Fix rule generated by MULTICAST=Yes

This reverts commit 966f162c87.

Samples/Universal/interfaces

@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-$FW	net	ACCEPT
-net	all	DROP

Samples/Universal/rules

@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -1,207 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
-#
-#  For information about the settings in this file, type "man shorewall.conf"
-#
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-MACLIST_LOG_LEVEL=info
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-LOG_MARTIANS=Yes
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IPTABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=On
-
-ADD_IP_ALIASES=No
-
-ADD_SNAT_ALIASES=No
-
-RETAIN_ALIASES=No
-
-TC_ENABLED=Internal
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-USE_ACTIONS=Yes
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-USE_DEFAULT_RT=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-MACLIST_DISPOSITION=REJECT
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-

Samples/one-interface/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -34,15 +34,17 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -68,8 +70,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -107,9 +107,9 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 
-IP_FORWARDING=Off
+IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -119,8 +119,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,10 +135,14 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
+BRIDGING=No
+
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -161,6 +163,8 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
+USE_ACTIONS=Yes
+
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -187,24 +191,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -34,15 +34,17 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -68,8 +70,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -119,8 +119,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,10 +135,14 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
+BRIDGING=No
+
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -161,6 +163,8 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
+USE_ACTIONS=Yes
+
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -187,24 +191,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
+#
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
+#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
+#
+# For additional information, see http://shorewall.net/Documentation.htm#Masq
+#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
+#
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
+#
+# See http://shorewall.net/Documentation.htm#Routestopped and
+# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Rules
+#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -41,15 +41,17 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -75,8 +77,6 @@ TC=
 
 IPSET=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -116,7 +116,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes
 
 ADD_SNAT_ALIASES=No
 
@@ -126,8 +126,6 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -144,10 +142,14 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=
 
 DISABLE_IPV6=No
 
+BRIDGING=No
+
 DYNAMIC_ZONES=No
 
 PKTTYPE=Yes
@@ -168,6 +170,8 @@ IMPLICIT_CONTINUE=No
 
 HIGH_ROUTE_MARKS=No
 
+USE_ACTIONS=Yes
+
 OPTIMIZE=1
 
 EXPORTPARAMS=No
@@ -194,24 +198,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/zones

@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
+#
+# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/Universal/interfaces

@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
--	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback
-

Samples6/Universal/policy

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-fw	net	ACCEPT
-net	all	DROP
-

Samples6/Universal/rules

@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -1,168 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
-#
-#  For information about the settings in this file, type "man shorewall6.conf"
-#
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall6-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IP6TABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=Off
-
-TC_ENABLED=No
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-DYNAMIC_BLACKLIST=Yes
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-

Samples6/one-interface/shorewall6.conf

@@ -32,15 +32,17 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 FASTACCEPT=No
 
@@ -141,25 +139,7 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-##############################################################################
+###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 

Samples6/three-interfaces/interfaces

@@ -12,6 +12,6 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
-dmz     eth2            detect		tcpflags,forward=1
+net     eth0            detect          tcpflags
+loc     eth1            detect          tcpflags
+dmz     eth2            detect

Samples6/three-interfaces/shorewall6.conf

@@ -32,15 +32,17 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 FASTACCEPT=No
 
@@ -141,24 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/interfaces

@@ -12,5 +12,5 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
+net     eth0            detect          tcpflags
+loc     eth1            detect          tcpflags

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -32,15 +32,17 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=/var/log/shorewall6-init.log
+STARTUP_LOG=
 
-LOG_VERBOSITY=2
+LOG_VERBOSITY=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=
 
 LOGALLNEW=
 
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,8 +99,6 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=ko
+MODULE_SUFFIX=
 
 FASTACCEPT=No
 
@@ -141,24 +139,6 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/README.txt

@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/ifupdown.sh

@@ -1,196 +0,0 @@
-#!/bin/sh
-#
-# ifupdown script for Shorewall-based products
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-Debian_SuSE_ppp() {
-    NEWPRODUCTS=
-    INTERFACE="$1"
-
-    case $0 in
-	/etc/ppp/ip-*)
-	    #
-	    # IPv4
-	    #
-	    for product in $PRODUCTS; do
-		case $product in
-		    shorewall|shorewall-lite)
-			NEWPRODUCTS="$NEWPRODUCTS $product";
-			;;
-		esac
-	    done
-	    ;;
-	/etc/ppp/ipv6-*)
-	    #
-	    # IPv6
-	    #
-	    for product in $PRODUCTS; do
-		case $product in
-		    shorewall6|shorewall6-lite)
-			NEWPRODUCTS="$NEWPRODUCTS $product";
-			;;
-		esac
-	    done
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-
-    PRODUCTS="$NEWPRODUCTS"
-
-    case $0 in
-	*up/*)
-	    COMMAND=up
-	    ;;
-	*)
-	    COMMAND=down
-	    ;;
-    esac
-}
-
-IFUPDOWN=0
-PRODUCTS=
-
-if [ -f /etc/default/shorewall-init ]; then
-    . /etc/default/shorewall-init
-elif [ -f /etc/sysconfig/shorewall-init ]; then
-    . /etc/sysconfig/shorewall-init
-fi
-
-[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
-
-if [ -f /etc/debian_version ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # Debian ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # Debian ifupdown system
-            #
-	    INTERFACE="$IFACE"
-
-	    if [ "$MODE" = start ]; then
-		COMMAND=up
-	    elif [ "$MODE" = stop ]; then
-		COMMAND=down
-	    else
-		exit 0
-	    fi
-
-	    case "$PHASE" in
-		pre-*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # SUSE ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # SuSE ifupdown system
-            #
-	    INTERFACE="$2"
-
-	    case $0 in
-		*if-up.d*)
-		    COMMAND=up
-		    ;;
-		*if-down.d*)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    case $0 in
-	/etc/ppp*)
-	    INTERFACE="$1"
-
-	    case $0 in
-		*ip-up.local)
-		    COMMAND=up
-		    ;;
-		*ip-down.local)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-	*)
-	    #
-	    # RedHat ifup/down system
-	    #
-	    INTERFACE="$1"
-    
-	    case $0 in 
-		*ifup*)
-		    COMMAND=up
-		    ;;
-		*ifdown*)
-		    COMMAND=down
-		    ;;
-		*dispatcher.d*)
-		    COMMAND="$2"
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-fi
-
-for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/$PRODUCT/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
-	    mutex_off
-	  )
-    fi
-done
-
-exit 0

Shorewall-init/init.debian.sh

@@ -1,146 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-### BEGIN INIT INFO
-# Provides:          shorewall-init
-# Required-Start:    $local_fs
-# X-Start-Before:    $network
-# Required-Stop:     $local_fs
-# X-Stop-After:      $network
-# Default-Start:     S
-# Default-Stop:      0 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time prior to
-#                    bringing up the network
-### END INIT INFO
-
-export VERBOSITY=0
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-echo_notdone () {
-  echo "not done."
-  exit 1
-}
-
-not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
-}
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
-then
-	. /etc/default/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
-	not_configured
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
-	      fi
-	      mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  reload|force-reload)
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/init.sh

@@ -1,104 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# chkconfig: - 09 91
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-start: $local_fs
-# Required-stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
-	  fi
-      fi
-  done
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
-  done
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0

Shorewall-init/install.sh

@@ -1,360 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Init
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=4.4.16.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-    shift
-    ARGS="yes"
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	T=
-	;;	
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
-	echo "Not setting file owner/group permissions, not running as root."
-	OWNERSHIP=""
-    fi
-    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Init Version $VERSION"
-
-#
-# Check for /usr/share/shorewall-init/version
-#
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
-    first_install=""
-else
-    first_install="Yes"
-fi
-
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /usr/share/shorewall-init if needed
-#
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
-
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
-
-#
-# Remove and create the symbolic link to the init script
-#
-if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
-fi
-
-if [ -n "$DEBIAN" ]; then
-    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    fi
-
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
-	fi
-
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-    fi
-else
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
-
-	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
-	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
-	    fi
-	fi
-    fi
-
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
-    fi 
-fi
-
-#
-# Install the ifupdown script
-#
-
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-
-install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
-
-if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-fi
-
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
-
-if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    
-	    update-rc.d shorewall-init defaults
-
-	    echo "Shorewall Init will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
-
-	fi
-    fi
-else
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
-	    fi
-
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	fi
-    fi
-fi
-
-if [ -f ${DESTDIR}/etc/ppp ]; then
-    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	done
-    elif [ -n "$REDHAT" ]; then
-	#
-	# Must use the dreaded ip_xxx.local file
-	#
-	for file in ip-up.local ip-down.local; do
-	    FILE=${DESTDIR}/etc/ppp/$file
-	    if [ -f $FILE ]; then
-		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
-		else
-		    echo "$FILE already exists -- ppp devices will not be handled"
-		    break
-		fi
-	    else
-		cp -fp ${DESTDIR}/usr/share/shorewall-init/ifupdown $FILE
-	    fi
-	done
-    fi
-fi
-
-#
-#  Report Success
-#
-echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init.spec

@@ -1,216 +0,0 @@
-%define name shorewall-init
-%define version 4.4.16
-%define release 1
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-    if [ -d /etc/ppp ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p /etc/ppp/$directory
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/$directory/shorewall
-	done
-    fi
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/ppp ]; then
-	if [ -f /etc/ppp/ip-up.local -o -f /etc/ppp/ip-down.local ]; then
-	    if ! grep -q Shorewall-based /etc/ppp/ip-up.local || ! grep -q Shorewall-based /etc/ppp//ip-down.local; then
-		echo "WARNING: /etc/ppp/ip-up.local and/or /etc/ppp/ip-down.local already exist; ppp devices will not be handled" >&2
-	    fi
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-up.local
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-down.local
-	fi
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    [ -f /etc/ppp/ip-up.local ]   && grep -q Shorewall-based /etc/ppp/ip-up.local   && rm -f /etc/ppp/ip-up.local
-    [ -f /etc/ppp/ip-down.local ] && grep -q Shorewall-based /etc/ppp/ip-down.local && rm -f /etc/ppp/ip-down.local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
-- Initial version
-
-
-

Shorewall-init/sysconfig

@@ -1,12 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to 
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0

Shorewall-init/uninstall.sh

@@ -1,109 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.sourceforge.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=4.4.16.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
-    VERSION=""
-fi
-
-echo "Uninstalling Shorewall Init $VERSION"
-
-INITSCRIPT=/etc/init.d/shorewall-init
-
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $INITSCRIPT)
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
-    fi
-
-    remove_file $INITSCRIPT
-fi
-
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
-
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
-
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-
-if [ -d /etc/ppp ]; then
-    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file /etc/ppp/$directory/shorewall
-    done
-
-    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
-	    remove_file /etc/ppp/$FILE
-	fi
-    done
-fi
-
-rm -rf /usr/share/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
-

Shorewall-lite/README.txt

@@ -1 +1 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
+This is the Shorewall-lite development 4.3 branch of SVN.

Shorewall-lite/default.debian

@@ -21,16 +21,4 @@ startup=0
 
 OPTIONS=""
 
-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
-#
-# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF

Shorewall-lite/fallback.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shorewall Lite and to restore the previous version of
+# the program
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to back out the installation of the version
+#       shown below. Simply run this script to revert to your prior version of
+#       Shoreline Firewall.
+
+VERSION=4.4.0.3
+
+usage() # $1 = exit status
+{
+    echo "usage: $(basename $0)"
+    exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+    if [ -d ${1}-${VERSION}.bkout ]; then
+	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+	    echo
+	    echo "$1 restored"
+	    rm -rf ${1}-${VERSION}
+	else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+	fi
+    fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+    if [ -n "$2" ]; then
+	local file
+	file=$(basename $1)
+
+	if [ -f $2/$file ]; then
+	    if mv -f $2/$file $1 ; then
+		echo
+		echo "$1 restored"
+		return
+	    fi
+
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+	if (mv -f ${1}-${VERSION}.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+}
+
+if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
+    echo "Shorewall Version $VERSION is not installed"
+    exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall-lite/init ]; then
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
+else
+    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
+
+restore_directory /etc/shorewall-lite
+restore_directory /usr/share/shorewall-lite
+restore_directory /var/lib/shorewall-lite
+
+echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
+
+

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,14 +15,17 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
+# keep logs of the firewall (not recommended)
+INITLOG=/var/log/shorewall-lite-init.log
 
-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
 export SHOREWALL_INIT_SCRIPT
+
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -41,7 +44,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
-  exit 1
 }
 
 not_configured () {
@@ -87,11 +89,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
   return 0
 }
 

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.16.1
+VERSION=4.4.0.3
 
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 
+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -128,12 +131,10 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
-INSTALLD='-D'
-T='-T'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -141,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
-	INSTALLD=
-	T=
-	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -153,14 +150,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -182,211 +179,173 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
+    first_install=""
     [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
-else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-fi
-
-#
-# Check for /sbin/shorewall-lite
-#
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
-    first_install=""
 else
     first_install="Yes"
+    rm -rf ${PREFIX}/etc/shorewall-lite
+    rm -rf ${PREFIX}/usr/share/shorewall-lite
+    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi
 
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
 
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
 
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi
 
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite
 
-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
-
-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
-fi
+chmod 755 ${PREFIX}/etc/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite
 
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
 
-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
 
 #
 # Install the Modules file
 #
-
-if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
-fi
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
 
 #
 # Install the Man Pages
 #
 
-if [ -d manpages ]; then
-    cd manpages
+cd manpages
 
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done
 
-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done
 
-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
-
-    cd ..
-
-    echo "Man Pages Installed"
-fi
-
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
-fi
+cd ..
 
+echo "Man Pages Installed"
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
     rm -f /usr/share/shorewall-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
-
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-
-	    update-rc.d shorewall-lite defaults
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
+    if [ -n "$DEBIAN" ]; then
+	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	echo "Shorewall Lite will start automatically at boot"
+	touch /var/log/shorewall-init.log
+    else
+	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if insserv /etc/init.d/shorewall-lite ; then
+		echo "Shorewall Lite will start automatically at boot"
 	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	    fi
-
-	    echo "Shorewall Lite will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
-		    echo "Shorewall Lite will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
+	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	    if chkconfig --add shorewall-lite ; then
+		echo "Shorewall Lite will start automatically in run levels as follows:"
+		chkconfig --list shorewall-lite
+	    else
+		cant_autostart
+	    fi
+	elif [ -x /sbin/rc-update ]; then
+	    if rc-update add shorewall-lite default; then
+		echo "Shorewall Lite will start automatically at boot"
+	    else
+		cant_autostart
+	    fi
+	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    cant_autostart
 	fi
     fi
 fi

Shorewall-lite/logrotate

@@ -1,5 +0,0 @@
-/var/log/shorewall-lite-init.log {
-  missingok
-  notifempty
-  create 0600 root root
-}

Shorewall-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,19 +48,18 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+PRODUCT="Shorewall Lite"
 
 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
-VERBOSITY=0
+VERBOSE=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -94,9 +94,9 @@ get_config() {
     [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
-    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
+	LOGREAD="logread | tac"
+    elif [ -f $LOGFILE ]; then
+	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,6 +113,12 @@ get_config() {
 
     [ -n "$FW" ] || FW=fw
 
+    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
+
+    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
+
+    export LOGFORMAT
+
     if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -126,6 +132,8 @@ get_config() {
 	fi
     fi
 
+    export IPTABLES
+
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -137,26 +145,15 @@ get_config() {
 
     validate_restorefile RESTOREFILE
 
+    export RESTOREFILE
+
     [ -n "${VERBOSITY:=2}" ]
 
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
 
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
+    export VERBOSE
 
-    g_hostname=$(hostname 2> /dev/null)
-
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
+    [ -n "${HOSTNAME:=$(hostname)}" ]
 
 }
 
@@ -164,28 +161,19 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
+    if [ ! -f $FIREWALL ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
+	if [ -L $FIREWALL ]; then
+	    echo "          $FIREWALL is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $g_firewall does not exist" >&2
+	    echo "          The file $FIREWALL does not exist" >&2
 	fi
 	
 	exit 2
     fi
 }
 
-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
 #
 # Start Command Executor
 #
@@ -199,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on
 
 	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
+	    ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -231,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    g_fast=Yes
+			    FAST=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -260,21 +248,36 @@ start_command() {
 	    ;;
     esac
 
-    if [ -n "$g_fast" ]; then
+    export NOROUTES
+
+    if [ -n "$FAST" ]; then
 	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
+	    #
+	    # RESTOREFILE is exported by get_config()
+	    #
+	    make -qf ${CONFDIR}/Makefile || FAST=
 	fi
 
-	if [ -n "$g_fast" ]; then
+	if [ -n "$FAST" ]; then
 
-	    g_restorepath=${VARDIR}/$RESTOREFILE
+	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
+		if [ -x ${RESTOREPATH}-ipsets ]; then
+		    echo Restoring Ipsets...
+		    #
+		    # We must purge iptables to be sure that there are no
+		    # references to ipsets
+		    #
+		    iptables -F
+		    iptables -X
+		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
+		fi
 
-	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
+		$SHOREWALL_SHELL $RESTOREPATH restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
+		progress_message3 Shorewall Lite restored from $RESTOREPATH
 	    else
 		do_it
 	    fi
@@ -310,12 +313,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -339,10 +342,12 @@ restart_command() {
 	    ;;
     esac
 
+    export NOROUTES
+
     [ -n "$nolock" ] || mutex_on
 
     if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
+	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
 	rc=$?
     else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -361,14 +366,13 @@ usage() # $1 = exit status
 {
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   clear"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -377,7 +381,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -385,71 +389,23 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
-    echo "   show filters"
+    echo "   show dynamic <zone>"
+    echo "   show filter"
     echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
+    echo "   show [ -m ] log"
+    echo "   show [ -x ] mangle|nat|raw"
+    echo "   show routing"
+    echo "   show tc"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -n ] [ -p ]"
     echo "   stop"
     echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
     echo
     exit $1
 }
 
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -467,20 +423,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
     shift
 fi
 
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=
+IPT_OPTIONS="-nv"
+FAST=
+VERBOSE_OFFSET=0
+USE_VERBOSITY=
+NOROUTES=
+EXPORT=
+export TIMESTAMP=
+noroutes=
 
 finished=0
 
@@ -499,48 +449,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			g_ipt_options="-xnv"
+			IPT_OPTIONS="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			g_fast=Yes
+			FAST=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				g_use_verbosity=-1
+				USE_VERBOSITY=-1
 				option=${option#-1}
 				;;
 			    0*)
-				g_use_verbosity=0
+				USE_VERBOSITY=0
 				option=${option#0}
 				;;
 			    1*)
-				g_use_verbosity=1
+				USE_VERBOSITY=1
 				option=${option#1}
 				;;
 			    2*)
-				g_use_verbosity=2
+				USE_VERBOSITY=2
 				option=${option#2}
 				;;
 			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
+				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
+				USE_VERBOSITY=
 				;;
 			esac
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
 		    t*)
-			g_timestamp=Yes
+			TIMESTAMP=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -565,11 +515,12 @@ if [ $# -eq 0 ]; then
 fi
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+export PATH
 MUTEX_TIMEOUT=
 
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+export PRODUCT="Shorewall Lite"
 
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
 
@@ -577,10 +528,17 @@ g_product="Shorewall Lite"
 
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
 
-version_file=$SHAREDIR/version
+LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
+VERSION_FILE=$SHAREDIR/version
+HELP=$SHAREDIR/help
 
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
+for library in $LIBRARIES; do
+    if [ -f $library ]; then
+	. $library
+    else
+	echo "Installation error: $library does not exist!" >&2
+	exit 2
+    fi
 done
 
 ensure_config_path
@@ -600,6 +558,7 @@ else
 fi
 
 ensure_config_path
+export CONFIG_PATH
 
 LITEDIR=${VARDIR}
 
@@ -607,17 +566,17 @@ LITEDIR=${VARDIR}
 
 get_config
 
-g_firewall=$LITEDIR/firewall
+FIREWALL=$LITEDIR/firewall
 
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
+if [ -f $VERSION_FILE ]; then
+    version=$(cat $VERSION_FILE)
 else
     echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
+    echo "          The file $VERSION_FILE does not exist" >&2
     exit 1
 fi
 
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
+banner="Shorewall Lite $version Status at $HOSTNAME -"
 
 case $(echo -e) in
     -e*)
@@ -646,12 +605,15 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|reset|clear)
+    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	export NOROUTES
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+	;;
+    reset)
+	verify_firewall_script
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
 	;;
     restart)
 	shift
@@ -664,7 +626,7 @@ case "$COMMAND" in
     status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -677,7 +639,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -698,8 +660,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	shift
-	version_command $@
+	echo $version Lite
 	;;
     logwatch)
 	logwatch_command $@
@@ -768,7 +729,7 @@ case "$COMMAND" in
 	    ;;
 	esac
 
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 
 	[ "$nolock" ] || mutex_on
 
@@ -790,15 +751,20 @@ case "$COMMAND" in
 	esac
 
 
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 
-	if [ -x $g_restorepath ]; then
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
+	if [ -x $RESTOREPATH ]; then
+
+	    if [ -x ${RESTOREPATH}-ipsets ]; then
+		rm -f ${RESTOREPATH}-ipsets
+		echo "    ${RESTOREPATH}-ipsets removed"
+	    fi
+
+	    rm -f $RESTOREPATH
+	    rm -f ${RESTOREPATH}-iptables
+	    echo "    $RESTOREPATH removed"
+	elif [ -f $RESTOREPATH ]; then
+	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;

Shorewall-lite/shorewall-lite.conf

@@ -4,11 +4,12 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  For information about the settings in this file, type
-#  "man shorewall-lite.conf"
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall-lite
+#
+#  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
@@ -21,7 +22,6 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
-
 VERBOSITY=
 
 ###############################################################################
@@ -30,6 +30,8 @@ VERBOSITY=
 
 LOGFILE=
 
+LOGFORMAT=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.16
-%define release 1
+%define version 4.4.0
+%define release 3
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build
 
 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -80,8 +79,6 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -89,7 +86,6 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
@@ -102,160 +98,12 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Fri Jan 14 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
+* Sat Aug 29 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-3
+* Fri Aug 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-2
+* Thu Aug 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.16.1
+VERSION=4.4.0.3
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
     FIREWALL=/etc/init.d/shorewall-lite
 fi
@@ -106,7 +106,6 @@ rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall-lite
 
 echo "Shorewall Uninstalled"
 

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
@@ -224,7 +224,7 @@ while : ; do
 	# One of the interfaces changed state -- restart Shorewall
 	#
 	echo $if1_state > $VARDIR/${IF1}.status
-	echo $if2_state > $VARDIR/${IF2}.status
+	echo $if2_state > $VARDIR/${IF2}.status 
 	eval $COMMAND
 	state_changed=
     fi

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -32,7 +32,7 @@
 ### BEGIN INIT INFO
 # Provides:	  swping
 # Required-Start: shorewall
-# Should-Start:
+# Should-Start: 
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
@@ -87,7 +87,7 @@ case "$command" in
 	    echo "swping is running"
 	    exit 0
 	else
-	    echo "swping is stopped"
+	    echo "swping is stopped" 
 	    exit 3
 	fi
 	;;

Shorewall/Macros/macro.BGP

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#	This macro handles BGP4 traffic.
+#       This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	tcp	179	# BGP4
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     179     				# BGP4

Shorewall/Macros/macro.BitTorrent

@@ -5,7 +5,7 @@
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	If you are running BitTorrent 3.2 or later, you should use the
+#	If you are running BitTorrent 3.2 or later, you should use the 
 #	BitTorrent32 macro.
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/

Shorewall/Macros/macro.Citrix

@@ -3,12 +3,11 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
-#	ICA Session Reliability)
+# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	tcp	1494	# ICA
-PARAM	-	-	udp	1604	# ICA Browser
-PARAM	-	-	tcp	2598	# CGP Session Reliabilty
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     1494 				   # ICA
+PARAM   -       -       udp     1604    			   # ICA Browser
+PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty

Shorewall/Macros/macro.DHCPfwd

@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - DHCPfwd Macro
-#
-# /usr/share/shorewall/macro.DHCPfwd
-#
-#	This macro (bidirectional) handles forwarded DHCP traffic
-#
-###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	udp	67:68	67:68	# DHCP
-PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.HKP

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - HKP Macro
-#
-# /usr/share/shorewall/macro.HKP
-#
-#	This macro handles OpenPGP HTTP keyserver protocol traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	11371

Shorewall/Macros/macro.ICPV2

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - ICPV2 Macro
-#
-# /usr/share/shorewall/macro.ICPV2
-#
-#	This macro handles Internet Cache Protocol V2 (Squid) traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	3130

Shorewall/Macros/macro.IPPserver

@@ -15,7 +15,7 @@
 #	Example for a two-interface firewall which acts as a print
 #	server for loc:
 #		IPPserver/ACCEPT loc $FW
-#
+#	
 #	NOTE: If you want both to serve requests for local printers and
 #	listen to requests for remote printers (i.e. your CUPS server is
 #	also a client), you need to apply the rule twice, e.g.

Shorewall/Macros/macro.JAP

@@ -13,5 +13,5 @@
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
-SSH(PARAM)
+HTTPS/PARAM
+SSH/PARAM

Shorewall/Macros/macro.Munin

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Munin Macro
-#
-# /usr/share/shorewall/macro.Munin
-#
-#	This macro handles Munin networked resource monitoring traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	4949

Shorewall/Macros/macro.OSPF

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#	This macro handles OSPF multicast traffic
+#       This macro handles OSPF multicast traffic
 #
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	89	# OSPF
+#######################################################################################################
+#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
+#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
+PARAM           -               -       89      -                                                       # OSPF

Shorewall/Macros/macro.Razor

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-#	This macro handles traffic for the Razor Antispam System
+# This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/

Shorewall/Macros/macro.Squid

@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Squid Macro
-#
-# /usr/share/shorewall/macro.Squid
-#
-#	This macro handles Squid web proxy traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	3128

Shorewall/Macros/macro.mDNS

@@ -1,15 +1,12 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.mDNS
+# /usr/share/shorewall/macro.DNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
-PARAM	-	-			udp	32768:	5353
-PARAM	-	224.0.0.251		2
-PARAM	DEST	SOURCE:224.0.0.251	udp	5353
-PARAM	DEST	SOURCE:224.0.0.251	2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	5353
+PARAM	DEST	SOURCE	udp	5353

Shorewall/Macros/macro.template

@@ -15,7 +15,295 @@
 #	- All entries in a macro undergo substitution when the macro is
 #	  invoked in the rules file.
 #
-# Columns are the same as in /etc/shorewall/rules.
+#	- Macros used in action bodies may not invoke other macros.
+#
+# The columns in the file are the same as those in the action.template file but
+# have different restrictions:
+#
+# Columns are:
+#
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+#			LOG, QUEUE, PARAM or an <action> name.
+#
+#				ACCEPT	 -- allow the connection request
+#				ACCEPT+	 -- like ACCEPT but also excludes the
+#					    connection from any subsequent
+#					    DNAT[-] or REDIRECT[-] rules
+#				NONAT	 -- Excludes the connection from any
+#					    subsequent DNAT[-] or REDIRECT[-]
+#					    rules but doesn't generate a rule
+#					    to accept the traffic.
+#				DROP	 -- ignore the request
+#				REJECT	 -- disallow the request and return an
+#					    icmp-unreachable or an RST packet.
+#				DNAT	 -- Forward the request to another
+#					    system (and optionally another
+#					    port).
+#				DNAT-	 -- Advanced users only.
+#					    Like DNAT but only generates the
+#					    DNAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				SAME	 -- Similar to DNAT except that the
+#					    port may not be remapped and when
+#					    multiple server addresses are
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-	 -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				REDIRECT -- Redirect the request to a local
+#					    port on the firewall.
+#				REDIRECT-
+#					 -- Advanced users only.
+#					    Like REDIRET but only generates the
+#					    REDIRECT iptables rule and not
+#					    the companion ACCEPT rule.
+#
+#				CONTINUE -- (For experts only). Do not process
+#					    any of the following rules for this
+#					    (source zone,destination zone). If
+#					    The source and/or destination IP
+#					    address falls into a zone defined
+#					    later in /etc/shorewall/zones, this
+#					    connection request will be passed
+#					    to the rules defined for that
+#					    (those) zone(s).
+#				LOG	 -- Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
+#					    application such as ftwall
+#					    (http://p2pwall.sf.net).
+#				PARAM	 -- If you code PARAM as the action in
+#					    a macro then when you invoke the
+#					    macro, you can include the name of
+#					    the macro followed by a slash ("/")
+#					    and an ACTION (either builtin or
+#					    user-defined. All instances of
+#					    PARAM in the body of the macro will
+#					    be replaced with the ACTION.
+#				<action> -- The name of an action defined in
+#					    /usr/share/shorewall/actions.std or
+#					    in /etc/shorewall/actions.
+#
+#			The ACTION may optionally be followed
+#			by ":" and a syslog log level (e.g, REJECT:info or
+#			DNAT:debug). This causes the packet to be
+#			logged at the specified level.
+#
+#			You may also specify ULOG (must be in upper case) as a
+#			log level.This will log to the ULOG target for routing
+#			to a separate log through use of ulogd
+#			(http://www.gnumonks.org/projects/ulogd).
+#
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
+#	SOURCE		Source hosts to which the rule applies. May be a zone
+#			defined in /etc/shorewall/zones, $FW to indicate the
+#			firewall itself, "all", "all+" or "none" If the ACTION
+#			is DNAT	or REDIRECT, sub-zones of the specified zone
+#			may be excluded from the rule by following the zone
+#			name with "!' and a comma-separated list of sub-zone
+#			names.
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, clients may be
+#			further restricted to a list of subnets and/or hosts by
+#			appending ":" and a comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
+#
+#			Hosts may be specified as an IP address range using the
+#			syntax <low address>-<high address>. This requires that
+#			your kernel and iptables contain iprange match support.
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of source bindings to be
+#			matched.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			loc:192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2 in the local zone.
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
+#						MAC address 00:A0:C9:15:39:78.
+#
+#			net:192.0.2.11-192.0.2.17
+#						Hosts 192.0.2.11-192.0.2.17 in
+#						the net zone.
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" to the zone name followed by the
+#			interface name. For example, loc:eth1 specifies a
+#			client that communicates with the firewall system
+#			through eth1. This may be optionally followed by
+#			another colon (":") and an IP/MAC/subnet address
+#			as described above (e.g., loc:eth1:192.168.1.5).
+#
+#	DEST		Location of Server. May be a zone defined in
+#			/etc/shorewall/zones, $FW to indicate the firewall
+#			itself, "all". "all+" or "none".
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, the server may be
+#			further restricted to a particular subnet, host or
+#			interface by appending ":" and the subnet, host or
+#			interface. See above.
+#
+#				Restrictions:
+#
+#				1. MAC addresses are not allowed.
+#				2. In DNAT rules, only IP addresses are
+#				   allowed; no FQDNs or subnet addresses
+#				   are permitted.
+#				3. You may not specify both an interface and
+#				   an address.
+#
+#			Like in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to addresses in the
+#			range in a round-robin fashion.
+#
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of destination bindings
+#			to be matched. Only one of the SOURCE and DEST columns
+#			may specify an ipset name.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port. A destination port may only be
+#			included if the ACTION is DNAT or REDIRECT.
+#
+#			Example: loc:192.168.1.3:3128 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			3128. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#			if the ACTION is REDIRECT, this column needs only to
+#			contain the port number on the firewall that the
+#			request should be redirected to.
+#
+#	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
+#			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
+#
+#			"tcp:syn" implies "tcp" plus the SYN flag must be
+#			set and the RST,ACK and FIN flags must be reset.
+#
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
+#			names (from /etc/services), port numbers or port
+#			ranges; if the protocol is "icmp", this column is
+#			interpreted as the destination icmp-type(s).
+#
+#			If the protocol is ipp2p*, this column is interpreted
+#			as an ipp2p option without the leading "--" (example
+#			"bit" for bit-torrent). If no port is given, "ipp2p" is
+#			assumed.
+#
+#			A port range is expressed as <low port>:<high port>.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following ields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ORIGINAL DEST in the next column, then
+#			place "-" in this column.
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#       ORIGINAL        Original destination IP address. Must be omitted (
+#       DEST            or '-') if the macro is to be used from within
+#                       an action. See 'man shorewall-rules'.
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this colume:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			where <rate> is the number of connections per
+#			<interval> ("sec" or "min") and <burst> is the
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
+#
+#				Example: 10/sec:20
+#
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
+#			the firewall itself.
+#
+#			The column may contain:
+#
+#	[!][<user name or number>][:<group name or number>][+<program name>]
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
+#
+#			Examples:
+#
+#				joe	#program must be run by joe
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named upnpd (This feature was
+#					#removed from Netfilter in kernel
+#					#version 2.6.14).
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -74,6 +362,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#######################################################################################################
+#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	ORIGINAL
+#						PORT(S)	PORT(S)	DEST		LIMIT	GROUP   DEST

Shorewall/Makefile

@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 
-clean:
-	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-.PHONY: clean
-
 # EOF

Shorewall/Makefile-lite

@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-#
+# 
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#
+#  
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities:
+capabilities: 
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean:
+clean: 
 	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/.includepath

@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-

Shorewall/Perl/.project

@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>Shorewall</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.epic.perleditor.perlbuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.epic.perleditor.perlnature</nature>
-	</natures>
-</projectDescription>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,16 +35,27 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.14';
+our $VERSION = '4.3_7';
 
 #
-# Called by the compiler to [re-]initialize this module's state
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
 #
+
 sub initialize() {
     our $jumpchainref;
     $jumpchainref = undef;
 }
 
+INIT {
+    initialize;
+}
+
 #
 # Accounting
 #
@@ -52,7 +63,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,16 +72,6 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
-    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
-    }
-
-    sub ipsec_chain_name($) {
-	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
-	    $1;
-	}
-    }
-
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -82,11 +83,10 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	$jumpchain;
+	"-j $jumpchain";
     }
 
     my $target = '';
@@ -95,24 +95,21 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
     my $rule2 = 0;
-    my $jump  = 0;
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = 'RETURN';
+	    $target = '-j RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2 = 1;
-		} elsif ( $cmd eq 'JUMP' ) {
-		    $jump = 1;
-		} else {
+		    $rule2=1;
+		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
-	    }
+	    } 
 
 	    $target = jump_to_chain $action;
 	}
@@ -151,31 +148,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = $filter_table->{$chain};
-    my $dir;
-
-    if ( ! $chainref ) {
-	$chainref = ensure_accounting_chain $chain, 0;
-	$dir      = ipsec_chain_name( $chain );
-
-	if ( $ipsec ne '-' ) {
-	    if ( $dir ) {
-		$rule .= do_ipsec( $dir, $ipsec );
-		$chainref->{ipsec} = $dir;
-	    } else {
-		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-	    }
-	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
-	    $chainref->{ipsec} = $dir;
-	}
-    } elsif ( $ipsec ne '-' ) {
-	$dir = $chainref->{ipsec};
-	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	$rule .= do_ipsec( $dir , $ipsec );
-    }
-
-    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
+    my $chainref = ensure_accounting_chain $chain;
 
     expand_rule
 	$chainref ,
@@ -189,22 +162,6 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
-    if ( $rule2 || $jump ) {
-	if ( $chainref->{ipsec} ) {
-	    if ( $jumpchainref->{ipsec} ) {
-		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
-	    } else {
-		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
-		$jumpchainref->{ipsec} = $chainref->{ipsec};
-	    }
-	} elsif ( $jumpchainref->{ipsec} ) {
-	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
-	} else {
-	    $jumpchainref->{ipsec} = $chainref->{ipsec};
-	}
-
-    }
-
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -224,46 +181,33 @@ sub process_accounting_rule( ) {
 
 sub setup_accounting() {
 
-    if ( my $fn = open_file 'accounting' ) {
+    my $fn = open_file 'accounting';
 
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
 
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
 
-	$nonEmpty |= process_accounting_rule while read_a_line;
+    $nonEmpty |= process_accounting_rule while read_a_line;
 
-	clear_comment;
+    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
 
-	if ( have_bridges ) {
-	    if ( $filter_table->{accounting} ) {
-		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-		}
-	    }
+    clear_comment;
 
-	    if ( $filter_table->{accountout} ) {
-		add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
-	    }
-	} elsif ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
-	    }
-	}
-
-	if ( $filter_table->{accipsecin} ) {
+    if ( have_bridges ) {
+	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 	    }
 	}
 
-	if ( $filter_table->{accipsecout} ) {
-	    for my $chain ( qw/FORWARD OUTPUT/ ) {
-		add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
-	    }
+	if ( $filter_table->{accountout} ) {
+	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
 	}
-
-	for ( accounting_chainrefs ) {
-	    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    } else {
+	if ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+	    }
 	}
     }
 }

Shorewall/Perl/Shorewall/Actions.pm

@@ -0,0 +1,900 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Actions.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   This module contains the code for dealing with actions (built-in,
+#   standard and user-defined) and Macros.
+#
+package Shorewall::Actions;
+require Exporter;
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::Chains qw(:DEFAULT :internal);
+
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( merge_levels
+		  isolate_basic_target
+		  get_target_param
+		  add_requiredby
+		  createactionchain
+		  find_logactionchain
+		  process_actions1
+		  process_actions2
+		  process_actions3
+
+		  find_macro
+		  split_action
+		  substitute_param
+		  merge_macro_source_dest
+		  merge_macro_column
+
+		  %usedactions
+		  %default_actions
+		  %actions
+
+		  %macros
+		  $macro_commands
+		  );
+our @EXPORT_OK = qw( initialize );
+our $VERSION = '4.3_7';
+
+#
+#  Used Actions. Each action that is actually used has an entry with value 1.
+#
+our %usedactions;
+#
+# Default actions for each policy.
+#
+our %default_actions;
+
+#  Action Table
+#
+#     %actions{ <action1> =>  { requires => { <requisite1> = 1,
+#                                             <requisite2> = 1,
+#                                             ...
+#                                           } ,
+#                               actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
+#
+our %actions;
+#
+# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
+#
+our %logactionchains;
+
+our %macros;
+
+our $family;
+
+#
+# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
+#
+our $macro_commands = { COMMENT => 0, FORMAT => 2 };
+
+#
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function or when compiling
+#                       for IPv6.
+#
+
+sub initialize( $ ) {
+
+    $family          = shift;
+    %usedactions     = ();
+    %default_actions = ( DROP     => 'none' ,
+			 REJECT   => 'none' ,
+			 ACCEPT   => 'none' ,
+			 QUEUE    => 'none' );
+    %actions         = ();
+    %logactionchains = ();
+    %macros          = ();
+}
+
+INIT {
+    initialize( F_IPV4 );
+}
+
+#
+# This function determines the logging for a subordinate action or a rule within a superior action
+#
+sub merge_levels ($$) {
+    my ( $superior, $subordinate ) = @_;
+
+    my @supparts = split /:/, $superior;
+    my @subparts = split /:/, $subordinate;
+
+    my $subparts = @subparts;
+
+    my $target   = $subparts[0];
+
+    push @subparts, '' while @subparts < 3;   #Avoid undefined values
+
+    my $level = $supparts[1];
+    my $tag   = $supparts[2];
+
+    if ( @supparts == 3 ) {
+	return "$target:none!:$tag"   if $level eq 'none!';
+	return "$target:$level:$tag"  if $level =~ /!$/;
+	return $subordinate           if $subparts >= 2;
+	return "$target:$level:$tag";
+    }
+
+    if ( @supparts == 2 ) {
+	return "$target:none!"        if $level eq 'none!';
+	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
+    }
+
+    $subordinate;
+}
+
+#
+# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
+# If the file exists, the macro is entered into the 'targets' table and the fully-qualified
+# name of the file is stored in the 'macro' table.
+#
+sub find_macro( $ )
+{
+    my $macro = $_[0];
+    my $macrofile = find_file "macro.$macro";
+
+    if ( -f $macrofile ) {
+	$macros{$macro} = $macrofile;
+	$targets{$macro} = MACRO;
+    } else {
+	0;
+    }
+}
+
+#
+# Return ( action, level[:tag] ) from passed full action
+#
+sub split_action ( $ ) {
+    my $action = $_[0];
+    my @a = split( /:/ , $action, 4 );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
+    ( shift @a, join ":", @a );
+}
+
+#
+# This function substitutes the second argument for the first part of the first argument up to the first colon (":")
+#
+# Example:
+#
+#         substitute_param DNAT PARAM:info:FTP
+#
+#         produces "DNAT:info:FTP"
+#
+sub substitute_param( $$ ) {
+    my ( $param, $action ) = @_;
+
+    if ( $action =~ /:/ ) {
+	my $logpart = (split_action $action)[1];
+	$logpart =~ s!/$!!;
+	return "$param:$logpart";
+    }
+
+    $param;
+}
+
+#
+# Combine fields from a macro body with one from the macro invocation
+#
+sub merge_macro_source_dest( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( $invocation ) {
+	if ( $body ) {
+	    return $body if $invocation eq '-';
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$invocation:$body";
+	}
+
+	return $invocation;
+    }
+
+    $body || '';
+}
+
+sub merge_macro_column( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
+	$invocation;
+    } else {
+	$body;
+    }
+}
+
+#
+# Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
+#
+sub isolate_basic_target( $ ) {
+    my $target = ( split '[/:]', $_[0])[0]; 
+
+    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
+}
+
+#
+# Split the passed target into the basic target and parameter
+#
+sub get_target_param( $ ) {
+    my ( $target, $param ) = split '/', $_[0];
+
+    unless ( defined $param ) {
+	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
+    }
+
+    ( $target, $param );
+}
+
+#
+# Define an Action
+#
+sub new_action( $ ) {
+
+    my $action = $_[0];
+
+    $actions{$action} = { actchain => '', requires => {} };
+}
+
+#
+# Record a 'requires' relationship between a pair of actions.
+#
+sub add_requiredby ( $$ ) {
+    my ($requiredby , $requires ) = @_;
+    $actions{$requires}{requires}{$requiredby} = 1;
+}
+
+#
+# Create and record a log action chain -- Log action chains have names
+# that are formed from the action name by prepending a "%" and appending
+# a 1- or 2-digit sequence number. In the functions that follow,
+# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# exit. We call the exit corresponding to the name of the action but we
+# set CHAIN to the name of the iptables chain where rules are to be added.
+# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+#
+# The maximum length of a chain name is 30 characters -- since the log
+# action chain name is 2-3 characters longer than the base chain name,
+# this function truncates the original chain name where necessary before
+# it adds the leading "%" and trailing sequence number.
+#
+sub createlogactionchain( $$ ) {
+    my ( $action, $level ) = @_;
+    my $chain = $action;
+    my $actionref = $actions{$action};
+    my $chainref;
+
+    my ($lev, $tag) = split ':', $level;
+
+    validate_level $lev;
+
+    $actionref = new_action $action unless $actionref;
+
+    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
+
+  CHECKDUP:
+    {
+	$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
+	$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
+    }
+
+    $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
+
+    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
+
+    unless ( $targets{$action} & STANDARD ) {
+
+	my $file = find_file $chain;
+
+	if ( -f $file ) {
+	    progress_message "Processing $file...";
+
+	    ( $level, my $tag ) = split /:/, $level;
+
+	    $tag = $tag || '';
+
+	    unless ( my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+		fatal_error "Couldn't do $file: $!"    unless defined $return;
+		fatal_error "Couldn't run $file"       unless $return;
+	    }
+	}
+    }
+}
+
+sub createsimpleactionchain( $ ) {
+    my $action  = shift;
+    my $chainref = new_standard_chain $action;
+
+    $logactionchains{"$action:none"} = $chainref;
+
+    unless ( $targets{$action} & STANDARD ) {
+
+	my $file = find_file $action;
+
+	if ( -f $file ) {
+	    progress_message "Processing $file...";
+
+	    my ( $level, $tag ) = ( '', '' );
+
+	    unless ( my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+		fatal_error "Couldn't do $file: $!"    unless defined $return;
+		fatal_error "Couldn't run $file"       unless $return;
+	    }
+	}
+    }
+}
+
+#
+# Create an action chain and run it's associated user exit
+#
+sub createactionchain( $ ) {
+    my ( $action , $level ) = split_action $_[0];
+
+    my $chainref;
+
+    if ( defined $level && $level ne '' ) {
+	if ( $level eq 'none' ) {
+	    createsimpleactionchain $action;
+	} else {
+	    createlogactionchain $action , $level;
+	}
+    } else {
+	createsimpleactionchain $action;
+    }
+}
+
+#
+# Find the chain that handles the passed action. If the chain cannot be found,
+# a fatal error is generated and the function does not return.
+#
+sub find_logactionchain( $ ) {
+    my $fullaction = $_[0];
+    my ( $action, $level ) = split_action $fullaction;
+
+    $level = 'none' unless $level;
+
+    fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
+}
+
+#
+# Scans a macro file invoked from an action file ensuring that all targets mentioned in the file are known and that none are actions.
+#
+sub process_macro1 ( $$ ) {
+    my ( $action, $macrofile ) = @_;
+
+    progress_message "   ..Expanding Macro $macrofile...";
+
+    push_open( $macrofile );
+
+    while ( read_a_line ) {
+	my ( $mtarget, $msource,  $mdest,  $mproto,  $mports,  $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+
+	next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
+
+	$mtarget =~ s/:.*$//;
+
+	$mtarget = (split '/' , $mtarget)[0];
+
+	my $targettype = $targets{$mtarget};
+
+	$targettype = 0 unless defined $targettype;
+
+	fatal_error "Invalid target ($mtarget)"
+	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
+    }
+
+    progress_message "   ..End Macro $macrofile";
+
+    pop_open;
+}
+
+#
+# The functions process_actions1-3() implement the three phases of action processing.
+#
+# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
+# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+#
+#      a) The related action definition file is located and scanned.
+#      b) Forward and unresolved action references are trapped as errors.
+#      c) A dependency graph is created using the 'requires' field in the 'actions' table.
+#
+# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
+# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
+# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
+# length of the chain name does not exceed 30 characters.
+#
+# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
+# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
+#
+# The final phase (process_actions3) traverses the keys of %usedactions populating each chain appropriately
+# by reading the related action definition file and creating rules. Note that a given action definition file is
+# processed once for each unique [:level[:tag]] applied to an invocation of the action.
+#
+
+sub process_action1 ( $$ ) {
+    my ( $action, $wholetarget ) = @_;
+
+    my ( $target, $level ) = split_action $wholetarget;
+
+    $level = 'none' unless $level;
+
+    my $targettype = $targets{$target};
+
+    if ( defined $targettype ) {
+	return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE |  NFQ | CHAIN ) );
+
+	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
+
+	fatal_error "An action may not invoke itself" if $target eq $action;
+
+	add_requiredby $wholetarget, $action if $targettype & ACTION;
+    } elsif ( $target eq 'COMMENT' ) {
+	fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
+    } else {
+	( $target, my $param ) = get_target_param $target;
+
+	return if $target eq 'NFQUEUE';
+
+	if ( defined $param ) {
+	    my $paramtype = $targets{$param} || 0;
+
+	    fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
+	}
+
+	fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
+
+	if ( find_macro $target ) {
+	    process_macro1( $action, $macros{$target} );
+	} else {
+	    fatal_error "Invalid TARGET ($target)";
+	}
+    }
+}
+
+sub process_actions1() {
+
+    progress_message2 "Preprocessing Action Files...";
+
+    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
+	new_action $act;
+    }
+
+    for my $file ( qw/actions.std actions/ ) {
+	open_file $file;
+
+	while ( read_a_line ) {
+	    my ( $action ) = split_line 1, 1, 'action file';
+
+	    if ( $action =~ /:/ ) {
+		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
+		$action =~ s/:.*$//;
+	    }
+
+	    next unless $action;
+
+	    if ( $targets{$action} ) {
+		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
+		next;
+	    }
+
+	    $targets{$action} = ACTION;
+
+	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
+
+	    new_action $action;
+
+	    my $actionfile = find_file "action.$action";
+
+	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+	    progress_message2 "   Pre-processing $actionfile...";
+
+	    push_open( $actionfile );
+
+	    while ( read_a_line ) {
+
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+
+		process_action1( $action, $wholetarget );
+
+	    }
+
+	    pop_open;
+	}
+    }
+}
+
+sub process_actions2 () {
+    progress_message2 'Generating Transitive Closure of Used-action List...';
+
+    my $changed = 1;
+
+    while ( $changed ) {
+	$changed = 0;
+	for my $target (keys %usedactions) {
+	    my ($action, $level) = split_action $target;
+	    my $actionref = $actions{$action};
+	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    for my $action1 ( keys %{$actionref->{requires}} ) {
+		my $action2 = merge_levels $target, $action1;
+		unless ( $usedactions{ $action2 } ) {
+		    $usedactions{ $action2 } = 1;
+		    createactionchain $action2;
+		    $changed = 1;
+		}
+	    }
+	}
+    }
+}
+
+#
+# This function is called to process each rule generated from an action file.
+#
+sub process_action( $$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+
+    my ( $action , $level ) = split_action $target;
+
+    if ( $action eq 'REJECT' ) {
+	$action = 'reject';
+    } elsif ( $action eq 'CONTINUE' ) {
+	$action = 'RETURN';
+    } elsif ( $action =~ /^NFQUEUE/ ) {
+	( $action, my $param ) = get_target_param $action;
+	$param = 1 unless defined $param;
+	$action = "NFQUEUE --queue-num $param";
+    } elsif ( $action eq 'COUNT' ) {
+	$action = '';
+    }
+
+    expand_rule ( $chainref ,
+		  NO_RESTRICT ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  $source ,
+		  $dest ,
+		  '', #Original Dest
+		  $action ? "-j $action" : '',
+		  $level ,
+		  $action ,
+		  '' );
+}
+
+#
+# Expand Macro in action files.
+#
+sub process_macro3( $$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+
+    my $nocomment = no_comment;
+
+    my $format = 1;
+
+    macro_comment $macro;
+
+    my $fn = $macros{$macro};
+
+    progress_message "..Expanding Macro $fn...";
+
+    push_open $fn;
+
+    while ( read_a_line ) {
+
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+
+	if ( $format == 1 ) {
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	} else {
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	}
+
+	if ( $mtarget eq 'COMMENT' ) {
+	    process_comment unless $nocomment;
+	    next;
+	}
+
+	if ( $mtarget eq 'FORMAT' ) {
+	    fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
+	    $format = $msource;
+	    next;
+	}
+
+	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
+
+	if ( $mtarget =~ /^PARAM:?/ ) {
+	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
+	    $mtarget = substitute_param $param,  $mtarget;
+	}
+
+	fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
+
+	if ( $msource ) {
+	    if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
+		$msource = $source || '';
+	    } elsif ( $msource eq 'DEST' ) {
+		$msource = $dest || '';
+	    } else {
+		$msource = merge_macro_source_dest $msource, $source;
+	    }
+	} else {
+	    $msource = '';
+	}
+
+	$msource = '' if $msource eq '-';
+
+	if ( $mdest ) {
+	    if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
+		$mdest = $dest || '';
+	    } elsif ( $mdest eq 'SOURCE' ) {
+		$mdest = $source || '';
+	    } else {
+		$mdest = merge_macro_source_dest $mdest, $dest;
+	    }
+	} else {
+	    $mdest = '';
+	}
+
+	$mdest   = '' if $mdest eq '-';
+
+	$mproto  = merge_macro_column $mproto,  $proto;
+	$mports  = merge_macro_column $mports,  $ports;
+	$msports = merge_macro_column $msports, $sports;
+	$mrate   = merge_macro_column $mrate,   $rate;
+	$muser   = merge_macro_column $muser,   $user;
+
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+    }
+
+    pop_open;
+
+    progress_message '..End Macro';
+
+    clear_comment unless $nocomment;
+}
+
+#
+# Generate chain for non-builtin action invocation
+#
+sub process_action3( $$$$$ ) {
+    my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
+    my $actionfile = find_file "action.$action";
+
+    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+    progress_message2 "Processing $actionfile for chain $chainref->{name}...";
+
+    open_file $actionfile;
+
+    while ( read_a_line ) {
+
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+
+	if ( $target eq 'COMMENT' ) {
+	    process_comment;
+	    next;
+	}
+
+	my $target2 = merge_levels $wholeaction, $target;
+
+	my ( $action2 , $level2 ) = split_action $target2;
+
+	( $action2 , my $param ) = get_target_param $action2;
+
+	my $action2type = $targets{$action2} || 0; 
+
+	unless ( $action2type == STANDARD ) {
+	    if ( $action2type & ACTION ) {
+		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
+	    } else {
+		assert( $action2type & ( MACRO | LOGRULE | NFQ | CHAIN ) );
+	    }
+	}
+
+	if ( $action2type == MACRO ) {
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	} else {
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	}
+    }
+
+    clear_comment;
+}
+
+#
+# The following small functions generate rules for the builtin actions of the same name
+#
+sub dropBcast( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $capabilities{ADDRTYPE} ) {
+	if ( $level ne '' ) {
+	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	}
+
+	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
+	add_rule $chainref, '-d $address -j DROP';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    }
+
+
+    if ( $family == F_IPV4 ) {
+	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
+    } else {
+	add_rule $chainref, '-d ff00::/10 -j DROP';
+    }
+}
+
+sub allowBcast( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
+	if ( $level ne '' ) {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	}
+
+	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
+	add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
+	add_rule $chainref, '-d $address -j ACCEPT';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+
+	if ( $family == F_IPV4 ) {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
+	} else {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
+	}
+    }
+}
+
+sub dropNotSyn ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    add_rule $chainref , '-p tcp ! --syn -j DROP';
+}
+
+sub rejNotSyn ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+}
+
+sub dropInvalid ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
+    add_rule $chainref , '-m state --state INVALID -j DROP';
+}
+
+sub allowInvalid ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
+    add_rule $chainref , '-m state --state INVALID -j ACCEPT';
+}
+
+sub forwardUPnP ( $$$ ) {
+}
+
+sub allowinUPnP ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+    }
+
+    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+}
+
+sub Limit( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    my @tag = split /,/, $tag;
+
+    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
+
+    my $set   = $tag[0];
+
+    for ( @tag[1,2] ) {
+	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+    }
+
+    my $count = $tag[1] + 1;
+
+    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+    add_rule $chainref, "-m recent --name $set --set";
+
+    if ( $level ne '' ) {
+	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
+	add_rule $xchainref, '-j DROP';
+	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+    } else {
+	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
+    }
+
+    add_rule $chainref, '-j ACCEPT';
+}
+
+sub process_actions3 () {
+    my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		       'allowBcast'     => \&allowBcast,
+		       'dropNotSyn'     => \&dropNotSyn,
+		       'rejNotSyn'      => \&rejNotSyn,
+		       'dropInvalid'    => \&dropInvalid, 
+		       'allowInvalid'   => \&allowInvalid,
+		       'allowinUPnP'    => \&allowinUPnP, 
+		       'forwardUPnP'    => \&forwardUPnP, 
+		       'Limit'          => \&Limit, );
+
+    for my $wholeaction ( keys %usedactions ) {
+	my $chainref = find_logactionchain $wholeaction;
+	my ( $action, $level, $tag ) = split /:/, $wholeaction;
+
+	$level = '' unless defined $level;
+	$tag   = '' unless defined $tag;
+
+	if ( $targets{$action} & BUILTIN ) {
+	    $level = '' if $level =~ /none!?/;
+	    $builtinops{$action}->($chainref, $level, $tag);
+	} else {
+	    process_action3 $chainref, $wholeaction, $action, $level, $tag;
+	}
+    }
+}
+
+1;

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -32,29 +32,31 @@ use Shorewall::Nat;
 use Shorewall::Providers;
 use Shorewall::Tc;
 use Shorewall::Tunnels;
+use Shorewall::Actions;
 use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
 use Shorewall::IPAddrs;
 use Shorewall::Raw;
-use Shorewall::Misc;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler );
+our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_16';
+our $VERSION = '4.4_0';
 
 our $export;
 
 our $test;
 
-our $family;
+our $reused = 0;
+
+our $family = F_IPV4;
 
 #
-# Initilize the package-globals in the other modules
+# Reinitilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub reinitialize() {
     Shorewall::Config::initialize($family);
     Shorewall::Chains::initialize ($family);
     Shorewall::Zones::initialize ($family);
@@ -62,54 +64,42 @@ sub initialize_package_globals() {
     Shorewall::Nat::initialize;
     Shorewall::Providers::initialize($family);
     Shorewall::Tc::initialize($family);
+    Shorewall::Actions::initialize( $family );
     Shorewall::Accounting::initialize;
     Shorewall::Rules::initialize($family);
     Shorewall::Proxyarp::initialize($family);
     Shorewall::IPAddrs::initialize($family);
-    Shorewall::Misc::initialize($family);
 }
 
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header to the generated script.
 #    Generate the various user-exit jacket functions.
 #
-#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
-#
-sub generate_script_1( $ ) {
+sub generate_script_1() {
 
-    my $script = shift;
+    my $date = localtime;
 
-    if ( $script ) {
-	if ( $test ) {
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+    if ( $test ) {
+	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+    } else {
+	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+	if ( $family == F_IPV4 ) {
+	    copy $globals{SHAREDIRPL} . 'prog.header';
 	} else {
-	    my $date = localtime;
-
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.header';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.header6';
-	    }
-
-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy $globals{SHAREDIRPL} . 'prog.header6';
 	}
-
     }
 
-    my $lib = find_file 'lib.private';
-
-    copy2( $lib, $debug ) if -f $lib;
-
     emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
+    my $lib = find_file 'lib.private';
+
+    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -141,7 +131,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 
 sub generate_script_2() {
 
@@ -166,24 +156,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'PRODUCT="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'PRODUCT=\'Shorewall\'',
 		 );
 	}
     } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'PRODUCT="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'PRODUCT=\'Shorewall6\'',
 		 );
 	}
     }
@@ -215,15 +205,17 @@ sub generate_script_2() {
     my @dont_load = split_list $config{DONT_LOAD}, 'module';
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSITY:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
+	   '[ -n "${VERBOSE:=0}" ]',
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
+	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
 
-    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
 
     emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
+	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );
 
@@ -232,7 +224,7 @@ sub generate_script_2() {
     append_file 'params' if $config{EXPORTPARAMS};
 
     emit ( '',
-	   "g_stopping=",
+	   "STOPPING=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -240,24 +232,14 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
 
-    pop_indent;
-
-    emit "\n}\n"; # End of initialize()
-
-    emit( '' ,
-	  '#' ,
-	  '# Set global variables holding detected IP information' ,
-	  '#' ,
-	  'detect_configuration()',
-	  '{' );
-
     my $global_variables = have_global_variables;
 
-    push_indent;
-
     if ( $global_variables ) {
-
-	emit( 'case $COMMAND in' );
+	emit( '' ,
+	      '#' ,
+	      '# Set global variables holding detected IP information' ,
+	      '#' ,
+	      'case $COMMAND in' );
 
 	push_indent;
 
@@ -266,25 +248,25 @@ sub generate_script_2() {
 	} else {
 	    emit( 'start|restart|refresh|restore)' );
 	}
-
+	 
 	push_indent;
 
 	set_global_variables(1);
 
-	handle_optional_interfaces(0);
+	handle_optional_interfaces;
 
 	emit ';;';
-
+    
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
-
+	
 	    emit 'restore)';
 
 	    push_indent;
 
 	    set_global_variables(0);
 
-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;
 
 	    emit ';;';
 	}
@@ -293,16 +275,15 @@ sub generate_script_2() {
 	pop_indent;
 
 	emit ( 'esac' ) ,
-    } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
     }
 
     pop_indent;
 
-    emit "\n}\n"; # End of detect_configuration()
+    emit "\n}\n"; # End of initialize()
 
 }
 
+#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -312,7 +293,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 #
 sub generate_script_3($) {
 
@@ -334,9 +315,9 @@ sub generate_script_3($) {
     save_progress_message 'Initializing...';
 
     if ( $export ) {
-	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
+	my $fn = find_file 'modules';
 
-	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
+	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -353,25 +334,62 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	load_ipsets;
+	my @ipsets = all_ipsets;
+
+	if ( @ipsets ) {
+	    emit ( '',
+		   'case $IPSET in',
+		   '    */*)',
+		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        ;;',
+		   '    *)',
+		   '        IPSET="$(mywhich $IPSET)"',
+		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
+		   '        ;;',
+		   'esac',
+		   '',
+		   'if [ "$COMMAND" = start ]; then' ,
+		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		   '    fi' ,
+		   '' );
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   'elif [ "$COMMAND" = restart ]; then' ,
+		   '' );
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' , 
+		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi' );
+	    emit ( 'fi',
+		   '' );
+	}
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
+	       '   run_refresh_exit' );
+
+	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
-	save_dynamic_chains;
-
 	mark_firewall_not_started;
-
+		       	       
 	emit ('',
 	       'delete_proxyarp',
 	       ''
 	     );
 
-	if ( have_capability( 'NAT_ENABLED' ) ) {
+	if ( $capabilities{NAT_ENABLED} ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -384,15 +402,23 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+	emit ( '#',
+	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+	       '#',
+	       'qt1 $IP6TABLES -N foox1234',
+	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+	       'result=$?',
+	       'qt1 $IP6TABLES -F foox1234',
+	       'qt1 $IP6TABLES -X foox1234',
+	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
 	       '' );
-	save_dynamic_chains;
-	mark_firewall_not_started;
 
-	emit ('',
-	       'delete_proxyndp',
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+		   '',
+	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
 	       ''
 	     );
+
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -401,12 +427,7 @@ sub generate_script_3($) {
 
     emit( 'setup_routing_and_traffic_shaping', '' );
 
-    if ( $family == F_IPV4 ) {
-	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
-    } else {
-	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
-    } 
-
+    emit 'cat > ${VARDIR}/proxyarp << __EOF__';
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
@@ -419,10 +440,6 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
-    emit 'cat > ${VARDIR}/policies << __EOF__';
-    save_policies;
-    emit_unindented '__EOF__';
-
     pop_indent;
 
     emit "fi\n";
@@ -450,38 +467,31 @@ EOF
     pop_indent;
     setup_forwarding( $family , 1 );
     push_indent;
-
-    my $config_dir = $globals{CONFIGDIR};
-
-    emit<<"EOF";
-    set_state Started $config_dir
+    emit<<'EOF';
+    set_state "Started"
     run_restored_exit
 else
-    if [ \$COMMAND = refresh ]; then
+    if [ $COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
-
-    emit<<"EOF";
+    emit<<'EOF';
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
     else
         setup_netfilter
+        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
-
-    emit<<"EOF";
+    emit<<'EOF';
         run_start_exit
         do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
         run_started_exit
     fi
 
-EOF
-
-    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 
@@ -489,16 +499,16 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        logger -p kern.info "$g_product started"
+        logger -p kern.info "$PRODUCT started"
         ;;
     restart)
-        logger -p kern.info "$g_product restarted"
+        logger -p kern.info "$PRODUCT restarted"
         ;;
     refresh)
-        logger -p kern.info "$g_product refreshed"
+        logger -p kern.info "$PRODUCT refreshed"
         ;;
     restore)
-        logger -p kern.info "$g_product restored"
+        logger -p kern.info "$PRODUCT restored"
         ;;
 esac
 EOF
@@ -516,14 +526,14 @@ EOF
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
+    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
+       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
 
     $export = 0;
     $test   = 0;
 
     sub validate_boolean( $ ) {
-	 my $val = numeric_value( shift );
+	 my $val = numeric_value( shift ); 
 	 defined($val) && ($val >= 0) && ($val < 2);
      }
 
@@ -537,8 +547,7 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
-		  script        => { store => \$scriptfilename },
+    my %parms = ( object        => { store => \$objectfile },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -549,7 +558,6 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -564,19 +572,14 @@ sub compiler {
 	${$ref->{store}} = $val;
     }
 
-    #
-    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
-    #
-    initialize_package_globals;
+    reinitialize if $reused++ || $family == F_IPV6;
 
     if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
     }
 
-    $verbosity = 1 if $debug && $verbosity < 1;
-
-    set_verbosity( $verbosity );
+    set_verbose( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug );
@@ -585,25 +588,21 @@ sub compiler {
     #
     get_configuration( $export );
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+    report_capabilities;
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
-    #
-    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
-    #
+    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
+
     initialize_chain_table;
 
+    unless ( $command eq 'check' ) {
+	create_temp_object( $objectfile , $export );
+    }
+
     #
     # Allow user to load Perl modules
     #
@@ -635,22 +634,18 @@ sub compiler {
     #
     validate_policy;
     #
-    # Process default actions
-    #
-    process_actions2;
-    #
     #                                       N O T R A C K
     #                           (Produces no output to the compiled script)
     #
     setup_notrack;
 
-    enable_script;
-
-    if ( $scriptfilename || $debug ) {
+    enable_object;
+    
+    unless ( $command eq 'check' ) {
 	#
-	# Place Header in the script
+	# Place Header in the object
 	#
-	generate_script_1( $scriptfilename );
+	generate_script_1;
 	#
 	#                               C O M M O N _ R U L E S
 	#           (Writes the setup_common_rules() function to the compiled script)
@@ -662,13 +657,13 @@ sub compiler {
 	    );
 
 	push_indent;
-    }
+    } 
     #
-    # Do all of the zone-independent stuff (mostly /proc)
+    # Do all of the zone-independent stuff
     #
     add_common_rules;
     #
-    # More /proc
+    # /proc stuff
     #
     if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
@@ -682,24 +677,25 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS settings in the zones file
+    # Handle MSS setings in the zones file
     #
     setup_zone_mss;
 
-    if ( $scriptfilename || $debug ) {
+    unless ( $command eq 'check' ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_script;
+    disable_object;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_script;
+    enable_object;
+    
+    unless ( $command eq 'check' ) {
 
-    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -717,12 +713,12 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $scriptfilename || $debug ) {
+    unless ( $command eq 'check' ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_script;
+    disable_object;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -733,11 +729,11 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
-	setup_masq;
+	setup_masq; 
 	#
 	# Setup Nat
 	#
@@ -761,6 +757,11 @@ sub compiler {
     #
     setup_tunnels;
     #
+    # Post-rules action processing.
+    #
+    process_actions2;
+    process_actions3;
+    #
     # MACLIST Filtration again
     #
     setup_mac_lists 2;
@@ -771,30 +772,24 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting if $config{ACCOUNTING};
+    setup_accounting;
 
-    if ( $scriptfilename ) {
+    if ( $command eq 'check' ) {
+	if ( $family == F_IPV4 ) {
+	    progress_message3 "Shorewall configuration verified";
+	} else {
+	    progress_message3 "Shorewall6 configuration verified";
+	}
+    } else {
 	#
-	# Compiling a script - generate the zone by zone matrix
+	# Generate the zone x zone matrix
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} & 0xD ) {
-	    progress_message2 'Optimizing Ruleset...';
-	    #
-	    # Optimize Policy Chains
-	    #
-	    optimize_policy_chains if $config{OPTIMIZE} & 2;
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
-	}
-
-	enable_script;
+	enable_object;
 	#
-	#                             I N I T I A L I Z E
-	#           (Writes the initialize() function to the compiled script)
+	#                                    I N I T I A L I Z E
+	#                  (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -802,24 +797,17 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
+	#                               S T O P _ F I R E W A L L
+	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
+	compile_stop_firewall( $test ); 
 	#
-	#                           S T O P _ F I R E W A L L
-	#         (Writes the stop_firewall() function to the compiled script)
-	#
-	compile_stop_firewall( $test, $export );
-	#
-	#                               U P D O W N
-	#               (Writes the updown() function to the compiled script)
-	#
-	compile_updown;
-	#
-	# Copy the footer to the script
+	# Copy the footer to the object
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -828,67 +816,16 @@ sub compiler {
 		copy $globals{SHAREDIRPL} . 'prog.footer6';
 	    }
 	}
-
-	disable_script;
+	
+	disable_object;
 	#
-	# Close, rename and secure the script
+	# Close, rename and secure the object
 	#
-	finalize_script ( $export );
+	finalize_object ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_script, generate_aux_config if $export;
-    } else {
-	#
-	# Just checking the configuration
-	#
-	if ( $preview || $debug ) {
-	    #
-	    # User wishes to preview the ruleset or we are tracing -- generate the rule matrix
-	    #
-	    generate_matrix;
-
-	    if ( $config{OPTIMIZE} & 6 ) {
-		progress_message2 'Optimizing Ruleset...';
-		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
-		#
-		# Ruleset Optimization
-		#
-		optimize_ruleset if $config{OPTIMIZE} & 4;
-	    }
-
-	    enable_script if $debug;
-
-	    generate_script_2 if $debug;
-
-	    preview_netfilter_load if $preview;
-	}
-	#
-	# Re-initialize the chain table so that process_routestopped() has the same
-	# environment that it would when called by compile_stop_firewall().
-	#
-	Shorewall::Chains::initialize( $family );
-	initialize_chain_table;
-
-	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
-	    disable_script;
-	} else {
-	    #
-	    # compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate routestopped here.
-	    #
-	    process_routestopped;
-	}
-
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
+	enable_object, generate_aux_config if $export;
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,12 +21,12 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module provides interfaces for dealing with IPv4 addresses, protocol names, and
-#   port names. It also exports functions for validating protocol- and port- (service)
+#   port names. It also exports functions for validating protocol- and port- (service) 
 #   related constructs.
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -34,10 +34,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                   ALLIPv6
-	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
+	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
@@ -47,7 +47,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALL
 		  TCP
 		  UDP
-		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
@@ -73,46 +72,52 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_14';
+our $VERSION = '4.3_7';
 
 #
 # Some IPv4/6 useful stuff
 #
 our @allipv4 = ( '0.0.0.0/0' );
 our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $validate_range;
-our $validate_host;
 our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'ff00::/8' ,
-	       IPv6_LINKLOCAL      => 'fe80::/10' ,
-	       IPv6_SITELOCAL      => 'feC0::/10' ,
+	       IPv6_MULTICAST      => 'FF00::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
-	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
-	       TCP                 => 6,
+	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
+	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
+	       ICMP                => 1, 
+	       TCP                 => 6, 
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
+	       SCTP                => 132 };
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
 #
-# Note: initialize() is declared at the bottom of the file
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
+sub initialize( $ ) {
+    $family = shift;
+}
+
+INIT {
+    initialize( F_IPV4 );
+}
+
 sub vlsm_to_mask( $ ) {
     my $vlsm = $_[0];
 
@@ -124,8 +129,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for ( @address ) {
-	return 0 unless /^\d+$/ && $_ < 256;
+    for my $a ( @address ) {
+	return 0 unless $a =~ /^\d+$/ && $a < 256;
     }
 
     1;
@@ -158,8 +163,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for ( @address ) {
-	$result = ( $result << 8 ) | $_;
+    for my $a ( @address ) {
+	$result = ( $result << 8 ) | $a;
     }
 
     $result;
@@ -184,16 +189,7 @@ sub validate_4net( $$ ) {
     $net = '' unless defined $net;
 
     fatal_error "Missing address" if $net eq '';
-
-    if ( $net =~ /\+(\[?)/ ) {
-	if ( $1 ) {
-	    fatal_error "An ipset list ($net) is not allowed in this context";
-	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
-	    fatal_error "An ipset name ($net) is not allowed in this context";
-	} else {
-	    fatal_error "Invalid ipset name ($net)";
-	}
-    }
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
 
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -211,7 +207,7 @@ sub validate_4net( $$ ) {
 	    ( decodeaddr( $net ) , $vlsm );
 	} else {
 	    "$net/$vlsm";
-	}
+	}	    
     }
 }
 
@@ -298,17 +294,7 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
-	$number = numeric_value ( $proto );
-	defined $number && $number <= 65535 ? $number : undef;
-    } else {
-	#
-	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
-	#
-	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-
-	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
-    }
+    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
 }
 
 sub proto_name( $ ) {
@@ -322,19 +308,16 @@ sub validate_port( $$ ) {
 
     my $value;
 
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$port = numeric_value $port;
-	return $port if defined $port && $port && $port <= 65535;
+    if ( $port =~ /^(\d+)$/ ) {
+	return $port if $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
     }
 
-    return $value if defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
 
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    $value;
 }
 
 sub validate_portpair( $$ ) {
@@ -347,7 +330,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    $_ = validate_port( $proto, $_) for ( @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -415,6 +398,7 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 
 sub validate_icmp( $ ) {
+    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
 
     my $type = $_[0];
 
@@ -454,14 +438,14 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
 
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#      - Otherwise, find the largest power of two P that divides the first address such that 
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
@@ -487,8 +471,8 @@ sub expand_port_range( $$ ) {
 
     } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
-}
+    } 
+}   
 
 sub valid_6address( $ ) {
     my $address = $_[0];
@@ -500,7 +484,6 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }
@@ -509,16 +492,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    unless ( $address =~ /^::/ ) {
-	return 0 if $address =~ /^:/;
-    }
-
-    unless ( $address =~ /::$/  ) {
-	return 0 if $address =~ /:$/;
+    if ( $address =~ /^:/ ) {
+	unless ( $address eq '::' ) {
+	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
+	}
+    } elsif ( $address =~ /:$/ ) {
+	return 0 if $address =~ /::.*:$/;
     }
 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
     }
 
     1;
@@ -549,15 +532,7 @@ sub validate_6net( $$ ) {
     my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
     my $allow_name = $_[1];
 
-    if ( $net =~ /\+(\[?)/ ) {
-	if ( $1 ) {
-	    fatal_error "An ipset list ($net) is not allowed in this context";
-	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
-	    fatal_error "An ipset name ($net) is not allowed in this context";
-	} else {
-	    fatal_error "Invalid ipset name ($net)";
-	}
-    }
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
 
     if ( defined $vlsm ) {
         fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
@@ -575,27 +550,13 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    if ( $addr eq '::' ) {
-	'0:0:0:0:0:0:0:0';
-    } else {
-	#
-	# Suppress leading zeros
-	#
-	$addr =~ s/^0+//;
-	$addr =~ s/:0+/:/g;
-	$addr =~ s/^:/0:/;
-	$addr =~ s/:$/:0/;
-
-	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
-	#
-	# Note: "s/::/:0:/g" doesn't work here
-	#
-	1 while $addr =~ s/::/:0:/;
-
-	$addr =~ s/^0+:/0:/;
-
-	$addr;
+    while ( $addr =~ tr/:/:/ < 6 ) {
+	$addr =~ s/::/:0::/;
     }
+
+    $addr =~ s/::/:0:/;
+
+    $addr;
 }
 
 sub validate_6range( $$ ) {
@@ -619,7 +580,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = @_;
+    my ( $host, $allow_name )  = $_[0];
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -653,6 +614,7 @@ my %ipv6_icmp_types = ( any                          => 'any',
 
 
 sub validate_icmp6( $ ) {
+    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
     my $type = $_[0];
 
     my $value = $ipv6_icmp_types{$type};
@@ -667,63 +629,31 @@ sub validate_icmp6( $ ) {
 }
 
 sub ALLIP() {
-    $allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }
 
 sub allip() {
-    @allip;
-}
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
+}    
 
 sub valid_address ( $ ) {
-    $valid_address->(@_);
+    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
 }
 
 sub validate_address ( $$ ) {
-    $validate_address->(@_);
+    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
 }
 
 sub validate_net ( $$ ) {
-    $validate_net->(@_);
+    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
 }
 
-sub validate_range ($$ ) {
-    $validate_range->(@_);
+sub validate_range ($$ ) { 
+    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
 }
 
-sub validate_host ($$ ) {
-    $validate_host->(@_);
-}
-
-#
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
-#
-sub initialize( $ ) {
-    $family = shift;
-
-    if ( $family == F_IPV4 ) {
-	$allip            = ALLIPv4;
-	@allip            = @allipv4;
-	$valid_address    = \&valid_4address;
-	$validate_address = \&validate_4address;
-	$validate_net     = \&validate_4net;
-	$validate_range   = \&validate_4range;
-	$validate_host    = \&validate_4host;
-    } else {
-	$allip            = ALLIPv6;
-	@allip            = @allipv6;
-	$valid_address    = \&valid_6address;
-	$validate_address = \&validate_6address;
-	$validate_net     = \&validate_6net;
-	$validate_range   = \&validate_6range;
-	$validate_host    = \&validate_6host;
-    }
+sub validate_host ($$ ) { 
+    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
 }
 
 1;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 
 use strict;
@@ -36,19 +37,79 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_14';
+our $VERSION = '4.3_7';
 
 our @addresses_to_add;
 our %addresses_to_add;
 
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize() {
     @addresses_to_add = ();
     %addresses_to_add = ();
 }
 
+INIT {
+    initialize;
+}
+
+#
+# Handle IPSEC Options in a masq record
+#
+sub do_ipsec_options($)
+{
+    my %validoptions = ( strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+    my $list=$_[0];
+    my $options = '-m policy --pol ipsec --dir out ';
+    my $fmt;
+
+    for my $e ( split_list $list, 'option' ) {
+	my $val    = undef;
+	my $invert = '';
+
+	if ( $e =~ /([\w-]+)!=(.+)/ ) {
+	    $val    = $2;
+	    $e      = $1;
+	    $invert = '! ';
+	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
+	    $val = $2;
+	    $e   = $1;
+	}
+
+	$fmt = $validoptions{$e};
+
+	fatal_error "Invalid Option ($e)" unless $fmt;
+
+	if ( $fmt eq NOTHING ) {
+	    fatal_error "Option \"$e\" does not take a value" if defined $val;
+	} else {
+	    fatal_error "Missing value for option \"$e\""        unless defined $val;
+	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+	}
+
+	$options .= $invert;
+	$options .= "--$e ";
+	$options .= "$val " if defined $val;
+    }
+
+    $options;
+}
+
 #
 # Process a single rule from the the masq file
 #
@@ -100,16 +161,16 @@ sub process_one_masq( )
     # Handle IPSEC options, if any
     #
     if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	    $baserule .= '-m policy --pol ipsec --dir out ';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'none', '';
+	    $baserule .= '-m policy --pol none --dir out ';
 	} else {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	    $baserule .= do_ipsec_options $ipsec;
 	}
-    } elsif ( have_ipsec ) {
+    } elsif ( $capabilities{POLICY_MATCH} ) {
 	$baserule .= '-m policy --pol none --dir out ';
     }
 
@@ -117,15 +178,16 @@ sub process_one_masq( )
     # Handle Protocol and Ports
     #
     $baserule .= do_proto $proto, $ports, '';
+
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
-    $baserule .= do_user( $user )                    if $user ne '-';
+    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+    $baserule .= do_user( $user )      if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+	my $target = '-j MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -145,7 +207,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= match_dest_dev( $interface );
+	    $rule .= "-o $interface ";
 	    $interface = $interfaceref->{name};
 	}
 
@@ -154,7 +216,6 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
-	my $persistent    = '';
 	#
 	# Parse the ADDRESSES column
 	#
@@ -162,16 +223,13 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
-
-		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
+		$addresses =~ s/:random$// and $randomize = '--random ';
 
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "SNAT --to-source $variable";
+		    $target = "-j SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -181,19 +239,15 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = 'RETURN';
+		    $target = '-j RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = 'SNAT ';
+			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				validate_range( $1, $2 );
-			    } else {
-				validate_address $ipaddr, 0;
-			    }
+			    validate_address $ipaddr, 0;
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
@@ -208,7 +262,6 @@ sub process_one_masq( )
 	    }
 
 	    $target .= $randomize;
-	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}
@@ -240,6 +293,7 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
+			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -262,14 +316,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    my $fn = open_file 'masq';
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
 
-	process_one_masq while read_a_line;
+    process_one_masq while read_a_line;
+
+    clear_comment;
 
-	clear_comment;
-    }
 }
 
 #
@@ -317,12 +371,12 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = match_source_dev $interface;
-	$ruleout = match_dest_dev $interface;
+	$rulein  = "-i $interface ";
+	$ruleout = "-o $interface ";
 	$interface = $interfaceref->{name};
     }
 
-    if ( have_ipsec ) {
+    if ( $capabilities{POLICY_MATCH} ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
     }
@@ -352,6 +406,7 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
     }
+
 }
 
 #
@@ -359,32 +414,32 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    if ( my $fn = open_file 'nat' ) {
+    my $fn = open_file 'nat';
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
 
-	while ( read_a_line ) {
+    while ( read_a_line ) {
 
-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
 
-	    if ( $external eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	if ( $external eq 'COMMENT' ) {
+	    process_comment;
+	} else {
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
 
-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';
 
-		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
-		}
-
-		progress_message "   NAT entry \"$currentline\" $done";
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
+		fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 	    }
+
+	    progress_message "   NAT entry \"$currentline\" $done";
 	}
 
-	clear_comment;
     }
+
+    clear_comment;
 }
 
 #
@@ -392,56 +447,50 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    if ( my $fn = open_file 'netmap' ) {
+    my $fn = open_file 'netmap';
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
 
-	while ( read_a_line ) {
+    while ( read_a_line ) {
 
-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
 
-	    $net3 = ALLIP if $net3 eq '-';
+	for my $interface ( split_list $interfacelist, 'interface' ) {
 
-	    for my $interface ( split_list $interfacelist, 'interface' ) {
+	    my $rulein = '';
+	    my $ruleout = '';
+	    my $iface = $interface;
 
-		my $rulein = '';
-		my $ruleout = '';
-		my $iface = $interface;
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
 
-		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-
-		unless ( $interfaceref->{root} ) {
-		    $rulein  = match_source_dev( $interface );
-		    $ruleout = match_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
-
-		if ( $type eq 'DNAT' ) {
-		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
-		} elsif ( $type eq 'SNAT' ) {
-		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
-		} else {
-		    fatal_error "Invalid type ($type)";
-		}
-
-		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
+	    unless ( $interfaceref->{root} ) {
+		$rulein  = "-i $interface ";
+		$ruleout = "-o $interface ";
+		$interface = $interfaceref->{name};
 	    }
-	}
 
-	clear_comment;
+	    if ( $type eq 'DNAT' ) {
+		add_rule ensure_chain( 'nat' , input_chain $interface )  , $rulein  . "-d $net1 -j NETMAP --to $net2";
+	    } elsif ( $type eq 'SNAT' ) {
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
+	    } else {
+		fatal_error "Invalid type ($type)";
+	    }
+
+	    progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
+	}
     }
 
 }
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
-	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addrs ) {
-	    my $addr      = shift @addrs;
-	    my $interface = shift @addrs;
+	while ( @addresses_to_add ) {
+	    my $addr      = shift @addresses_to_add;
+	    my $interface = shift @addresses_to_add;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -27,51 +27,34 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw( :DEFAULT :internal) ;
+use Shorewall::Actions;
 
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains policy_actions );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_16';
+our $VERSION = '4.3_7';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
 our @policy_chains;
 
-our %policy_actions;
+#
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
+#
 
-our %default_actions;
-#
-# Called by the compiler
-#
 sub initialize() {
-    @policy_chains  = ();
-    %policy_actions = ();
-    %default_actions  = ( DROP     => 'none' ,
-		 	  REJECT   => 'none' ,
-			  ACCEPT   => 'none' ,
-			  QUEUE    => 'none' );
+    @policy_chains = ();
 }
 
-#
-# Return a list of actions used by the policies
-#
-sub policy_actions() {
-    keys %policy_actions;
-}
-
-#
-# Split the passed target into the basic target and parameter
-#
-sub get_target_param( $ ) {
-    my ( $target, $param ) = split '/', $_[0];
-
-    unless ( defined $param ) {
-	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
-    }
-
-    ( $target, $param );
+INIT {
+    initialize;
 }
 
 #
@@ -93,11 +76,11 @@ sub convert_to_policy_chain($$$$$)
 #
 sub new_policy_chain($$$$)
 {
-    my ($source, $dest, $policy, $provisional) = @_;
+    my ($source, $dest, $policy, $optional) = @_;
 
-    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
+    my $chainref = new_chain( 'filter', "${source}2${dest}" );
 
-    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
+    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
 
     $chainref;
 }
@@ -142,22 +125,22 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-use constant { PROVISIONAL => 1 };
+use constant { OPTIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = rules_chain( ${zone}, ${zone1} );
+    my $chain    = "${zone}2${zone1}";
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
-	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
 	    push @policy_chains, $chainref;
 	}
     } else {
-	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
     }
-}
+}    
 
 sub print_policy($$$$) {
     my ( $source, $dest, $policy , $chain ) = @_;
@@ -170,12 +153,6 @@ sub print_policy($$$$) {
     }
 }
 
-sub use_action( $ ) {
-    my $action = shift;
-
-    $policy_actions{$action} = 1;
-}
-
 sub process_a_policy() {
 
     our %validpolicies;
@@ -192,7 +169,7 @@ sub process_a_policy() {
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
     my $serverwild = ( "\L$server" eq 'all' );
-
+    
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
     my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
@@ -202,15 +179,18 @@ sub process_a_policy() {
     fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
 
     ( $policy , my $queue ) = get_target_param $policy;
-    
+
     if ( $default ) {
 	if ( "\L$default" eq 'none' ) {
 	    $default = 'none';
 	} else {
 	    my $defaulttype = $targets{$default} || 0;
-	    
+
 	    if ( $defaulttype & ACTION ) {
-		use_action( $default );
+		unless ( $usedactions{$default} ) {
+		    $usedactions{$default} = 1;
+		    createactionchain $default;
+		}
 	    } else {
 		fatal_error "Unknown Default Action ($default)";
 	    }
@@ -223,7 +203,7 @@ sub process_a_policy() {
 
     if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
-	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); 
 	my $queuenum = numeric_value( $queue );
 	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
 	$policy = "NFQUEUE --queue-num $queuenum";
@@ -241,7 +221,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = rules_chain( ${client}, ${server} );
+    my $chain = "${client}2${server}";
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -264,7 +244,7 @@ sub process_a_policy() {
 	$chainref = new_policy_chain $client, $server, $policy, 0;
 	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
     }
-
+    
     $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
 
     if ( $synparams ne '' || $connlimit ne '' ) {
@@ -276,48 +256,33 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
     }
 
-    $chainref->{default} = $default if $default;
+    $chainref->{default}   = $default if $default;
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
-
+	
     } else {
 	print_policy $client, $server, $policy, $chain;
     }
 }
 
-sub save_policies() {
-    for my $zone1 ( all_zones ) {
-	for my $zone2 ( all_zones ) {
-	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
-	    my $policyref = $filter_table->{ $chainref->{policychain} };
-
-	    if ( $policyref->{referenced} ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
-	    } elsif ( $zone1 ne $zone2 ) {
-		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
-	    }
-	}
-    }
-}
-
 sub validate_policy()
 {
     our %validpolicies = (
@@ -337,32 +302,31 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
-    my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
+    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
 	my $action = $config{$option};
 	next if $action eq 'none';
 	my $actiontype = $targets{$action};
-												 
+
 	if ( defined $actiontype ) {
 	    fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
 	} else {
 	    fatal_error "Default Action $option=$action not found";
 	}
 
-	use_action( $action );
+	unless ( $usedactions{$action} ) {
+	    $usedactions{$action} = 1;
+	    createactionchain $action;
+	}
 
 	$default_actions{$map{$option}} = $action;
     }
 
     for $zone ( all_zones ) {
-	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
-	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
+	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
 
-	my $zoneref = find_zone( $zone );
-
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
@@ -372,16 +336,15 @@ sub validate_policy()
 	}
     }
 
-    if ( my $fn = open_file 'policy' ) {
-	first_entry "$doing $fn...";
-	process_a_policy while read_a_line;
-    } else {
-	fatal_error q(The 'policy' file does not exist or has zero size);
-    }
+    my $fn = open_file 'policy';
+
+    first_entry "$doing $fn...";
+
+    process_a_policy while read_a_line;
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
 	}
     }
 }
@@ -394,7 +357,7 @@ sub policy_rules( $$$$$ ) {
 
     unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_jump $chainref, $default, 0 if $default && $default ne 'none';
+	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -446,29 +409,17 @@ sub apply_policy_rules() {
 
     for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
+	my $loglevel    = $chainref->{loglevel};
+	my $provisional = $chainref->{provisional};
+	my $default     = $chainref->{default};
+	my $name        = $chainref->{name};
 
-	unless ( $policy eq 'NONE' ) {
-	    my $loglevel    = $chainref->{loglevel};
-	    my $provisional = $chainref->{provisional};
-	    my $default     = $chainref->{default};
-	    my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};
-
-	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
-		if ( $config{OPTIMIZE} & 2 ) {
-		    #
-		    # This policy chain is empty and the only thing that we would put in it is
-		    # the policy-related stuff. Don't create it if all we are going to put in it
-		    # is a single jump. Generate_matrix() will just use the policy target when
-		    # needed.
-		    #
-		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
-		} else {
-		    ensure_filter_chain $name, 1;
-		}
+	if ( $policy ne 'NONE' ) {
+	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
+		ensure_filter_chain $name, 1;
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $name =~ /^all2|2all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -477,7 +428,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
+	    my $chainref = $filter_table->{"${zone}2${zone1}"};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -499,11 +450,11 @@ sub apply_policy_rules() {
 sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
-    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
+    add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
+    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 
@@ -518,47 +469,17 @@ sub complete_standard_chain ( $$$$ ) {
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
 sub setup_syn_flood_chains() {
-    my @zones = ( non_firewall_zones );
     for my $chainref ( @policy_chains ) {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = @zones > 1 ? 
-		    new_chain 'filter' , syn_flood_chain $chainref :
-		    new_chain( 'filter' , '@' . $chainref->{name} );
+	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit( $level ,
-			    $synchainref ,
-			    $chainref->{name} ,
-			    'DROP',
-			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
-			    '' ,
-			    'add' ,
-			    '' )
+	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
     }
 }
 
-#
-# Optimize Policy chains with ACCEPT policy
-#
-sub optimize_policy_chains() {
-    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
-	optimize_chain ( $chainref );
-    }
-    #
-    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
-    #
-    my $outputrules = $filter_table->{OUTPUT}{rules};
-
-    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
-	optimize_chain( $filter_table->{OUTPUT} );
-    }
-
-    progress_message '  Policy chains optimized';
-    progress_message '';
-}
-
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.3_12';
 
 #
 # ARP Filtering
@@ -56,35 +56,27 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'arp_filter';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
+	    my $value = get_interface_option $interface, 'arp_filter';
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $value = get_interface_option $interface, 'arp_ignore';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
+	    my $value = get_interface_option $interface, 'arp_ignore';
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
     }
@@ -96,18 +88,16 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
-    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config ) {
+    if ( @$interfaces || $config{ROUTE_FILTER} ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
-	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ne '' ) {
-	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
+	if ( $config{ROUTE_FILTER} ) {
+	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -116,29 +106,25 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'routefilter';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
+	    my $value = get_interface_option $interface, 'routefilter';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
 
-	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	} elsif ( $val ne '' ) {
-	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
+	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+
+	if ( $config{ROUTE_FILTER} eq 'on' ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
+	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	}
 
-	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
-
-	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
+	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
     }
 }
 
@@ -167,18 +153,14 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'logmartians';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
+	    my $value = get_interface_option $interface, 'logmartians';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -198,17 +180,13 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, 'sourceroute';
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
 	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
+	    my $value = get_interface_option $interface, 'sourceroute';
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
     }
@@ -249,17 +227,13 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $value = get_interface_option $interface, 'forward';
-		my $optional = interface_is_optional $interface;
-
-		$interface = get_physical $interface;
-
 		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
+		my $value = get_interface_option $interface, 'forward';
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -18,10 +18,10 @@
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
+#   This module deals with the /etc/shorewall/providers and
+#   /etc/shorewall/route_rules files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_16';
+our $VERSION = '4.4_0';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,20 +59,17 @@ our @providers;
 
 our $family;
 
-our $lastmark;
-
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
 
@@ -92,13 +89,17 @@ sub initialize( $ ) {
     @providers = ();
 }
 
+INIT {
+    initialize( F_IPV4 );
+}
+
 #
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
 
-    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -110,23 +111,33 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
+	my $base      = uc chain_base $interface;
+
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
+	    } else {
+		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    }
+		
+	    incr_cmd_level( $chainref );
+	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
-	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
+	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
 	}
+
+	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -134,15 +145,11 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
     }
 
     emit ( '    case $net in',
@@ -158,23 +165,11 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
-    #
-    # Map physical names in $copy to logical names
-    #
-    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
-    #
-    # Shell and iptables use a different wildcard character
-    #
-    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
     } else {
-	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
     }
 
     emit (  '    case $net in',
@@ -277,11 +272,10 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
     }
 
-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
-    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
-
-    my $physical    = get_physical $interface;
-    my $base        = uc chain_base $physical;
+    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    
+    my $provider    = chain_base $table;
+    my $base        = uc chain_base $interface;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -297,15 +291,40 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+    my $val = 0;
+    my $pref;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
+
+	verify_mark $mark;
+
+	if ( $val < 65535 ) {
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
+		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
+		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
+	    }
+	} else {
+	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
+	}
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+    }
+
+    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
-	    } elsif ( $option eq 'notrack' ) {
-		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -339,43 +358,12 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
-	    } elsif ( $option eq 'local' ) {
-		$local = 1;
-		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
-    my $val = 0;
-    my $pref;
-
-    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
-
-	verify_mark $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
-
-	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-	$lastmark = $val;
-
-    }
-
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -387,7 +375,6 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
-			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -411,38 +398,30 @@ sub add_a_provider( ) {
     my $realm = '';
 
     fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
-
+    
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
 	}
-
+	
 	$provider_interfaces{$interface} = $table;
 
-	if ( $gatewaycase eq 'none' ) {
-	    if ( $local ) {
-		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
-	    } else {
-		emit "run_ip route add default dev $physical table $number";
-	    }
-	}
+	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
     }
 
     if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
 
-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
+	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
@@ -454,7 +433,8 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy = "$interface,$copy";
+		$copy =~ tr/,/|/;
+		$copy = "$interface|$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -466,33 +446,28 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $physical, $realm if $balance;
+    balance_default_route $balance , $gateway, $interface, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $physical, $realm;
+	balance_fallback_route $default , $gateway, $interface, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-	fatal_error "MARK required with 'local'"              unless $mark;
-    } elsif ( $loose ) {
+    if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $physical | while read address; do",
+	    emit ( "\nfind_interface_addresses $interface | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -506,7 +481,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $physical | while read address; do" );
+	emit  ( "find_interface_addresses $interface | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -522,15 +497,15 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );	    
+	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
 	} else {
-	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
+	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -541,32 +516,9 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
-#
-# Begin an 'if' statement testing whether the passed interface is available
-#
-sub start_new_if( $ ) {
-    our $current_if = shift;
-
-    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
-    push_indent;
-}
-
-#
-# Complete any current 'if' statement in the output script
-#
-sub finish_current_if() {
-    if ( our $current_if ) {
-	pop_indent;
-	emit ( "fi\n" );
-	$current_if = '';
-    }
-}
-
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
-    our $current_if;
-
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -588,7 +540,7 @@ sub add_an_rtrule( ) {
     fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
 
     if ( $dest eq '-' ) {
-	$dest = 'to ' . ALLIP;
+	$dest = 'to ' . ALLIP; 
     } else {
 	validate_net( $dest, 0 );
 	$dest = "to $dest";
@@ -601,7 +553,6 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
-	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -609,10 +560,9 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
-	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -625,94 +575,39 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{physical} );
-	finish_current_if if $base ne $current_if;
-	start_new_if( $base ) unless $current_if;
-    } else {
-	finish_current_if;
+	my $base = uc chain_base( $providers{$provider}{interface} );
+	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
+	push_indent;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
+    pop_indent, emit ( "fi\n" ) if $optional;
+
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
-sub add_a_route( ) {
-    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
-
-    our $current_if;
-
-    unless ( $providers{$provider} ) {
-	my $found = 0;
-
-	if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
-	    my $provider_number = numeric_value $provider;
-
-	    for ( keys %providers ) {
-		if ( $providers{$_}{number} == $provider_number ) {
-		    $provider = $_;
-		    fatal_error "You may not add routes to the $provider table" if $provider_number == LOCAL_TABLE || $provider_number == UNSPEC_TABLE;
-		    $found = 1;
-		    last;
-		}
-	    }
-	}
-
-	fatal_error "Unknown provider ($provider)" unless $found;
-    }
-
-    validate_net ( $dest, 1 );
-
-    validate_address ( $gateway, 1 ) if $gateway ne '-';
-
-    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
-
-    my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
-    
-    if ( $providers{$provider}{optional} ) {
-	my $base = uc chain_base( $physical );
-	finish_current_if if $base ne $current_if;
-	start_new_if ( $base ) unless $current_if;
-    } else {
-	finish_current_if;
-    }
-
-    if ( $gateway ne '-' ) {
-	if ( $device ne '-' ) {
-	    emit qq(run_ip route add $dest via $gateway dev $physical table $number);
-	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
-	} else {
-	    emit qq(run_ip route add $dest via $gateway table $number);
-	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; 
-	}
-    } else {
-	fatal_error "You must specify a device for this route" unless $physical;
-	emit qq(run_ip route add $dest dev $physical table $number);
-	emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
-    }
-
-    progress_message "   Route \"$currentline\" $done";
-}
-
+#
+# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
+# it makes sense to keep all of the routing code together
+#
 sub setup_null_routing() {
     save_progress_message "Null Routing the RFC 1918 subnets";
     for ( rfc1918_networks ) {
-	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace unreachable $_),
-	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
-	      qq(fi\n) );
-    }
+	emit( qq(run_ip route replace unreachable $_) );
+	emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
+    } 
 }
 
 sub start_providers() {
     require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
-
+    
     emit  ( '#',
 	    '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
 	    '#',
@@ -724,7 +619,7 @@ sub start_providers() {
 	       '# Save current routing table database so that it can be restored later',
 	       '#',
 	       'cp /etc/iproute2/rt_tables ${VARDIR}/' );
-
+	
     }
 
     emit  ( '#',
@@ -735,9 +630,9 @@ sub start_providers() {
 	    '# Initialize the file that holds \'undo\' commands',
 	    '#',
 	    '> ${VARDIR}/undo_routing' );
-
+    
     save_progress_message 'Adding Providers...';
-
+    
     emit 'DEFAULT_ROUTE=';
     emit 'FALLBACK_ROUTE=';
     emit '';
@@ -768,7 +663,7 @@ sub finish_providers() {
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
-
+	
 	emit(   'fi',
 		'' );
     } else {
@@ -812,67 +707,47 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
-    $lastmark = 0;
+    my $fn = open_file 'providers';
 
-    if ( my $fn = open_file 'providers' ) {
+    first_entry sub() {
+	emit "\nif [ -z \"\$NOROUTES\" ]; then";
+	push_indent;
+	progress_message2 "$doing $fn...";
+	start_providers; };
 
-	first_entry sub() {
-	    progress_message2 "$doing $fn...";
-	    emit "\nif [ -z \"\$g_noroutes\" ]; then";
-	    push_indent;
-	    start_providers; };
- 
-	add_a_provider, $providers++ while read_a_line;
-    }
+    add_a_provider, $providers++ while read_a_line;
 
     if ( $providers ) {
 	finish_providers;
 
-	my $fn = open_file 'routes';
+	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
-	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
-
-	    add_a_route while read_a_line;
-
-	    finish_current_if;
-	}
-
-	$fn = open_file 'route_rules';
-
-	if ( $fn ) {
-	    our $current_if = '';
-
-	    first_entry "$doing $fn...";
-
-	    emit '';
-
+	    
 	    add_an_rtrule while read_a_line;
-
-	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if-block begun in the first_entry closure above
+	# This completes the if block begun in the first_entry closure
 	#
 	pop_indent;
 	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces;
     } else {
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 
 	push_indent;
-
+	
 	emit "\nundo_routing";
 	emit 'restore_default_route';
-
+	
 	if ( $config{NULL_ROUTE_RFC1918} ) {
 	    emit  ( '#',
 		    '# Initialize the file that holds \'undo\' commands',
@@ -909,133 +784,45 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# This function is called by the compiler when it is generating the initialize() function.
+# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# optional interfaces
 #
-# Returns true if there were required or optional interfaces
-#
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {
 
-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my $interfaces = find_interfaces_by_option 'optional';
 
     if ( @$interfaces ) {
-	my $require     = $config{REQUIRE_INTERFACE};
+	for my $interface ( @$interfaces ) {
+	    my $base  = uc chain_base( $interface );
+	    my $provider = $provider_interfaces{$interface};
 
-	verify_required_interfaces( shift );
-
-	emit( 'HAVE_INTERFACE=', '' ) if $require;
-	#
-	# Clear the '_IS_USABLE' variables
-	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
-
-	if ( $wildcards ) {
-	    #
-	    # We must consider all interfaces with an address in $family -- generate a list of such addresses.
-	    #
-	    emit( '',
-		  'for interface in $(find_all_interfaces1); do',
-		);
-
-	    push_indent;
-	    emit ( 'case "$interface" in' );
-	    push_indent;
-	} else {
 	    emit '';
-	}
 
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
-	    my $provider    = $provider_interfaces{$interface};
-	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
-	    my $providerref = $providers{$provider};
+	    if ( $provider ) {
+		#
+		# This interface is associated with a non-shared provider -- get the provider table entry
+		#
+		my $providerref = $providers{$provider};
 
-	    emit( "$physical)" ), push_indent if $wildcards;
-
-	    if ( $providerref->{gatewaycase} eq 'detect' ) {
-		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
-	    } else {
-		emit qq(if interface_is_usable $physical; then);
-	    }
-
-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'fi' );
-
-	    emit( ';;' ), pop_indent if $wildcards;
-	}
-
-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
-		push_indent;
-
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-		    push_indent;
-		    emit ( 'if interface_is_usable $interface; then' );
+		if ( $providerref->{gatewaycase} eq 'detect' ) {
+		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit ( "if interface_is_usable $physical; then" );
+		    emit qq(if interface_is_usable $interface; then);
 		}
 	    } else {
-		emit ( "if interface_is_usable $physical; then" );
+		#
+		# Not a provider interface
+		#
+		emit qq(if interface_is_usable $interface; then);
 	    }
 
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
-
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
-	    }
+	    emit( "    ${base}_IS_USABLE=Yes" ,
+		  'else' ,
+		  "    ${base}_IS_USABLE=" ,
+		  'fi' );
 	}
-
-	if ( $wildcards ) {
-	    emit( '*)' ,
-		  '    ;;'
-		);
-	    pop_indent;
-	    emit( 'esac' );
-	    pop_indent;
-	    emit('done' );
-	}
-
-	if ( $require ) {
-	    emit( '',
-		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
-		  '    case "$COMMAND" in',
-		  '        start|restart|restore|refresh)'
-		);
-
-	    if ( $family == F_IPV4 ) {
-		emit( '            if shorewall_is_started; then' );
-	    } else {
-		emit( '            if shorewall6_is_started; then' );
-	    }
-
-	    emit( '                fatal_error "No network interface available"',
-		  '            else',
-		  '                startup_error "No network interface available"',
-		  '            fi',
-		  '            ;;',
-		  '    esac',
-		  'fi'
-		);
-	}
-
-	return 1;
     }
-
-    verify_required_interfaces( shift );
 }
 
 #
@@ -1044,7 +831,7 @@ sub handle_optional_interfaces( $ ) {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = in_hex( $globals{PROVIDER_MASK} );
+    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};
@@ -1054,18 +841,22 @@ sub handle_stickiness( $ ) {
 
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
+	
 
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{physical};
+	    my $interface = $providerref->{interface};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
-
+	
 	    for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
 		my $stickyref = ensure_mangle_chain 'sticky';
 		my ( $rule1, $rule2 );
 		my $list = sprintf "sticky%03d" , $sticky++;
-
+		
 		for my $chainref ( $stickyref, $setstickyref ) {
+
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -1074,16 +865,19 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
-			$rule2 = '';
 		    }
+		
+		    $rule1 =~ s/-A //;
 
-		    assert ( $rule1 =~ s/^-A // );
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
-			assert ( $rule2 =~ s/^-A // );
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
+		    
 		}
 	    }
 
@@ -1093,6 +887,8 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
+		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -1101,25 +897,26 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
-			$rule2 = '';
 		    }
+		
+		    $rule1 =~ s/-A //;
 
-		    assert( $rule1 =~ s/-A // );
 		    add_rule $chainref, $rule1;
 
 		    if ( $rule2 ) {
 			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
+
+		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}
     }
 
     if ( @routemarked_providers ) {
-	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
+	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
+	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};	
     }
 }
-
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,31 +35,32 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_16';
+our $VERSION = '4.3_7';
 
 our @proxyarp;
 
 our $family;
 
 #
-# Rather than initializing globals in an INIT block or during declaration,
-# we initialize them in a function. This is done for two reasons:
-#
-#   1. Proper initialization depends on the address family which isn't
-#      known until the compiler has started.
-#
-#   2. The compiler can run multiple times in the same process so it has to be
-#      able to re-initialize its dependent modules' state.
+# Initialize globals -- we take this novel approach to globals initialization to allow
+#                       the compiler to run multiple times in the same process. The
+#                       initialize() function does globals initialization for this
+#                       module and is called from an INIT block below. The function is
+#                       also called by Shorewall::Compiler::compiler at the beginning of
+#                       the second and subsequent calls to that function.
 #
+
 sub initialize( $ ) {
     $family = shift;
     @proxyarp = ();
 }
 
-sub setup_one_proxy_arp( $$$$$$$ ) {
-    my ( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent) = @_;
+INIT {
+    initialize( F_IPV4 );
+}
 
-    my $proto = $family == F_IPV4 ? 'ARP' : 'NDP';
+sub setup_one_proxy_arp( $$$$$ ) {
+    my ( $address, $interface, $external, $haveroute, $persistent) = @_;
 
     if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
 	$haveroute = '';
@@ -78,101 +79,94 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
     }
 
     unless ( $haveroute ) {
-	fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';
-
-	if ( $family == F_IPV4 ) {
-	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
-	} else {
-	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/128 dev $physical";
-	}
-
+	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
     }
 
-    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
+    emit ( "if ! arp -i $external -Ds $address $external pub; then",
+	   "    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
+	   'fi' ,
+	   '',
+	   "progress_message \"   Host $address connected to $interface added to ARP on $external\"\n" );
 
     push @proxyarp, "$address $interface $external $haveroute";
 
-    progress_message "   Host $address connected to $interface added to $proto on $external";
+    progress_message "   Host $address connected to $interface added to ARP on $external";
 }
 
 #
-# Setup Proxy ARP/NDP
+# Setup Proxy ARP
 #
 sub setup_proxy_arp() {
-    my $proto      = $family == F_IPV4 ? 'arp' : 'ndp';   # Protocol
-    my $file_opt   = 'proxy' . $proto;                    # Name of config file and of the interface option
-    my $proc_file  = 'proxy_' . $proto;                   # Name of the corresponding file in /proc
+    if ( $family == F_IPV4 ) {
 
-    my $interfaces= find_interfaces_by_option $file_opt;
-    my $fn = open_file $file_opt;
+	my $interfaces= find_interfaces_by_option 'proxyarp';
+	my $fn = open_file 'proxyarp';
 
-    if ( @$interfaces || $fn ) {
+	if ( @$interfaces || $fn ) {
 
-	my $first_entry = 1;
+	    my $first_entry = 1;
 
-	save_progress_message 'Setting up Proxy ' . uc($proto) . '...';
+	    save_progress_message "Setting up Proxy ARP...";
 
-	my ( %set, %reset );
+	    my ( %set, %reset );
 
-	while ( read_a_line ) {
+	    while ( read_a_line ) {
 
-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
+		my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
+		if ( $first_entry ) {
+		    progress_message2 "$doing $fn...";
+		    $first_entry = 0;
+		}
 
-	    fatal_error "Unknown interface ($external)" unless known_interface $external;
-	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
-	    $reset{$external} = 1 unless $set{$external};
-
-	    my $extphy   = get_physical $external;
-	    my $physical = '-';
-
-	    if ( $interface ne '-' ) {
-		fatal_error "Unknown interface ($interface)" unless known_interface $interface;
-		fatal_error "Wildcard interface ($interface) not allowed" if $interface =~ /\+$/;
-		$physical = physical_name $interface;
 		$set{$interface}  = 1;
+		$reset{$external} = 1 unless $set{$external};
+
+		setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
 	    }
 
-	    setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent );
-	}
+	    emit '';
 
-	emit '';
+	    for my $interface ( keys %reset ) {
+		unless ( $set{interface} ) {
+		    emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
+			    "    echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		    emit    "fi\n";
+		}
+	    }
 
-	for my $interface ( keys %reset ) {
-	    unless ( $set{interface} ) {
-		my $physical = get_physical $interface;
-		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
-			"    echo 0 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
+	    for my $interface ( keys %set ) {
+		emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
+			"    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		emit  ( 'else' ,
+			"    error_message \"    WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
 		emit    "fi\n";
 	    }
+
+	    for my $interface ( @$interfaces ) {
+		my $value = get_interface_option $interface, 'proxyarp';
+		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
+		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		emit ( 'else' ,
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
+		emit   "fi\n";
+	    }
 	}
+    } else {
+	my $interfaces= find_interfaces_by_option 'proxyndp';
 
-	for my $interface ( keys %set ) {
-	    my $physical = get_physical $interface;
-	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
-		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
-	    emit  ( 'else' ,
-		    "    error_message \"    WARNING: Cannot set the '$file_opt' option for interface $physical\"" ) unless interface_is_optional( $interface );
-	    emit    "fi\n";
-	}
+	if ( @$interfaces ) {
+	    save_progress_message "Setting up Proxy NDP...";
 
-	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, $file_opt;
-	    my $optional = interface_is_optional $interface;
-
-	    $interface = get_physical $interface;
-
-	    emit ( "if [ -f /proc/sys/net/ipv$family/conf/$interface/$proc_file ] ; then" ,
-		   "    echo $value > /proc/sys/net/ipv$family/conf/$interface/$proc_file" );
-	    emit ( 'else' ,
-		   "    error_message \"WARNING: Unable to set/reset the '$file_opt' option on $interface\"" ) unless $optional;
-	    emit   "fi\n";
+	    for my $interface ( @$interfaces ) {
+		my $value = get_interface_option $interface, 'proxyndp';
+		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
+		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
+		emit ( 'else' ,
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
+		emit   "fi\n";
+	    }
 	}
     }
 }

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_14';
+our $VERSION = '4.3_7';
 
 #
 # Notrack
@@ -47,12 +47,12 @@ sub process_notrack_rule( $$$$$$ ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    ( my $zone, $source) = split /:/, $source, 2;
+    ( my $zone, $source) = split /:/, $source, 2;  
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'NOTRACK' ,
+	'-j NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;
@@ -76,25 +76,24 @@ sub process_notrack_rule( $$$$$$ ) {
 
 sub setup_notrack() {
 
-    if ( my $fn = open_file 'notrack' ) {
+    my $fn = open_file 'notrack';
 
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
 
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
 
-	while ( read_a_line ) {
+    while ( read_a_line ) {
 
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
 
-	    if ( $source eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
-	    }
+	if ( $source eq 'COMMENT' ) {
+	    process_comment;
+	} else {
+	    process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
 	}
-
-	clear_comment;
     }
+
+    clear_comment;
 }
 
 1;

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_14';
+our $VERSION = '4.3_7';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
@@ -83,10 +83,10 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
-		unless ( have_ipsec ) {
+		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
+	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
+	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 
@@ -277,23 +277,22 @@ sub setup_tunnels() {
     #
     # Setup_Tunnels() Starts Here
     #
-    if ( my $fn = open_file 'tunnels' ) {
+    my $fn = open_file 'tunnels';
 
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
 
-	while ( read_a_line ) {
+    while ( read_a_line ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
 
-	    if ( $kind eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    }
+	if ( $kind eq 'COMMENT' ) {
+	    process_comment;
+	} else {
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	}
-
-	clear_comment;
     }
+
+    clear_comment;
 }
 
 1;

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,6 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
-#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -45,6 +44,7 @@ use Shorewall::Compiler;
 use Getopt::Long;
 
 sub usage( $ ) {
+    my $returnval = shift @_;
 
     print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]
 
@@ -58,11 +58,10 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
-    [ --preview ]
     [ --family={4|6} ]
 ';
 
-    exit shift @_;
+    $returnval;
 }
 
 #
@@ -79,7 +78,6 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
-my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -100,7 +98,6 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
-			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -108,15 +105,14 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( script          => $ARGV[0] || '',
-	  directory       => $shorewall_dir,
-	  verbosity       => $verbose,
+compiler( object          => defined $ARGV[0] ? $ARGV[0] : '', 
+	  directory       => $shorewall_dir, 
+	  verbosity       => $verbose, 
 	  timestamp       => $timestamp,
-	  debug           => $debug,
+	  debug           => $debug, 
 	  export          => $export,
 	  chains          => $chains,
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
-	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/getparams

@@ -1,35 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-. /usr/share/shorewall/lib.base
-. /usr/share/shorewall/lib.cli
-
-CONFIG_PATH="$2"
-
-set -a
-
-. $1 >&2 # Avoid spurious output on STDOUT
-
-set +a
-
-export -p

Shorewall/Perl/prog.footer

@@ -1,20 +1,288 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IPTABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset 
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
+    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
     exit $1
 }
 ################################################################################
@@ -23,7 +291,7 @@ usage() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ]; then
+if [ $# -gt 1 ]; then 
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
@@ -32,23 +300,10 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -71,78 +326,17 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
+			VERBOSE=$(($VERBOSE + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
+			VERBOSE=$(($VERBOSE - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
 		    *)
 			usage 1
 			;;
@@ -158,15 +352,16 @@ done
 
 COMMAND="$1"
 
+[ -n "${PRODUCT:=Shorewall}" ]
+
 case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    error_message "$g_product is already Running"
+	    error_message "$PRODUCT is already Running"
 	    status=0
 	else
-	    progress_message3 "Starting $g_product...."
-	    detect_configuration
+	    progress_message3 "Starting $PRODUCT...."
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -175,8 +370,7 @@ case "$COMMAND" in
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
-	detect_configuration
+	progress_message3 "Stopping $PRODUCT...."
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -184,7 +378,7 @@ case "$COMMAND" in
 	;;
     reset)
 	if ! shorewall_is_started ; then
-	    error_message "$g_product is not running"
+	    error_message "$PRODUCT is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
 	    $IPTABLES -Z
@@ -192,7 +386,7 @@ case "$COMMAND" in
 	    $IPTABLES -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
-	    progress_message3 "$g_product Counters Reset"
+	    progress_message3 "$PRODUCT Counters Reset"
 	else
 	    shift
 	    status=0
@@ -214,14 +408,12 @@ case "$COMMAND" in
     restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Restarting $g_product...."
+	    progress_message3 "Restarting $PRODUCT...."
 	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
+	    error_message "$PRODUCT is not running"
+	    progress_message3 "Starting $PRODUCT...."
 	fi
 
-	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -232,19 +424,17 @@ case "$COMMAND" in
     refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    detect_configuration
+	    progress_message3 "Refreshing $PRODUCT...."
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
 	else
-	    echo "$g_product is not running" >&2
+	    echo "$PRODUCT is not running" >&2
 	    status=2
 	fi
 	;;
     restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -253,30 +443,28 @@ case "$COMMAND" in
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
+	progress_message3 "Clearing $PRODUCT...."
 	clear_firewall
 	status=0
-	if [ -n "$SUBSYSLOCK" ]; then
-	    rm -f $SUBSYSLOCK
-	fi
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	progress_message3 "done."
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started; then
-	    echo "$g_product is running"
+	    echo "$PRODUCT is running"
 	    status=0
 	else
-	    echo "$g_product is stopped"
+	    echo "$PRODUCT is stopped"
 	    status=4
 	fi
 
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -286,16 +474,9 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
-	;;
     version)
 	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
+	echo $VERSION
 	status=0
 	;;
     help)

Shorewall/Perl/prog.footer6

@@ -1,42 +1,258 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset 
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 #
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
+    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
     exit $1
 }
-
-checkkernelversion() {
-    local kernel
-
-    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-
-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
-    else
-	return 0
-    fi
-}
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 #
 # Start trace if first arg is "debug" or "trace"
 #
-if [ $# -gt 1 ]; then
+if [ $# -gt 1 ]; then 
     if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
@@ -45,23 +261,10 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -84,77 +287,19 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
+			VERBOSE=$(($VERBOSE + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
+			VERBOSE=$(($VERBOSE - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
+		    *)
+			usage 1
 			;;
 		esac
 	    done
@@ -168,46 +313,45 @@ done
 
 COMMAND="$1"
 
+[ -n "${PRODUCT:=Shorewall6}" ]
 
-case "$COMMAND" in
-    start)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    error_message "$g_product is already Running"
-	    status=0
-	else
-	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
+kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+if [ $kernel -lt 20624 ]; then
+    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
+    status=2
+else 
+    case "$COMMAND" in
+	start)
+	    [ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
+		error_message "$PRODUCT is already Running"
+		status=0
+	    else
+		progress_message3 "Starting $PRODUCT...."
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
 		progress_message3 "done."
 	    fi
-	fi
-	;;
-    stop)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
+	    ;;
+	stop)
+	    [ $# -ne 1 ] && usage 2
+	    progress_message3 "Stopping $PRODUCT...."
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
-	fi
-	;;
-    reset)
-	if ! shorewall6_is_started ; then
-	    error_message "$g_product is not running"
-	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
+	    ;;
+	reset)
+	    if ! shorewall6_is_started ; then
+		error_message "$PRODUCT is not running"
+		status=2
+	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
-		progress_message3 "$g_product Counters Reset"
+		progress_message3 "$PRODUCT Counters Reset"
 	    else
 		shift
 		status=0
@@ -225,110 +369,89 @@ case "$COMMAND" in
 		    fi
 		done
 	    fi
-	fi
-	;;
-    restart)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Restarting $g_product...."
-	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
-	fi
+	    ;;
+	restart)
+	    [ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
+		progress_message3 "Restarting $PRODUCT...."
+	    else
+		error_message "$PRODUCT is not running"
+		progress_message3 "Starting $PRODUCT...."
+	    fi
 
-	if checkkernelversion; then
-	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
  		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
             fi
 	    progress_message3 "done."
-	fi
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
+	    ;;
+	refresh)
+	    [ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
+		progress_message3 "Refreshing $PRODUCT...."
 		define_firewall
 		status=$?
 		progress_message3 "done."
+	    else
+		echo "$PRODUCT is not running" >&2
+		status=2
 	    fi
-	else
-	    echo "$g_product is not running" >&2
-	    status=2
-	fi
-	;;
-    restore)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    detect_configuration
+	    ;;
+	restore)
+	    [ $# -ne 1 ] && usage 2
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
  		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
             fi
-	fi
-	;;
-    clear)
-	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
+	    ;;
+	clear)
+	    [ $# -ne 1 ] && usage 2
+	    progress_message3 "Clearing $PRODUCT...."
 	    clear_firewall
 	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
-	fi
-	;;
-    status)
-	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
-	if shorewall6_is_started; then
-	    echo "$g_product is running"
-	    status=0
-	else
-	    echo "$g_product is stopped"
-	    status=4
-	fi
+	    ;;
+	status)
+	    [ $# -ne 1 ] && usage 2
+	    echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	    echo
+	    if shorewall6_is_started; then
+		echo "$PRODUCT is running"
+		status=0
+	    else
+		echo "$PRODUCT is stopped"
+		status=4
+	    fi
 
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
-	;;
-    version)
-	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
-	status=0
-	;;
-    help)
-	[ $# -ne 1 ] && usage 2
-	usage 0
-	;;
-    *)
-	usage 2
-	;;
-esac
+	    if [ -f ${VARDIR}/state ]; then
+		state="$(cat ${VARDIR}/state)"
+		case $state in
+		    Stopped*|Clear*)
+			status=3
+			;;
+		esac
+	    else
+		state=Unknown
+	    fi
+	    echo "State:$state"
+	    echo
+	    ;;
+	version)
+	    [ $# -ne 1 ] && usage 2
+	    echo $VERSION
+	    status=0
+	    ;;
+	help)
+	    [ $# -ne 1 ] && usage 2
+	    usage 0
+	    ;;
+	*)
+	    usage 2
+	    ;;
+    esac
+fi
 
 exit $status

Shorewall/Perl/prog.header

@@ -1,18 +1,11 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -29,6 +22,14 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -37,12 +38,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -53,12 +54,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 0 ]; then
+    if [ $LOG_VERBOSE -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -69,17 +70,93 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+qt1()
+{
+    local status
+
+    while [ 1 ]; do
+	"$@" >/dev/null 2>&1
+	status=$?
+	[ $status -ne 4 ] && return $status
+    done
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall_is_started() {
+    qt1 $IPTABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
 #
 # Set a standard chain's policy
 #
@@ -89,17 +166,272 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 
 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv4 address
+# Flush one of the NAT table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushnat() # $1 = name of chain
+{
+    run_iptables -t nat -F $1
+}
+
+#
+# Flush one of the Mangle table chains
+#
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmetic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
+#
+
+LEFTSHIFT='<<'
+
+#
+# Convert an IP address in dot quad format to an integer
+#
+decodeaddr() {
+    local x
+    local temp
+    temp=0
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
+    done
+
+    echo $temp
+
+    IFS=$ifs
+}
+
+#
+# convert an integer to dot quad format
+#
+encodeaddr() {
+    addr=$1
+    local x
+    local y
+    y=$(($addr & 255))
+
+    for x in 1 2 3 ; do
+	addr=$(($addr >> 8))
+	y=$(($addr & 255)).$y
+    done
+
+    echo $y
+}
+
+#
+# Netmask from CIDR
+#
+ip_netmask() {
+    local vlsm
+    vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
+}
+
+#
+# Network address from CIDR
+#
+ip_network() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+
+    echo $(encodeaddr $(($decodedaddr & $netmask)))
+}
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+ip_broadcast() {
+    local x
+    x=$(( 32 - ${1#*/} ))
+
+    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
+}
+
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+    local broadcast
+    broadcast=$(ip_broadcast $1)
+
+    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
+}
+
+#
+# Test for network membership
+#
+in_network() # $1 = IP address, $2 = CIDR network
+{
+    local netmask
+    netmask=$(ip_netmask $2)
+    #
+    # Use string comparison to work around a broken BusyBox ash in OpenWRT
+    #
+    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IPTABLES -L $1 -n
 }
 
 #
@@ -202,6 +534,32 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Determine if Interface is up
 #
@@ -209,12 +567,45 @@ interface_is_up() {
     [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -267,6 +658,71 @@ get_interface_bcasts() # $1 = interface
     $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
 #
 # Delete IP address
 #
@@ -419,6 +875,16 @@ disable_ipv6() {
     fi
 }
 
+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
 #
 # Clear the current traffic shaping configuration
 #
@@ -484,7 +950,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$g_noroutes"  ]; then
+    if [ -z "$NOROUTES"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -508,12 +974,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1
 
 	while read route ; do
@@ -552,6 +1017,25 @@ restore_default_route() {
     return $result
 }
 
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(mywhich echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -574,11 +1058,11 @@ find_mac() # $1 = IP address, $2 = interface
 }
 
 #
-# Flush the conntrack table if $g_purge is non-empty
+# Flush the conntrack table if $PURGE is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$g_purge" ]; then
+    if [ -n "$PURGE" ]; then
 	if [ -n $(mywhich conntrack) ]; then
             conntrack -F
 	else
@@ -587,262 +1071,6 @@ conditionally_flush_conntrack() {
     fi
 }
 
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-
-	rm -f ${VARDIR}/proxyarp
-    fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-    qt $IPTABLES -t raw -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IP6TABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -1,18 +1,11 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -29,6 +22,14 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -37,12 +38,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -53,12 +54,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -gt 0 ]; then
+    if [ $LOG_VERBOSE -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -69,17 +70,117 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+qt1()
+{
+    local status
+
+    while [ 1 ]; do
+	"$@" >/dev/null 2>&1
+	status=$?
+	[ $status -ne 4 ] && return $status
+    done
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
 #
 # Set a standard chain's policy
 #
@@ -89,17 +190,152 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 
 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 
 #
-# Generate a list of all network interfaces on the system that have an ipv6 address
+# Flush one of the Mangle table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall6
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IP6TABLES -L $1 -n
 }
 
 #
@@ -164,11 +400,71 @@ find_default_interface() {
     done
 }
 
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
 }
 
 #
@@ -176,7 +472,6 @@ interface_is_up() {
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 
@@ -283,7 +578,7 @@ convert_to_anycast() {
     local l
 
     while read address; do
-	case $address in
+	case $address in 
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
@@ -331,7 +626,7 @@ convert_to_anycast() {
 			badress=$address
 		    fi
 		    #
-		    # Note: at this point $address and $badress are the same except possibly for
+		    # Note: at this point $address and $badress are the same except possibly for 
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
@@ -368,7 +663,7 @@ convert_to_anycast() {
 
 #
 # Generate a list of anycast addresses for a given interface
-#
+# 
 
 get_interface_acasts() # $1 = interface
 {
@@ -386,6 +681,71 @@ get_all_acasts()
     find_interface_full_addresses | convert_to_anycast | sort -u
 }
 
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
 #
 # Detect the gateway through an interface
 #
@@ -411,6 +771,20 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
 delete_tc1()
 {
     clear_one_tc() {
@@ -472,7 +846,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$g_noroutes"  ]; then
+    if [ -z "$NOROUTES"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -496,12 +870,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1
 
 	while read route ; do
@@ -560,11 +933,11 @@ find_echo() {
 }
 
 #
-# Flush the conntrack table if $g_purge is non-empty
+# Flush the conntrack table if $PURGE is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$g_purge" ]; then
+    if [ -n "$PURGE" ]; then
 	if [ -n $(which conntrack) ]; then
             conntrack -F
 	else
@@ -573,239 +946,6 @@ conditionally_flush_conntrack() {
     fi
 }
 
-#
-# Clear Proxy NDP
-#
-delete_proxyndp() {
-    if [ -f ${VARDIR}/proxyndp ]; then
-	while read address interface external haveroute; do
-	    qt $IP -6 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
-	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyndp
-
-	rm -f ${VARDIR}/proxyndp
-    fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-    qt $IP6TABLES -t raw -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/action.template

@@ -16,11 +16,184 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
-# Columns are the same as in /etc/shorewall/rules.
+# Columns are:
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#
+#	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>
+#			or a previously-defined <action>
+#
+#				ACCEPT	 -- allow the connection request
+#				DROP	 -- ignore the request
+#				REJECT	 -- disallow the request and return an
+#					    icmp-unreachable or an RST packet.
+#				LOG	 -- Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
+#					    application such as p2pwall.
+#				CONTINUE -- Stop processing this action and
+#					    return to the point where the
+#					    action was invoked.
+#				<action> -- An <action> defined in
+#					    /etc/shorewall/actions.
+#					    The <action> must appear in that
+#					    file BEFORE the one being defined
+#					    in this file.
+#				<macro>	 -- The name of a macro defined in a
+#					    file named macro.<macro-name>. If
+#					    the macro accepts an action
+#					    parameter (Look at the macro
+#					    source to see if it has PARAM in
+#					    the TARGET column) then the macro
+#					    name is followed by "/" and the
+#					    action (ACCEPT, DROP, REJECT, ...)
+#					    to be substituted for the
+#					    parameter. Example: FTP/ACCEPT.
+#
+#			The TARGET may optionally be followed
+#			by ":" and a syslog log level (e.g, REJECT:info or
+#			ACCEPT:debugging). This causes the packet to be
+#			logged at the specified level.
+#
+#			The special log level 'none' does not result in logging
+#			but rather exempts the rule from being overridden by a
+#			non-forcing log level when the action is invoked.
+#
+#			You may also specify ULOG (must be in upper case) as a
+#			log level.This will log to the ULOG target for routing
+#			to a separate log through use of ulogd
+#			(http://www.gnumonks.org/projects/ulogd).
+#
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
+#	SOURCE		Source hosts to which the rule applies.
+#			A comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
+#
+#			192.168.2.2		Host 192.168.2.2
+#
+#			155.186.235.0/24	Subnet 155.186.235.0/24
+#
+#			10.0.0.4-10.0.0.9	Range of IP addresses; your
+#						kernel and iptables must have
+#						iprange match support.
+#
+#			+remote			The name of an ipset prefaced
+#						by "+". Your kernel and
+#						iptables must have set match
+#						support
+#
+#			+remote[4]		The name of the ipset may
+#						followed by a number of
+#						levels of ipset bindings
+#						enclosed in square brackets.
+#
+#			192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2.
+#			~00-A0-C9-15-39-78	Host with
+#						MAC address 00:A0:C9:15:39:78.
+#
+#			Alternatively, clients may be specified by interface
+#			name. For example, eth1 specifies a
+#			client that communicates with the firewall system
+#			through eth1. This may be optionally followed by
+#			another colon (":") and an IP/MAC/subnet address
+#			as described above (e.g., eth1:192.168.1.5).
+#
+#	DEST		Location of destination host. Same as above with
+#			the exception that MAC addresses are not allowed and
+#			that you cannot specify an ipset name in both the
+#			SOURCE and DEST columns.
+#
+#	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
+#			"ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
+#
+#			"tcp:syn" implies "tcp" plus the SYN flag must be
+#			set and the RST, ACK and FIN flags must be reset.
+#
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
+#			names (from /etc/services), port numbers or port
+#			ranges; if the protocol is "icmp", this column is
+#			interpreted as the destination icmp-type(s).
+#
+#			A port range is expressed as <low port>:<high port>.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following fields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ADDRESS in the next column, then place "-"
+#			in this column.
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			where <rate> is the number of connections per
+#			<interval> ("sec" or "min") and <burst> is the
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
+#
+#				Example: 10/sec:20
+#
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
+#			the firewall itself.
+#
+#			The column may contain:
+#
+#	[!][<user name or number>][:<group name or number>][+<program name>]
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
+#
+#			Examples:
+#
+#				joe	#program must be run by joe
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named upnpd (This feature was
+#					#removed from Netfilter in kernel
+#					#version 2.6.14).
+#
+###############################################################################
+#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP

Shorewall/changelog.txt

@@ -1,549 +1,22 @@
-Changes in Shorewall 4.4.16.1
+Changes in Shorewall 4.4.0.3
 
-1)  Fix empty variable handling where /bin/sh is bash
+1) Fix rule generated by MULTICAST=Yes
 
-Changes in Shorewall 4.4.16 RC 1
+Changes in Shorewall 4.4.0.2
 
-1) Fix logging for jump to nat chain.
+1)  Fix MULTICAST=Yes and ACCEPT policy.
 
-2) Minor code refactoring.
+2)  Allow extension of zone definition with nets=.
 
-Changes in Shorewall 4.4.16 Beta 8
+3)  Don't allow nets= in a multi-zone interface definition.
 
-1)  Complete parameterized actions.
+Changes in Shorewall 4.4.0.1
 
-2)  Fix issue in expand_rule().
+1)  Updated release versions.
 
-3)  Eliminate Actions module.
+2)  Fix log level in rules at the end of INPUT and OUTPUT
 
-4)  Eliminate process_actions3().
-
-5)  Validate BLACKLIST_DISPOSITION.
-
-Changes in Shorewall 4.4.16 Beta 7
-
-1)  Parameterized actions.
-
-Changes in Shorewall 4.4.16 Beta 6
-
-1)  Don't let root match wildcard.
-
-2)  Fix use of wildcard names in the notrack file.
-
-3)  Fix use of wildcard names in the proxyarp file
-
-4)  Prevent perl runtime warnings with cached interface entries.
-
-Changes in Shorewall 4.4.16 Beta 5
-
-1)  Fix broken logical naming with Proxy ARP.
-
-2)  Add support for proxyndp.
-
-3)  Move mid-level rule processing to the Actions module.
-
-4)  Implement format-2 actions.
-
-5)  Allow DNAT and REDIRECT in actions.
-
-6)  Remove kludgy restrictions regarding Macros and Actions.
-
-Changes in Shorewall 4.4.16 Beta 4
-
-1)  Only issue get_params() warnings under 'trace'
-
-2)  Add ppp support to Shorewall-init
-
-Changes in Shorewall 4.4.16 Beta 3
-
-1)  Integrate bug catcher into 'trace' and correct handling of
-    getparams on old (RHEL 5) shells.
-
-Changes in Shorewall 4.4.16 Beta 2
-
-1)  Install bug catcher.
-
-Changes in Shorewall 4.4.16 Beta 1
-
-1)  Handle multi-line ENV values
-
-2)  Fix for absent params file.
-
-Changes in Shorewall 4.4.15
-
-1)  Add macros from Tuomo Soini.
-
-2)  Corrected macro.JAP.
-
-3)  Added fatal_error() functions to the -lite CLIs.
-
-RC 1
-
-1)  Another Perl 5.12 warning.
-
-2)  Avoid anomalous behavior regarding syn flood chains.
-
-3)  Add HEADERS column for IPv6
-
-Beta 2
-
-1)  Tweaks to IPv6 tcfilters
-
-2)  Add support for explicit provider routes
-
-3)  Fix shared TC tcfilters handling.
-
-Beta 1
-
-1)  Handle exported VERBOSE.
-
-2)  Modernize handling of the params file.
-
-3)  Fix NULL_ROUTE_RFC1918
-
-4)  Fix problem of appending incorrect files.
-
-5)  Implement shared TC.
-
-Changes in Shorewall 4.4.14
-
-1)  Support ipset lists.
-
-2)  Use conntrack in 'shorewall connections'
-
-3)  Clean up Shorewall6 error messages when running on a kernel <
-    2.6.24
-
-4)  Clean up ipset related error reporting out of validate_net().
-
-5)  Dramatically reduce the amount of CPU time spent in optimization.
-
-6)  Add 'scfilter' script.
-
-7)  Fix -lite init scripts.
-
-8)  Clamp VERBOSITY to valid range.
-
-9)  Delete obsolete options from shorewall.conf.
-
-10) Change value of FORWARD_CLEAR_MARK in *.conf.
-
-11) Use update-rc.d to install init symlinks.
-
-12) Fix split_list().
-
-13) Fix 10+ TC Interfaces.
-
-14) Insure that VERBOSITY=0 when interrogating compiled script's version
-
-Changes in Shorewall 4.4.13
-
-1)  Allow zone lists in rules SOURCE and DEST.
-
-2)  Fix exclusion in the blacklist file.
-
-3)  Correct several old exclusion bugs.
-
-4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
-
-5)  Re-implement optional interface handling.
-
-6)  Add secmark config file.
-
-7)  Split in and out blacklisting.
-
-8)  Correct handling of [{src|dst},...] in ipset invocation
-
-9)  Correct SAME.
-
-10) TC Enhancements:
-
-    <burst> in IN-BANDWIDTH columns.
-    OUT-BANDWIDTH column in tcinterfaces.
-
-11) Create dynamic zone ipsets on 'start'.
-
-12) Remove new blacklisting implementation.
-
-13) Implement an alternative blacklisting scheme.
-
-14) Use '-m state' for UNTRACKED.
-
-15) Clear raw table on 'clear'
-
-16) Correct port-range check in tcfilters.
-
-17) Disallow '*' in interface names.
-
-Changes in Shorewall 4.4.12
-
-1)  Fix IPv6 shorecap program.
-
-2)  Eradicate incorrect IPv6 Multicast Network
-
-3)  Add ADD/DEL support.
-
-4)  Allow :random to work with REDIRECT
-
-5)  Add per-ip log rate limiting.
-
-6)  Use new hashlimit match syntax if available.
-
-7)  Add Universal sample.
-
-8)  Add COMPLETE option.
-
-9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
-
-10) Support new set match syntax.
-
-11) Blacklisting by DEST IP.
-
-12) Fix duplicate rule generation with 'any'.
-
-13) Fix port range editing problem.
-
-14) Display the .conf file directory in response to the status command.
-
-15)  Correct AUTOMAKE
-
-Changes in Shorewall 4.4.11
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-3)  Fix start priority of shorewall-init on Debian
-
-4)  Make IPv6 log and connections output readable.
-
-5)  Add REQUIRE_INTERFACE to shorewall*.conf
-
-6)  Avoid run-time warnings when options are not listed in
-    shorewall.conf.
-
-7)  Implement Vserver zones.
-
-8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
-    hosts file.
-
-9)  Add CLEAR_FORWARD_MARK option.
-
-10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
-
-11) Add PERL option.
-
-12) Fix nets= in Shorewall6
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
-Changes in Shorewall 4.4.9
-
-1)  Auto-detection of bridges.
-
-2)  Correct handling of a logical interface name in the EXTERNAL column
-    of proxyarp.
-
-3)  More robust 'trace'.
-
-4)  Added IPv6 mDNS macro.
-
-5)  Fix find_first_interface_address() error reporting.
-
-6)  Fix propagation of zero-valued config variables.
-
-7)  Fix OPTIMIZE 4 bug.
-
-8)  Deallocate unused rules.
-
-9)  Keep rule arrays compressed during optimization.
-
-10) Remove remaining fallback scripts.
-
-11) Rationalize startup logs.
-
-12) Optimize 8.
-
-13) Don't create output chains for BPORT zones.
-
-14) Implement 'show log ip-addr' in /sbin/shorewall and
-    /sbin/shorewall-lite/
-
-15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
-
-16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
-
-17) Set IP before sourcing the params file.
-
-18) Fix rare optimization bug.
-
-19) Allow definition of an addressless bridge without a zone.
-
-20) In the routestopped file, assume 'routeback' if the interface has
-    'routeback'.
-
-21) Make Shorewall and Shorewall6 installable on OS X.
-
-Changes in Shorewall 4.4.8
-
-1)  Correct handling of RATE LIMIT on NAT rules.
-
-2)  Don't create a logging chain for rules with '-j RETURN'.
-
-3)  Avoid duplicate SFQ class numbers.
-
-4)  Fix low per-IP rate limits.
-
-5)  Fix Debian init script exit status
-
-6)  Fix NFQUEUE(queue-num) in policy
-
-7)  Implement -s option in install.sh
-
-8)  Add HKP Macro
-
-9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
-
-10) Eliminate up-cased variable names that aren't documented options.
-
-11) Don't show 'OLD' capabilities if they are not available.
-
-12) Attempt to flag use of '-' as a port-range separator.
-
-13) Add undocumented OPTIMIZE=-1 setting.
-
-14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
-    default optimizations.
-
-15) Add support for UDPLITE
-
-16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
-
-17) Issue warnings when 'blacklist' but no blacklist file entries.
-
-18) Don't optimize 'blacklst'.
-
-Changes in Shorewall 4.4.7
-
-1)  Backport optimization changes from 4.5.
-
-2)  Backport two new options from 4.5.
-
-3)  Backport TPROXY from 4.5
-
-4)  Add TC_PRIOMAP to shorewall*.conf
-
-5)  Implement LOAD_HELPERS_ONLY
-
-6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
-
-7)  Fix case where MARK target is unavailable.
-
-8)  Change default to ADD_IP_ALIASES=No
-
-9)  Correct defects in generate_matrix().
-
-10) Fix and optimize 'nosmurfs'.
-
-11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
-
-Changes in Shorewall 4.4.6
-
-1)  Fix for rp_filter and kernel 2.6.31.
-
-2)  Add a hack to work around a bug in Lenny + xtables-addons
-
-3)  Re-enable SAVE_IPSETS
-
-4)  Allow both <...> and [...] for IPv6 Addresses.
-
-5)  Port mark geometry change from 4.5.
-
-6)  Add Macro patch from Tuomo Soini
-
-7)  Add 'show macro' command.
-
-8)  Add -r option to check.
-
-9)  Port simplified TC from 4.5.
-
-Changes in Shorewall 4.4.5
-
-1)  Fix 15-port limit removal change.
-
-2)  Fix handling of interfaces with the 'bridge' option.
-
-3)  Generate error for port number 0
-
-4)  Allow zone::serverport in rules DEST column.
-
-5)  Fix 'show policies' in Shorewall6.
-
-6)  Auto-load tc modules.
-
-7)  Allow LOGFILE=/dev/null
-
-8)  Fix shorewall6-lite/shorecap
-
-9) Fix MODULE_SUFFIX.
-
-10) Fix ENHANCED_REJECT detection for IPv4.
-
-11) Fix DONT_LOAD vs 'reload -c'
-
-12) Fix handling of SOURCE and DEST vs macros.
-
-13) Remove silly logic in expand_rule().
-
-14) Add current and limit to Conntrack Table Heading.
-
-Changes in Shorewall 4.4.4
-
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
-
-2)  Fix access to uninitialized variable.
-
-3)  Add logrotate scripts.
-
-4)  Allow long port lists in /etc/shorewall/routestopped.
-
-5)  Implement 'physical' interface option.
-
-6)  Implement ZONE2ZONE option.
-
-7)  Suppress duplicate COMMENT warnings.
-
-8)  Implement 'show policies' command.
-
-9)  Fix route_rule suppression for down provider.
-
-10) Suppress redundant tests for provider availability in route rules
-    processing.
-
-11) Implement the '-l' option to the 'show' command.
-
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
-
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
-
-Changes in Shorewall 4.4.3
-
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
-
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
-
-3)  Rename 'object' to 'script' in compiler and config modules.
-
-4)  Correct RETAIN_ALIASES=No.
-
-5)  Fix detection of IP config.
-
-6)  Fix nested zones.
-
-7)  Move all function declarations from prog.footer to prog.header
-
-8)  Remove superfluous variables from generated script
-
-9)  Make 'track' the default.
-
-10)  Add TRACK_PROVIDERS option.
-
-11)  Fix IPv6 address parsing bug.
-
-12)  Add hack to work around iproute IPv6 bug in route handling
-
-13)  Correct messages issued when an optional provider is not usable.
-
-14)  Fix optional interfaces.
-
-15)  Add 'limit' option to tcclasses.
-
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
+3)  Correct handling of nested IPSEC chains.
 
 Changes in Shorewall 4.4.0
 
@@ -557,7 +30,7 @@ Changes in Shorewall 4.4.0
 
 5)  Fix 'upnpclient' with required interfaces.
 
-6)  Fix provider number in masq file.
+5)  Fix provider number in 
 
 Changes in Shorewall 4.4.0-RC2
 
@@ -763,8 +236,10 @@ Changes in Shorewall 4.3.5
 
 1)  Remove support for shorewall-shell.
 
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
+2)  Combine shorewall-common and shorewall-perl to product shorewall.
 
 3)  Add nets= OPTION in interfaces file.
 
+4)  Add SAME MARK/CLASSIFY target
+
 

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#################################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
+#####################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,5 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-
+#ADDRESS/SUBNET		PROTOCOL	PORT