$e\" does not take a value" if defined $val;
+	} else {
+	    fatal_error "Missing value for option \"$e\""        unless defined $val;
+	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+	}
+
+	$options .= $invert;
+	$options .= "--$e ";
+	$options .= "$val " if defined $val;
+    }
+
+    $options;
+}
+
 #
 # Process a single rule from the the masq file
 #
@@ -103,11 +153,11 @@ sub process_one_masq( )
 	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	    $baserule .= '-m policy --pol ipsec --dir out ';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'none', '';
+	    $baserule .= '-m policy --pol none --dir out ';
 	} else {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	    $baserule .= do_ipsec_options $ipsec;
 	}
     } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
@@ -125,7 +175,7 @@ sub process_one_masq( )
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+	my $target = '-j MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -171,7 +221,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "SNAT --to-source $variable";
+		    $target = "-j SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -181,13 +231,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = 'RETURN';
+		    $target = '-j RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = 'SNAT ';
+			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
@@ -398,9 +448,7 @@ sub setup_netmap() {
 
     while ( read_a_line ) {
 
-	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	$net3 = ALLIP if $net3 eq '-';
+	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
 
 	for my $interface ( split_list $interfacelist, 'interface' ) {
 
@@ -411,15 +459,15 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev( $interface );
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }
 
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein  . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }

Shorewall/Perl/Shorewall/Policy.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_9';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -246,7 +246,7 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
     }
 
-    $chainref->{default} = $default if $default;
+    $chainref->{default}   = $default if $default;
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -286,7 +286,7 @@ sub save_policies() {
 	    }
 	}
     }
-}
+}	    
 
 sub validate_policy()
 {
@@ -307,7 +307,6 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
-    my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
     for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -333,15 +332,13 @@ sub validate_policy()
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
 	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
 
-	my $zoneref = find_zone( $zone );
-
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
-	    }		
+	    }
 	}
     }
 
@@ -418,14 +415,13 @@ sub apply_policy_rules() {
 
     for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
+	my $loglevel    = $chainref->{loglevel};
+	my $provisional = $chainref->{provisional};
+	my $default     = $chainref->{default};
+	my $name        = $chainref->{name};
+	my $synparms    = $chainref->{synparms};
 
-	unless ( $policy eq 'NONE' ) {
-	    my $loglevel    = $chainref->{loglevel};
-	    my $provisional = $chainref->{provisional};
-	    my $default     = $chainref->{default};
-	    my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};
-
+	if ( $policy ne 'NONE' ) {
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
 		    #
@@ -496,14 +492,7 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit( $level , 
-			    $synchainref , 
-			    $chainref->{name} , 
-			    'DROP', 
-			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
-			    '' , 
-			    'add' , 
-			    '' )
+	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}

Shorewall/Perl/Shorewall/Proc.pm

@@ -58,7 +58,7 @@ sub setup_arp_filtering() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'arp_filter';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;
 
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
@@ -74,7 +74,7 @@ sub setup_arp_filtering() {
 	for my $interface ( @$interfaces1 ) {
 	    my $value = get_interface_option $interface, 'arp_ignore';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;
 
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
@@ -118,7 +118,7 @@ sub setup_route_filtering() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'routefilter';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;
 
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
@@ -169,7 +169,7 @@ sub setup_martian_logging() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'logmartians';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;
 
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";

Shorewall/Perl/Shorewall/Providers.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -158,7 +158,7 @@ sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
     #
     # Hack to work around problem in iproute
-    #
+    #    
     my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
     #
     # Map physical names in $copy to logical names
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
+    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
     fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
     my $physical    = get_physical $interface;
@@ -295,7 +295,7 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
 	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
@@ -340,7 +340,7 @@ sub add_a_provider( ) {
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
+		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -435,12 +435,10 @@ sub add_a_provider( ) {
     }
 
     if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
 
-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
+	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
@@ -548,7 +546,7 @@ sub start_new_if( $ ) {
     emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
     push_indent;
 }
-
+  
 #
 # Complete any current 'if' statement in the output script
 #
@@ -838,132 +836,49 @@ sub lookup_provider( $ ) {
 
 #
 # This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# optional interfaces
 #
-# Returns true if there were required or optional interfaces
+# Returns true if there were optional interfaces
 #
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {
 
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
-	my $require     = $config{REQUIRE_INTERFACE};
-	
-	verify_required_interfaces( shift );
+	for my $interface ( @$interfaces ) {
+	    my $provider = $provider_interfaces{$interface};
+	    my $physical = get_physical $interface;
+	    my $base     = uc chain_base( $physical );
 
-	emit( 'HAVE_INTERFACE=', '' ) if $require;
-	#
-	# Clear the '_IS_USABLE' variables
-	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
-
-	if ( $wildcards ) {
-	    #
-	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
-	    #
-	    emit( '', 
-		  'for interface in $(find_all_interfaces1); do',
-		);
-
-	    push_indent;
-	    emit ( 'case "$interface" in' );
-	    push_indent;
-	} else {
 	    emit '';
-	}
 
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
-	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
-	    my $providerref = $providers{$provider};
+	    if ( $provider ) {
+		#
+		# This interface is associated with a non-shared provider -- get the provider table entry
+		#
+		my $providerref = $providers{$provider};
 
-	    emit( "$physical)" ), push_indent if $wildcards;
-
-	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+		} else {
+		    emit qq(if interface_is_usable $physical; then);
+		}
 	    } else {
+		#
+		# Not a provider interface
+		#
 		emit qq(if interface_is_usable $physical; then);
 	    }
 
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
+		  'else' ,
+		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
-
-	    emit( ';;' ), pop_indent if $wildcards;
 	}
 
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
-		push_indent;
-		
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-		    push_indent; 
-		    emit ( 'if interface_is_usable $interface; then' );
-		} else {
-		    emit ( "if interface_is_usable $physical; then" );
-		}
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }
-
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
-
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
-	    }
-	}
-
-	if ( $wildcards ) {
-	    emit( '*)' ,
-		  '    ;;'
-		);
-	    pop_indent;
-	    emit( 'esac' );
-	    pop_indent;
-	    emit('done' );
-	}
-
-	if ( $require ) {
-	    emit( '',
-		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
-		  '    case "$COMMAND" in',
-		  '        start|restart|restore|refresh)'
-		);
-
-	    if ( $family == F_IPV4 ) {
-		emit( '            if shorewall_is_started; then' );
-	    } else {
-		emit( '            if shorewall6_is_started; then' );
-	    }
-
-	    emit( '                fatal_error "No network interface available"',
-		  '            else',
-		  '                startup_error "No network interface available"',
-		  '            fi',
-		  '            ;;',
-		  '    esac',
-		  'fi'
-		);
-	}
-
-	return 1;
+	1;
     }
-
-    verify_required_interfaces( shift );
 }
 
 #
@@ -1002,14 +917,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
-			$rule2 = '';
 		    }
 
-		    assert ( $rule1 =~ s/^-A // );
+		    $rule1 =~ s/-A tcpre //;
+
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			assert ( $rule2 =~ s/^-A // );
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -1029,14 +944,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
-			$rule2 = '';
 		    }
 
-		    assert( $rule1 =~ s/-A // );
+		    $rule1 =~ s/-A tcout //;
+
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
 		}

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.3_7';
 
 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
     ( my $zone, $source) = split /:/, $source, 2;
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'NOTRACK' ,
+	'-j NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;

Shorewall/Perl/Shorewall/Tc.pm

@@ -40,44 +40,37 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1,
-		    fwi      => 0,
+		    fw       => 1
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1 ,
-		    fwi      => 0,
+		    fw       => 1
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1 ,
-		    fwi      => 1 ,
+		    fw       => 1
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
-		    fwi      => 0 ,
 		    } ,
 	    );
 
@@ -165,7 +158,6 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
-		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );
 
 our $family;
@@ -226,23 +218,12 @@ sub process_tc_rule( ) {
 	}
     }
 
-    if ( $dest ) {
-	if ( $dest eq $fw ) {
-	    $chain = 'tcin';
-	    $dest  = '';
-	} else {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
-	}
-    }
-
     if ( $designator ) {
 	$tcsref = $tcs{$designator};
 
 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
-	    } elsif ( $chain eq 'tcin' ) {
-		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }
 
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
@@ -269,8 +250,6 @@ sub process_tc_rule( ) {
 
     $list = '';
 
-    my $restriction = 0;
-
     unless ( $classid ) {
       MARK:
 	{
@@ -280,7 +259,7 @@ sub process_tc_rule( ) {
 
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
 
-		    $target      = $tccmd->{target};
+		    $target      = "$tccmd->{target} ";
 		    my $marktype = $tccmd->{mark};
 
 		    if ( $marktype == NOMARK ) {
@@ -289,19 +268,15 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
 
-		    if ( $target eq 'sticky' ) {
+		    if ( $target eq 'sticky ' ) {
 			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 
-			$restriction = DESTIFACE_DISALLOW;
-			
-			ensure_mangle_chain($target);
-
 			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
+		    } elsif ( $target eq 'IPMARK ' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 
 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
@@ -338,11 +313,11 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
+		    } elsif ( $target eq 'TPROXY ' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
+			
 			$chain = 'tcpre';
 
 			$cmd =~ /TPROXY\((.+?)\)$/;
@@ -362,15 +337,15 @@ sub process_tc_rule( ) {
 			}
 
 			$target .= "--on-port $port";
-
+			
 			if ( defined $ip && $ip ne '' ) {
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}
 
-			$target .= ' --tproxy-mark';
+			$target .= ' --tproxy-mark';	
 		    }
-
+			
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -396,16 +371,14 @@ sub process_tc_rule( ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
 		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
-		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
-		}
+		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
     }
 
     if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} | $restriction,
+				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
@@ -416,9 +389,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     $mark ? "$target $mark" : $target,
+				     "-j $target $mark" ,
+				     '' ,
 				     '' ,
-				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -435,11 +408,11 @@ sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
     return 0           if $rate eq '-';
-    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
-    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
-    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
-    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
-    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
+    return $1          if $rate =~ /^(\d+)kbit$/i;
+    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
+    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
+    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
+    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
     fatal_error "Invalid Rate ($rate)";
 }
 
@@ -458,6 +431,8 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
     my $flow = shift;
 
+    $flow =~ s/^\(// if $flow =~ s/\)$//;
+
     my @flow = split /,/, $flow;
 
     for ( @flow ) {
@@ -468,7 +443,7 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
 
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -488,21 +463,7 @@ sub process_simple_device() {
 	}
     }
 
-    my $in_burst = '10kb';
-
-    if ( $in_bandwidth =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
-
-	if ( defined $burst && $burst ne '' ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$in_bandwidth = rate_to_kbit( $in_band );
-    } else {
-	$in_bandwidth = rate_to_kbit( $in_bandwidth );
-    }
+    $bandwidth = rate_to_kbit( $bandwidth );
 
     emit "if interface_is_up $physical; then";
 
@@ -510,54 +471,14 @@ sub process_simple_device() {
 
     emit ( "${dev}_exists=Yes",
 	   "qt \$TC qdisc del dev $physical root",
-	   "qt \$TC qdisc del dev $physical ingress\n"
+	   "qt \$TC qdisc del dev $physical ingress\n"	   
 	 );
 
     emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
-	 ) if $in_bandwidth;
-
-    if ( $out_part ne '-' ) {
-	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
-
-	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
-
-	$out_bandwidth = rate_to_kbit( $out_bandwidth );
-
-	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
-
-	if ( defined $burst && $burst ne '' ) {
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " burst $burst";
-	} else {
-	    $command .= ' burst 10kb';
-	}
-
-	if ( defined $latency && $latency ne '' ) {
-	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
-	    $command .= " latency $latency";
-	} else {
-	    $command .= ' latency 200ms';
-	}
-
-	if ( defined $peak && $peak ne '' ) {
-	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " peakrate $peak";
-	}
-
-	if ( defined $minburst && $minburst ne '' ) {
-	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " minburst $minburst";
-	}
-
-	emit $command;
-
-	my $id = $number; $number = in_hexp( $devnum | 0x100 );
-
-	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    } else {
-	emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    }
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	 ) if $bandwidth;
+	  
+    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
 
     for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
@@ -567,7 +488,7 @@ sub process_simple_device() {
     }
 
     save_progress_message_short qq("   TC Device $physical defined.");
-
+    
     pop_indent;
     emit 'else';
     push_indent;
@@ -576,9 +497,9 @@ sub process_simple_device() {
     emit "${dev}_exists=";
     pop_indent;
     emit "fi\n";
-
+ 
     progress_message "  Simple tcdevice \"$currentline\" $done.";
-}
+}    
 
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
@@ -1173,14 +1094,14 @@ sub process_tc_priority() {
 		  1 );
     } else {
 	my $postref = $mangle_table->{tcpost};
-
+	
 	if ( $address ne '-' ) {
 	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
-	    add_rule( $postref ,
+	    add_rule( $postref , 
 		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
 		      1 );
 
@@ -1192,7 +1113,7 @@ sub process_tc_priority() {
 		    $ipp2p = 1;
 		}
 
-		add_rule( $postref ,
+		add_rule( $postref , 
 			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
 			  1 )
 		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
@@ -1218,8 +1139,8 @@ sub setup_simple_traffic_shaping() {
     my $fn1 = open_file 'tcpri';
 
     if ( $fn1 ) {
-	first_entry
-	    sub {
+	first_entry 
+	    sub { 
 		progress_message2 "$doing $fn1...";
 		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
 	    };
@@ -1307,26 +1228,11 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}
 
-	my $in_burst = '10kb';
-	my $inband;
-
-	if ( $devref->{in_bandwidth} =~ /:/ ) {
-	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
-
-	    if ( defined $burst && $burst ne '' ) {
-		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-		$in_burst = $burst;
-	    }
-
-	    $inband = rate_to_kbit( $in_band );
-	} else {
-	    $inband = rate_to_kbit $devref->{in_bandwidth};
-	}
+	my $inband = rate_to_kbit $devref->{in_bandwidth};
 
 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
 		   );
 	}
 
@@ -1444,68 +1350,6 @@ sub setup_traffic_shaping() {
     }
 }
 
-#
-# Process a record in the secmarks file
-#
-sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
-
-    if ( $secmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    my %chns = ( T => 'tcpost'  ,
-		 P => 'tcpre'   ,
-		 F => 'tcfor'   ,
-		 I => 'tcin'    ,
-		 O => 'tcout'   , );
-
-    my %state = ( N =>  'NEW' ,
-		  E =>  'ESTABLISHED' , 
-		  ER => 'ESTABLISHED,RELATED' );
-
-    my ( $chain , $state, $rest) = split ':', $chainin , 3;
-
-    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
-
-    my $chain1= $chns{$chain};
-    
-    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
-    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
-
-    if ( ( $state ||= '' ) ne '' ) {
-	my $state1;
-	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
-	$state = "$globals{STATEMATCH} $state1 ";
-    }
-
-    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
-	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
-		 "SECMARK --selctx $secmark";
-
-    my $disposition = $target;
-
-    $disposition =~ s/ .*//;
-
-    expand_rule( ensure_mangle_chain( $chain1 ) , 
-		 $restrictions{$chain1} ,
-		 $state .
-		 do_proto( $proto, $dport, $sport ) .
-		 do_user( $user ) .
-		 do_test( $mark, $globals{TC_MASK} ) ,
-		 $source , 
-		 $dest , 
-		 '' , 
-		 $target , 
-		 '' , 
-		 $disposition,
-		 '' );
-
-    progress_message "Secmarks rule \"$currentline\" $done";
-		 
-}
-
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -1518,7 +1362,6 @@ sub setup_tc() {
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain 'tcin';
 	}
 
 	my $mark_part = '';
@@ -1540,12 +1383,9 @@ sub setup_tc() {
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
-
-	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
-	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
 	}
     }
 
@@ -1594,7 +1434,7 @@ sub setup_tc() {
 			  mark      => HIGHMARK ,
 			  mask      => '' } ,
 			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark' ,
+			  target    => 'MARK --and-mark ' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' ,
 			  connmark  => 0
@@ -1616,20 +1456,9 @@ sub setup_tc() {
 	}
     }
 
-    if ( $config{MANGLE_ENABLED} ) {
-	if ( my $fn = open_file 'secmarks' ) {
+    add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
 
-	    first_entry "$doing $fn...";
-
-	    process_secmark_rule while read_a_line;
-	
-	    clear_comment;
-	}
-
-	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
-
-	handle_stickiness( $sticky );
-    }
+    handle_stickiness( $sticky );
 }
 
 1;

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_9';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";

Shorewall/Perl/prog.footer

@@ -5,8 +5,8 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo 
     echo "Options are:"
     echo
     echo "   -v and -q        Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
-			;;
+			;;			
 		    p*)
 			g_purge=Yes
 			option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 
 			if [ -n "$option" ]; then
 			    case $option in
-				*/*)
+				*/*)		    
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)
@@ -218,7 +218,6 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
 	fi
 
 	detect_configuration
@@ -256,9 +255,7 @@ case "$COMMAND" in
 	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	if [ -n "$SUBSYSLOCK" ]; then
-	    rm -f $SUBSYSLOCK
-	fi
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	progress_message3 "done."
 	;;
     status)
@@ -276,7 +273,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -286,13 +283,6 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
-	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Perl/prog.footer6

@@ -5,8 +5,8 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo 
     echo "Options are:"
     echo
     echo "   -v and -q        Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
-			;;
+			;;			
 		    p*)
 			g_purge=Yes
 			option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 
 			if [ -n "$option" ]; then
 			    case $option in
-				*/*)
+				*/*)		    
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)
@@ -184,7 +184,7 @@ else
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
- 	reset)
+	reset)
 	    if ! shorewall6_is_started ; then
 		error_message "$g_product is not running"
 		status=2
@@ -219,7 +219,6 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
-		COMMAND=start
 	    fi
 
 	    detect_configuration
@@ -257,9 +256,7 @@ else
 	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
 	status)
@@ -287,13 +284,6 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
-	up|down)
-	    [ $# -eq 1 ] && exit 0
-	    shift
-	    [ $# -ne 1 ] && usage 2
-	    updown $1
-	    status=0
-	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
 	    echo $SHOREWALL_VERSION

Shorewall/Perl/prog.header

@@ -89,17 +89,35 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 
 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv4 address
+# Flush one of the NAT table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushnat() # $1 = name of chain
+{
+    run_iptables -t nat -F $1
+}
+
+#
+# Flush one of the Mangle table chains
+#
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
 }
 
 #
@@ -508,12 +526,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1
 
 	while read route ; do
@@ -598,9 +615,9 @@ delete_proxyarp() {
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
-
-	rm -f ${VARDIR}/proxyarp
     fi
+
+    rm -f ${VARDIR}/proxyarp
 }
 
 #
@@ -614,7 +631,6 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
-    qt $IPTABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv4/ip_forward
 
@@ -640,7 +656,7 @@ fatal_error()
 {
     echo "   ERROR: $@" >&2
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%_b %d %T') "
         echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
     fi
@@ -656,12 +672,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
     echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
     case $COMMAND in
         start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -674,7 +684,7 @@ startup_error() # $* = Error Message
 	    ;;
     esac
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%_b %d %T') "
 
 	case $COMMAND in
@@ -751,6 +761,34 @@ run_tc() {
     fi
 }
 
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Get a list of all configured broadcast addresses on the system
 #

Shorewall/Perl/prog.header6

@@ -89,17 +89,27 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 
 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv6 address
+# Flush one of the Mangle table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
 }
 
 #
@@ -168,7 +178,7 @@ find_default_interface() {
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
 #
@@ -496,12 +506,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-    
     if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1
 
 	while read route ; do
@@ -584,7 +593,6 @@ clear_firewall() {
     setpolicy OUTPUT ACCEPT
 
     run_iptables -F
-    qt $IP6TABLES -t raw -F
 
     echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 
@@ -618,12 +626,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
     echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
     case $COMMAND in
         start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -713,6 +715,34 @@ run_tc() {
     fi
 }
 
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #

Shorewall/changelog.txt

@@ -1,132 +1,3 @@
-Changes in Shorewall 4.4.13.2
-
-1) Fix Debian -lite init scripts.
-
-2) Clamp VERBOSITY to valid range.
-
-Changes in Shorewall 4.4.13.1
-
-1)  Make log messages uniform.
-
-2)  Fix blacklisting in simple configurations.
-
-Changes in Shorewall 4.4.13
-
-1)  Allow zone lists in rules SOURCE and DEST.
-
-2)  Fix exclusion in the blacklist file.
-
-3)  Correct several old exclusion bugs.
-
-4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
-
-5)  Re-implement optional interface handling.
-
-6)  Add secmark config file.
-
-7)  Split in and out blacklisting.
-
-8)  Correct handling of [{src|dst},...] in ipset invocation
-
-9)  Correct SAME.
-
-10) TC Enhancements:
-
-    <burst> in IN-BANDWIDTH columns.
-    OUT-BANDWIDTH column in tcinterfaces.
-
-11) Create dynamic zone ipsets on 'start'.
-
-12) Remove new blacklisting implementation.
-
-13) Implement an alternative blacklisting scheme.
-
-14) Use '-m state' for UNTRACKED.
-
-15) Clear raw table on 'clear'
-
-16) Correct port-range check in tcfilters.
-
-17) Disallow '*' in interface names.
-
-Changes in Shorewall 4.4.12
-
-1)  Fix IPv6 shorecap program.
-
-2)  Eradicate incorrect IPv6 Multicast Network
-
-3)  Add ADD/DEL support.
-
-4)  Allow :random to work with REDIRECT
-
-5)  Add per-ip log rate limiting.
-
-6)  Use new hashlimit match syntax if available.
-
-7)  Add Universal sample.
-
-8)  Add COMPLETE option.
-
-9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
-
-10) Support new set match syntax.
-
-11) Blacklisting by DEST IP.
-
-12) Fix duplicate rule generation with 'any'.
-
-13) Fix port range editing problem.
-
-14) Display the .conf file directory in response to the status command.
-
-15)  Correct AUTOMAKE
-
-Changes in Shorewall 4.4.11
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-3)  Fix start priority of shorewall-init on Debian
-
-4)  Make IPv6 log and connections output readable.
-
-5)  Add REQUIRE_INTERFACE to shorewall*.conf
-
-6)  Avoid run-time warnings when options are not listed in
-    shorewall.conf.
-
-7)  Implement Vserver zones.
-
-8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
-    hosts file.
-
-9)  Add CLEAR_FORWARD_MARK option.
-
-10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
-
-11) Add PERL option.
-
-12) Fix nets= in Shorewall6
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
 Changes in Shorewall 4.4.9
 
 1)  Auto-detection of bridges.

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
+#####################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,5 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-
+#ADDRESS/SUBNET		PROTOCOL	PORT

Shorewall/configfiles/masq

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/netmap

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+#TYPE	NET1			INTERFACE	NET2

Shorewall/configfiles/secmarks

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Secmarks File
-#
-# For information about entries in this file, type "man shorewall-secmarks"
-#
-############################################################################################################
-#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
-#				STATE						PORT(S)	PORT(S) GROUP
-
-
-
-
-								

Shorewall/configfiles/shorewall.conf

@@ -31,7 +31,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -57,8 +59,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -194,12 +194,6 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=No
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -8,3 +8,4 @@
 #
 ###############################################################################
 #INTERFACE	TYPE		IN-BANDWIDTH
+

Shorewall/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall/init.debian.sh

@@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log}
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
-	echo "INITLOG cannot be empty, please configure $0" ;
+	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
 
@@ -32,9 +32,9 @@ fi
 
 echo_notdone () {
 
-  if [ "$INITLOG" = "/dev/null" ] ; then
+  if [ "$INITLOG" = "/dev/null" ] ; then 
 	  echo "not done."
-  else
+  else 
 	  echo "not done (check $INITLOG)."
   fi
 
@@ -71,7 +71,7 @@ fi
 
 export SHOREWALL_INIT_SCRIPT
 
-# wait for an unconfigured interface
+# wait for an unconfigured interface 
 wait_for_pppd () {
 	if [ "$wait_interface" != "" ]
 	then
@@ -93,11 +93,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 
@@ -124,7 +120,7 @@ case "$1" in
      ;;
   refresh)
      shorewall_refresh
-     ;;
+  	  ;;
   force-reload|restart)
      shorewall_restart
      ;;

Shorewall/init.slackware.firewall.sh

@@ -45,7 +45,7 @@ status() {
 
 export SHOREWALL_INIT_SCRIPT=1
 
-case $1 in
+case $1 in 
 	'start')
 	start
 	;;

Shorewall/known_problems.txt

@@ -1,37 +1 @@
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
-
-2)  The date/time formatting in the STARTUP_LOG is not uniform.
-
-    Fixed in 4.4.13.1
-
-3)  The blacklisting change in 4.4.13 broke blacklisting in some simple
-    configurations with the effect that blacklisting was not enabled.
-
-    Fixed in 4.4.13.1
-
-    The issue may also be worked around is follows.
-
-    If you currently have an entry similar to this in
-    /etc/shorewall/interfaces:
-
-       #ZONE         INTERFACE BROADCAST        OPTIONS
-       net 	     eth0      detect		blacklist,...
-
-    then remove the 'blacklist' option from that entry and change the
-    'net' entry in /etc/shorewall/zones as follows:
-
-       #ZONE       TYPE       OPTIONS       IN_OPTIONS
-       net         ipv4       -             blacklist
-
-4)  The Debian init scripts for Shorewall-lite and Shorewall6-lite
-    contain a syntax error.
-
-    Fixed in 4.4.13.2.
-
-5)  If the -v or -q option is passed to /sbin/shorewall-lite or
-    /sbin/shorewall6-lite on a command that involves the compiled
-    script, then the command will fail if the effective verbosity is
-    > 2 or < -1.
-
-    Fixed in 4.4.13.2.
+There are no known problems in Shorewall 4.4.9

Shorewall/lib.base

@@ -29,7 +29,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_CAPVERSION=40408
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -185,7 +185,7 @@ valid_address() {
 		;;
 	esac
     done
-
+    
     IFS=$ifs
 
     return 0
@@ -381,7 +381,7 @@ find_echo() {
     result=$(which echo)
     [ -n "$result" ] && { echo "$result -e"; return; }
 
-    echo echo
+    echo echo 
 }
 
 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:

Shorewall/lib.cli

@@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for
     else
 	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
-}
+}    
 
 #
 # Show traffic control information
@@ -226,18 +226,6 @@ show_classifiers() {
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
 
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
@@ -310,7 +298,7 @@ do_save() {
 	status=1
     fi
 
-    case ${SAVE_IPSETS:=No} in
+    case ${SAVE_IPSETS:=No} in 
 	[Yy]es)
 	    case ${IPSET:=ipset} in
 		*/*)
@@ -357,7 +345,7 @@ save_config() {
 
     local result
     result=1
-
+    
     iptables_save=${IPTABLES}-save
 
     [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
@@ -374,7 +362,17 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-		    do_save && rm -f ${VARDIR}/save
+
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
+			else
+		            echo "Error Saving the Dynamic Rules" >&2
+			fi
+		    else
+			do_save && rm -f ${VARDIR}/save
+		    fi
 		    ;;
 	    esac
 	fi
@@ -497,7 +495,7 @@ show_command() {
 				    fatal_error "Invalid table name ($s)"
 				    ;;
 			    esac
-
+			    
 			    option=
 			    shift
 			    ;;
@@ -553,20 +551,6 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
-
-	    if [ -z "$LOGFILE" ]; then
-		LOGFILE=/var/log/messages
-		
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
-		fi
-	    fi
-
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -729,7 +713,7 @@ show_command() {
 			;;
 		esac
 	    fi
-
+	    
 
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
@@ -745,7 +729,7 @@ show_command() {
 			exit 1
 		    fi
 		done
-
+		
 		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
 		echo
 		show_reset
@@ -807,19 +791,6 @@ dump_command() {
 	esac
     done
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
-
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -829,7 +800,7 @@ dump_command() {
     clear_term
     echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
     echo
-
+    
     show_reset
     host=$(echo $g_hostname | sed 's/\..*$//')
     $IPTABLES -L $g_ipt_options
@@ -873,7 +844,7 @@ dump_command() {
 	heading "PFKEY SPD"
 	setkey -DP
 	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
+	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys 
     fi
 
     heading "/proc"
@@ -1066,10 +1037,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
-    local which
-    which='-s'
-    local range
-    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -1081,31 +1048,19 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		shift
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		shift
-		continue
-		;;
 	    *-*)
-		qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
-		qt $IPTABLES -D dynamic -m iprange $range  $1 -j DROP
-		qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
-		qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
-		$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
+		qt $IPTABLES -D dynamic -m iprange --src-range  $1 -j DROP
+		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
+		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
+		$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IPTABLES -D dynamic $which $1 -j reject
-		qt $IPTABLES -D dynamic $which $1 -j DROP
-		qt $IPTABLES -D dynamic $which $1 -j logreject
-		qt $IPTABLES -D dynamic $which $1 -j logdrop
-		$IPTABLES -A dynamic $which $1 -j $chain || break 1
+		qt $IPTABLES -D dynamic -s $1 -j reject
+		qt $IPTABLES -D dynamic -s $1 -j DROP
+		qt $IPTABLES -D dynamic -s $1 -j logreject
+		qt $IPTABLES -D dynamic -s $1 -j logdrop
+		$IPTABLES -A dynamic -s $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1228,7 +1183,7 @@ add_command() {
 	if ! qt $IPSET -L $ipset -n; then
 	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi
-
+	
 	host=${host#*:}
 
 	if $IPSET -A $ipset $host; then
@@ -1237,7 +1192,7 @@ add_command() {
 	    fatal_error "Unable to add $interface:$host to zone $zone"
 	fi
     done
-
+	
 }
 
 #
@@ -1287,7 +1242,7 @@ delete_command() {
 	if ! qt $IPSET -L $ipset -n; then
 	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi
-
+	
 	host=${hostent#*:}
 
 	if $IPSET -D $ipset $host; then
@@ -1296,7 +1251,7 @@ delete_command() {
 	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	fi
     done
-
+	
 }
 
 #
@@ -1395,11 +1350,6 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall_is_started ; then
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1409,21 +1359,11 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
 		*-*)
-		    if  qt $IPTABLES -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
+		    if  qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
+			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1431,10 +1371,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IPTABLES -D dynamic $which $1 -j reject    ||\
-			qt $IPTABLES -D dynamic $which $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic $which $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic $which $1 -j logreject
+		    if  qt $IPTABLES -D dynamic -s $1 -j reject    ||\
+			qt $IPTABLES -D dynamic -s $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -s $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -s $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1463,9 +1403,9 @@ logwatch_command() {
 	case $option in
 	    -*)
 		option=${option#-}
-
+		
 		[ -z "$option" ] && usage 1
-
+		
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -1496,7 +1436,7 @@ logwatch_command() {
 		;;
 	esac
     done
-
+    
     [ -n "$g_debugging" ] && set -x
 
     if [ $# -eq 1 ]; then
@@ -1519,10 +1459,6 @@ determine_capabilities() {
 	exit 1
     fi
 
-    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
-
-    [ -n "$IP" -a -x "$IP" ] || IP=
-
     [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
 
     [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1542,7 +1478,6 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
-    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1575,8 +1510,6 @@ determine_capabilities() {
     LOG_TARGET=Yes
     PERSISTENT_SNAT=
     FLOW_FILTER=
-    FWMARK_RT_MASK=
-    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1686,13 +1619,9 @@ determine_capabilities() {
 	qt ipset -X $chain # Just in case something went wrong the last time
 
 	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
-		IPSET_MATCH=Yes
-	    elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
-		OLD_IPSET_MATCH=Yes
 	    fi
 	    qt ipset -X $chain
 	fi
@@ -1705,7 +1634,7 @@ determine_capabilities() {
     if [ -z "$HASHLIMIT_MATCH" ]; then
 	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi
+    fi	
     qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
     qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
     qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1714,7 +1643,6 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
     qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
-    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
@@ -1722,7 +1650,6 @@ determine_capabilities() {
     qt $IPTABLES -X $chain1
 
     [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1758,10 +1685,7 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
-	fi
+	report_capability "Ipset Match" $IPSET_MATCH
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1793,8 +1717,6 @@ report_capabilities() {
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1826,7 +1748,6 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
-    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1858,9 +1779,7 @@ report_capabilities1() {
     report_capability1 PERSISTENT_SNAT
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
-    report_capability1 FWMARK_RT_MASK
-    report_capability1 MARK_ANYWHERE
-
+    
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION
 }

Shorewall/lib.common

@@ -45,17 +45,17 @@ get_script_version() { # $1 = script
 	temp=$(echo $temp)
 	IFS=$ifs
 	digits=0
-
+	
 	for temp in $temp; do
 	    version=${version}$(printf '%02d' $temp)
 	    digits=$(($digits + 1))
 	    [ $digits -eq 3 ] && break
 	done
     fi
-
+    
     echo $version
 }
-
+ 
 #
 # Do required exports or create the required option string and run the passed script using
 # $SHOREWALL_SHELL
@@ -66,7 +66,7 @@ run_it() {
     local version
 
     export VARDIR
-
+	
     script=$1
     shift
 
@@ -82,7 +82,7 @@ run_it() {
 	export PURGE=$g_purge
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering
-
+ 
 	if [ "$g_product" != Shorewall ]; then
 	    #
 	    # Shorewall Lite
@@ -94,12 +94,7 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
+	options='-'
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -110,7 +105,7 @@ run_it() {
 
 	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
     fi
-
+	
     $SHOREWALL_SHELL $script $options $@
 }
 
@@ -514,13 +509,9 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2 
+set_state () # $1 = state
 {
-    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
-    else
-	echo "$1 ($(date))" > ${VARDIR}/state
-    fi
+    echo "$1 ($(date))" > ${VARDIR}/state
 }
 
 #

Shorewall/shorewall

@@ -32,7 +32,7 @@
 #     $1 = Yes: read the params file
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
-#
+#     
 get_config() {
     local prog
 
@@ -47,7 +47,7 @@ get_config() {
     fi
 
     config=$(find_file shorewall.conf)
-
+    
     if [ -f $config ]; then
 	if [ -r $config ]; then
 	    . $config
@@ -61,21 +61,21 @@ get_config() {
     fi
 
     ensure_config_path
-
+    
     if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
 	#
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    if [ -n "$LOGFILE" ]; then
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
-		fi
+	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+
+	    if [ -n "$(syslog_circular_buffer)" ]; then
+		g_logread="logread | tac"
+	    elif [ -r $LOGFILE ]; then
+		g_logread="tac $LOGFILE"
+	    else
+		echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		exit 2
 	    fi
 	fi
 
@@ -109,7 +109,7 @@ get_config() {
 		    IP=$prog
 		    ;;
 	    esac
-	else
+	else 
 	    IP='ip'
 	fi
 
@@ -130,7 +130,7 @@ get_config() {
 		    IPSET=$prog
 		    ;;
 	    esac
-	else
+	else 
 	    IPSET='ipset'
 	fi
 
@@ -151,7 +151,7 @@ get_config() {
 		    TC=$prog
 		    ;;
 	    esac
-	else
+	else 
 	    TC='tc'
 	fi
 	#
@@ -196,7 +196,7 @@ get_config() {
 		;;
 	esac
 
-	[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
+	[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' 
 
 	[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
 
@@ -222,7 +222,7 @@ get_config() {
     else
 	STARTUP_LOG=
 	LOG_VERBOSITY=-1
-    fi
+    fi   
 
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
@@ -313,7 +313,7 @@ startup_error() {
 # Run the compiler
 #
 compiler() {
-
+   
     if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
 	    startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@@ -338,10 +338,10 @@ compiler() {
     [ -n "$g_profile" ] && debugflags='-wd:DProf'
 
     # Perl compiler only takes the output file as a argument
-
+	    
     [ "$1" = debug -o "$1" = trace ]  && shift;
     [ "$1" = nolock ] && shift;
-    shift
+    shift 
 
     options="--verbose=$VERBOSITY"
     [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@@ -356,20 +356,11 @@ compiler() {
     #
     # Run the appropriate params file
     #
-    set -a;
+    set -a; 
     run_user_exit params
     set +a
 
-    if [ -n "$PERL" ]; then
-	if [ ! -x "$PERL" ]; then
-	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
-	    PERL=/usr/bin/perl
-	fi
-    else
-	PERL=/usr/bin/perl
-    fi
-
-    $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
+    perl $debugflags /usr/share/shorewall/compiler.pl $options $@
 }
 
 #
@@ -486,7 +477,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if ! make -qf ${CONFDIR}/Makefile; then
+	    if make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -546,7 +537,7 @@ compile_command() {
 			t*)
 			    g_test=Yes
 			    option=${option#t}
-			    ;;
+			    ;;			    
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -764,7 +755,7 @@ restart_command() {
 	fi
     fi
 
-    if [ -z "$g_fast" ]; then
+    if [ -z "$g_fast" ]; then  
 	progress_message3 "Compiling..."
 
 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
@@ -783,7 +774,7 @@ restart_command() {
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
     fi
-
+    
     return $rc
 }
 
@@ -967,7 +958,7 @@ safe_commands() {
 	    else
 		${VARDIR}/.$command clear
 	    fi
-
+	    
 	    [ -n "$nolock" ] || mutex_off
 
 	    echo "New configuration has been rejected and the old one restored"
@@ -998,7 +989,7 @@ try_command() {
 		echo "Directory $1 does not exist" >&2 && exit 2
 	    fi
 	fi
-
+	
 	SHOREWALL_DIR=$(resolve_file $1)
     }
 
@@ -1041,7 +1032,7 @@ try_command() {
 	2)
 	    handle_directory $1
 	    timeout=$2
-	    case $timeout in
+	    case $timeout in 
 		*[!0-9]*)
                     echo "   ERROR: Invalid timeout ($timeout)" >&2;
 		    exit 1
@@ -1093,12 +1084,12 @@ try_command() {
 
     if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
 	sleep $timeout
-
+	    
 	if [ "$command" = "restart" ]; then
 	    ${VARDIR}/.try restore
 	else
 	    ${VARDIR}/.$command clear
-	fi
+	fi	    
     fi
 
     [ -n "$nolock" ] || mutex_off
@@ -1115,7 +1106,7 @@ rsh_command() {
 rcp_command() {
     files="$1"
     destination=$2
-
+    
     eval $RCP_COMMAND
 }
 
@@ -1256,12 +1247,12 @@ reload_command() # $* = original arguments less the command.
 export_command() # $* = original arguments less the command.
 {
     local verbose
-    verbose=$(make_verbose)
+    verbose=$(make_verbose) 
     local file
-    file=
+    file= 
     local finished
-    finished=0
-    local directory
+    finished=0 
+    local directory 
     local target
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -1335,7 +1326,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1378,7 +1369,7 @@ usage() # $1 = exit status
     echo "   show vardir"
     echo "   show zones"
     echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1464,7 +1455,7 @@ while [ $finished -eq 0 ]; do
 			;;
 		    v*)
 			option=${option#v}
-			case $option in
+			case $option in 
 			    -1*)
 				g_use_verbosity=-1
 				option=${option#-1}
@@ -1517,7 +1508,6 @@ version_command() {
     finished=0
     local all
     all=
-    local product
 
     while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1552,13 +1542,6 @@ version_command() {
 
     echo $SHOREWALL_VERSION
 
-    if [ -n "$all" ]; then
-	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
 }
 
 if [ $# -eq 0 ]; then
@@ -1579,7 +1562,7 @@ g_timestamp=
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 
 if [ ! -f ${VARDIR}/firewall ]; then
-    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
+    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
 fi
 
 g_firewall=${VARDIR}/firewall
@@ -1631,17 +1614,17 @@ case "$COMMAND" in
 	get_config
 	[ $# -ne 1 ] && usage 1
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	mutex_on
+	run_it $g_firewall $g_debugging $nolock $COMMAND
+	mutex_off
 	;;
     reset)
 	get_config
 	shift
-	[ -n "$nolock" ] || mutex_on
+	mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	run_it $g_firewall $g_debugging reset $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $g_debugging $nolock reset $@
+	mutex_off
 	;;
     compile)
 	get_config Yes
@@ -1695,7 +1678,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -1838,7 +1821,6 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
@@ -1930,7 +1912,7 @@ case "$COMMAND" in
 	else
 	    fatal_error "Shorewall is not started"
 	fi
-	;;
+	;;	
      noiptrace)
 	get_config
 	shift
@@ -1940,7 +1922,7 @@ case "$COMMAND" in
 	else
 	    fatal_error "Shorewall is not started"
 	fi
-	;;
+	;;	
     *)
 	usage 1
 	;;

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.13
-%define release 2
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
 Obsoletes: shorewall-common shorewall-perl shorewall-shell
 
 %description
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -76,6 +75,7 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall/configfiles
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
+%attr(0600,root,root) /etc/shorewall/Makefile
 
 %attr(0644,root,root) /etc/logrotate.d/shorewall
 
@@ -103,69 +103,11 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/configfiles/*
 
 %attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz
 
-%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
 fi
 
 if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
+    FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall
 fi

Shorewall/wait4ifup

@@ -33,7 +33,7 @@
 #
 
 interface_is_up() {
-    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }
 
 case $# in
@@ -57,4 +57,4 @@ done
 
 exit 1
 
-
+    

Shorewall6-lite/default.debian

@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null
 
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall6-lite/init.debian.sh

@@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}
 
-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
 
@@ -88,11 +88,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 Lite firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -126,12 +129,11 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
-INSTALLD='-D'
-T='-T'
+DEBIAN=
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -139,10 +141,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-     Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -151,14 +149,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -180,183 +178,169 @@ echo "Installing Shorewall6 Lite Version $VERSION"
 #
 # Check for /etc/shorewall6-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall6-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall6-lite ]; then
     [ -f /etc/shorewall6-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall6-lite/shorewall.conf /etc/shorewall6-lite/shorewall6-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall6-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
+    rm -rf ${PREFIX}/etc/shorewall6-lite
+    rm -rf ${PREFIX}/usr/share/shorewall6-lite
+    rm -rf ${PREFIX}/var/lib/shorewall6-lite
 fi
 
 #
 # Check for /sbin/shorewall6-lite
 #
-if [ -f ${DESTDIR}/sbin/shorewall6-lite ]; then
+if [ -f ${PREFIX}/sbin/shorewall6-lite ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall6-lite/xmodules
 
-install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
+install_file shorewall6-lite ${PREFIX}/sbin/shorewall6-lite 0544 ${PREFIX}/var/lib/shorewall6-lite-${VERSION}.bkout
 
-echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
+echo "Shorewall6 Lite control program installed in ${PREFIX}/sbin/shorewall6-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall6-lite 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall6 Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall6-lite, /usr/share/shorewall6-lite and /var/lib/shorewall6-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
+mkdir -p ${PREFIX}/etc/shorewall6-lite
+mkdir -p ${PREFIX}/usr/share/shorewall6-lite
+mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall6-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall6-lite
+chmod 755 ${PREFIX}/etc/shorewall6-lite
+chmod 755 ${PREFIX}/usr/share/shorewall6-lite
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
-   install_file shorewall6-lite.conf ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall6-lite.conf ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall6-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall6-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall6-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall6-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall6-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6-lite/wait4ifup"
 
-if [ -f modules ]; then
-    #
-    # Install the Modules file
-    #
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
-fi
+#
+# Install the Modules file
+#
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6-lite/modules"
 
-if [ -d manpages ]; then
-    #
-    # Install the Man Pages
-    #
+#
+# Install the Man Pages
+#
 
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
-    
-    cd ..
+cd ..
 
-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
 fi
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall6-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall6-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall6-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     touch /var/log/shorewall6-lite-init.log
 
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall6-lite
-	    else
-		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
-
+	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall6-lite/shorecap

@@ -58,7 +58,7 @@ g_product="Shorewall Lite"
 
 SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
 
-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
+[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)
 
 VERBOSITY=0
 load_kernel_modules No

Shorewall6-lite/shorewall6-lite

@@ -145,12 +145,6 @@ get_config() {
 
     [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
     g_hostname=$(hostname 2> /dev/null)
 
     IP=$(mywhich ip 2> /dev/null)
@@ -355,7 +349,7 @@ usage() # $1 = exit status
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
     echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
@@ -372,62 +366,13 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   version [ -a ]"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -621,9 +566,7 @@ case "$COMMAND" in
     stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $debugging $nolock $COMMAND
 	;;
     restart)
 	shift
@@ -649,7 +592,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -670,8 +613,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
     logwatch)
 	logwatch_command $@

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.13
-%define release 2
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall6-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -93,64 +92,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -67,7 +67,7 @@ if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
 fi
 
 if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall6-lite
 fi

Shorewall6/action.Drop

@@ -28,11 +28,6 @@ Auth(REJECT)
 #
 AllowICMPs	-	-	ipv6-icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #

Shorewall6/action.Reject

@@ -20,16 +20,10 @@
 #
 Auth(REJECT)
 #
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# ACCEPT critical ICMP types
 #
 AllowICMPs	-	-	ipv6-icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).

Shorewall6/blacklist

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
+#ADDRESS/SUBNET		PROTOCOL	PORT

Shorewall6/default.debian

@@ -21,16 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall6/init.debian.sh

@@ -93,11 +93,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
   echo -n "Stopping \"Shorewall6 firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -85,13 +85,12 @@ install_file() # $1 = source $2 = target $3 = mode
     run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 DEBIAN=
 CYGWIN=
 MAC=
@@ -113,7 +116,7 @@ INSTALLD='-D'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -124,15 +127,15 @@ case $(uname) in
 	SPARSE=Yes
 	;;
     Darwin)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
-	    SPARSE=Yes
 	fi
 
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
+	SPARSE=Yes
 	INSTALLD=
 	;;	
     *)
@@ -169,7 +172,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
@@ -177,8 +180,8 @@ if [ -n "$DESTDIR" ]; then
 	fi    
     fi
 	
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
    
     CYGWIN=
     MAC=
@@ -218,18 +221,18 @@ echo "Installing Shorewall6 Version $VERSION"
 #
 # Check for /sbin/shorewall6
 #
-if [ -f ${DESTDIR}/sbin/shorewall6 ]; then
+if [ -f ${PREFIX}/sbin/shorewall6 ]; then
     first_install=""
 else
     first_install="Yes"
 fi
 
 if [ -z "$CYGWIN" ]; then
-   install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
+   install_file shorewall6 ${PREFIX}/sbin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/sbin/shorewall6"
 else
-   install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
+   install_file shorewall6 ${PREFIX}/bin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/bin/shorewall6"
 fi
 
 
@@ -237,461 +240,451 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$SLACKWARE" ]; then
-    install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.slackware.shorewall6.sh ${PREFIX}${DEST}/rc.shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$INIT" ]; then
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 fi
 
-[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"
+[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
-mkdir -p ${DESTDIR}/var/lib/shorewall6
+mkdir -p ${PREFIX}/etc/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6/configfiles
+mkdir -p ${PREFIX}/var/lib/shorewall6
 
-chmod 755 ${DESTDIR}/etc/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6/configfiles
+chmod 755 ${PREFIX}/etc/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
 
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi
 
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
-perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
 
-if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
-   run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
+if [ ! -f ${PREFIX}/etc/shorewall6/shorewall6.conf ]; then
+   run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/etc/shorewall6/shorewall6.conf
 
    if [ -n "$DEBIAN" ] && mywhich perl; then
        #
        # Make a Debian-like shorewall6.conf
        #
-       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${DESTDIR}/etc/shorewall6/shorewall6.conf
+       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${PREFIX}/etc/shorewall6/shorewall6.conf
    fi
 
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6/shorewall6.conf"
+   echo "Config file installed as ${PREFIX}/etc/shorewall6/shorewall6.conf"
 fi
 
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6/shorewall6.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6/shorewall6.conf
 fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
+run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall6/configfiles/zones
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
-    echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/zones ]; then
+    run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall6/zones
+    echo "Zones file installed as ${PREFIX}/etc/shorewall6/zones"
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall6/compiler
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.dynamiczones
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.maclist
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.nat
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.providers
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
+delete_file ${PREFIX}/usr/share/shorewall6/compiler
+delete_file ${PREFIX}/usr/share/shorewall6/lib.accounting
+delete_file ${PREFIX}/usr/share/shorewall6/lib.actions
+delete_file ${PREFIX}/usr/share/shorewall6/lib.dynamiczones
+delete_file ${PREFIX}/usr/share/shorewall6/lib.maclist
+delete_file ${PREFIX}/usr/share/shorewall6/lib.nat
+delete_file ${PREFIX}/usr/share/shorewall6/lib.providers
+delete_file ${PREFIX}/usr/share/shorewall6/lib.proxyarp
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tc
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tcrules
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tunnels
+delete_file ${PREFIX}/usr/share/shorewall6/prog.header
+delete_file ${PREFIX}/usr/share/shorewall6/prog.footer
 
 #
 # Install wait4ifup
 #
 
-install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6/wait4ifup 0755
 
 echo
-echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6/wait4ifup"
 
 #
 # Install the policy file
 #
-run_install $OWNERSHIP -m 0644 policy ${DESTDIR}/usr/share/shorewall6/configfiles/policy
+run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall6/configfiles/policy
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/policy ]; then
-    run_install $OWNERSHIP -m 0600 policy ${DESTDIR}/etc/shorewall6/policy
-    echo "Policy file installed as ${DESTDIR}/etc/shorewall6/policy"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/policy ]; then
+    run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall6/policy
+    echo "Policy file installed as ${PREFIX}/etc/shorewall6/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 interfaces ${DESTDIR}/usr/share/shorewall6/configfiles/interfaces
+run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall6/configfiles/interfaces
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 interfaces ${DESTDIR}/etc/shorewall6/interfaces
-    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall6/interfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/interfaces ]; then
+    run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall6/interfaces
+    echo "Interfaces file installed as ${PREFIX}/etc/shorewall6/interfaces"
 fi
 
 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 hosts ${DESTDIR}/usr/share/shorewall6/configfiles/hosts
+run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall6/configfiles/hosts
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/hosts ]; then
-    run_install $OWNERSHIP -m 0600 hosts ${DESTDIR}/etc/shorewall6/hosts
-    echo "Hosts file installed as ${DESTDIR}/etc/shorewall6/hosts"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/hosts ]; then
+    run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall6/hosts
+    echo "Hosts file installed as ${PREFIX}/etc/shorewall6/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 rules ${DESTDIR}/usr/share/shorewall6/configfiles/rules
+run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall6/configfiles/rules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/rules ]; then
-    run_install $OWNERSHIP -m 0600 rules ${DESTDIR}/etc/shorewall6/rules
-    echo "Rules file installed as ${DESTDIR}/etc/shorewall6/rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/rules ]; then
+    run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall6/rules
+    echo "Rules file installed as ${PREFIX}/etc/shorewall6/rules"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 params ${DESTDIR}/usr/share/shorewall6/configfiles/params
+run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall6/configfiles/params
 
-if [ -f ${DESTDIR}/etc/shorewall6/params ]; then
-    chmod 0644 ${DESTDIR}/etc/shorewall6/params
+if [ -f ${PREFIX}/etc/shorewall6/params ]; then
+    chmod 0644 ${PREFIX}/etc/shorewall6/params
 else
-    run_install $OWNERSHIP -m 0644 params ${DESTDIR}/etc/shorewall6/params
-    echo "Parameter file installed as ${DESTDIR}/etc/shorewall6/params"
+    run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall6/params
+    echo "Parameter file installed as ${PREFIX}/etc/shorewall6/params"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 routestopped ${DESTDIR}/usr/share/shorewall6/configfiles/routestopped
+run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall6/configfiles/routestopped
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped ${DESTDIR}/etc/shorewall6/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall6/routestopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/routestopped ]; then
+    run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall6/routestopped
+    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall6/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 maclist ${DESTDIR}/usr/share/shorewall6/configfiles/maclist
+run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall6/configfiles/maclist
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/maclist ]; then
-    run_install $OWNERSHIP -m 0600 maclist ${DESTDIR}/etc/shorewall6/maclist
-    echo "MAC list file installed as ${DESTDIR}/etc/shorewall6/maclist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/maclist ]; then
+    run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall6/maclist
+    echo "MAC list file installed as ${PREFIX}/etc/shorewall6/maclist"
 fi
 #
 # Install the Modules file
 #
-run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6/modules
-echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6/modules"
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"
 
 #
 # Install the Module Helpers file
 #
-run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall6/helpers
-echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall6/helpers"
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
 
 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}/usr/share/shorewall6/configfiles/tcrules
+run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall6/configfiles/tcrules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 tcrules ${DESTDIR}/etc/shorewall6/tcrules
-    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall6/tcrules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
+    run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall6/tcrules
+    echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
 
 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 tcinterfaces ${DESTDIR}/usr/share/shorewall6/configfiles/tcinterfaces
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 tcinterfaces ${DESTDIR}/etc/shorewall6/tcinterfaces
-    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall6/tcinterfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
 fi
 
 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 tcpri ${DESTDIR}/usr/share/shorewall6/configfiles/tcpri
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 tcpri ${DESTDIR}/etc/shorewall6/tcpri
-    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall6/tcpri"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
 fi
 
 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 tos ${DESTDIR}/usr/share/shorewall6/configfiles/tos
+run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall6/configfiles/tos
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tos ]; then
-    run_install $OWNERSHIP -m 0600 tos ${DESTDIR}/etc/shorewall6/tos
-    echo "TOS file installed as ${DESTDIR}/etc/shorewall6/tos"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tos ]; then
+    run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall6/tos
+    echo "TOS file installed as ${PREFIX}/etc/shorewall6/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 tunnels ${DESTDIR}/usr/share/shorewall6/configfiles/tunnels
+run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall6/configfiles/tunnels
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 tunnels ${DESTDIR}/etc/shorewall6/tunnels
-    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall6/tunnels"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tunnels ]; then
+    run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall6/tunnels
+    echo "Tunnels file installed as ${PREFIX}/etc/shorewall6/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 blacklist ${DESTDIR}/usr/share/shorewall6/configfiles/blacklist
+run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall6/configfiles/blacklist
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist ${DESTDIR}/etc/shorewall6/blacklist
-    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/blacklist ]; then
+    run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall6/blacklist
+    echo "Blacklist file installed as ${PREFIX}/etc/shorewall6/blacklist"
 fi
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
+run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall6/configfiles/providers
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
-    run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
-    echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/providers ]; then
+    run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall6/providers
+    echo "Providers file installed as ${PREFIX}/etc/shorewall6/providers"
 fi
 
 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 route_rules ${DESTDIR}/usr/share/shorewall6/configfiles/route_rules
+run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall6/configfiles/route_rules
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 route_rules ${DESTDIR}/etc/shorewall6/route_rules
-    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall6/route_rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/route_rules ]; then
+    run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall6/route_rules
+    echo "Routing rules file installed as ${PREFIX}/etc/shorewall6/route_rules"
 fi
 
 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 tcclasses ${DESTDIR}/usr/share/shorewall6/configfiles/tcclasses
+run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall6/configfiles/tcclasses
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 tcclasses ${DESTDIR}/etc/shorewall6/tcclasses
-    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall6/tcclasses"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclasses ]; then
+    run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall6/tcclasses
+    echo "TC Classes file installed as ${PREFIX}/etc/shorewall6/tcclasses"
 fi
 
 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 tcdevices ${DESTDIR}/usr/share/shorewall6/configfiles/tcdevices
+run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall6/configfiles/tcdevices
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 tcdevices ${DESTDIR}/etc/shorewall6/tcdevices
-    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall6/tcdevices"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
+    run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall6/tcdevices
+    echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
 fi
 
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 notrack ${DESTDIR}/usr/share/shorewall6/configfiles/notrack
+run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
-    echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
-fi
-
-#
-# Install the Secmarks file
-#
-run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
-
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
-    run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
-    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
+    run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
+    echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
 fi
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6/configpath"
 #
 # Install the init file
 #
-run_install $OWNERSHIP -m 0644 init ${DESTDIR}/usr/share/shorewall6/configfiles/init
+run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall6/configfiles/init
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/init ]; then
-    run_install $OWNERSHIP -m 0600 init ${DESTDIR}/etc/shorewall6/init
-    echo "Init file installed as ${DESTDIR}/etc/shorewall6/init"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/init ]; then
+    run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall6/init
+    echo "Init file installed as ${PREFIX}/etc/shorewall6/init"
 fi
 #
 # Install the start file
 #
-run_install $OWNERSHIP -m 0644 start ${DESTDIR}/usr/share/shorewall6/configfiles/start
+run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall6/configfiles/start
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/start ]; then
-    run_install $OWNERSHIP -m 0600 start ${DESTDIR}/etc/shorewall6/start
-    echo "Start file installed as ${DESTDIR}/etc/shorewall6/start"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/start ]; then
+    run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall6/start
+    echo "Start file installed as ${PREFIX}/etc/shorewall6/start"
 fi
 #
 # Install the stop file
 #
-run_install $OWNERSHIP -m 0644 stop ${DESTDIR}/usr/share/shorewall6/configfiles/stop
+run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall6/configfiles/stop
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stop ]; then
-    run_install $OWNERSHIP -m 0600 stop ${DESTDIR}/etc/shorewall6/stop
-    echo "Stop file installed as ${DESTDIR}/etc/shorewall6/stop"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stop ]; then
+    run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall6/stop
+    echo "Stop file installed as ${PREFIX}/etc/shorewall6/stop"
 fi
 #
 # Install the stopped file
 #
-run_install $OWNERSHIP -m 0644 stopped ${DESTDIR}/usr/share/shorewall6/configfiles/stopped
+run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall6/configfiles/stopped
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stopped ]; then
-    run_install $OWNERSHIP -m 0600 stopped ${DESTDIR}/etc/shorewall6/stopped
-    echo "Stopped file installed as ${DESTDIR}/etc/shorewall6/stopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stopped ]; then
+    run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall6/stopped
+    echo "Stopped file installed as ${PREFIX}/etc/shorewall6/stopped"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 accounting ${DESTDIR}/usr/share/shorewall6/configfiles/accounting
+run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall6/configfiles/accounting
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/accounting ]; then
-    run_install $OWNERSHIP -m 0600 accounting ${DESTDIR}/etc/shorewall6/accounting
-    echo "Accounting file installed as ${DESTDIR}/etc/shorewall6/accounting"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/accounting ]; then
+    run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall6/accounting
+    echo "Accounting file installed as ${PREFIX}/etc/shorewall6/accounting"
 fi
 #
 # Install the Started file
 #
-run_install $OWNERSHIP -m 0644 started ${DESTDIR}/usr/share/shorewall6/configfiles/started
+run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall6/configfiles/started
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/started ]; then
-    run_install $OWNERSHIP -m 0600 started ${DESTDIR}/etc/shorewall6/started
-    echo "Started file installed as ${DESTDIR}/etc/shorewall6/started"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/started ]; then
+    run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall6/started
+    echo "Started file installed as ${PREFIX}/etc/shorewall6/started"
 fi
 #
 # Install the Restored file
 #
-run_install $OWNERSHIP -m 0644 restored ${DESTDIR}/usr/share/shorewall6/configfiles/restored
+run_install $OWNERSHIP -m 0644 restored ${PREFIX}/usr/share/shorewall6/configfiles/restored
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/restored ]; then
-    run_install $OWNERSHIP -m 0600 restored ${DESTDIR}/etc/shorewall6/restored
-    echo "Restored file installed as ${DESTDIR}/etc/shorewall6/restored"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/restored ]; then
+    run_install $OWNERSHIP -m 0600 restored ${PREFIX}/etc/shorewall6/restored
+    echo "Restored file installed as ${PREFIX}/etc/shorewall6/restored"
 fi
 #
 # Install the Clear file
 #
-run_install $OWNERSHIP -m 0644 clear ${DESTDIR}/usr/share/shorewall6/configfiles/clear
+run_install $OWNERSHIP -m 0644 clear ${PREFIX}/usr/share/shorewall6/configfiles/clear
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/clear ]; then
-    run_install $OWNERSHIP -m 0600 clear ${DESTDIR}/etc/shorewall6/clear
-    echo "Clear file installed as ${DESTDIR}/etc/shorewall6/clear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/clear ]; then
+    run_install $OWNERSHIP -m 0600 clear ${PREFIX}/etc/shorewall6/clear
+    echo "Clear file installed as ${PREFIX}/etc/shorewall6/clear"
 fi
 #
 # Install the Isusable file
 #
-run_install $OWNERSHIP -m 0644 isusable ${DESTDIR}/usr/share/shorewall6/configfiles/isusable
+run_install $OWNERSHIP -m 0644 isusable ${PREFIX}/usr/share/shorewall6/configfiles/isusable
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/isusable ]; then
-    run_install $OWNERSHIP -m 0600 isusable ${DESTDIR}/etc/shorewall6/isusable
-    echo "Isusable file installed as ${DESTDIR}/etc/shorewall/isusable"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/isusable ]; then
+    run_install $OWNERSHIP -m 0600 isusable ${PREFIX}/etc/shorewall6/isusable
+    echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
 #
 # Install the Refresh file
 #
-run_install $OWNERSHIP -m 0644 refresh ${DESTDIR}/usr/share/shorewall6/configfiles/refresh
+run_install $OWNERSHIP -m 0644 refresh ${PREFIX}/usr/share/shorewall6/configfiles/refresh
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refresh ]; then
-    run_install $OWNERSHIP -m 0600 refresh ${DESTDIR}/etc/shorewall6/refresh
-    echo "Refresh file installed as ${DESTDIR}/etc/shorewall6/refresh"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refresh ]; then
+    run_install $OWNERSHIP -m 0600 refresh ${PREFIX}/etc/shorewall6/refresh
+    echo "Refresh file installed as ${PREFIX}/etc/shorewall6/refresh"
 fi
 #
 # Install the Refreshed file
 #
-run_install $OWNERSHIP -m 0644 refreshed ${DESTDIR}/usr/share/shorewall6/configfiles/refreshed
+run_install $OWNERSHIP -m 0644 refreshed ${PREFIX}/usr/share/shorewall6/configfiles/refreshed
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refreshed ]; then
-    run_install $OWNERSHIP -m 0600 refreshed ${DESTDIR}/etc/shorewall6/refreshed
-    echo "Refreshed file installed as ${DESTDIR}/etc/shorewall6/refreshed"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refreshed ]; then
+    run_install $OWNERSHIP -m 0600 refreshed ${PREFIX}/etc/shorewall6/refreshed
+    echo "Refreshed file installed as ${PREFIX}/etc/shorewall6/refreshed"
 fi
 #
 # Install the Tcclear file
 #
-run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/tcclear
+run_install $OWNERSHIP -m 0644 tcclear ${PREFIX}/usr/share/shorewall6/configfiles/tcclear
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
-    run_install $OWNERSHIP -m 0600 tcclear ${DESTDIR}/etc/shorewall6/tcclear
-    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclear ]; then
+    run_install $OWNERSHIP -m 0600 tcclear ${PREFIX}/etc/shorewall6/tcclear
+    echo "Tcclear file installed as ${PREFIX}/etc/shorewall6/tcclear"
 fi
 #
 # Install the Standard Actions file
 #
-install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall6/actions.std"
+install_file actions.std ${PREFIX}/usr/share/shorewall6/actions.std 0644
+echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall6/actions.std"
 
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/usr/share/shorewall6/configfiles/actions
+run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall6/configfiles/actions
 
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/actions ]; then
-    run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/etc/shorewall6/actions
-    echo "Actions file installed as ${DESTDIR}/etc/shorewall6/actions"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/actions ]; then
+    run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall6/actions
+    echo "Actions file installed as ${PREFIX}/etc/shorewall6/actions"
 fi
 
 #
 # Install the  Makefiles
 #
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}/usr/share/shorewall6/configfiles/Makefile
+run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall6/configfiles/Makefile
 
 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6/Makefile
-    echo "Makefile installed as ${DESTDIR}/etc/shorewall6/Makefile"
+    run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6/Makefile
+    echo "Makefile installed as ${PREFIX}/etc/shorewall6/Makefile"
 fi
 #
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Action ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 
 # Install the Macro files
 #
 for f in macro.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Macro ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
     fi
 done
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6/version
+chmod 644 ${PREFIX}/usr/share/shorewall6/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall6/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall6/init
 fi
@@ -702,39 +695,33 @@ fi
 
 cd manpages
 
-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+[ -n "$INSTALLD" ] || mkdir -p ${PREFIX}${MANDIR}/man5/ ${PREFIX}${MANDIR}/man8/
 
 for f in *.5; do
     gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+    run_install $INSTALLD  -m 0644 $f.gz ${PREFIX}${MANDIR}/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man5/$f.gz"
 done
 
 for f in *.8; do
     gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    run_install $INSTALLD  -m 0644 $f.gz ${PREFIX}${MANDIR}/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man8/$f.gz"
 done
 
 cd ..
 
 echo "Man Pages Installed"
 
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
 fi
 
-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
-
-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall6
-	else
-	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
-	fi
-
+	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log

Shorewall6/lib.base

@@ -33,7 +33,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_CAPVERSION=40408
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

Shorewall6/lib.cli

@@ -134,18 +134,18 @@ syslog_circular_buffer() {
 packet_log() # $1 = number of messages
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
 }
 
 search_log() # $1 = IP address to search for
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
     fi
 }    
 
@@ -208,19 +208,6 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
-
     host=$(echo $g_hostname | sed 's/\..*$//')
     oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')
 
@@ -452,7 +439,7 @@ show_command() {
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -470,20 +457,6 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
-
-	    if [ -z "$LOGFILE" ]; then
-		LOGFILE=/var/log/messages
-		
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
-		fi
-	    fi
-
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -694,19 +667,6 @@ dump_command() {
 	esac
     done
 
-    if [ -z "$LOGFILE" ]; then
-	LOGFILE=/var/log/messages
-
-	if [ -n "$(syslog_circular_buffer)" ]; then
-	    g_logread="logread | tac"
-	elif [ -r $LOGFILE ]; then
-	    g_logread="tac $LOGFILE"
-	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
-	fi
-    fi
-
     g_ipt_options="$g_ipt_options $g_ipt_options1"
 
     [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -787,7 +747,7 @@ dump_command() {
     report_capabilities
 
     echo
-    netstat -6tunap
+    netstat -tunap
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -958,10 +918,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
     chain=$1
     local finished
     finished=$2
-    local which
-    which='-s'
-    local range
-    range='--src-range'
 
     if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -973,31 +929,19 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 
     while [ $# -gt 0 ]; do
 	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		shift
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		shift
-		continue
-		;;
 	    *-*)
-		qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
-		qt $IP6TABLES -D dynamic -m iprange $range  $1 -j DROP
-		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
-		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
-		$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
+		qt $IP6TABLES -D dynamic -m iprange --src-range  $1 -j DROP
+		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
+		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
+		$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IP6TABLES -D dynamic $which $1 -j reject
-		qt $IP6TABLES -D dynamic $which $1 -j DROP
-		qt $IP6TABLES -D dynamic $which $1 -j logreject
-		qt $IP6TABLES -D dynamic $which $1 -j logdrop
-		$IP6TABLES -A dynamic $which $1 -j $chain || break 1
+		qt $IP6TABLES -D dynamic -s $1 -j reject
+		qt $IP6TABLES -D dynamic -s $1 -j DROP
+		qt $IP6TABLES -D dynamic -s $1 -j logreject
+		qt $IP6TABLES -D dynamic -s $1 -j logdrop
+		$IP6TABLES -A dynamic -s $1 -j $chain || break 1
 		;;
 	esac
 
@@ -1102,11 +1046,6 @@ allow_command() {
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && usage 1
     if shorewall6_is_started ; then
-	local which
-	which='-s'
-	local range
-	range='--src-range'
-
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1116,21 +1055,11 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
-		from)
-		    which='-s'
-		    range='--src-range'
-		    continue
-		    ;;
-		to)
-		    which='-d'
-		    range='--dst-range'
-		    continue
-		    ;;
 		*-*)
-		    if  qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1138,10 +1067,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IP6TABLES -D dynamic $which $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic $which $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic $which $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic $which $1 -j logreject
+		    if  qt $IP6TABLES -D dynamic -s $1 -j reject    ||\
+			qt $IP6TABLES -D dynamic -s $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -s $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -s $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1231,7 +1160,6 @@ determine_capabilities() {
     RECENT_MATCH=
     OWNER_MATCH=
     IPSET_MATCH=
-    OLD_IPSET_MATCH=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
@@ -1262,8 +1190,6 @@ determine_capabilities() {
     IPMARK_TARGET=
     LOG_TARGET=Yes
     FLOW_FILTER=
-    FWMARK_RT_MASK=
-    MARK_ANYWHERE=
 
     chain=fooX$$
 
@@ -1278,10 +1204,6 @@ determine_capabilities() {
 
     [ -n "$IP" -a -x "$IP" ] || IP=
 
-    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
-
-    [ -n "$TC" -a -x "$TC" ] || TC=
-
     qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 
     qt $IP6TABLES -F $chain
@@ -1405,15 +1327,13 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
     qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
     qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
-    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 
     qt $IP6TABLES -F $chain
     qt $IP6TABLES -X $chain
     qt $IP6TABLES -F $chain1
     qt $IP6TABLES -X $chain1
 
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
     KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1448,10 +1368,7 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
-	fi
+	report_capability "Ipset Match" $IPSET_MATCH
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1481,8 +1398,6 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1513,7 +1428,6 @@ report_capabilities1() {
     report_capability1 RECENT_MATCH
     report_capability1 OWNER_MATCH
     report_capability1 IPSET_MATCH
-    report_capability1 OLD_IPSET_MATCH
     report_capability1 CONNMARK
     report_capability1 XCONNMARK
     report_capability1 CONNMARK_MATCH
@@ -1543,8 +1457,6 @@ report_capabilities1() {
     report_capability1 LOG_TARGET
     report_capability1 TPROXY_TARGET
     report_capability1 FLOW_FILTER
-    report_capability1 FWMARK_RT_MASK
-    report_capability1 MARK_ANYWHERE
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/lib.common

@@ -92,12 +92,7 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
+	options='-'
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -452,11 +447,7 @@ find_file()
 #
 set_state () # $1 = state
 {
-    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
-    else
-	echo "$1 ($(date))" > ${VARDIR}/state
-    fi
+    echo "$1 ($(date))" > ${VARDIR}/state
 }
 
 #

Shorewall6/secmarks

@@ -1,8 +0,0 @@
-#
-# Shorewall6 version 4 - Secmarks File
-#
-# For information about entries in this file, type "man shorewall-secmarks"
-#
-############################################################################################################
-#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
-#										PORT(S)	PORT(S)

Shorewall6/shorewall6

@@ -67,15 +67,15 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    if [ -n "$LOGFILE" ]; then
-		if [ -n "$(syslog_circular_buffer)" ]; then
-		    g_logread="logread | tac"
-		elif [ -r $LOGFILE ]; then
-		    g_logread="tac $LOGFILE"
-		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
-		fi
+	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+
+	    if [ -n "$(syslog_circular_buffer)" ]; then
+		g_logread="logread | tac"
+	    elif [ -r $LOGFILE ]; then
+		g_logread="tac $LOGFILE"
+	    else
+		echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		exit 2
 	    fi
 	fi
 
@@ -299,16 +299,7 @@ compiler() {
 	set +a
     fi
 
-    if [ -n "$PERL" ]; then
-	if [ ! -x "$PERL" ]; then
-	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
-	    PERL=/usr/bin/perl
-	fi
-    else
-	PERL=/usr/bin/perl
-    fi
-
-    $command $PERL $debugflags $pc $options $@
+    $command perl $debugflags $pc $options $@
 }    
 
 #
@@ -419,7 +410,7 @@ start_command() {
 
 	    export RESTOREFILE
 
-	    if ! make -qf ${CONFDIR}/Makefile; then
+	    if make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -1270,7 +1261,7 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
@@ -1293,7 +1284,7 @@ usage() # $1 = exit status
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
     echo "   status"
     echo "   try <directory> [ <timeout> ]"
     echo "   version [ -a ]"
@@ -1467,11 +1458,9 @@ version_command() {
     echo $SHOREWALL_VERSION
 
     if [ -n "$all" ]; then
-	for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
+	if [ -f /usr/share/shorewall/version ]; then
+	    echo "Shorewall $(cat /usr/share/shorewall/version)"
+	fi
     fi
 }
 
@@ -1544,17 +1533,17 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	mutex_on
+	run_it $g_firewall $g_debugging $nolock $COMMAND
+	mutex_off
 	;;
     reset)
 	get_config
 	shift
-	[ -n "$nolock" ] || mutex_on
+	mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	run_it $g_firewall $g_debugging reset $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $g_debugging $nolock reset $@
+	mutex_off
 	;;
     compile)
 	get_config Yes
@@ -1608,7 +1597,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac

Shorewall6/shorewall6.conf

@@ -32,7 +32,9 @@ LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -54,8 +56,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -151,12 +151,6 @@ DYNAMIC_BLACKLIST=Yes
 
 LOAD_HELPERS_ONLY=No
 
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.13
-%define release 2
+%define version 4.4.9
+%define release 0base
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute shorewall >= 4.3.5
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -98,64 +97,6 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.13.2
+VERSION=4.4.9
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
 fi
 
 if [ -L /usr/share/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall6
 fi

docs/Accounting.xml

@@ -119,7 +119,8 @@
         (from <filename>/etc/protocols</filename>), a protocol number or
         <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
         iptables must have ipp2p match support from <ulink
-        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
+        url="http://www.netfilter.org">Netfilter
+        Patch_o_matic_ng</ulink>.</para>
       </listitem>
 
       <listitem>
@@ -145,7 +146,7 @@
         only be non-empty if the CHAIN is OUTPUT. The column may
         contain:</para>
 
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
+        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
 
         <para>When this column is non-empty, the rule applies only if the
         program generating the output is running under the effective
@@ -162,6 +163,9 @@
 
           <member>!:kids #program must not be run by a member of the
           <quote>kids</quote> group</member>
+
+          <member>+upnpd #program named upnpd (This feature was removed from
+          Netfilter in kernel version 2.6.14).</member>
         </simplelist>
       </listitem>
 

docs/Build.xml

@@ -72,10 +72,6 @@
         <listitem>
           <para>Shorewall6-lite</para>
         </listitem>
-
-        <listitem>
-          <para>Shorewall-init</para>
-        </listitem>
       </itemizedlist>
 
       <para>There are also several other directories which are described in
@@ -84,18 +80,20 @@
       <section>
         <title>trunk/docs</title>
 
-        <para>The stable release XML documents. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML documents. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version. In that case, there is no docs directory in that
+        release's directory in <emphasis
+        role="bold">branches</emphasis>.</para>
       </section>
 
       <section>
         <title>trunk/manpages, trunk/manpages6, trunk/manpages-lite and
         trunk/manpages6-lite</title>
 
-        <para>The stable release XML manpages. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML manpages. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version.</para>
       </section>
     </section>
 
@@ -158,8 +156,7 @@
     <section>
       <title>build44</title>
 
-      <para>This is the script that builds Shorewall 4.4 packages from
-      Git.</para>
+      <para>This is the script that builds Shorewall packages from Git.</para>
 
       <para>The script copies content from Git using the <command>git
       archive</command> command. It then uses that content to build the
@@ -168,7 +165,7 @@
 
       <variablelist>
         <varlistentry>
-          <term>rpmbuild</term>
+          <term>rpmbuild (I use rpm version 4.4.2.3-20.3)</term>
 
           <listitem>
             <para>Required to build the RPM packages.</para>
@@ -176,7 +173,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>xsltproc (libxslt)</term>
+          <term>xsltproc (libxslt -- I use version 1.1.24-19.1)</term>
 
           <listitem>
             <para>Required to convert the XML documents to other
@@ -185,7 +182,8 @@
         </varlistentry>
 
         <varlistentry>
-          <term>Docbook XSL Stylesheets</term>
+          <term>Docbook XSL Stylesheets (I use docbook-xsl-stylesheets version
+          1.74.0-1.35)</term>
 
           <listitem>
             <para>Required to convert the XML documents to other
@@ -194,7 +192,7 @@
         </varlistentry>
 
         <varlistentry>
-          <term>Perl</term>
+          <term>Perl (I use Perl 5.10.0-62.17.1)</term>
 
           <listitem>
             <para>Required to massage some of the config files.</para>
@@ -202,21 +200,25 @@
         </varlistentry>
 
         <varlistentry>
-          <term>xmlto</term>
+          <term>xmlto (I use version 0.0.18-182.27)</term>
 
           <listitem>
-            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
+            not all versions of xmlto will work (those released by Debian and
+            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
+            find that xmlto fails, install
+            tools<filename>/build/xmlto</filename> in <filename
+            class="directory">/usr/local/bin</filename>.</para>
           </listitem>
         </varlistentry>
       </variablelist>
 
-      <para>You should ensure that you have the latest scripts. The scripts
+      <para>You should ensure that you have the latest script. The scripts
       change periodically as we move through the release cycles.</para>
 
-      <para>The build44 script may need to be modified to fit your particular
-      environment. There are a number of variables that are set near the top
-      of the file:</para>
+      <para>The scripts may need to be modified to fit your particular
+      environment. There are a number of variables that are set near the front
+      of the script:</para>
 
       <variablelist>
         <varlistentry>
@@ -258,7 +260,7 @@
           <term>GIT</term>
 
           <listitem>
-            <para>Shorewall GIT repository.</para>
+            <para>Shorewall GIT repository</para>
           </listitem>
         </varlistentry>
       </variablelist>
@@ -282,8 +284,8 @@
           <term>opt<emphasis>i</emphasis>ons</term>
 
           <listitem>
-            <para>are one or more of the following. If no options are given
-            then all options are assumed</para>
+            <para>are one of the following. If no options are given then all
+            options are assumed</para>
 
             <variablelist>
               <varlistentry>
@@ -310,14 +312,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Build the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>l</term>
 
@@ -390,7 +384,7 @@
       against 4.2.7:</para>
 
       <blockquote>
-        <para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
+        <para><command>build44 -trSc 4.3.7.1 4.3.7</command></para>
       </blockquote>
     </section>
 
@@ -435,14 +429,6 @@
                 </listitem>
               </varlistentry>
 
-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Upload the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
               <varlistentry>
                 <term>6</term>
 
@@ -483,55 +469,5 @@
         <para><command>upload44 -c 4.3.7.3</command></para>
       </blockquote>
     </section>
-
-    <section>
-      <title>install.sh files</title>
-
-      <para>Each product includes an install script
-      (<filename>install.sh</filename>) that may be used to install the
-      product on a machine or into a directory.</para>
-
-      <para>By default, the scripts install the corresponding product into
-      "/'; you can direct them to install into an empty existing directory by
-      setting an environmental variable:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DESTDIR (release 4.4.10 and later)</para>
-        </listitem>
-
-        <listitem>
-          <para>PREFIX (all releases)</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>There are a number of other environmental variables that you can
-      set to cause the directory to be populated for a particular target
-      environment:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DEBIAN - Debian-based systems (Debian, Ubuntu, etc.)</para>
-        </listitem>
-
-        <listitem>
-          <para>SUSE - SEL and OpenSuSE</para>
-        </listitem>
-
-        <listitem>
-          <para>REDHAT - RHEL, CentOS, Foobar, etc.</para>
-        </listitem>
-
-        <listitem>
-          <para>MAC - Apple MacIntosh (Shorewall and Shorewall6 packages
-          only)</para>
-        </listitem>
-
-        <listitem>
-          <para>CYGWIN - Cygwin under Windows (Shorewall and Shorewall6
-          packages only)</para>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 </article>

docs/CompiledPrograms.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2006-2010</year>
+      <year>2006-2007</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -180,11 +180,12 @@
         disable startup of Shorewall in your init scripts. For ease of
         reference, we call this system the 'administrative system'.</para>
 
-        <para>The administrative system may be a GNU/Linux system, a Windows
-        system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
-        an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
-        running OS X. Install from a shell prompt <ulink
-        url="Install.htm">using the install.sh script</ulink>.</para>
+        <para>The administrative system may be a Windows system running <ulink
+        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
+        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
+        Install from a shell prompt <ulink url="Install.htm">using the
+        install.sh script</ulink> (Mac supported was added in Shorewall
+        4.4.9).</para>
       </listitem>
 
       <listitem>
@@ -241,10 +242,8 @@
         <orderedlist>
           <listitem>
             <para>modify the files in the corresponding export directory
-            appropriately (i.e., <emphasis>just as you would if you were
-            configuring Shorewall on the firewall system itself</emphasis>).
-            It's a good idea to include the IP address of the administrative
-            system in the <ulink
+            appropriately. It's a good idea to include the IP address of the
+            administrative system in the <ulink
             url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
             file</ulink>.</para>
 
@@ -285,29 +284,26 @@
 
           <listitem>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load firewall</command></programlisting>
+<command>/sbin/shorewall load -c firewall</command></programlisting>
 
             <para>The <ulink
             url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
             command compiles a firewall script from the configuration files in
             the current working directory (using <command>shorewall compile
             -e</command>), copies that file to the remote system via scp and
-            starts Shorewall Lite on the remote system via ssh.</para>
+            starts Shorewall Lite on the remote system via ssh. The -c option
+            causes the capabilities of the remote system to be generated and
+            copied to a file named <filename>capabilities</filename> in the
+            export directory. See <link
+            linkend="Shorecap">below</link>.</para>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load gateway</command><note>
+            <para><command>/sbin/shorewall load -c gateway</command><note>
                 <para>Although scp and ssh are used by default, you can use
                 other utilities by setting RSH_COMMAND and RCP_COMMAND in
                 <filename>/etc/shorewall/shorewall.conf</filename>.</para>
               </note></para>
-
-            <para>The first time that you issue a <command>load</command>
-            command, Shorewall will use ssh to run
-            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
-            remote firewall to create a capabilities file in the firewall's
-            administrative direction. See <link
-            linkend="Shorecap">below</link>.</para>
           </listitem>
         </orderedlist>
       </listitem>
@@ -461,7 +457,7 @@ clean:
       </simplelist>
     </blockquote>
 
-    <para>You will normally never touch
+    <para>You will normally not need to touch
     <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
     run Debian or one of its derivatives (see <link
     linkend="Debian">above</link>).</para>
@@ -564,11 +560,11 @@ clean:
           <blockquote>
             <para>Before editing:</para>
 
-            <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
 
             <para>After editing:</para>
 
-            <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
           </blockquote>
 
           <para>Changing CONFIG_PATH will ensure that subsequent compilations
@@ -601,21 +597,14 @@ clean:
 
           <blockquote>
             <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load &lt;firewall system&gt;</command>
+<command>/sbin/shorewall load -c &lt;firewall system&gt;</command>
 </programlisting>
 
             <para>Example (firewall's DNS name is 'gateway'):</para>
 
-            <para><command>/sbin/shorewall load gateway</command></para>
+            <para><command>/sbin/shorewall load -c gateway</command></para>
           </blockquote>
 
-          <para>The first time that you issue a <command>load</command>
-          command, Shorewall will use ssh to run
-          <filename>/usr/share/shorewall-lite/shorecap</filename> on the
-          remote firewall to create a capabilities file in the firewall's
-          administrative direction. See <link
-          linkend="Shorecap">below</link>.</para>
-
           <para>The <ulink
           url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
           command compiles a firewall script from the configuration files in
@@ -652,8 +641,7 @@ clean:
 <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
 
           <para>Or simply use the -c option the next time that you use the
-          <command>reload</command> command (e.g., <command>shorewall reload
-          -c gateway</command>).</para>
+          <command>reload</command> command.</para>
         </listitem>
       </orderedlist>
     </section>

docs/Documentation_Index.xml

@@ -5,7 +5,7 @@
   <!--/$Id$-->
 
   <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>
 
     <authorgroup>
       <author>
@@ -57,9 +57,11 @@
           <row>
             <entry></entry>
 
-            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
+            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
+            Machine)</ulink></entry>
 
-            <entry></entry>
+            <entry><ulink url="Shorewall-perl.html">Shorewall
+            Perl</ulink></entry>
           </row>
 
           <row>
@@ -68,8 +70,8 @@
             <entry><ulink url="ConnectionRate.html">Limiting Connection
             Rates</ulink></entry>
 
-            <entry><ulink url="Shorewall-perl.html">Shorewall
-            Perl</ulink></entry>
+            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
+            Guide</ulink></entry>
           </row>
 
           <row>
@@ -77,8 +79,7 @@
 
             <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
 
-            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
-            Guide</ulink></entry>
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
           </row>
 
           <row>
@@ -86,7 +87,9 @@
 
             <entry><ulink url="Macros.html">Macros</ulink></entry>
 
-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
           </row>
 
           <row>
@@ -96,44 +99,44 @@
             <entry><ulink url="MAC_Validation.html">MAC
             Verification</ulink></entry>
 
-            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
-            (<firstterm>Source Network Address
-            Translation</firstterm>)</entry>
-          </row>
-
-          <row>
-            <entry><ulink url="Anatomy.html">Anatomy of
-            Shorewall</ulink></entry>
-
-            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
-
             <entry><ulink url="SplitDNS.html">Split DNS the Easy
             Way</ulink></entry>
           </row>
 
           <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth
-            Control</ulink></entry>
+            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
+            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink url="ManualChains.html">Manual
-            Chains</ulink></entry>
+            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
             <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
             Shorewall</ulink></entry>
           </row>
 
           <row>
-            <entry><ulink
-            url="blacklisting_support.htm">Blacklisting</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
+            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink
-            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
+            <entry><ulink url="ManualChains.html">Manual
+            Chains</ulink></entry>
 
             <entry><ulink
             url="starting_and_stopping_shorewall.htm">Starting/stopping the
             Firewall</ulink></entry>
           </row>
 
+          <row>
+            <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
+            (<ulink
+            url="blacklisting_support_ru.html">Russian</ulink>)</entry>
+
+            <entry><ulink
+            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
+
+            <entry><ulink url="NAT.htm">Static (one-to-one)
+            NAT</ulink></entry>
+          </row>
+
           <row>
             <entry>Bridge: <ulink
             url="bridge-Shorewall-perl.html">Shorewall-perl</ulink></entry>
@@ -142,8 +145,7 @@
             from a Single Firewall</ulink> (<ulink
             url="MultiISP_ru.html">Russian</ulink>)</entry>
 
-            <entry><ulink url="NAT.htm">Static (one-to-one)
-            NAT</ulink></entry>
+            <entry><ulink url="support.htm">Support</ulink></entry>
           </row>
 
           <row>
@@ -153,7 +155,8 @@
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>
 
-            <entry><ulink url="support.htm">Support</ulink></entry>
+            <entry><ulink url="configuration_file_basics.htm">Tips and
+            Hints</ulink></entry>
           </row>
 
           <row>
@@ -163,8 +166,8 @@
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="configuration_file_basics.htm">Tips and
-            Hints</ulink></entry>
+            <entry><ulink url="Accounting.html">Traffic
+            Accounting</ulink></entry>
           </row>
 
           <row>
@@ -174,8 +177,8 @@
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
 
-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple</ulink></entry>
           </row>
 
           <row>
@@ -184,8 +187,9 @@
 
             <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
 
-            <entry><ulink url="simple_traffic_shaping.html">Traffic
-            Shaping/QOS - Simple</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
           </row>
 
           <row>
@@ -195,8 +199,8 @@
             <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
             NAT)</entry>
 
-            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
           </row>
 
           <row>
@@ -205,8 +209,7 @@
             <entry><ulink url="Multiple_Zones.html"><ulink
             url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
 
-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
           </row>
 
           <row>
@@ -216,7 +219,8 @@
 
             <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
 
-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
           </row>
 
           <row>
@@ -225,7 +229,8 @@
             <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
             Shorewall</ulink></entry>
 
-            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
           </row>
 
           <row>
@@ -235,8 +240,7 @@
             <entry><ulink url="PacketMarking.html">Packet
             Marking</ulink></entry>
 
-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
           </row>
 
           <row>
@@ -247,7 +251,7 @@
             <entry><ulink url="PacketHandling.html">Packet Processing in a
             Shorewall-based Firewall</ulink></entry>
 
-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
           </row>
 
           <row>
@@ -256,7 +260,8 @@
 
             <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
 
-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
           </row>
 
           <row>
@@ -265,8 +270,8 @@
             <entry><ulink url="two-interface.htm#DNAT">Port
             Forwarding</ulink></entry>
 
-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
           </row>
 
           <row>
@@ -275,8 +280,8 @@
 
             <entry><ulink url="ports.htm">Port Information</ulink></entry>
 
-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
           </row>
 
           <row>
@@ -286,8 +291,7 @@
             <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
             of the 'Recent Match'</ulink></entry>
 
-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>
@@ -318,8 +322,8 @@
           </row>
 
           <row>
-            <entry><ulink
-            url="Install.htm">Installation/Upgrade</ulink></entry>
+            <entry><ulink url="Install.htm">Installation/Upgrade</ulink>
+            (<ulink url="Install_fr.html">Français</ulink>)</entry>
 
             <entry><ulink url="ReleaseModel.html">Release
             Model</ulink></entry>
@@ -367,8 +371,8 @@
             <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
             Filtering</ulink></entry>
 
-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Laptop.html">Shorewall on a
+            Laptop</ulink></entry>
 
             <entry></entry>
           </row>
@@ -382,16 +386,6 @@
 
             <entry></entry>
           </row>
-
-          <row>
-            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
-            Machine)</ulink></entry>
-
-            <entry><ulink url="Laptop.html">Shorewall on a
-            Laptop</ulink></entry>
-
-            <entry></entry>
-          </row>
         </tbody>
       </tgroup>
     </informaltable>

docs/FAQ.xml

@@ -20,7 +20,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2010</year>
+      <year>2001-2009</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -506,6 +506,11 @@ net        eth0          detect               <emphasis role="bold">routeback</e
         <para>And in <filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>
 
+        <para>And finally, in
+        <filename>/etc/shorewall/shorewall.conf</filename> you need:</para>
+
+        <programlisting>IP_FORWARDING=On</programlisting>
+
         <para>Like the hack in FAQ 2, this one results in all forwarded
         connections looking to the server (66.249.93.11) as if they originated
         on your firewall (206.124.146.176).</para>
@@ -687,9 +692,11 @@ eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</em
           <para>That rule (and the second one in the previous bullet) only
           works of course if you have a static external IP address. If you
           have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename>.</para>
+          <filename>/etc/shorewall/params</filename> (or your
+          <filename>&lt;export directory&gt;/init</filename> file if you are
+          using Shorewall Lite on the firewall system):</para>
 
-          <programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command>        </programlisting>
+          <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>        </programlisting>
 
           <para>and make your DNAT rule:</para>
 
@@ -710,14 +717,6 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
             will return 0.0.0.0 if the interface has no configured IP address;
             the latter terminates the calling program.</para>
           </note>
-
-          <note>
-            <para>If you run Shorewall-lite on your firewall, you must use the
-            following in the firewall's configuration directory
-            <filename>params</filename> file:</para>
-
-            <programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
-          </note>
         </listitem>
       </itemizedlist>
 
@@ -1188,18 +1187,6 @@ to debug/develop the newnat interface.</programlisting></para>
   <section id="Logging">
     <title>Logging</title>
 
-    <section id="faq91">
-      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
-      spit out logs to /var/log/shorewall.log and it's not happening after I
-      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
-      the correct line, right? </title>
-
-      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
-      The LOGFILE setting tells Shorewall where to find the log; it does not
-      determine where messages are written. See <link linkend="faq6">the next
-      FAQ</link>.</para>
-    </section>
-
     <section id="faq6">
       <title>(FAQ 6) Where are the log messages written and how do I change
       the destination?</title>
@@ -2079,18 +2066,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
           <para>Be sure to secure the script for execute access.</para>
         </listitem>
       </itemizedlist>
-
-      <variablelist>
-        <varlistentry>
-          <term>Update:</term>
-
-          <listitem>
-            <para>Beginning with Shorewall 4.4.10, there is a new <ulink
-            url="Manpages/shorewall-init.html">Shorewall Init Package</ulink>
-            that is designed to handle this case.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
     </section>
 
     <section id="faq87">
@@ -2108,57 +2083,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
       <filename>/etc/shorewall/params</filename> when processing the <emphasis
       role="bold">restore</emphasis> command.</para>
     </section>
-
-    <section id="faq90">
-      <title>(FAQ 90) Shorewall starts fine but after several minutes, it
-      stops. Why is it doing that?</title>
-
-      <para><emphasis role="bold">Answer:</emphasis> Shorewall uses the
-      presence of a chain named <emphasis>shorewall</emphasis> to indicate
-      whether is started or stopped. That chain is created during execution of
-      a successful <emphasis role="bold">start</emphasis>, <emphasis
-      role="bold">restart</emphasis> or <emphasis
-      role="bold">restore</emphasis> command and is removed during <emphasis
-      role="bold">stop</emphasis> and <emphasis role="bold">clear</emphasis>.
-      If <emphasis role="bold">shorewall status</emphasis> indicates that
-      Shorewall is stopped, then something has deleted that chain. Look at the
-      output of <emphasis role="bold">shorewall status</emphasis>; if it looks
-      like this:</para>
-
-      <blockquote>
-        <programlisting>gateway:~# shorewall status
-Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010
-
-Shorewall is <emphasis role="bold">stopped</emphasis>
-State:<emphasis role="bold">Started</emphasis> (Tue Jul 20 16:01:49 PDT 2010)
-
-gateway:~# 
-</programlisting>
-      </blockquote>
-
-      <para>then it means that somehing outside of Shorewall has deleted the
-      chain. This usually means that you were running another firewall package
-      before you installed Shorewall and that other package has replaced
-      Shorewall's Netfilter configuration with its own. You must remove (or at
-      least disable) the other firewall package and restart Shorewall.</para>
-
-      <blockquote>
-        <programlisting>gateway:~# shorewall status
-Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010
-
-Shorewall is <emphasis role="bold">stopped</emphasis>
-State:<emphasis role="bold">Stopped</emphasis> (Wed Jul 21 13:26:26 PDT 2010)
-
-gateway:~# </programlisting>
-      </blockquote>
-
-      <para>then a <emphasis role="bold">shorewall stop</emphasis> command has
-      been executed (if the State shown in the output is <emphasis
-      role="bold">Cleared</emphasis>, then a <emphasis role="bold">shorewall
-      clear</emphasis> command was executed). Most likely, you have installed
-      and configured the <emphasis>shorewall-init</emphasis> package and a
-      required interface has gone down.</para>
-    </section>
   </section>
 
   <section id="MultiISP">
@@ -2393,13 +2317,9 @@ We have an error talking to the kernel
       subzones? I've got a system with Linux-VServers, it's one interface
       (eth0) with multiple IPs</title>
 
-      <para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall
-      4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver
-      zones</ulink> that are nested within the firewall zone.</para>
-
-      <para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
-      firewall zone. But you can use shell variables to make vservers easier
-      to deal with.</para>
+      <para><emphasis role="bold">Answer</emphasis>: There is no way to create
+      sub-zones of the firewall zone. But you can use shell variables to make
+      vservers easier to deal with.</para>
 
       <para><filename>/etc/shorewall/params</filename>:</para>
 
@@ -2783,8 +2703,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
    LOG Target: Available
    Persistent SNAT: Available
 gateway:~# </programlisting>
-
-      <para></para>
     </section>
 
     <section id="faq19">
@@ -2814,74 +2732,5 @@ loc                $FW                     ACCEPT           </programlisting>
       <emphasis>inline</emphasis> more with Shorewall, but no HOWTO exists at
       this time.</para>
     </section>
-
-    <section id="faq89">
-      <title>(FAQ 89) How do I connect to the web server in my aDSL modem from
-      my local LAN?</title>
-
-      <para>Answer: Here's what I did:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>My local network is 172.20.1.0/24, so I set the IP address in
-          the modem to 172.20.1.2.</para>
-        </listitem>
-
-        <listitem>
-          <para>The IP address of my firewall's interface to the LAN is
-          172.20.1.254. The logical name of the DSL interface is EXT_IF and my
-          LAN interface is INT_IF.</para>
-
-          <para>I added the following two configuration entries:</para>
-
-          <para><filename>/etc/shorewall/masq:</filename></para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
-</programlisting>
-
-          <para><filename>/etc/shorewall/proxyarp</filename>:</para>
-
-          <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
-172.20.1.2	EXT_IF		INT_IF		no		yes
-</programlisting>
-        </listitem>
-      </itemizedlist>
-
-      <para>If you can't change the IP address of your modem and its current
-      address isn't in your local network, then you need to change this
-      slightly; assuming that the modem IP address is 192.168.1.1:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Do not include an entry in
-          <filename>/etc/shorewall/proxyarp</filename>.</para>
-        </listitem>
-
-        <listitem>
-          <para>Add an IP address in 192.168.1.0/24 to your external interface
-          using your configuration's network management tools. For
-          Debian-based systems, that means adding this to the interface's
-          stanza in <filename>/etc/network/interfaces</filename>:</para>
-
-          <programlisting>    post-up /sbin/ip addr add 192.168.1.254/24 dev <replaceable>external-interface</replaceable></programlisting>
-        </listitem>
-
-        <listitem>
-          <para>Your entry in <filename>/etc/shorewall/masq</filename> would
-          then be:</para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
-</programlisting>
-        </listitem>
-      </itemizedlist>
-    </section>
   </section>
 </article>

docs/GettingStarted.xml

@@ -22,8 +22,6 @@
 
       <year>2007</year>
 
-      <year>2010</year>
-
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -47,41 +45,33 @@
     </listitem>
   </itemizedlist>
 
-  <para>Now, <ulink url="Install.htm">install Shorewall</ulink>.</para>
-
   <para>Next, read the QuickStart Guide that is appropriate for your
   configuration:</para>
 
-  <para><emphasis role="bold">If you just want to protect a system: (Requires
-  Shorewall 4.4.12-Beta3 or later)</emphasis></para>
-
-  <itemizedlist>
-    <listitem>
-      <para><ulink url="Universal.html">Universal</ulink> configuration --
-      requires no configuration to protect a single system.</para>
-    </listitem>
-  </itemizedlist>
-
   <para><emphasis role="bold">If you have only one public IP
   address:</emphasis></para>
 
   <itemizedlist>
     <listitem>
       <para><ulink url="standalone.htm">Standalone</ulink> Linux System with a
-      single network interface (if you are running Shorewall 4.4.12 Beta 3 or
-      later, use the <ulink url="Universal.html">Universal</ulink>
-      configuration instead).</para>
+      single network interface (<ulink url="standalone_fr.html">Version
+      Française</ulink>) <ulink url="standalone_ru.html">(Russian
+      Version)</ulink> <ulink url="standalone_es.html">Version en
+      Español</ulink></para>
     </listitem>
 
     <listitem>
       <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network</para>
+      acting as a firewall/router for a small local network (<ulink
+      url="two-interface_fr.html">Version Française</ulink>) (<ulink
+      url="two-interface_ru.html">Russian Version</ulink>)</para>
     </listitem>
 
     <listitem>
       <para><ulink url="three-interface.htm">Three-interface</ulink> Linux
-      System acting as a firewall/router for a small local network and a
-      DMZ.</para>
+      System acting as a firewall/router for a small local network and a DMZ..
+      (<ulink url="three-interface_fr.html">Version Française</ulink>) (<ulink
+      url="three-interface_ru.html">Russian Version</ulink>)</para>
     </listitem>
   </itemizedlist>
 
@@ -91,10 +81,11 @@
   <itemizedlist>
     <listitem>
       <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> outlines the steps necessary to set up a firewall where
-      there are multiple public IP addresses involved or if you want to learn
-      more about Shorewall than is explained in the single-address guides
-      above.</para>
+      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
+      Française</ulink>) outlines the steps necessary to set up a firewall
+      where there are multiple public IP addresses involved or if you want to
+      learn more about Shorewall than is explained in the single-address
+      guides above.</para>
     </listitem>
   </itemizedlist>
 

docs/LennyToSqueeze.xml

@@ -165,9 +165,9 @@
         not feasible to install Perl on your firewall, then you should
         consider installing Shorewall on another system in your network (may
         be a <trademark>Windows</trademark> system running
-        <trademark>Cygwin</trademark> or an <trademark>Apple</trademark>
-        <trademark>MacIntosh</trademark> running OS X) and installing
-        Shorewall-lite on your firewall.</para>
+        <trademark>Cygwin</trademark> or, beginnins with Shorewall 4.4.9, an
+        <trademark>Apple</trademark> <trademark>MacIntosh</trademark> running
+        OS X) and installing Shorewall-lite on your firewall.</para>
       </footnote>. While the two compilers are highly compatible, there are
     some differences. Those differences are detailed in the following
     sections.</para>