Re-implement exclusion in CONTINUE/NONAT/ACCEPT+ rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/interfaces

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback,optional

Samples/Universal/policy

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+$FW	net	ACCEPT
+net	all	DROP

Samples/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples/Universal/shorewall.conf

@@ -0,0 +1,213 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#
+#  For information about the settings in this file, type "man shorewall.conf"
+#
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+MACLIST_LOG_LEVEL=info
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+LOG_MARTIANS=Yes
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IPTABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=On
+
+ADD_IP_ALIASES=No
+
+ADD_SNAT_ALIASES=No
+
+RETAIN_ALIASES=No
+
+TC_ENABLED=Internal
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+USE_DEFAULT_RT=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+MACLIST_DISPOSITION=REJECT
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples/one-interface/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs

Samples/one-interface/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT

Samples/one-interface/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/one-interface/shorewall.conf

@@ -34,17 +34,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -70,6 +68,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=Off
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -119,6 +119,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -191,6 +193,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/one-interface/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/three-interfaces/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians

Samples/three-interfaces/masq

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/three-interfaces/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/three-interfaces/routestopped

@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-

Samples/three-interfaces/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/three-interfaces/shorewall.conf

@@ -34,17 +34,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -70,6 +68,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -119,6 +119,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -137,7 +139,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -191,6 +193,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples/two-interfaces/interfaces

@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians

Samples/two-interfaces/masq

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\

Samples/two-interfaces/policy

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 

Samples/two-interfaces/routestopped

@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-

Samples/two-interfaces/rules

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP

Samples/two-interfaces/shorewall.conf

@@ -41,17 +41,15 @@ SHOREWALL_COMPILER=
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -77,6 +75,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -116,7 +116,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -126,6 +126,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -144,7 +146,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -198,6 +200,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/zones

@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS

Samples6/Universal/interfaces

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Interfaces File
+#
+# For information about entries in this file, type "man shorewall-interfaces"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
+#
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback
+

Samples6/Universal/policy

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Policy File
+#
+# For information about entries in this file, type "man shorewall-policy"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-policy.html
+#
+###############################################################################
+#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
+#				LEVEL	BURST		MASK
+fw	net	ACCEPT
+net	all	DROP
+

Samples6/Universal/rules

@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - Rules File
+#
+# For information on the settings in this file, type "man shorewall-rules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-rules.html
+#
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+SSH(ACCEPT)	net		$FW
+Ping(ACCEPT)	net		$FW

Samples6/Universal/shorewall6.conf

@@ -0,0 +1,168 @@
+###############################################################################
+#
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+#
+#  For information about the settings in this file, type "man shorewall6.conf"
+#
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
+STARTUP_ENABLED=Yes
+
+###############################################################################
+#		              V E R B O S I T Y
+###############################################################################
+
+VERBOSITY=1
+
+###############################################################################
+#			       L O G G I N G
+###############################################################################
+
+LOGFILE=
+
+STARTUP_LOG=/var/log/shorewall6-init.log
+
+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
+TCP_FLAGS_LOG_LEVEL=info
+
+SMURF_LOG_LEVEL=info
+
+###############################################################################
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+###############################################################################
+
+IP6TABLES=
+
+IP=
+
+TC=
+
+IPSET=
+
+PERL=/usr/bin/perl
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+SHOREWALL_SHELL=/bin/sh
+
+SUBSYSLOCK=
+
+MODULESDIR=
+
+CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=
+
+###############################################################################
+#		D E F A U L T   A C T I O N S / M A C R O S
+###############################################################################
+
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"
+
+###############################################################################
+#                        R S H / R C P  C O M M A N D S
+###############################################################################
+
+RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+
+###############################################################################
+#			F I R E W A L L	  O P T I O N S
+###############################################################################
+
+IP_FORWARDING=Off
+
+TC_ENABLED=No
+
+TC_EXPERT=No
+
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No
+
+WIDE_TC_MARKS=Yes
+
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
+###############################################################################
+#			P A C K E T   D I S P O S I T I O N
+###############################################################################
+
+BLACKLIST_DISPOSITION=DROP
+
+TCP_FLAGS_DISPOSITION=DROP
+
+#LAST LINE -- DO NOT REMOVE

Samples6/Universal/zones

@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Zones File
+#
+# For information about this file, type "man shorewall-zones"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-zones.html
+#
+###############################################################################
+#ZONE	TYPE		OPTIONS		IN			OUT
+#					OPTIONS			OPTIONS
+fw	firewall
+net	ip
+

Samples6/one-interface/shorewall6.conf

@@ -32,17 +32,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -139,7 +141,25 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
-###############################################################################
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
+##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 

Samples6/three-interfaces/interfaces

@@ -12,6 +12,6 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags
-loc     eth1            detect          tcpflags
-dmz     eth2            detect
+net     eth0            detect          tcpflags,forward=1
+loc     eth1            detect          tcpflags,forward=1
+dmz     eth2            detect		tcpflags,forward=1

Samples6/three-interfaces/shorewall6.conf

@@ -32,17 +32,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -139,6 +141,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/interfaces

@@ -12,5 +12,5 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags
-loc     eth1            detect          tcpflags
+net     eth0            detect          tcpflags,forward=1
+loc     eth1            detect          tcpflags,forward=1

Samples6/two-interfaces/shorewall6.conf

@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -32,17 +32,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 
 IP6TABLES=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -99,6 +99,8 @@ TC_ENABLED=No
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -111,7 +113,7 @@ ADMINISABSENTMINDED=Yes
 
 BLACKLISTNEWONLY=Yes
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 FASTACCEPT=No
 
@@ -139,6 +141,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=Yes
 
+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/COPYING

@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.

Shorewall-init/README.txt

@@ -0,0 +1 @@
+This is the Shorewall-init stable 4.4 branch of Git.

Shorewall-init/ifupdown.sh

@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+IFUPDOWN=0
+PRODUCTS=
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+if [ -f /etc/debian_version ]; then
+    #
+    # Debian ifupdown system
+    #
+    if [ "$MODE" = start ]; then
+	COMMAND=up
+    elif [ "$MODE" = stop ]; then
+	COMMAND=down
+    else
+	exit 0
+    fi
+
+    case "$PHASE" in
+	pre-*)
+	    exit 0
+	    ;;
+    esac
+elif [ -f /etc/SuSE-release ]; then
+    #
+    # SuSE ifupdown system
+    #
+    IFACE="$2"
+
+    case $0 in
+	*if-up.d*)
+	    COMMAND=up
+	    ;;
+	*if-down.d*)
+	    COMMAND=down
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+else
+    #
+    # Assume RedHat/Fedora/CentOS/Foobar/...
+    #
+    IFACE="$1"
+    
+    case $0 in 
+	*ifup*)
+	    COMMAND=up
+	    ;;
+	*ifdown*)
+	    COMMAND=down
+	    ;;
+	*dispatcher.d*)
+	    COMMAND="$2"
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+fi
+
+for PRODUCT in $PRODUCTS; do
+    VARDIR=/var/lib/$PRODUCT
+    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
+    if [ -x $VARDIR/firewall ]; then
+	  ( . /usr/share/$PRODUCT/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
+	    mutex_off
+	  )
+    fi
+done
+
+exit 0

Shorewall-init/init.debian.sh

@@ -0,0 +1,146 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+### BEGIN INIT INFO
+# Provides:          shorewall-init
+# Required-Start:    $local_fs
+# X-Start-Before:    $network
+# Required-Stop:     $local_fs
+# X-Stop-After:      $network
+# Default-Start:     S
+# Default-Stop:      0 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time prior to
+#                    bringing up the network
+### END INIT INFO
+
+export VERBOSITY=0
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+echo_notdone () {
+  echo "not done."
+  exit 1
+}
+
+not_configured () {
+	echo "#### WARNING ####"
+	echo "the firewall won't be initialized unless it is configured"
+	if [ "$1" != "stop" ]
+	then
+		echo ""
+		echo "Please read about Debian specific customization in"
+		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
+	fi
+	echo "#################"
+	exit 0
+}
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/default/shorewall-init" ]
+then
+	. /etc/default/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		not_configured
+	fi
+else
+	not_configured
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local product
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
+	  #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  ( 
+	      . /usr/share/$product/lib.base
+	      #
+	      # Get mutex so the firewall state is stable
+	      #
+	      mutex_on
+	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/firewall stop || echo_notdone
+	      fi
+	      mutex_off
+	  )
+      fi
+  done
+
+  echo "done."
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local product
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
+	  ( . /usr/share/$product/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall clear || echo_notdone
+	    mutex_off
+	  )
+      fi
+  done
+
+  echo "done."
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  reload|force-reload)
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/init.sh

@@ -0,0 +1,104 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# chkconfig: - 09 91
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-start: $local_fs
+# Required-stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0

Shorewall-init/install.sh

@@ -0,0 +1,336 @@
+#!/bin/sh
+#
+# Script to install Shoreline Firewall Init
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+VERSION=4.4.13-Beta2
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    exit $1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+run_install()
+{
+    if ! install $*; then
+	echo
+	echo "ERROR: Failed to install $*" >&2
+	exit 1
+    fi
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+install_file() # $1 = source $2 = target $3 = mode
+{
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
+}
+
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
+#
+# Parse the run line
+#
+# DEST is the SysVInit script directory
+# INIT is the name of the script in the $DEST directory
+# ARGS is "yes" if we've already parsed an argument
+#
+ARGS=""
+
+if [ -z "$DEST" ] ; then
+	DEST="/etc/init.d"
+fi
+
+if [ -z "$INIT" ] ; then
+	INIT="shorewall-init"
+fi
+
+while [ $# -gt 0 ] ; do
+    case "$1" in
+	-h|help|?)
+	    usage 0
+	    ;;
+        -v)
+	    echo "Shorewall Init Installer Version $VERSION"
+	    exit 0
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+    shift
+    ARGS="yes"
+done
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# Determine where to install the firewall script
+#
+
+case $(uname) in
+    Darwin)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	T=
+	;;	
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
+if [ -n "$DESTDIR" ]; then
+    if [ `id -u` != 0 ] ; then
+	echo "Not setting file owner/group permissions, not running as root."
+	OWNERSHIP=""
+    fi
+    
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+elif [ -f /etc/debian_version ]; then
+    DEBIAN=yes
+elif [ -f /etc/SuSE-release ]; then
+    SUSE=Yes
+elif [ -f /etc/slackware-version ] ; then
+    echo "Shorewall-init is currently not supported on Slackware" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="rc.firewall"
+elif [ -f /etc/arch-release ] ; then
+    echo "Shorewall-init is currently not supported on Arch Linux" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="shorewall-init"
+#   ARCHLINUX=yes
+elif [ -d /etc/sysconfig/network-scripts/ ]; then
+    #
+    # Assume RedHat-based
+    #
+    REDHAT=Yes
+else
+    echo "Unknown distribution: Shorewall-init support is not available" >&2
+    exit 1
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Init Version $VERSION"
+
+#
+# Check for /usr/share/shorewall-init/version
+#
+if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
+    first_install=""
+else
+    first_install="Yes"
+fi
+
+#
+# Install the Init Script
+#
+if [ -n "$DEBIAN" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+#elif [ -n "$ARCHLINUX" ]; then
+#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+else
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+fi
+
+echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
+
+#
+# Create /usr/share/shorewall-init if needed
+#
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}/usr/share/shorewall-init
+
+#
+# Create the version file
+#
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+
+#
+# Remove and create the symbolic link to the init script
+#
+if [ -z "$DESTDIR" ]; then
+    rm -f /usr/share/shorewall-init/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
+fi
+
+if [ -n "$DEBIAN" ]; then
+    if [ -n "${DESTDIR}" ]; then
+	mkdir -p ${DESTDIR}/etc/network/if-up.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+    fi
+
+    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+	if [ -n "${DESTDIR}" ]; then
+	    mkdir ${DESTDIR}/etc/default
+	fi
+
+	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+    fi
+else
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/etc/sysconfig
+
+	if [ -z "$RPM" ]; then
+	    if [ -n "$SUSE" ]; then
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+	    else
+		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+	    fi
+	fi
+    fi
+
+    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
+	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
+    fi 
+fi
+
+#
+# Install the ifupdown script
+#
+
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
+
+install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
+
+if [ -d ${DESTDIR}/etc/NetworkManager ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+fi
+
+if [ -n "$DEBIAN" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+elif [ -n "$SUSE" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+elif [ -n "$REDHAT" ]; then
+    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+    else
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+    fi
+fi
+
+if [ -z "$DESTDIR" ]; then
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-init
+	    else
+		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    fi
+
+	    echo "Shorewall Init will start automatically at boot"
+	else
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall-init ; then
+		    echo "Shorewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+		if chkconfig --add shorewall-init ; then
+		    echo "Shorewall Init will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-init
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/rc-update ]; then
+		if rc-update add shorewall-init default; then
+		    echo "Shorewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+		cant_autostart
+	    fi
+	fi
+    fi
+else
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    if [ -n "${DESTDIR}" ]; then
+		mkdir -p ${DESTDIR}/etc/rcS.d
+	    fi
+
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
+	    echo "Shorewall Init will start automatically at boot"
+	fi
+    fi
+fi
+
+#
+#  Report Success
+#
+echo "shorewall Init Version $VERSION Installed"

Shorewall-init/shorewall-init.spec

@@ -0,0 +1,144 @@
+%define name shorewall-init
+%define version 4.4.13
+%define release 0Beta2
+
+Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: shoreline_firewall >= 4.4.10
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall Init is a companion product to Shorewall that allows for tigher
+control of connections during boot and that integrates Shorewall with
+ifup/ifdown and NetworkManager.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall-init;
+    fi
+fi
+
+if [ -f /etc/SuSE-release ]; then
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
+else
+    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
+	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
+	else
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+	fi
+    else
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+    fi
+
+    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
+	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
+    fi
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall-init
+    fi
+
+    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
+    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
+
+    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
+
+%attr(0544,root,root) /etc/init.d/shorewall-init
+%attr(0755,root,root) %dir /usr/share/shorewall-init
+
+%attr(0644,root,root) /usr/share/shorewall-init/version
+%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Tue May 18 2010 Tom Eastep tom@shorewall.net
+- Initial version
+
+
+

Shorewall-init/sysconfig

@@ -0,0 +1,12 @@
+# List the Shorewall products that Shorewall-init is to
+# initialize (space-separated list).
+#
+# Sample: PRODUCTS="shorewall shorewall6"
+#
+PRODUCTS=""
+
+#
+# Set this to 1 if you want Shorewall-init to react to 
+# ifup/ifdown and NetworkManager events
+#
+IFUPDOWN=0

Shorewall-init/uninstall.sh

@@ -0,0 +1,97 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.sourceforge.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=4.4.13-Beta2
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    exit $1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+if [ -f /usr/share/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall Init Version $VERSION is not installed"
+    VERSION=""
+fi
+
+echo "Uninstalling Shorewall Init $VERSION"
+
+INITSCRIPT=/etc/init.d/shorewall-init
+
+if [ -n "$INITSCRIPT" ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+        insserv -r $INITSCRIPT
+    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	chkconfig --del $(basename $INITSCRIPT)
+    else
+	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
+    fi
+
+    remove_file $INITSCRIPT
+fi
+
+[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
+[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
+
+remove_file /etc/default/shorewall-init
+remove_file /etc/sysconfig/shorewall-init
+
+remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
+
+remove_file /etc/network/if-up.d/shorewall
+remove_file /etc/network/if-down.d/shorewall
+
+remove_file /etc/sysconfig/network/if-up.d/shorewall
+remove_file /etc/sysconfig/network/if-down.d/shorewall
+
+rm -rf /usr/share/shorewall-init
+
+echo "Shorewall Init Uninstalled"
+
+

Shorewall-lite/README.txt

@@ -1 +1 @@
-This is the Shorewall-lite development 4.3 branch of SVN.
+This is the Shorewall-lite stable 4.4 branch of Git.

Shorewall-lite/default.debian

@@ -21,4 +21,16 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall-lite/fallback.sh

@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# Script to back out the installation of Shorewall Lite and to restore the previous version of
-# the program
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to back out the installation of the version
-#       shown below. Simply run this script to revert to your prior version of
-#       Shoreline Firewall.
-
-VERSION=4.4.2.5
-
-usage() # $1 = exit status
-{
-    echo "usage: $(basename $0)"
-    exit $1
-}
-
-restore_directory() # $1 = directory to restore
-{
-    if [ -d ${1}-${VERSION}.bkout ]; then
-	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
-	    echo
-	    echo "$1 restored"
-	    rm -rf ${1}-${VERSION}
-	else
-	    echo "ERROR: Could not restore $1"
-	    exit 1
-	fi
-    fi
-}
-
-restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
-{
-    if [ -n "$2" ]; then
-	local file
-	file=$(basename $1)
-
-	if [ -f $2/$file ]; then
-	    if mv -f $2/$file $1 ; then
-		echo
-		echo "$1 restored"
-		return
-	    fi
-
-	    echo "ERROR: Could not restore $1"
-	    exit 1
-        fi
-    fi
-
-    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
-	if (mv -f ${1}-${VERSION}.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    echo "ERROR: Could not restore $1"
-	    exit 1
-        fi
-    fi
-}
-
-if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
-    echo "Shorewall Version $VERSION is not installed"
-    exit 1
-fi
-
-echo "Backing Out Installation of Shorewall $VERSION"
-
-if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
-    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
-else
-    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
-fi
-
-restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
-
-restore_directory /etc/shorewall-lite
-restore_directory /usr/share/shorewall-lite
-restore_directory /var/lib/shorewall-lite
-
-echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
-
-

Shorewall-lite/init.debian.sh

@@ -2,8 +2,8 @@
 
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,9 +15,7 @@
 
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 
@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -44,6 +42,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {
@@ -89,7 +88,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
+      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.2.5
+VERSION=4.4.13-Beta2
 
 usage() # $1 = exit status
 {
@@ -82,15 +82,16 @@ delete_file() # $1 = file to delete
 
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $OWNERSHIP -m $3 $1 ${2}
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
-# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -103,10 +104,6 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 
-if [ -z "$RUNLEVELS" ] ; then
-	RUNLEVELS=""
-fi
-
 while [ $# -gt 0 ] ; do
     case "$1" in
 	-h|help|?)
@@ -131,10 +128,12 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
+INSTALLD='-D'
+T='-T'
 
 case $(uname) in
     CYGWIN*)
-	if [ -z "$PREFIX" ]; then
+	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -142,6 +141,10 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
+    Darwin)
+	INSTALLD=
+	T=
+	;;	   
     *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -150,14 +153,14 @@ esac
 
 OWNERSHIP="-o $OWNER -g $GROUP"
 
-if [ -n "$PREFIX" ]; then
+if [ -n "$DESTDIR" ]; then
     if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
     fi
     
-    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
-    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -179,173 +182,209 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
-    first_install=""
+if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
     [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
-    first_install="Yes"
-    rm -rf ${PREFIX}/etc/shorewall-lite
-    rm -rf ${PREFIX}/usr/share/shorewall-lite
-    rm -rf ${PREFIX}/var/lib/shorewall-lite
+    rm -rf ${DESTDIR}/etc/shorewall-lite
+    rm -rf ${DESTDIR}/usr/share/shorewall-lite
+    rm -rf ${DESTDIR}/var/lib/shorewall-lite
 fi
 
-delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
+#
+# Check for /sbin/shorewall-lite
+#
+if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+    first_install=""
+else
+    first_install="Yes"
+fi
 
-install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
+delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
 
-echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
+install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+
+echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
 
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
+    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 
 else
-    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
 fi
 
-echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
 
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${PREFIX}/etc/shorewall-lite
-mkdir -p ${PREFIX}/usr/share/shorewall-lite
-mkdir -p ${PREFIX}/var/lib/shorewall-lite
+mkdir -p ${DESTDIR}/etc/shorewall-lite
+mkdir -p ${DESTDIR}/usr/share/shorewall-lite
+mkdir -p ${DESTDIR}/var/lib/shorewall-lite
 
-chmod 755 ${PREFIX}/etc/shorewall-lite
-chmod 755 ${PREFIX}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/etc/shorewall-lite
+chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+
+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}/etc/logrotate.d
+    chmod 755 ${DESTDIR}/etc/logrotate.d
+fi
 
 #
 # Install the config file
 #
-if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
-   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
+   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
 fi
 
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
-echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
+echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
 
 #
 # Install the default config path file
 #
-install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
+install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
 
 #
 # Install the libraries
 #
 for f in lib.* ; do
     if [ -f $f ]; then
-	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
+	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
     fi
 done
 
-ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
 
-echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
 
 #
 # Install Shorecap
 #
 
-install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
 
 echo
-echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
 
 #
 # Install wait4ifup
 #
 
-install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
+if [ -f wait4ifup ]; then
+    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
 
-echo
-echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
+    echo
+    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
+fi
 
 #
 # Install the Modules file
 #
-run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
-echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
+
+if [ -f modules ]; then
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
+    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+fi
 
 #
 # Install the Man Pages
 #
 
-cd manpages
+if [ -d manpages ]; then
+    cd manpages
 
-for f in *.5; do
-    gzip -c $f > $f.gz
-    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
-    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
-done
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
 
-for f in *.8; do
-    gzip -c $f > $f.gz
-    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
-    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
-done
+    for f in *.5; do
+	gzip -c $f > $f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
+    done
 
-cd ..
+    for f in *.8; do
+	gzip -c $f > $f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
+    done
+
+    cd ..
+
+    echo "Man Pages Installed"
+fi
+
+if [ -d ${DESTDIR}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+fi
 
-echo "Man Pages Installed"
 
 #
 # Create the version file
 #
-echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
-chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
 
-if [ -z "$PREFIX" ]; then
+if [ -z "$DESTDIR" ]; then
     rm -f /usr/share/shorewall-lite/init
     ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
 
-if [ -z "$PREFIX" -a -n "$first_install" ]; then
-    if [ -n "$DEBIAN" ]; then
-	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-	ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	echo "Shorewall Lite will start automatically at boot"
-	touch /var/log/shorewall-init.log
-    else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-	    if insserv /etc/init.d/shorewall-lite ; then
-		echo "Shorewall Lite will start automatically at boot"
+if [ -z "$DESTDIR" ]; then
+    touch /var/log/shorewall-lite-init.log
+
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-lite
 	    else
+		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	    fi
+
+	    echo "Shorewall Lite will start automatically at boot"
+	else
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+		if chkconfig --add shorewall-lite ; then
+		    echo "Shorewall Lite will start automatically in run levels as follows:"
+		    chkconfig --list shorewall-lite
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/rc-update ]; then
+		if rc-update add shorewall-lite default; then
+		    echo "Shorewall Lite will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
-	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	    if chkconfig --add shorewall-lite ; then
-		echo "Shorewall Lite will start automatically in run levels as follows:"
-		chkconfig --list shorewall-lite
-	    else
-		cant_autostart
-	    fi
-	elif [ -x /sbin/rc-update ]; then
-	    if rc-update add shorewall-lite default; then
-		echo "Shorewall Lite will start automatically at boot"
-	    else
-		cant_autostart
-	    fi
-	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-	    cant_autostart
 	fi
     fi
 fi

Shorewall-lite/logrotate

@@ -0,0 +1,5 @@
+/var/log/shorewall-lite-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}

Shorewall-lite/shorecap

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,18 +48,19 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"
 
 . /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
-VERSION=$(cat /usr/share/shorewall-lite/version)
+SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
 
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 
-VERBOSE=0
+VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1

Shorewall-lite/shorewall-lite

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -95,7 +95,7 @@ get_config() {
 
     if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
     else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -117,8 +117,6 @@ get_config() {
 
     [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
 
-    export LOGFORMAT
-
     if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -132,8 +130,6 @@ get_config() {
 	fi
     fi
 
-    export IPTABLES
-
     if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -145,15 +141,20 @@ get_config() {
 
     validate_restorefile RESTOREFILE
 
-    export RESTOREFILE
-
     [ -n "${VERBOSITY:=2}" ]
 
-    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
 
-    export VERBOSE
+    g_hostname=$(hostname 2> /dev/null)
 
-    [ -n "${HOSTNAME:=$(hostname)}" ]
+    IP=$(mywhich ip 2> /dev/null)
+    if [ -z "$IP" ] ; then
+	echo "   ERROR: Can't find ip executable" >&2
+	exit 2
+    fi
+
+    IPSET=ipset
+    TC=tc
 
 }
 
@@ -161,13 +162,13 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $FIREWALL ]; then
+    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $FIREWALL ]; then
-	    echo "          $FIREWALL is a symbolic link to a" >&2
+	if [ -L $g_firewall ]; then
+	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $FIREWALL does not exist" >&2
+	    echo "          The file $g_firewall does not exist" >&2
 	fi
 	
 	exit 2
@@ -187,7 +188,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on
 
 	if [ -x ${LITEDIR}/firewall ]; then
-	    ${LITEDIR}/firewall $debugging start
+	    run_it ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -219,12 +220,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -248,36 +249,21 @@ start_command() {
 	    ;;
     esac
 
-    export NOROUTES
-
-    if [ -n "$FAST" ]; then
+    if [ -n "$g_fast" ]; then
 	if qt mywhich make; then
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
-	    make -qf ${CONFDIR}/Makefile || FAST=
+	    export RESTOREFILE
+	    make -qf ${CONFDIR}/Makefile || g_fast=
 	fi
 
-	if [ -n "$FAST" ]; then
+	if [ -n "$g_fast" ]; then
 
-	    RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $RESTOREPATH ]; then
-		if [ -x ${RESTOREPATH}-ipsets ]; then
-		    echo Restoring Ipsets...
-		    #
-		    # We must purge iptables to be sure that there are no
-		    # references to ipsets
-		    #
-		    iptables -F
-		    iptables -X
-		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
-		fi
+	    g_restorepath=${VARDIR}/$RESTOREFILE
 
+	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		$SHOREWALL_SHELL $RESTOREPATH restore
+		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $RESTOREPATH
+		progress_message3 Shorewall Lite restored from $g_restorepath
 	    else
 		do_it
 	    fi
@@ -313,12 +299,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -342,12 +328,10 @@ restart_command() {
 	    ;;
     esac
 
-    export NOROUTES
-
     [ -n "$nolock" ] || mutex_on
 
     if [ -x ${LITEDIR}/firewall ]; then
-	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
+	run_it ${LITEDIR}/firewall $debugging restart
 	rc=$?
     else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -366,13 +350,14 @@ usage() # $1 = exit status
 {
     echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
     echo "where <command> is one of:"
+    echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   clear"
+    echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   drop <address> ..."
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -381,7 +366,7 @@ usage() # $1 = exit status
     echo "   logwatch [<refresh interval>]"
     echo "   reject <address> ..."
     echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
     echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -389,23 +374,71 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
-    echo "   show dynamic <zone>"
-    echo "   show filter"
+    echo "   show filters"
     echo "   show ip"
-    echo "   show [ -m ] log"
-    echo "   show [ -x ] mangle|nat|raw"
-    echo "   show routing"
-    echo "   show tc"
+    echo "   show [ -m ] log [<regex>]"
+    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
+    echo "   show tc [ device ]"
     echo "   show vardir"
     echo "   show zones"
-    echo "   start [ -n ] [ -p ]"
+    echo "   start [ -f ] [ -p ] [ <directory> ]"
     echo "   stop"
     echo "   status"
-    echo "   version"
+    echo "   version [ -a ]"
     echo
     exit $1
 }
 
+version_command() {
+    local finished
+    finished=0
+    local all
+    all=
+    local product
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			a*)
+			    all=Yes
+			    option=${option#a}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -gt 0 ] && usage 1
+
+    echo $SHOREWALL_VERSION
+    
+    if [ -n "$all" ]; then
+	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
+	    if [ -f /usr/share/$product/version ]; then
+		echo "$product: $(cat /usr/share/$product/version)"
+	    fi
+	done
+    fi
+}
+
 #
 # Execution begins here
 #
@@ -423,14 +456,13 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
     shift
 fi
 
-IPT_OPTIONS="-nv"
-FAST=
-VERBOSE_OFFSET=0
-USE_VERBOSITY=
-NOROUTES=
-EXPORT=
-export TIMESTAMP=
-noroutes=
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_noroutes=
+g_timestamp=
+g_recovering=
 
 finished=0
 
@@ -449,48 +481,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			IPT_OPTIONS="-xnv"
+			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			FAST=Yes
+			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				USE_VERBOSITY=-1
+				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
-				USE_VERBOSITY=0
+				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
-				USE_VERBOSITY=1
+				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
-				USE_VERBOSITY=2
+				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
-				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				USE_VERBOSITY=
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
-			TIMESTAMP=Yes
+			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -515,12 +547,11 @@ if [ $# -eq 0 ]; then
 fi
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-export PATH
 MUTEX_TIMEOUT=
 
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-export PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"
 
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
 
@@ -528,17 +559,10 @@ export PRODUCT="Shorewall Lite"
 
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
 
-LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
-VERSION_FILE=$SHAREDIR/version
-HELP=$SHAREDIR/help
+version_file=$SHAREDIR/version
 
-for library in $LIBRARIES; do
-    if [ -f $library ]; then
-	. $library
-    else
-	echo "Installation error: $library does not exist!" >&2
-	exit 2
-    fi
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
 done
 
 ensure_config_path
@@ -558,7 +582,6 @@ else
 fi
 
 ensure_config_path
-export CONFIG_PATH
 
 LITEDIR=${VARDIR}
 
@@ -566,17 +589,17 @@ LITEDIR=${VARDIR}
 
 get_config
 
-FIREWALL=$LITEDIR/firewall
+g_firewall=$LITEDIR/firewall
 
-if [ -f $VERSION_FILE ]; then
-    version=$(cat $VERSION_FILE)
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
 else
     echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $VERSION_FILE does not exist" >&2
+    echo "          The file $version_file does not exist" >&2
     exit 1
 fi
 
-banner="Shorewall Lite $version Status at $HOSTNAME -"
+banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
 
 case $(echo -e) in
     -e*)
@@ -605,15 +628,12 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|clear)
+    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	export NOROUTES
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
-	;;
-    reset)
-	verify_firewall_script
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
+	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $debugging $COMMAND
+	[ -n "$nolock" ] || mutex_off
 	;;
     restart)
 	shift
@@ -626,7 +646,7 @@ case "$COMMAND" in
     status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
+	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -639,7 +659,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Clear*)
+		Stopped*|Closed*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -660,7 +680,8 @@ case "$COMMAND" in
 	hits_command $@
 	;;
     version)
-	echo $version Lite
+	shift
+	version_command $@
 	;;
     logwatch)
 	logwatch_command $@
@@ -729,7 +750,7 @@ case "$COMMAND" in
 	    ;;
 	esac
 
-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	[ "$nolock" ] || mutex_on
 
@@ -751,20 +772,15 @@ case "$COMMAND" in
 	esac
 
 
-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE
 
-	if [ -x $RESTOREPATH ]; then
-
-	    if [ -x ${RESTOREPATH}-ipsets ]; then
-		rm -f ${RESTOREPATH}-ipsets
-		echo "    ${RESTOREPATH}-ipsets removed"
-	    fi
-
-	    rm -f $RESTOREPATH
-	    rm -f ${RESTOREPATH}-iptables
-	    echo "    $RESTOREPATH removed"
-	elif [ -f $RESTOREPATH ]; then
-	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
+	if [ -x $g_restorepath ]; then
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;

Shorewall-lite/shorewall-lite.conf

@@ -4,12 +4,11 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall-lite
-#
-#  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#  For information about the settings in this file, type
+#  "man shorewall-lite.conf"
 #
+#  Manpage also online at
+#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.2
-%define release 5
+%define version 4.4.13
+%define release 0Beta2
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,6 +14,7 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
+Provides: shoreline_firewall = %{version}-%{release}
 
 %description
 
@@ -31,7 +32,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build
 
 %install
-export PREFIX=$RPM_BUILD_ROOT ; \
+export DESTDIR=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -79,6 +80,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 
+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
 %attr(0755,root,root) /sbin/shorewall-lite
 
 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -86,6 +89,7 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
@@ -98,16 +102,102 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Oct 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-5
-* Fri Oct 23 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-4
-* Tue Oct 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-3
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-1
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta1
+* Mon May 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0base
+* Sun May 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC2
+* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC1
+* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta5
+* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta4
+* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta3
+* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta2
+* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.2.5
+VERSION=4.4.13-Beta2
 
 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
 else
     FIREWALL=/etc/init.d/shorewall-lite
 fi
@@ -106,6 +106,7 @@ rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
+rm -f  /etc/logrotate.d/shorewall-lite
 
 echo "Shorewall Uninstalled"
 

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Macros/macro.BGP

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#       This macro handles BGP4 traffic.
+#	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     179     				# BGP4
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	179	# BGP4

Shorewall/Macros/macro.Citrix

@@ -3,11 +3,12 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
+#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+#	ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     1494 				   # ICA
-PARAM   -       -       udp     1604    			   # ICA Browser
-PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	tcp	1494	# ICA
+PARAM	-	-	udp	1604	# ICA Browser
+PARAM	-	-	tcp	2598	# CGP Session Reliabilty

Shorewall/Macros/macro.DHCPfwd

@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - DHCPfwd Macro
+#
+# /usr/share/shorewall/macro.DHCPfwd
+#
+#	This macro (bidirectional) handles forwarded DHCP traffic
+#
+###############################################################################
+#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S) PORT(S) LIMIT	GROUP
+PARAM	-	-	udp	67:68	67:68	# DHCP
+PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.HKP

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - HKP Macro
+#
+# /usr/share/shorewall/macro.HKP
+#
+#	This macro handles OpenPGP HTTP keyserver protocol traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	11371

Shorewall/Macros/macro.OSPF

@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#       This macro handles OSPF multicast traffic
+#	This macro handles OSPF multicast traffic
 #
-#######################################################################################################
-#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
-#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
-PARAM           -               -       89      -                                                       # OSPF
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	89	# OSPF

Shorewall/Macros/macro.Razor

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-# This macro handles traffic for the Razor Antispam System
+#	This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/

Shorewall/Macros/macro.mDNS

@@ -1,12 +1,15 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.DNS
+# /usr/share/shorewall/macro.mDNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	5353
-PARAM	DEST	SOURCE	udp	5353
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-			udp	32768:	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE:224.0.0.251	2

Shorewall/Makefile-lite

@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-# 
+#
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#  
+#
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities: 
+capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean: 
+clean:
 	rm -f capabilities firewall firewall.conf reload

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4.13';
 
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
 
     our $jumpchainref;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,6 +61,16 @@ sub process_accounting_rule( ) {
 
     our $disposition = '';
 
+    sub reserved_chain_name($) {
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
+    }
+
+    sub ipsec_chain_name($) {
+	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
+	    $1;
+	}
+    }
+
     sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -72,10 +82,11 @@ sub process_accounting_rule( ) {
 
     sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	$jumpchainref = ensure_accounting_chain( $jumpchain );
+	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
+	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	"-j $jumpchain";
+	$jumpchain;
     }
 
     my $target = '';
@@ -84,18 +95,21 @@ sub process_accounting_rule( ) {
     $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
     $sports = ''    if $sports eq 'any' || $sports eq 'all';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
     my $rule2 = 0;
-
+    my $jump  = 0;
+    
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = '-j RETURN';
+	    $target = 'RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2=1;
-		} elsif ( $cmd ne 'JUMP' ) {
+		    $rule2 = 1;
+		} elsif ( $cmd eq 'JUMP' ) {
+		    $jump = 1;
+		} else {
 		    accounting_error;
 		}
 	    }
@@ -137,7 +151,31 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
     }
 
-    my $chainref = ensure_accounting_chain $chain;
+    my $chainref = $filter_table->{$chain};
+    my $dir;
+
+    if ( ! $chainref ) {
+	$chainref = ensure_accounting_chain $chain, 0;
+	$dir      = ipsec_chain_name( $chain );
+
+	if ( $ipsec ne '-' ) {
+	    if ( $dir ) {
+		$rule .= do_ipsec( $dir, $ipsec );
+		$chainref->{ipsec} = $dir;
+	    } else {
+		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
+	    }
+	} else {
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
+	    $chainref->{ipsec} = $dir;
+	}
+    } elsif ( $ipsec ne '-' ) {
+	$dir = $chainref->{ipsec};
+	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	$rule .= do_ipsec( $dir , $ipsec );
+    }
+
+    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
 
     expand_rule
 	$chainref ,
@@ -151,6 +189,22 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
 
+    if ( $rule2 || $jump ) {
+	if ( $chainref->{ipsec} ) {
+	    if ( $jumpchainref->{ipsec} ) {
+		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
+	    } else {
+		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
+		$jumpchainref->{ipsec} = $chainref->{ipsec};
+	    }
+	} elsif ( $jumpchainref->{ipsec} ) {
+	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
+	} else {
+	    $jumpchainref->{ipsec} = $chainref->{ipsec};
+	}
+
+    }
+
     if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -178,27 +232,40 @@ sub setup_accounting() {
 
     $nonEmpty |= process_accounting_rule while read_a_line;
 
-    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
-
     clear_comment;
 
     if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
 
 	if ( $filter_table->{accountout} ) {
-	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } else {
-	if ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
-	    }
+    } elsif ( $filter_table->{accounting} ) {
+	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	}
     }
+
+    if ( $filter_table->{accipsecin} ) {
+	for my $chain ( qw/INPUT FORWARD/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	}
+    }
+
+    if ( $filter_table->{accipsecout} ) {
+	for my $chain ( qw/FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	}
+    }
+
+    for ( accounting_chainrefs ) {
+	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    }
+
 }
 
 1;

Shorewall/Perl/Shorewall/Actions.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,6 +28,7 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
 
 use strict;
 
@@ -57,7 +58,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_13';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -178,9 +179,27 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
     my $action = $_[0];
+
+    my $target = '';
+    my $max    = 3;
+    #
+    # The following rather grim RE, when matched, breaks the action into two parts:
+    #
+    #    basicaction(param)
+    #    logging part (may be empty)
+    #
+    # The param may contain one or more ':' characters
+    #
+    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
+	$target = $1;
+	$action = $2 ? $3 : '';
+	$max    = 2;
+    }
+	
     my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
-    ( shift @a, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
+    $target = shift @a unless $target;
+    ( $target, join ":", @a );
 }
 
 #
@@ -213,7 +232,7 @@ sub merge_macro_source_dest( $$ ) {
     if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
 
@@ -305,10 +324,10 @@ sub map_old_actions( $ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
+# the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set CHAIN to the name of the iptables chain where rules are to be added.
-# Similarly, LEVEL and TAG contain the log level and log tag respectively.
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -341,6 +360,8 @@ sub createlogactionchain( $$ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
+	dont_optimize $chainref;
+
 	my $file = find_file $chain;
 
 	if ( -f $file ) {
@@ -367,6 +388,8 @@ sub createsimpleactionchain( $ ) {
 
     unless ( $targets{$action} & BUILTIN ) {
 
+	dont_optimize $chainref;
+
 	my $file = find_file $action;
 
 	if ( -f $file ) {
@@ -384,7 +407,7 @@ sub createsimpleactionchain( $ ) {
 }
 
 #
-# Create an action chain and run it's associated user exit
+# Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
     my ( $action , $level ) = split_action $_[0];
@@ -574,7 +597,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
+	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -609,11 +632,11 @@ sub process_action( $$$$$$$$$$$ ) {
 
     expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ? "-j $action" : '',
+		  $action ,
 		  $level ,
 		  $action ,
 		  '' );
@@ -766,10 +789,14 @@ sub process_action3( $$$$$ ) {
 sub dropBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $capabilities{ADDRTYPE} ) {
+    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    if ( $family == F_IPV4 ) {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    } else {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+	    }
 	}
 
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -793,14 +820,14 @@ sub dropBcast( $$$ ) {
     if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
     } else {
-	add_rule $chainref, '-d ff00::/10 -j DROP';
+	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
     }
 }
 
 sub allowBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
@@ -825,8 +852,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
-	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
+	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
 	}
     }
 }
@@ -834,44 +861,46 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 
 sub rejNotSyn ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
-    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 
 sub dropInvalid ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
-    add_rule $chainref , '-m state --state INVALID -j DROP';
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
 }
 
 sub allowInvalid ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
-    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
-    add_rule $chainref , '-m state --state INVALID -j ACCEPT';
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
 }
 
 sub forwardUPnP ( $$$ ) {
+    my $chainref = dont_optimize 'forwardUPnP';
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 
 sub allowinUPnP ( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
     }
 
-    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 
 sub Limit( $$$ ) {
@@ -897,7 +926,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
     } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
     }

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -41,9 +41,9 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
+our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_12';
 
 our $export;
 
@@ -72,32 +72,44 @@ sub initialize_package_globals() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header to the generated script.
+#    Copy prog.header and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
-sub generate_script_1() {
+#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
+#          than those related to writing to the output script file.
+#
+sub generate_script_1( $ ) {
 
-    if ( $test ) {
-	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
-    } else {
-	my $date = localtime;
+    my $script = shift;
 
-	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	if ( $family == F_IPV4 ) {
-	    copy $globals{SHAREDIRPL} . 'prog.header';
+    if ( $script ) {
+	if ( $test ) {
+	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
-	    copy $globals{SHAREDIRPL} . 'prog.header6';
+	    my $date = localtime;
+
+	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
+	    if ( $family == F_IPV4 ) {
+		copy $globals{SHAREDIRPL} . 'prog.header';
+	    } else {
+		copy $globals{SHAREDIRPL} . 'prog.header6';
+	    }
+
+	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
 	}
+
     }
 
+    my $lib = find_file 'lib.private';
+
+    copy2( $lib, $debug ) if -f $lib;
+
     emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    my $lib = find_file 'lib.private';
-
-    copy1 $lib, emit "\n" if -f $lib;
 
     for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -129,7 +141,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 
 sub generate_script_2() {
 
@@ -154,24 +166,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'PRODUCT="Shorewall Lite"'
+		   'g_product="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'PRODUCT=\'Shorewall\'',
+		   'g_product=\'Shorewall\'',
 		 );
 	}
     } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'PRODUCT="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'PRODUCT=\'Shorewall6\'',
+		   'g_product=\'Shorewall6\'',
 		 );
 	}
     }
@@ -203,17 +215,15 @@ sub generate_script_2() {
     my @dont_load = split_list $config{DONT_LOAD}, 'module';
 
     emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
-	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
+	   '[ -n "${VERBOSITY:=0}" ]',
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
 
-    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;
 
     emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
-	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );
 
@@ -222,7 +232,7 @@ sub generate_script_2() {
     append_file 'params' if $config{EXPORTPARAMS};
 
     emit ( '',
-	   "STOPPING=",
+	   "g_stopping=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -246,7 +256,7 @@ sub generate_script_2() {
     push_indent;
 
     if ( $global_variables ) {
-	
+
 	emit( 'case $COMMAND in' );
 
 	push_indent;
@@ -261,7 +271,7 @@ sub generate_script_2() {
 
 	set_global_variables(1);
 
-	handle_optional_interfaces;
+	handle_optional_interfaces(0);
 
 	emit ';;';
 
@@ -274,7 +284,7 @@ sub generate_script_2() {
 
 	    set_global_variables(0);
 
-	    handle_optional_interfaces;
+	    handle_optional_interfaces(0);
 
 	    emit ';;';
 	}
@@ -284,16 +294,15 @@ sub generate_script_2() {
 
 	emit ( 'esac' ) ,
     } else {
-	emit( 'true' ) unless handle_optional_interfaces;
+	emit( 'true' ) unless handle_optional_interfaces(1);
     }
 
     pop_indent;
 
     emit "\n}\n"; # End of detect_configuration()
-    
+
 }
 
-#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -303,7 +312,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 #
 sub generate_script_3($) {
 
@@ -325,9 +334,9 @@ sub generate_script_3($) {
     save_progress_message 'Initializing...';
 
     if ( $export ) {
-	my $fn = find_file 'modules';
+	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
 
-	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
+	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -344,54 +353,17 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	my @ipsets = all_ipsets;
-
-	if ( @ipsets ) {
-	    emit ( '',
-		   'case $IPSET in',
-		   '    */*)',
-		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
-		   '        ;;',
-		   '    *)',
-		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
-		   '        ;;',
-		   'esac',
-		   '',
-		   'if [ "$COMMAND" = start ]; then' ,
-		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-		   '    fi' ,
-		   '' );
-
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	    emit ( '' ,
-		   'elif [ "$COMMAND" = restart ]; then' ,
-		   '' );
-
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	    emit ( '' ,
-		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi' );
-	    emit ( 'fi',
-		   '' );
-	}
+	load_ipsets;
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' );
-
-	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	emit ( 'else' ,
+	       '   run_refresh_exit' ,
+	       'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
+	save_dynamic_chains;
+
 	mark_firewall_not_started;
 
 	emit ('',
@@ -399,7 +371,7 @@ sub generate_script_3($) {
 	       ''
 	     );
 
-	if ( $capabilities{NAT_ENABLED} ) {
+	if ( have_capability( 'NAT_ENABLED' ) ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -412,23 +384,11 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
 
     } else {
-	emit ( '#',
-	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
-	       '#',
-	       'qt1 $IP6TABLES -N foox1234',
-	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
-	       'result=$?',
-	       'qt1 $IP6TABLES -F foox1234',
-	       'qt1 $IP6TABLES -X foox1234',
-	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
-	       '' );
-
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
-		   '',
-	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
-	       ''
-	     );
-
+	       '' );
+	save_dynamic_chains;
+	mark_firewall_not_started;
+	emit '';
     }
 
     emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -450,6 +410,10 @@ sub generate_script_3($) {
     dump_zone_contents;
     emit_unindented '__EOF__';
 
+    emit 'cat > ${VARDIR}/policies << __EOF__';
+    save_policies;
+    emit_unindented '__EOF__';
+
     pop_indent;
 
     emit "fi\n";
@@ -477,31 +441,38 @@ EOF
     pop_indent;
     setup_forwarding( $family , 1 );
     push_indent;
-    emit<<'EOF';
-    set_state "Started"
+
+    my $config_dir = $globals{CONFIGDIR};
+
+    emit<<"EOF";
+    set_state Started $config_dir 
     run_restored_exit
 else
-    if [ $COMMAND = refresh ]; then
+    if [ \$COMMAND = refresh ]; then
         chainlist_reload
 EOF
     setup_forwarding( $family , 0 );
-    emit<<'EOF';
+
+    emit<<"EOF";
         run_refreshed_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
     else
         setup_netfilter
-        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );
-    emit<<'EOF';
+
+    emit<<"EOF";
         run_start_exit
         do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
         run_started_exit
     fi
 
+EOF
+
+    emit<<'EOF';
     [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
 
@@ -509,16 +480,16 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        logger -p kern.info "$PRODUCT started"
+        logger -p kern.info "$g_product started"
         ;;
     restart)
-        logger -p kern.info "$PRODUCT restarted"
+        logger -p kern.info "$g_product restarted"
         ;;
     refresh)
-        logger -p kern.info "$PRODUCT refreshed"
+        logger -p kern.info "$g_product refreshed"
         ;;
     restore)
-        logger -p kern.info "$PRODUCT restored"
+        logger -p kern.info "$g_product restored"
         ;;
 esac
 EOF
@@ -536,8 +507,8 @@ EOF
 #
 sub compiler {
 
-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
-       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
 
     $export = 0;
     $test   = 0;
@@ -557,7 +528,8 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
     }
 
-    my %parms = ( object        => { store => \$objectfile },
+    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -568,6 +540,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
+		  preview       => { store => \$preview },
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -592,6 +565,8 @@ sub compiler {
 	set_shorewall_dir( $directory );
     }
 
+    $verbosity = 1 if $debug && $verbosity < 1;
+
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
@@ -601,16 +576,16 @@ sub compiler {
     #
     get_configuration( $export );
 
-    report_capabilities;
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
     require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
     require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_object( $objectfile , $export );
+	create_temp_script( $scriptfilename , $export );
     } else {
 	set_command( 'check', 'Checking', 'Checked' );
     }
@@ -656,13 +631,13 @@ sub compiler {
     #
     setup_notrack;
 
-    enable_object;
+    enable_script;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename || $debug ) {
 	#
-	# Place Header in the object
+	# Place Header in the script
 	#
-	generate_script_1;
+	generate_script_1( $scriptfilename );
 	#
 	#                               C O M M O N _ R U L E S
 	#           (Writes the setup_common_rules() function to the compiled script)
@@ -676,11 +651,11 @@ sub compiler {
 	push_indent;
     }
     #
-    # Do all of the zone-independent stuff
+    # Do all of the zone-independent stuff (mostly /proc)
     #
     add_common_rules;
     #
-    # /proc stuff
+    # More /proc
     #
     if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
@@ -694,24 +669,24 @@ sub compiler {
     #
     setup_proxy_arp;
     #
-    # Handle MSS setings in the zones file
+    # Handle MSS settings in the zones file
     #
     setup_zone_mss;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
     }
 
-    disable_object;
+    disable_script;
     #
     #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
-    enable_object;
+    enable_script;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -729,12 +704,12 @@ sub compiler {
     #
     setup_tc;
 
-    if ( $objectfile ) {
+    if ( $scriptfilename || $debug ) {
 	pop_indent;
 	emit "}\n";
     }
 
-    disable_object;
+    disable_script;
     #
     #                                       N E T F I L T E R
     #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -745,7 +720,7 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
+	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
@@ -788,15 +763,27 @@ sub compiler {
     #
     # Accounting.
     #
-    setup_accounting;
+    setup_accounting if $config{ACCOUNTING};
 
-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
-	# Generate the zone by zone matrix
+	# Compiling a script - generate the zone by zone matrix
 	#
 	generate_matrix;
 
-	enable_object;
+	if ( $config{OPTIMIZE} & 0xD ) {
+	    progress_message2 'Optimizing Ruleset...';
+	    #
+	    # Optimize Policy Chains
+	    #
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    #
+	    # More Optimization
+	    #
+	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	}
+
+	enable_script;
 	#
 	#                             I N I T I A L I Z E
 	#           (Writes the initialize() function to the compiled script)
@@ -817,9 +804,14 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test );
+	compile_stop_firewall( $test, $export );
 	#
-	# Copy the footer to the object
+	#                               U P D O W N
+	#               (Writes the updown() function to the compiled script)
+	#
+	compile_updown;
+	#
+	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -829,27 +821,60 @@ sub compiler {
 	    }
 	}
 
-	disable_object;
+	disable_script;
 	#
-	# Close, rename and secure the object
+	# Close, rename and secure the script
 	#
-	finalize_object ( $export );
+	finalize_script ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_object, generate_aux_config if $export;
+	enable_script, generate_aux_config if $export;
     } else {
+	#
+	# Just checking the configuration
+	#
+	if ( $preview || $debug ) {
+	    #
+	    # User wishes to preview the ruleset or we are tracing -- generate the rule matrix
+	    #
+	    generate_matrix;
+
+	    if ( $config{OPTIMIZE} & 6 ) {
+		progress_message2 'Optimizing Ruleset...';
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		#
+		# Ruleset Optimization
+		#
+		optimize_ruleset if $config{OPTIMIZE} & 4;
+	    }
+
+	    enable_script if $debug;
+
+	    generate_script_2 if $debug;
+
+	    preview_netfilter_load if $preview;
+	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-	#
-	# compile_stop_firewall() also validates the routestopped file. Since we don't
-	# call that function during 'check', we must validate routestopped here.
-	#
-	process_routestopped;
+
+	if ( $debug ) {
+	    compile_stop_firewall( $test, $export );
+	    disable_script;
+	} else {
+	    #
+	    # compile_stop_firewall() also validates the routestopped file. Since we don't
+	    # call that function during normal 'check', we must validate routestopped here.
+	    #
+	    process_routestopped;
+	}
 
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;
 
 use strict;
@@ -47,6 +47,7 @@ our @EXPORT = qw( ALLIPv4
 		  ALL
 		  TCP
 		  UDP
+		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
@@ -72,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_12';
 
 #
 # Some IPv4/6 useful stuff
@@ -86,28 +87,29 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
+our $family;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'FF00::/10' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
-	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_MULTICAST      => 'ff00::/8' ,
+	       IPv6_LINKLOCAL      => 'fe80::/10' ,
+	       IPv6_SITELOCAL      => 'feC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
-	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
+	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
+	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
-	       SCTP                => 132 };
+	       SCTP                => 132,
+	       UDPLITE             => 136 };
 
 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 
-
 #
 # Note: initialize() is declared at the bottom of the file
 #
@@ -122,8 +124,8 @@ sub valid_4address( $ ) {
 
     my @address = split /\./, $address;
     return 0 unless @address == 4;
-    for my $a ( @address ) {
-	return 0 unless $a =~ /^\d+$/ && $a < 256;
+    for ( @address ) {
+	return 0 unless /^\d+$/ && $_ < 256;
     }
 
     1;
@@ -156,8 +158,8 @@ sub decodeaddr( $ ) {
 
     my $result = shift @address;
 
-    for my $a ( @address ) {
-	$result = ( $result << 8 ) | $a;
+    for ( @address ) {
+	$result = ( $result << 8 ) | $_;
     }
 
     $result;
@@ -287,7 +289,17 @@ sub resolve_proto( $ ) {
     my $proto = $_[0];
     my $number;
 
-    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
+    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
+	$number = numeric_value ( $proto );
+	defined $number && $number <= 65535 ? $number : undef;
+    } else {
+	#
+	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
+	#
+	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
+	
+	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
+    }
 }
 
 sub proto_name( $ ) {
@@ -301,16 +313,19 @@ sub validate_port( $$ ) {
 
     my $value;
 
-    if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port <= 65535;
+    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+	$port = numeric_value $port;
+	return $port if defined $port && $port && $port <= 65535;
     } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
     }
 
-    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
+    return $value if defined $value;
 
-    $value;
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 
 sub validate_portpair( $$ ) {
@@ -323,7 +338,7 @@ sub validate_portpair( $$ ) {
 
     my @ports = split /:/, $portpair, 2;
 
-    $_ = validate_port( $proto, $_) for ( @ports );
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
 
     if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -476,6 +491,7 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
+	return 1 if @address eq ':';
     } else {
 	$max = 8;
     }
@@ -484,16 +500,16 @@ sub valid_6address( $ ) {
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 
-    if ( $address =~ /^:/ ) {
-	unless ( $address eq '::' ) {
-	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
-	}
-    } elsif ( $address =~ /:$/ ) {
-	return 0 if $address =~ /::.*:$/;
+    unless ( $address =~ /^::/ ) {
+	return 0 if $address =~ /^:/;
+    }
+
+    unless ( $address =~ /::$/  ) {
+	return 0 if $address =~ /:$/;
     }
 
     for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
     }
 
     1;
@@ -542,13 +558,27 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
     my $addr = shift;
 
-    while ( $addr =~ tr/:/:/ < 6 ) {
-	$addr =~ s/::/:0::/;
+    if ( $addr eq '::' ) {
+	'0:0:0:0:0:0:0:0';
+    } else {
+	#
+	# Suppress leading zeros
+	#
+	$addr =~ s/^0+//;
+	$addr =~ s/:0+/:/g;
+	$addr =~ s/^:/0:/;
+	$addr =~ s/:$/:0/;
+
+	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
+	#
+	# Note: "s/::/:0:/g" doesn't work here
+	#
+	1 while $addr =~ s/::/:0:/;
+
+	$addr =~ s/^0+:/0:/;
+
+	$addr;
     }
-
-    $addr =~ s/::/:0:/;
-
-    $addr;
 }
 
 sub validate_6range( $$ ) {
@@ -572,7 +602,7 @@ sub validate_6range( $$ ) {
 }
 
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = $_[0];
+    my ( $host, $allow_name )  = @_;
 
     if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -658,7 +688,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    my $family = shift;
+    $family = shift;
 
     if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_13';
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,56 +49,6 @@ sub initialize() {
     %addresses_to_add = ();
 }
 
-#
-# Handle IPSEC Options in a masq record
-#
-sub do_ipsec_options($)
-{
-    my %validoptions = ( strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-    my $list=$_[0];
-    my $options = '-m policy --pol ipsec --dir out ';
-    my $fmt;
-
-    for my $e ( split_list $list, 'option' ) {
-	my $val    = undef;
-	my $invert = '';
-
-	if ( $e =~ /([\w-]+)!=(.+)/ ) {
-	    $val    = $2;
-	    $e      = $1;
-	    $invert = '! ';
-	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
-	    $val = $2;
-	    $e   = $1;
-	}
-
-	$fmt = $validoptions{$e};
-
-	fatal_error "Invalid Option ($e)" unless $fmt;
-
-	if ( $fmt eq NOTHING ) {
-	    fatal_error "Option \"$e\" does not take a value" if defined $val;
-	} else {
-	    fatal_error "Missing value for option \"$e\""        unless defined $val;
-	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
-	}
-
-	$options .= $invert;
-	$options .= "--$e ";
-	$options .= "$val " if defined $val;
-    }
-
-    $options;
-}
-
 #
 # Process a single rule from the the masq file
 #
@@ -150,16 +100,16 @@ sub process_one_masq( )
     # Handle IPSEC options, if any
     #
     if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= '-m policy --pol ipsec --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= '-m policy --pol none --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'none', '';
 	} else {
-	    $baserule .= do_ipsec_options $ipsec;
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
 	}
-    } elsif ( $capabilities{POLICY_MATCH} ) {
+    } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
     }
 
@@ -170,12 +120,12 @@ sub process_one_masq( )
     #
     # Handle Mark
     #
-    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
-    $baserule .= do_user( $user )      if $user ne '-';
+    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_user( $user )                    if $user ne '-';
 
     for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = '-j MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -195,7 +145,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	unless ( $interfaceref->{root} ) {
-	    $rule .= "-o $interface ";
+	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}
 
@@ -221,7 +171,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "-j SNAT --to-source $variable";
+		    $target = "SNAT --to-source $variable";
 
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -231,13 +181,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = '-j RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = '-j SNAT ';
+			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
@@ -367,12 +317,12 @@ sub do_one_nat( $$$$$ )
     fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
     unless ( $interfaceref->{root} ) {
-	$rulein  = "-i $interface ";
-	$ruleout = "-o $interface ";
+	$rulein  = match_source_dev $interface;
+	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
     }
 
-    if ( $capabilities{POLICY_MATCH} ) {
+    if ( have_ipsec ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
     }
@@ -402,7 +352,6 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
     }
-
 }
 
 #
@@ -449,7 +398,9 @@ sub setup_netmap() {
 
     while ( read_a_line ) {
 
-	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+
+	$net3 = ALLIP if $net3 eq '-';
 
 	for my $interface ( split_list $interfacelist, 'interface' ) {
 
@@ -457,18 +408,18 @@ sub setup_netmap() {
 	    my $ruleout = '';
 	    my $iface = $interface;
 
-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = "-i $interface ";
-		$ruleout = "-o $interface ";
+		$rulein  = match_source_dev( $interface );
+		$ruleout = match_dest_dev( $interface );
 		$interface = $interfaceref->{name};
 	    }
 
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface )  , $rulein  . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
@@ -481,12 +432,13 @@ sub setup_netmap() {
 
 sub add_addresses () {
     if ( @addresses_to_add ) {
+	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
 
-	while ( @addresses_to_add ) {
-	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addresses_to_add;
+	while ( @addrs ) {
+	    my $addr      = shift @addrs;
+	    my $interface = shift @addrs;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;

Shorewall/Perl/Shorewall/Policy.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_12';
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -66,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
 #
 sub new_policy_chain($$$$)
 {
-    my ($source, $dest, $policy, $optional) = @_;
+    my ($source, $dest, $policy, $provisional) = @_;
 
-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
 
-    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
+    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
 
     $chainref;
 }
@@ -115,20 +115,20 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-use constant { OPTIONAL => 1 };
+use constant { PROVISIONAL => 1 };
 
 sub add_or_modify_policy_chain( $$ ) {
     my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = rules_chain( ${zone}, ${zone1} );
     my $chainref = $filter_table->{$chain};
 
     if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
-	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
+	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
 	    push @policy_chains, $chainref;
 	}
     } else {
-	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
+	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
     }
 }
 
@@ -211,7 +211,7 @@ sub process_a_policy() {
 	}
     }
 
-    my $chain = "${client}2${server}";
+    my $chain = rules_chain( ${client}, ${server} );
     my $chainref;
 
     if ( defined $filter_table->{$chain} ) {
@@ -246,25 +246,25 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
     }
 
-    $chainref->{default}   = $default if $default;
+    $chainref->{default} = $default if $default;
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
 
@@ -273,6 +273,21 @@ sub process_a_policy() {
     }
 }
 
+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } elsif ( $zone1 ne $zone2 ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
+	    }
+	}
+    }
+}
+
 sub validate_policy()
 {
     our %validpolicies = (
@@ -292,6 +307,7 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
 
     my $zone;
+    my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
     for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -314,15 +330,18 @@ sub validate_policy()
     }
 
     for $zone ( all_zones ) {
-	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
+	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
+	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
 
-	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
+	my $zoneref = find_zone( $zone );
+
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
-	    }
+	    }		
 	}
     }
 
@@ -334,7 +353,7 @@ sub validate_policy()
 
     for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
 	}
     }
 }
@@ -347,7 +366,7 @@ sub policy_rules( $$$$$ ) {
 
     unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_rule $chainref, "-j $default" if $default && $default ne 'none';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
@@ -399,17 +418,29 @@ sub apply_policy_rules() {
 
     for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
-	my $loglevel    = $chainref->{loglevel};
-	my $provisional = $chainref->{provisional};
-	my $default     = $chainref->{default};
-	my $name        = $chainref->{name};
 
-	if ( $policy ne 'NONE' ) {
-	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
-		ensure_filter_chain $name, 1;
+	unless ( $policy eq 'NONE' ) {
+	    my $loglevel    = $chainref->{loglevel};
+	    my $provisional = $chainref->{provisional};
+	    my $default     = $chainref->{default};
+	    my $name        = $chainref->{name};
+	    my $synparms    = $chainref->{synparms};
+
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
+		if ( $config{OPTIMIZE} & 2 ) {
+		    #
+		    # This policy chain is empty and the only thing that we would put in it is
+		    # the policy-related stuff. Don't create it if all we are going to put in it
+		    # is a single jump. Generate_matrix() will just use the policy target when
+		    # needed.
+		    #
+		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		} else {
+		    ensure_filter_chain $name, 1;
+		}
 	    }
 
-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -418,7 +449,7 @@ sub apply_policy_rules() {
 
     for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -440,11 +471,11 @@ sub apply_policy_rules() {
 sub complete_standard_chain ( $$$$ ) {
     my ( $stdchainref, $zone, $zone2, $default ) = @_;
 
-    add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
+    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
 
     run_user_exit $stdchainref;
 
-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
     my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
     my $policychainref;
 
@@ -465,11 +496,38 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+	    log_rule_limit( $level , 
+			    $synchainref , 
+			    $chainref->{name} , 
+			    'DROP', 
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
+			    '' , 
+			    'add' , 
+			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
     }
 }
 
+#
+# Optimize Policy chains with ACCEPT policy
+#
+sub optimize_policy_chains() {
+    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
+	optimize_chain ( $chainref );
+    }
+    #
+    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
+    #
+    my $outputrules = $filter_table->{OUTPUT}{rules};
+
+    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+	optimize_chain( $filter_table->{OUTPUT} );
+    }
+
+    progress_message '  Policy chains optimized';
+    progress_message '';
+}
+
 1;

Shorewall/Perl/Shorewall/Proc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_7';
 
 #
 # ARP Filtering
@@ -56,27 +56,35 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 	    my $value = get_interface_option $interface, 'arp_filter';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
 
 	for my $interface ( @$interfaces1 ) {
-	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 	    my $value = get_interface_option $interface, 'arp_ignore';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 
 	    assert( defined $value );
 
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -88,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
 
     my $interfaces = find_interfaces_by_option 'routefilter';
+    my $config     = $config{ROUTE_FILTER};
 
-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {
 
 	progress_message2 "$doing Kernel Route Filtering...";
 
 	save_progress_message "Setting up Route Filtering...";
 
+	my $val = '';
 
-	if ( $config{ROUTE_FILTER} ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	if ( $config{ROUTE_FILTER} ne '' ) {
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -106,25 +116,29 @@ sub setup_route_filtering() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 	    my $value = get_interface_option $interface, 'routefilter';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
 
-	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+	} elsif ( $val ne '' ) {
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	}
 
-	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
+	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
+	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
     }
 }
 
@@ -153,14 +167,18 @@ sub setup_martian_logging() {
 	}
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 	    my $value = get_interface_option $interface, 'logmartians';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -180,13 +198,17 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 
 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 	    my $value = get_interface_option $interface, 'sourceroute';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
     }
@@ -227,13 +249,17 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 
 	    for my $interface ( @$interfaces ) {
-		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 		my $value = get_interface_option $interface, 'forward';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
+		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_11';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,6 +59,8 @@ our @providers;
 
 our $family;
 
+our $lastmark;
+
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
 #
@@ -94,9 +96,9 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask = in_hex( $globals{PROVIDER_MASK} );
 
-    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
 
     add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
 
@@ -108,33 +110,21 @@ sub setup_route_marking() {
 
     for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
+	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
-	my $base      = uc chain_base $interface;
-
-	if ( $providerref->{optional} ) {
-	    if ( $providerref->{shared} ) {
-		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
-	    } else {
-		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
-	    }
-
-	    incr_cmd_level( $chainref );
-	}
 
 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}
 
 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
 	}
-
-	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -142,7 +132,9 @@ sub setup_route_marking() {
 
 sub copy_table( $$$ ) {
     my ( $duplicate, $number, $realm ) = @_;
-
+    #
+    # Hack to work around problem in iproute
+    #
     my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
 
     if ( $realm ) {
@@ -164,11 +156,21 @@ sub copy_table( $$$ ) {
 
 sub copy_and_edit_table( $$$$ ) {
     my ( $duplicate, $number, $copy, $realm) = @_;
-    
+    #
+    # Hack to work around problem in iproute
+    #
     my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    #
+    # Map physical names in $copy to logical names
+    #
+    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+    #
+    # Shell and iptables use a different wildcard character
+    #
+    $copy =~ s/\+/*/;
 
     if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
     } else {
 	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
     }
@@ -274,9 +276,10 @@ sub add_a_provider( ) {
     }
 
     fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
 
-    my $provider    = chain_base $table;
-    my $base        = uc chain_base $interface;
+    my $physical    = get_physical $interface;
+    my $base        = uc chain_base $physical;
     my $gatewaycase = '';
 
     if ( $gateway eq 'detect' ) {
@@ -292,40 +295,15 @@ sub add_a_provider( ) {
 	$gateway = '';
     }
 
-    my $val = 0;
-    my $pref;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
-
-	verify_mark $mark;
-
-	if ( $val < 65535 ) {
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
-		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
-	    }
-	} else {
-	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
-	}
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-    }
-
-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
 
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -359,12 +337,43 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
+	    } elsif ( $option eq 'local' ) {
+		$local = 1;
+		$track = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0 if$config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
     }
 
+    my $val = 0;
+    my $pref;
+
+    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+
+	verify_mark $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+
+	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+	$lastmark = $val;
+
+    }
+
     unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -376,6 +385,7 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
+			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -403,26 +413,34 @@ sub add_a_provider( ) {
     if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
     } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
+	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}
 
 	$provider_interfaces{$interface} = $table;
 
-	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+	if ( $gatewaycase eq 'none' ) {
+	    if ( $local ) {
+		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
+	    } else {
+		emit "run_ip route add default dev $physical table $number";
+	    }
+	}
     }
 
     if ( $mark ne '-' ) {
-	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
 
-	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+
+	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
 	     );
     }
 
@@ -434,8 +452,7 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy =~ tr/,/|/;
-		$copy = "$interface|$copy";
+		$copy = "$interface,$copy";
 	    }
 
 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -447,28 +464,33 @@ sub add_a_provider( ) {
 
     if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
     }
 
-    balance_default_route $balance , $gateway, $interface, $realm if $balance;
+    balance_default_route $balance , $gateway, $physical, $realm if $balance;
 
     if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $interface, $realm;
+	balance_fallback_route $default , $gateway, $physical, $realm;
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
+	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
     }
 
-    if ( $loose ) {
+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
+    } elsif ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $interface | while read address; do",
+	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -482,7 +504,7 @@ sub add_a_provider( ) {
 
 	emit "\nrulenum=0\n";
 
-	emit  ( "find_interface_addresses $interface | while read address; do" );
+	emit  ( "find_interface_addresses $physical | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -498,15 +520,15 @@ sub add_a_provider( ) {
 
     if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
-	} else {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	} else {
+	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
 	}
     } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
     }
 
@@ -517,9 +539,32 @@ sub add_a_provider( ) {
     progress_message "   Provider \"$currentline\" $done";
 }
 
+#
+# Begin an 'if' statement testing whether the passed interface is available
+#
+sub start_new_if( $ ) {
+    our $current_if = shift;
+
+    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
+    push_indent;
+}
+
+#
+# Complete any current 'if' statement in the output script
+#
+sub finish_current_if() {
+    if ( our $current_if ) {
+	pop_indent;
+	emit ( "fi\n" );
+	$current_if = '';
+    }
+}
+
 sub add_an_rtrule( ) {
     my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
+    our $current_if;
+
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -554,6 +599,7 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
+	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -561,9 +607,10 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
+	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
     } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -576,21 +623,21 @@ sub add_an_rtrule( ) {
 
     $priority = "priority $priority";
 
-    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
 
     my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
 
     if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{interface} );
-	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
-	push_indent;
+	my $base = uc chain_base( $providers{$provider}{physical} );
+	finish_current_if if $base ne $current_if;
+	start_new_if( $base ) unless $current_if;
+  } else {
+	finish_current_if;
     }
 
     emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
 
-    pop_indent, emit ( "fi\n" ) if $optional;
-
     progress_message "   Routing rule \"$currentline\" $done";
 }
 
@@ -708,12 +755,14 @@ sub finish_providers() {
 sub setup_providers() {
     my $providers = 0;
 
+    $lastmark = 0;
+
     my $fn = open_file 'providers';
 
     first_entry sub() {
-	emit "\nif [ -z \"\$NOROUTES\" ]; then";
-	push_indent;
 	progress_message2 "$doing $fn...";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	push_indent;
 	start_providers; };
 
     add_a_provider, $providers++ while read_a_line;
@@ -724,25 +773,28 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';
 
 	if ( $fn ) {
+	    our $current_if = '';
 
 	    first_entry "$doing $fn...";
 
 	    emit '';
 
 	    add_an_rtrule while read_a_line;
+
+	    finish_current_if;
 	}
 
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if block begun in the first_entry closure
+	# This completes the if-block begun in the first_entry closure above
 	#
 	pop_indent;
 	emit "fi\n";
 
 	setup_route_marking if @routemarked_interfaces;
     } else {
-	emit "\nif [ -z \"\$NOROUTES\" ]; then";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
@@ -785,20 +837,34 @@ sub lookup_provider( $ ) {
 }
 
 #
-# This function is called by the compiler when it is generating the initialize() function.
-# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
-# optional interfaces
+# This function is called by the compiler when it is generating the detect_configuration() function.
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {
 
-    my $interfaces = find_interfaces_by_option 'optional';
+    my $returnvalue = verify_required_interfaces( shift );
+    #
+    # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
+    # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that
+    # wildcard are returned.
+    #
+    my $interfaces = find_interfaces_by_option1 'optional';
+
+    if ( $config{REQUIRE_INTERFACE} ) {
+	emit( 'HAVE_INTERFACE=' );
+	emit( '' );
+    }
 
     if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
-	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
+	    my $physical = get_physical $interface;
+	    my $base     = uc chain_base( $physical );
 
-	    emit '';
+	    emit( '' );
 
 	    if ( $provider ) {
 		#
@@ -807,25 +873,52 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};
 
 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $interface; then);
+		    emit qq(if interface_is_usable $physical; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $interface; then);
+		emit qq(if interface_is_usable $physical; then);
 	    }
 
-	    emit( "    ${base}_IS_USABLE=Yes" ,
+	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
+
+	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'else' ,
-		  "    ${base}_IS_USABLE=" ,
+		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
 	}
 
-	1;
+	if ( $config{REQUIRE_INTERFACE} ) {
+	    emit( '',
+		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
+		  '    case "$COMMAND" in',
+		  '        start|restart|restore|refresh)'
+		);
+
+	    if ( $family == F_IPV4 ) {
+		emit( '            if shorewall_is_started; then' );
+	    } else {
+		emit( '            if shorewall6_is_started; then' );
+	    }
+
+	    emit( '                fatal_error "No network interface available"',
+		  '            else',
+		  '                startup_error "No network interface available"',
+		  '            fi',
+		  '            ;;',
+		  '    esac',
+		  'fi'
+		);
+	}
+
+	$returnvalue = 1;
     }
+
+    $returnvalue;
 }
 
 #
@@ -834,7 +927,7 @@ sub handle_optional_interfaces() {
 #
 sub handle_stickiness( $ ) {
     my $havesticky   = shift;
-    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
+    my $mask         = in_hex( $globals{PROVIDER_MASK} );
     my $setstickyref = $mangle_table->{setsticky};
     my $setstickoref = $mangle_table->{setsticko};
     my $tcpreref     = $mangle_table->{tcpre};
@@ -845,9 +938,8 @@ sub handle_stickiness( $ ) {
     if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
 
-
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{interface};
+	    my $interface = $providerref->{physical};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};
 
@@ -857,9 +949,6 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;
 
 		for my $chainref ( $stickyref, $setstickyref ) {
-
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -878,9 +967,6 @@ sub handle_stickiness( $ ) {
 			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
-
 		}
 	    }
 
@@ -890,8 +976,6 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';
 
 		for my $chainref ( $stickoref, $setstickoref ) {
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -910,16 +994,15 @@ sub handle_stickiness( $ ) {
 			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}
     }
 
     if ( @routemarked_providers ) {
-	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
+	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
+	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
 }
+
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_9';
 
 our @proxyarp;
 
@@ -76,7 +76,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
     }
 
     unless ( $haveroute ) {
-	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
+	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
     }
 
@@ -117,6 +117,9 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}
 
+		$interface = get_physical $interface;
+		$external  = get_physical $external;
+
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 
@@ -143,10 +146,14 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
@@ -158,10 +165,14 @@ sub setup_proxy_arp() {
 
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_11';
 
 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
     ( my $zone, $source) = split /:/, $source, 2;
     my $zoneref  = find_zone $zone;
     my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
 
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
     require_capability 'RAW_TABLE', 'Notrack rules', '';
 
     my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'-j NOTRACK' ,
+	'NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;

Shorewall/Perl/Shorewall/Tc.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_13';
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -79,48 +79,6 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };
 
-our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-		 target    => 'CONNMARK --save-mark --mask' ,
-		 mark      => SMALLMARK ,
-		 mask      => '0xFF' ,
-		 connmark  => 1
-	       } ,
-	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-		target    => 'CONNMARK --restore-mark --mask' ,
-		mark      => SMALLMARK ,
-		mask      => '0xFF' ,
-		connmark  => 1
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-		target    => 'RETURN' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
-		target    => 'sticky' ,
-		mark      => NOMARK ,
-		mask      => '' ,
-		connmark  => 0
-		} ,
-	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-		target    => 'IPMARK' ,
-		mark      => NOMARK,
-		mask      => '',
-		connmark  => 0
-	        } ,
-	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-		target    => 'MARK --or-mark' ,
-		mark      => HIGHMARK ,
-		mask      => '' } ,
-	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-		target    => 'MARK --and-mark ' ,
-		mark      => HIGHMARK ,
-		mask      => '' ,
-		connmark  => 0
-		}
-	      );
-
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -153,7 +111,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
+# %tcdevices { <interface> => {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -172,7 +130,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
-
+our $ipp2p;
 
 #
 # TCClasses Table
@@ -225,11 +183,14 @@ sub initialize( $ ) {
     @devnums   = ();
     $devnum = 0;
     $sticky = 0;
+    $ipp2p  = 0;
 }
 
 sub process_tc_rule( ) {
     my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
 
+    our @tccmd;
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -265,9 +226,9 @@ sub process_tc_rule( ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
 
-	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
-	    $target   = $tcsref->{target} if $tcsref->{target};
-	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};
+	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
+	    $target   = $tcsref->{target}                      if $tcsref->{target};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
 
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 
@@ -285,8 +246,6 @@ sub process_tc_rule( ) {
 	}
     }
 
-    my $mask = 0xffff;
-
     my ($cmd, $rest) = split( '/', $mark, 2 );
 
     $list = '';
@@ -354,8 +313,40 @@ sub process_tc_rule( ) {
 			}
 
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+		    } elsif ( $target eq 'TPROXY ' ) {
+			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+
+			$chain = 'tcpre';
+
+			$cmd =~ /TPROXY\((.+?)\)$/;
+
+			my $params = $1;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+			if ( $port ) {
+			    $port = validate_port( 'tcp', $port );
+			} else {
+			    $port = 0;
+			}
+
+			$target .= "--on-port $port";
+
+			if ( defined $ip && $ip ne '' ) {
+			    validate_address $ip, 1;
+			    $target .= " --on-ip $ip";
+			}
+
+			$target .= ' --tproxy-mark';
 		    }
 
+
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
 
@@ -376,12 +367,14 @@ sub process_tc_rule( ) {
 
 	    validate_mark $mark;
 
-	    if ( $config{HIGH_ROUTE_MARKS} ) {
+	    if ( $config{PROVIDER_OFFSET} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		my $limit = $globals{TC_MASK};
+		unless ( have_capability 'FWMARK_RT_MASK' ) {
+		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		}
 	    }
 	}
     }
@@ -390,7 +383,7 @@ sub process_tc_rule( ) {
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $mask ) .
+				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -398,9 +391,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "-j $target $mark" ,
-				     '' ,
+				     "$target $mark" ,
 				     '' ,
+				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -451,6 +444,65 @@ sub process_flow($) {
     $flow;
 }
 
+sub process_simple_device() {
+    my ( $device , $type , $in_bandwidth ) = split_line 1, 3, 'tcinterfaces';
+
+    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
+    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
+
+    my $number = in_hexp( $tcdevices{$device} = ++$devnum );
+
+    my $physical = physical_name $device;
+    my $dev      = chain_base( $physical );
+
+    if ( $type ne '-' ) {
+	if ( lc $type eq 'external' ) {
+	    $type = 'nfct-src';
+	} elsif ( lc $type eq 'internal' ) {
+	    $type = 'dst';
+	} else {
+	    fatal_error "Invalid TYPE ($type)";
+	}
+    }
+
+    $in_bandwidth = rate_to_kbit( $in_bandwidth );
+
+    emit "if interface_is_up $physical; then";
+
+    push_indent;
+
+    emit ( "${dev}_exists=Yes",
+	   "qt \$TC qdisc del dev $physical root",
+	   "qt \$TC qdisc del dev $physical ingress\n"
+	 );
+
+    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
+	 ) if $in_bandwidth;
+
+    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+
+    for ( my $i = 1; $i <= 3; $i++ ) {
+	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
+	emit '';
+    }
+
+    save_progress_message_short qq("   TC Device $physical defined.");
+
+    pop_indent;
+    emit 'else';
+    push_indent;
+
+    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
+    emit "${dev}_exists=";
+    pop_indent;
+    emit "fi\n";
+
+    progress_message "  Simple tcdevice \"$currentline\" $done.";
+}
+
 sub validate_tc_device( ) {
     my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
@@ -509,13 +561,13 @@ sub validate_tc_device( ) {
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
 	$classify = 1;
-    }
 
-    for my $rdevice ( @redirected ) {
-	fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
-	my $rdevref = $tcdevices{$rdevice};
-	fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
-	fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
+	for my $rdevice ( @redirected ) {
+	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
+	    my $rdevref = $tcdevices{$rdevice};
+	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
+	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
+	}
     }
 
     $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ) . 'kbit',
@@ -531,6 +583,7 @@ sub validate_tc_device( ) {
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
 			    name          => $device,
+			    physical      => physical_name $device
 			  } ,
 
     push @tcdevices, $device;
@@ -647,15 +700,17 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
+	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -713,6 +768,7 @@ sub validate_tc_class( ) {
 			       parent    => $parentclass,
 			       leaf      => 1,
 			       guarantee => 0,
+			       limit     => 127,
 			     };
 
     $tcref = $tcref->{$classnumber};
@@ -753,7 +809,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -761,6 +817,10 @@ sub validate_tc_class( ) {
 
 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
+	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
+		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
+		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
+		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -789,6 +849,7 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
+					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
     };
@@ -825,7 +886,7 @@ sub process_tc_filter( ) {
     fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
     fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
 
-    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
 
     if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -896,7 +957,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -906,7 +967,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
 
 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -1003,16 +1064,104 @@ sub process_tc_filter( ) {
 
     $currentline =~ s/\s+/ /g;
 
-    save_progress_message_short qq("   TC Filter \"$currentline\" defined.");
+    save_progress_message_short qq('   TC Filter \"$currentline\" defined.');
 
     emit '';
 
 }
 
+sub process_tc_priority() {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+
+    if ( $band eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
+
+    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
+
+    if ( $interface ne '-' ) {
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+
+	my $forwardref = $mangle_table->{tcfor};
+
+	add_rule( $forwardref ,
+		  join( '', match_source_dev( $interface) , $rule ) ,
+		  1 );
+    } else {
+	my $postref = $mangle_table->{tcpost};
+
+	if ( $address ne '-' ) {
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    add_rule( $postref ,
+		      join( '', match_source_net( $address) , $rule ) ,
+		      1 );
+	} else {
+	    add_rule( $postref ,
+		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      1 );
+
+	    if ( $ports ne '-' ) {
+		my $protocol = resolve_proto $proto;
+
+		if ( $proto =~ /^ipp2p/ ) {
+		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
+		    $ipp2p = 1;
+		}
+
+		add_rule( $postref ,
+			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
+			  1 )
+		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
+	    }
+	}
+    }
+}
+
+sub setup_simple_traffic_shaping() {
+    my $interfaces;
+
+    save_progress_message q("Setting up Traffic Control...");
+
+    my $fn = open_file 'tcinterfaces';
+
+    if ( $fn ) {
+	first_entry "$doing $fn...";
+	process_simple_device, $interfaces++ while read_a_line;
+    } else {
+	$fn = find_file 'tcinterfaces';
+    }
+
+    my $fn1 = open_file 'tcpri';
+
+    if ( $fn1 ) {
+	first_entry
+	    sub {
+		progress_message2 "$doing $fn1...";
+		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
+	    };
+
+	process_tc_priority while read_a_line;
+
+	clear_comment;
+
+	if ( $ipp2p ) {
+	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
+	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	}
+    }
+}
+
 sub setup_traffic_shaping() {
     our $lastrule = '';
 
-    save_progress_message "Setting up Traffic Control...";
+    save_progress_message q("Setting up Traffic Control...");
 
     my $fn = open_file 'tcdevices';
 
@@ -1022,6 +1171,9 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
+    my $sfq = $devnum;
+    my $sfqinhex;
+
     $devnum = $devnum > 10 ? 10 : 1;
 
     $fn = open_file 'tcclasses';
@@ -1033,12 +1185,15 @@ sub setup_traffic_shaping() {
     }
 
     for my $device ( @tcdevices ) {
-	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
 
+	$device = physical_name $device;
+
+	my $dev = chain_base( $device );
+
 	emit "if interface_is_up $device; then";
 
 	push_indent;
@@ -1088,7 +1243,7 @@ sub setup_traffic_shaping() {
 	    emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	}
 
-	save_progress_message_short "   TC Device $device defined.";
+	save_progress_message_short qq("   TC Device $device defined.");
 
 	pop_indent;
 	emit 'else';
@@ -1121,12 +1276,14 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+	$classids{$classid}=$device;
+	$device = physical_name $device;
+
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};
 
-	$classids{$classid}=$device;
-
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1153,17 +1310,18 @@ sub setup_traffic_shaping() {
 	    }
 	}
 
-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+	    $sfqinhex = in_hexp( ++$sfq);
+	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+	}
 	#
 	# add filters
 	#
 	unless ( $devref->{classify} ) {
-	    if ( $tcref->{occurs} == 1 ) {
-		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
-	    }
+	    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 	}
 
-	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#
@@ -1187,7 +1345,7 @@ sub setup_traffic_shaping() {
 	$fn = open_file 'tcfilters';
 
 	if ( $fn ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
+	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
 
 	    process_tc_filter while read_a_line;
 	}
@@ -1199,11 +1357,11 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
 
-	if ( $capabilities{MANGLE_FORWARD} ) {
+	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	}
@@ -1211,43 +1369,90 @@ sub setup_tc() {
 	my $mark_part = '';
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
+	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
 
-	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+	    unless ( $config{TRACK_PROVIDERS} ) {
+		#
+		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
+		#
+		for my $interface ( @routemarked_interfaces ) {
+		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
+		}
 	    }
 	}
 
-	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
-	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";
+	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
+	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 
-	if ( $capabilities{MANGLE_FORWARD} ) {
-	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
-	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
-	}
+	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
 
-	if ( $config{HIGH_ROUTE_MARKS} ) {
-	    for my $chain qw(INPUT FORWARD) {
-		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
-	    }
-	    #
-	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
-	    #
-	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
+	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
+	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
+	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
     }
 
     if ( $globals{TC_SCRIPT} ) {
-	save_progress_message 'Setting up Traffic Control...';
+	save_progress_message q('Setting up Traffic Control...');
 	append_file $globals{TC_SCRIPT};
     } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	setup_simple_traffic_shaping;
     }
 
     if ( $config{TC_ENABLED} ) {
+	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+			  target    => 'CONNMARK --save-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+			  target    => 'CONNMARK --restore-mark --mask' ,
+			  mark      => SMALLMARK ,
+			  mask      => in_hex( $globals{TC_MASK} ) ,
+			  connmark  => 1
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+			  target    => 'RETURN' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
+			  target    => 'sticky' ,
+			  mark      => NOMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+			  target    => 'IPMARK' ,
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+			  target    => 'MARK --or-mark' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' } ,
+			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
+			  target    => 'MARK --and-mark ' ,
+			  mark      => HIGHMARK ,
+			  mask      => '' ,
+			  connmark  => 0
+			} ,
+			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+			  target    => 'TPROXY',
+			  mark      => HIGHMARK,
+			  mask      => '',
+			  connmark  => '' },
+		      );
+
 	if ( my $fn = open_file 'tcrules' ) {
 
-	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
+	    first_entry "$doing $fn...";
 
 	    process_tc_rule while read_a_line;
 

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_9';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';
+	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
@@ -83,10 +83,10 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
-		unless ( $capabilities{POLICY_MATCH} ) {
+		unless ( have_ipsec ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 
@@ -239,8 +239,8 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
 
-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 
 	$gateway = ALLIP if $gateway eq '-';
 

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -36,6 +36,7 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
+#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -44,7 +45,6 @@ use Shorewall::Compiler;
 use Getopt::Long;
 
 sub usage( $ ) {
-    my $returnval = shift @_;
 
     print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]
 
@@ -58,10 +58,11 @@ sub usage( $ ) {
     [ --log=<filename> ]
     [ --log-verbose={-1|0-2} ]
     [ --test ]
+    [ --preview ]
     [ --family={4|6} ]
 ';
 
-    $returnval;
+    exit shift @_;
 }
 
 #
@@ -78,6 +79,7 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
+my $preview       = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -98,6 +100,7 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
+			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -105,7 +108,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;
 
-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
+compiler( script          => $ARGV[0] || '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
@@ -115,4 +118,5 @@ compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
+	  preview         => $preview,
 	  family          => $family );

Shorewall/Perl/prog.footer

@@ -1,288 +1,20 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
 ################################################################################
@@ -300,10 +32,23 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -326,17 +71,78 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSE=$(($VERBOSE + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSE=$(($VERBOSE - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
+				*)
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
+			;;
 		    *)
 			usage 1
 			;;
@@ -352,16 +158,14 @@ done
 
 COMMAND="$1"
 
-[ -n "${PRODUCT:=Shorewall}" ]
-
 case "$COMMAND" in
     start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    error_message "$PRODUCT is already Running"
+	    error_message "$g_product is already Running"
 	    status=0
 	else
-	    progress_message3 "Starting $PRODUCT...."
+	    progress_message3 "Starting $g_product...."
 	    detect_configuration
 	    define_firewall
 	    status=$?
@@ -371,7 +175,7 @@ case "$COMMAND" in
 	;;
     stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $PRODUCT...."
+	progress_message3 "Stopping $g_product...."
 	detect_configuration
 	stop_firewall
 	status=0
@@ -380,7 +184,7 @@ case "$COMMAND" in
 	;;
     reset)
 	if ! shorewall_is_started ; then
-	    error_message "$PRODUCT is not running"
+	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
 	    $IPTABLES -Z
@@ -388,7 +192,7 @@ case "$COMMAND" in
 	    $IPTABLES -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
-	    progress_message3 "$PRODUCT Counters Reset"
+	    progress_message3 "$g_product Counters Reset"
 	else
 	    shift
 	    status=0
@@ -410,10 +214,11 @@ case "$COMMAND" in
     restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Restarting $PRODUCT...."
+	    progress_message3 "Restarting $g_product...."
 	else
-	    error_message "$PRODUCT is not running"
-	    progress_message3 "Starting $PRODUCT...."
+	    error_message "$g_product is not running"
+	    progress_message3 "Starting $g_product...."
+	    COMMAND=start
 	fi
 
 	detect_configuration
@@ -427,13 +232,13 @@ case "$COMMAND" in
     refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Refreshing $PRODUCT...."
+	    progress_message3 "Refreshing $g_product...."
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
 	else
-	    echo "$PRODUCT is not running" >&2
+	    echo "$g_product is not running" >&2
 	    status=2
 	fi
 	;;
@@ -448,28 +253,30 @@ case "$COMMAND" in
 	;;
     clear)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $PRODUCT...."
+	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	if [ -n "$SUBSYSLOCK" ]; then
+	    rm -f $SUBSYSLOCK
+	fi
 	progress_message3 "done."
 	;;
     status)
 	[ $# -ne 1 ] && usage 2
-	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
 	if shorewall_is_started; then
-	    echo "$PRODUCT is running"
+	    echo "$g_product is running"
 	    status=0
 	else
-	    echo "$PRODUCT is stopped"
+	    echo "$g_product is stopped"
 	    status=4
 	fi
 
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Clear*)
+		Stopped*|lClear*)
 		    status=3
 		    ;;
 	    esac
@@ -479,9 +286,16 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
+    up|down)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	updown $@
+	status=0;
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
-	echo $VERSION
+	echo $SHOREWALL_VERSION
 	status=0
 	;;
     help)

Shorewall/Perl/prog.footer6

@@ -1,249 +1,20 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
     exit $1
 }
 ################################################################################
@@ -261,10 +32,23 @@ if [ $# -gt 1 ]; then
 	shift
     fi
 fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING
 
 initialize
 
 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
     if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -287,19 +71,77 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSE=$(($VERBOSE + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSE=$(($VERBOSE - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
-		    *)
-			usage 1
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
+				*)
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
 			;;
 		esac
 	    done
@@ -313,21 +155,19 @@ done
 
 COMMAND="$1"
 
-[ -n "${PRODUCT:=Shorewall6}" ]
-
-kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
+    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
     status=2
 else
     case "$COMMAND" in
 	start)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		error_message "$PRODUCT is already Running"
+		error_message "$g_product is already Running"
 		status=0
 	    else
-		progress_message3 "Starting $PRODUCT...."
+		progress_message3 "Starting $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
@@ -337,23 +177,23 @@ else
 	    ;;
 	stop)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Stopping $PRODUCT...."
+	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
-	reset)
+ 	reset)
 	    if ! shorewall6_is_started ; then
-		error_message "$PRODUCT is not running"
+		error_message "$g_product is not running"
 		status=2
 	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
-		progress_message3 "$PRODUCT Counters Reset"
+		progress_message3 "$g_product Counters Reset"
 	    else
 		shift
 		status=0
@@ -375,10 +215,11 @@ else
 	restart)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Restarting $PRODUCT...."
+		progress_message3 "Restarting $g_product...."
 	    else
-		error_message "$PRODUCT is not running"
-		progress_message3 "Starting $PRODUCT...."
+		error_message "$g_product is not running"
+		progress_message3 "Starting $g_product...."
+		COMMAND=start
 	    fi
 
 	    detect_configuration
@@ -392,13 +233,13 @@ else
 	refresh)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Refreshing $PRODUCT...."
+		progress_message3 "Refreshing $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
 	    else
-		echo "$PRODUCT is not running" >&2
+		echo "$g_product is not running" >&2
 		status=2
 	    fi
 	    ;;
@@ -413,21 +254,23 @@ else
 	    ;;
 	clear)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Clearing $PRODUCT...."
+	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	    ;;
 	status)
 	    [ $# -ne 1 ] && usage 2
-	    echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	    echo
 	    if shorewall6_is_started; then
-		echo "$PRODUCT is running"
+		echo "$g_product is running"
 		status=0
 	    else
-		echo "$PRODUCT is stopped"
+		echo "$g_product is stopped"
 		status=4
 	    fi
 
@@ -444,9 +287,16 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
+	up|down)
+	    [ $# -eq 1 ] && exit 0
+	    shift
+	    [ $# -ne 1 ] && usage 2
+	    updown $1
+	    status=0
+	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
-	    echo $VERSION
+	    echo $SHOREWALL_VERSION
 	    status=0
 	    ;;
 	help)

Shorewall/Perl/prog.header

@@ -1,11 +1,18 @@
+#!/bin/sh
+#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -22,14 +29,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -38,12 +37,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -54,12 +53,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 0 ]; then
+    if [ $LOG_VERBOSITY -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -70,93 +69,17 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -ge 0 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt1 $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
 #
 # Set a standard chain's policy
 #
@@ -198,240 +121,10 @@ deleteallchains() {
 }
 
 #
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
+# Generate a list of all network interfaces on the system
 #
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
-LEFTSHIFT='<<'
-
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # Use string comparison to work around a broken BusyBox ash in OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
 }
 
 #
@@ -534,32 +227,6 @@ find_interface_by_address() {
     [ -n "$dev" ] && echo $dev
 }
 
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 #
 # Determine if Interface is up
 #
@@ -567,45 +234,12 @@ interface_is_up() {
     [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 
@@ -658,71 +292,6 @@ get_interface_bcasts() # $1 = interface
     $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
 #
 # Delete IP address
 #
@@ -875,16 +444,6 @@ disable_ipv6() {
     fi
 }
 
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
 #
 # Clear the current traffic shaping configuration
 #
@@ -950,7 +509,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$NOROUTES"  ]; then
+    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -974,7 +533,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -1017,25 +576,6 @@ restore_default_route() {
     return $result
 }
 
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(mywhich echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -1058,11 +598,11 @@ find_mac() # $1 = IP address, $2 = interface
 }
 
 #
-# Flush the conntrack table if $PURGE is non-empty
+# Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$PURGE" ]; then
+    if [ -n "$g_purge" ]; then
 	if [ -n $(mywhich conntrack) ]; then
             conntrack -F
 	else
@@ -1071,6 +611,261 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IP6TABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################

Shorewall/Perl/prog.header6

@@ -1,11 +1,18 @@
+#!/bin/sh
+#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -22,14 +29,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -38,12 +37,12 @@ progress_message() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -54,12 +53,12 @@ progress_message2() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -gt 0 ]; then
+    if [ $LOG_VERBOSITY -gt 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
@@ -70,117 +69,17 @@ progress_message3() # $* = Message
     local timestamp
     timestamp=
 
-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
     fi
 
-    if [ $LOG_VERBOSE -ge 0 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
         timestamp="$(date +'%b %_d %T') "
         echo "${timestamp}$@" >> $STARTUP_LOG
     fi
 }
 
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Undo the effect of 'split()'
-#
-join()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o:}$f"
-    done
-
-    echo $o
-}
-
-#
-# Return the number of elements in a list
-#
-list_count() # $* = list
-{
-    return $#
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall6_is_started() {
-    qt1 $IP6TABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
 #
 # Set a standard chain's policy
 #
@@ -214,128 +113,10 @@ deleteallchains() {
 }
 
 #
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
+# Generate a list of all network interfaces on the system
 #
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall6
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IP6TABLES -L $1 -n
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
 }
 
 #
@@ -400,71 +181,11 @@ find_default_interface() {
     done
 }
 
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 #
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 
 #
@@ -472,6 +193,7 @@ find_first_interface_address_if_any() # $1 = interface
 #
 interface_is_usable() # $1 = interface
 {
+    [ "$1" = lo ] && return 0
     interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 
@@ -681,71 +403,6 @@ get_all_acasts()
     find_interface_full_addresses | convert_to_anycast | sort -u
 }
 
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
 #
 # Detect the gateway through an interface
 #
@@ -771,20 +428,6 @@ detect_gateway() # $1 = interface
     [ -n "$gateway" ] && echo $gateway
 }
 
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
-#
-# Clear the current traffic shaping configuration
-#
-
 delete_tc1()
 {
     clear_one_tc() {
@@ -846,7 +489,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {
 
-    if [ -z "$NOROUTES"  ]; then
+    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -870,7 +513,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -933,11 +576,11 @@ find_echo() {
 }
 
 #
-# Flush the conntrack table if $PURGE is non-empty
+# Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
 
-    if [ -n "$PURGE" ]; then
+    if [ -n "$g_purge" ]; then
 	if [ -n $(which conntrack) ]; then
             conntrack -F
 	else
@@ -946,6 +589,222 @@ conditionally_flush_conntrack() {
     fi
 }
 
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################

Shorewall/changelog.txt

@@ -1,22 +1,311 @@
-Changes in Shorewall 4.4.2.4
+Changes in Shorewall 4.4.13
 
-1)  Correct optional interfaces.
+1)  Allow zone lists in rules SOURCE and DEST.
 
-Changes in Shorewall 4.4.2.3
+2)  Fix exclusion in the blacklist file.
 
-1)  Fix internal error with RETAIN_ALIASES=No.
+3)  Correct several old exclusion bugs.
 
-2)  Only detect IP configuration when needed.
+4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
 
-3)  Fix nested zones.
+Changes in Shorewall 4.4.12
 
-Changes in Shorewall 4.4.2.2
+1)  Fix IPv6 shorecap program.
 
-1)  Another fix for 'routeback' in routestopped.
+2)  Eradicate incorrect IPv6 Multicast Network
 
-Changes in Shorewall 4.4.2.1
+3)  Add ADD/DEL support.
 
-1)  Fix 'routeback' in routestopped.
+4)  Allow :random to work with REDIRECT
+
+5)  Add per-ip log rate limiting.
+
+6)  Use new hashlimit match syntax if available.
+
+7)  Add Universal sample.
+
+8)  Add COMPLETE option.
+
+9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
+
+10) Support new set match syntax.
+
+11) Blacklisting by DEST IP.
+
+12) Fix duplicate rule generation with 'any'.
+
+13) Fix port range editing problem.
+
+14) Display the .conf file directory in response to the status command.
+
+15)  Correct AUTOMAKE
+
+Changes in Shorewall 4.4.11
+
+1)  Apply patch from Gabriel.
+
+2)  Fix IPSET match detection when a pathname is specified for IPSET.
+
+3)  Fix start priority of shorewall-init on Debian
+
+4)  Make IPv6 log and connections output readable.
+
+5)  Add REQUIRE_INTERFACE to shorewall*.conf
+
+6)  Avoid run-time warnings when options are not listed in
+    shorewall.conf.
+
+7)  Implement Vserver zones.
+
+8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
+    hosts file.
+
+9)  Add CLEAR_FORWARD_MARK option.
+
+10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
+
+11) Add PERL option.
+
+12) Fix nets= in Shorewall6
+
+Changes in Shorewall 4.4.10
+
+1)  Fix regression with scripts.
+
+2)  Log startup errors.
+
+3)  Implement Shorewall-init.
+
+4)  Add SAFESTOP option to /etc/default/shorewall*
+
+5)  Restore -a functionality to the version command.
+
+6)  Correct Optimization issue
+
+7)  Rename PREFIX to DESTDIR in install scripts
+
+8)  Correct handling of optional/required interfaces with wildcard names.
+
+Changes in Shorewall 4.4.9
+
+1)  Auto-detection of bridges.
+
+2)  Correct handling of a logical interface name in the EXTERNAL column
+    of proxyarp.
+
+3)  More robust 'trace'.
+
+4)  Added IPv6 mDNS macro.
+
+5)  Fix find_first_interface_address() error reporting.
+
+6)  Fix propagation of zero-valued config variables.
+
+7)  Fix OPTIMIZE 4 bug.
+
+8)  Deallocate unused rules.
+
+9)  Keep rule arrays compressed during optimization.
+
+10) Remove remaining fallback scripts.
+
+11) Rationalize startup logs.
+
+12) Optimize 8.
+
+13) Don't create output chains for BPORT zones.
+
+14) Implement 'show log ip-addr' in /sbin/shorewall and
+    /sbin/shorewall-lite/
+
+15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
+
+16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
+
+17) Set IP before sourcing the params file.
+
+18) Fix rare optimization bug.
+
+19) Allow definition of an addressless bridge without a zone.
+
+20) In the routestopped file, assume 'routeback' if the interface has
+    'routeback'.
+
+21) Make Shorewall and Shorewall6 installable on OS X.
+
+Changes in Shorewall 4.4.8
+
+1)  Correct handling of RATE LIMIT on NAT rules.
+
+2)  Don't create a logging chain for rules with '-j RETURN'.
+
+3)  Avoid duplicate SFQ class numbers.
+
+4)  Fix low per-IP rate limits.
+
+5)  Fix Debian init script exit status
+
+6)  Fix NFQUEUE(queue-num) in policy
+
+7)  Implement -s option in install.sh
+
+8)  Add HKP Macro
+
+9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
+
+10) Eliminate up-cased variable names that aren't documented options.
+
+11) Don't show 'OLD' capabilities if they are not available.
+
+12) Attempt to flag use of '-' as a port-range separator.
+
+13) Add undocumented OPTIMIZE=-1 setting.
+
+14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
+    default optimizations.
+
+15) Add support for UDPLITE
+
+16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
+
+17) Issue warnings when 'blacklist' but no blacklist file entries.
+
+18) Don't optimize 'blacklst'.
+
+Changes in Shorewall 4.4.7
+
+1)  Backport optimization changes from 4.5.
+
+2)  Backport two new options from 4.5.
+
+3)  Backport TPROXY from 4.5
+
+4)  Add TC_PRIOMAP to shorewall*.conf
+
+5)  Implement LOAD_HELPERS_ONLY
+
+6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
+
+7)  Fix case where MARK target is unavailable.
+
+8)  Change default to ADD_IP_ALIASES=No
+
+9)  Correct defects in generate_matrix().
+
+10) Fix and optimize 'nosmurfs'.
+
+11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
+
+Changes in Shorewall 4.4.6
+
+1)  Fix for rp_filter and kernel 2.6.31.
+
+2)  Add a hack to work around a bug in Lenny + xtables-addons
+
+3)  Re-enable SAVE_IPSETS
+
+4)  Allow both <...> and [...] for IPv6 Addresses.
+
+5)  Port mark geometry change from 4.5.
+
+6)  Add Macro patch from Tuomo Soini
+
+7)  Add 'show macro' command.
+
+8)  Add -r option to check.
+
+9)  Port simplified TC from 4.5.
+
+Changes in Shorewall 4.4.5
+
+1)  Fix 15-port limit removal change.
+
+2)  Fix handling of interfaces with the 'bridge' option.
+
+3)  Generate error for port number 0
+
+4)  Allow zone::serverport in rules DEST column.
+
+5)  Fix 'show policies' in Shorewall6.
+
+6)  Auto-load tc modules.
+
+7)  Allow LOGFILE=/dev/null
+
+8)  Fix shorewall6-lite/shorecap
+
+9) Fix MODULE_SUFFIX.
+
+10) Fix ENHANCED_REJECT detection for IPv4.
+
+11) Fix DONT_LOAD vs 'reload -c'
+
+12) Fix handling of SOURCE and DEST vs macros.
+
+13) Remove silly logic in expand_rule().
+
+14) Add current and limit to Conntrack Table Heading.
+
+Changes in Shorewall 4.4.4
+
+1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
+
+2)  Fix access to uninitialized variable.
+
+3)  Add logrotate scripts.
+
+4)  Allow long port lists in /etc/shorewall/routestopped.
+
+5)  Implement 'physical' interface option.
+
+6)  Implement ZONE2ZONE option.
+
+7)  Suppress duplicate COMMENT warnings.
+
+8)  Implement 'show policies' command.
+
+9)  Fix route_rule suppression for down provider.
+
+10) Suppress redundant tests for provider availability in route rules
+    processing.
+
+11) Implement the '-l' option to the 'show' command.
+
+12) Fix class number assignment when WIDE_TC_MARKS=Yes
+
+13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+
+Changes in Shorewall 4.4.3
+
+1)  Move Debian INITLOG initialization to /etc/default/shorewall
+
+2)  Fix 'routeback' in /etc/shorewall/routestopped.
+
+3)  Rename 'object' to 'script' in compiler and config modules.
+
+4)  Correct RETAIN_ALIASES=No.
+
+5)  Fix detection of IP config.
+
+6)  Fix nested zones.
+
+7)  Move all function declarations from prog.footer to prog.header
+
+8)  Remove superfluous variables from generated script
+
+9)  Make 'track' the default.
+
+10)  Add TRACK_PROVIDERS option.
+
+11)  Fix IPv6 address parsing bug.
+
+12)  Add hack to work around iproute IPv6 bug in route handling
+
+13)  Correct messages issued when an optional provider is not usable.
+
+14)  Fix optional interfaces.
+
+15)  Add 'limit' option to tcclasses.
 
 Changes in Shorewall 4.4.2
 

Shorewall/configfiles/accounting

@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
+#####################################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP

Shorewall/configfiles/blacklist

@@ -7,4 +7,5 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT		OPTIONS
+

Shorewall/configfiles/findgw

@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Filegw File
+# Shorewall version 4 - Findgw File
 #
 # /etc/shorewall/findgw
 #

Shorewall/configfiles/masq

@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/netmap

@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2
+#TYPE	NET1			INTERFACE	NET2		NET3

Shorewall/configfiles/shorewall.conf

@@ -1,19 +1,10 @@
 ###############################################################################
-#  /etc/shorewall/shorewall.conf Version 4 - Change the following variables to
-#  match your setup
 #
-#  This program is under GPL
-#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#  This file should be placed in /etc/shorewall
-#
-#  (c) 1999,2000,2001,2002,2003,2004,2005,
-#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Additional information is available at 
-#  http://www.shorewall.net/Documentation.htm#Conf
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -32,17 +23,15 @@ VERBOSITY=1
 
 LOGFILE=/var/log/messages
 
-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log
 
-LOG_VERBOSITY=
+LOG_VERBOSITY=2
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGTAGONLY=No
 
-LOGRATE=
-
-LOGBURST=
+LOGLIMIT=
 
 LOGALLNEW=
 
@@ -68,6 +57,8 @@ TC=
 
 IPSET=
 
+PERL=/usr/bin/perl
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
 SHOREWALL_SHELL=/bin/sh
@@ -107,7 +98,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 
 IP_FORWARDING=On
 
-ADD_IP_ALIASES=Yes
+ADD_IP_ALIASES=No
 
 ADD_SNAT_ALIASES=No
 
@@ -117,6 +108,8 @@ TC_ENABLED=Internal
 
 TC_EXPERT=No
 
+TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+
 CLEAR_TC=Yes
 
 MARK_IN_FORWARD_CHAIN=No
@@ -135,7 +128,7 @@ BLACKLISTNEWONLY=Yes
 
 DELAYBLACKLISTLOAD=No
 
-MODULE_SUFFIX=
+MODULE_SUFFIX=ko
 
 DISABLE_IPV6=No
 
@@ -189,6 +182,24 @@ AUTOMAKE=No
 
 WIDE_TC_MARKS=No
 
+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=No
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/configfiles/tcinterfaces

@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Tcinterfaces File
+#
+# For information about entries in this file, type "man shorewall-tcinterfaces"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#INTERFACE	TYPE		IN-BANDWIDTH
+

Shorewall/configfiles/tcpri

@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Tcpri File
+#
+# For information about entries in this file, type "man shorewall-tcpri"
+#
+# See http://shorewall.net/simple_traffic_shaping.htm for additional
+# information.
+#
+###############################################################################
+#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
+
+
+

Shorewall/default.debian

@@ -21,4 +21,16 @@ startup=0
 
 OPTIONS=""
 
+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
+#
+# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
+# a safe state rather than to open it
+#
+
+SAFESTOP=0
+
 # EOF

Shorewall/helpers

@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Helpers File
+#
+# /usr/share/shorewall/helpers
+#
+#	This file loads the kernel helper modules.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
+#  copy.
+#
+###############################################################################
+
+# Helpers
+#
+loadmodule ip_conntrack_amanda
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_h323
+loadmodule ip_conntrack_irc
+loadmodule ip_conntrack_netbios_ns
+loadmodule ip_conntrack_pptp
+loadmodule ip_conntrack_sip
+loadmodule ip_conntrack_tftp
+loadmodule ip_nat_amanda
+loadmodule ip_nat_ftp
+loadmodule ip_nat_h323
+loadmodule ip_nat_irc
+loadmodule ip_nat_pptp
+loadmodule ip_nat_sip
+loadmodule ip_nat_snmp_basic
+loadmodule ip_nat_tftp
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#
+# 2.6.20+ helpers
+#
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip         sip_direct_media=0
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane
+loadmodule nf_nat_amanda
+loadmodule nf_nat_ftp
+loadmodule nf_nat_h323
+loadmodule nf_nat_irc
+loadmodule nf_nat
+loadmodule nf_nat_pptp
+loadmodule nf_nat_proto_gre
+loadmodule nf_nat_sip
+loadmodule nf_nat_snmp_basic
+loadmodule nf_nat_tftp

Shorewall/init.debian.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,14 +15,12 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-# Note, set INITLOG to /dev/null if you want to
-# use Shorewall's STARTUP_LOG feature.
-INITLOG=/var/log/shorewall-init.log
+test -n ${INITLOG:=/var/log/shorewall-init.log}
 
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
-	echo "INITLOG cannot be empty, please configure $0" ; 
+test -n "$INITLOG" || {
+	echo "INITLOG cannot be empty, please configure $0" ;
 	exit 1;
 }
 
@@ -34,12 +32,13 @@ fi
 
 echo_notdone () {
 
-  if [ "$INITLOG" = "/dev/null" ] ; then 
+  if [ "$INITLOG" = "/dev/null" ] ; then
 	  echo "not done."
-  else 
+  else
 	  echo "not done (check $INITLOG)."
   fi
 
+  exit 1
 }
 
 not_configured () {
@@ -49,7 +48,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
+		echo "/usr/share/doc/shorewall/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0
@@ -72,7 +71,7 @@ fi
 
 export SHOREWALL_INIT_SCRIPT
 
-# wait for an unconfigured interface 
+# wait for an unconfigured interface
 wait_for_pppd () {
 	if [ "$wait_interface" != "" ]
 	then
@@ -94,7 +93,11 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
   echo -n "Stopping \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  if [ "$SAFESTOP" = 1 ]; then
+      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  else
+      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  fi
   return 0
 }
 
@@ -121,7 +124,7 @@ case "$1" in
      ;;
   refresh)
      shorewall_refresh
-  	  ;;
+     ;;
   force-reload|restart)
      shorewall_restart
      ;;

Shorewall/init.slackware.firewall.sh

@@ -45,7 +45,7 @@ status() {
 
 export SHOREWALL_INIT_SCRIPT=1
 
-case $1 in 
+case $1 in
 	'start')
 	start
 	;;

Shorewall/known_problems.txt

@@ -1,39 +1 @@
-1)  'shorewall check' produces an internal error if 'routeback' appears
-    in /etc/shorewall/routestopped.
-
-    You can work around this problem by using 'source' rather than
-    'routeback'.
-
-    Corrected in Shorewall 4.4.2.1.
-
-2)  'routeback' appearing in /etc/shorewall/routestopped doesn't
-    work (routeback traffic is not allowed).
-
-    You can work around this problem by using 'source' rather than
-    'routeback'.
-
-    Corrected in Shorewall 4.4.2.2.
-
-3)  If an alias IP address was added and RETAIN_ALIASES=No in
-    shorewall.conf, a compiler internal error results.
-
-    You can work around this problem by setting RETAIN_ALIASES=Yes in
-    shorewall.conf.
-
-    Corrected in Shorewall 4.4.2.3.
-
-4)  Nested zones where the parent zone is defined by a wildcard in
-    /etc/shorewall/interfaces (interface names ends in +), don't always
-    work correctly.
-
-    Corrected in Shorewall 4.4.2.3.
-
-5)  Global IP configuration variables are not being set in IPv6
-    configurations. This could cause 'shorewall6 start' to fail.
-
-    Corrected in Shorewall 4.4.2.4.
-
-6)  Under certain circumstances, optional providers are not detected
-    as being usable.
-
-    Corrected in Shorewall 4.4.2.5.
+There are no known problems in Shorewall 4.4.13-Beta2