Implement HL manipulation for IPv6

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/rules

@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW

Samples/Universal/shorewall.conf

@@ -29,8 +29,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -39,8 +37,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -134,8 +130,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=

Samples/one-interface/rules

@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
 
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 

Samples/one-interface/shorewall.conf

@@ -40,8 +40,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -50,8 +48,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -145,8 +141,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples/three-interfaces/rules

@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Samples/three-interfaces/shorewall.conf

@@ -38,8 +38,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -48,8 +46,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -143,8 +139,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples/two-interfaces/rules

@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #

Samples/two-interfaces/shorewall.conf

@@ -41,8 +41,6 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
@@ -51,8 +49,6 @@ LOGTAGONLY=No
 
 LOGLIMIT=
 
-LOGRATE=
-
 MACLIST_LOG_LEVEL=info
 
 SFILTER_LOG_LEVEL=info
@@ -146,8 +142,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples6/Universal/rules

@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW

Samples6/Universal/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=Yes
 
 FORWARD_CLEAR_MARK=

Samples6/one-interface/rules

@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
 
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 

Samples6/one-interface/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=No
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples6/three-interfaces/rules

@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #

Samples6/three-interfaces/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Samples6/two-interfaces/rules

@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #

Samples6/two-interfaces/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -125,8 +121,6 @@ EXPAND_POLICIES=No
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=

Shorewall-init/init.fedora.sh

@@ -0,0 +1,121 @@
+#! /bin/bash
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+prog="shorewall-init"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/shorewall-init"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get startup options (override default)
+OPTIONS=
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+else
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
+fi
+
+# Initialize the firewall
+start () {
+    local product
+    local vardir
+
+    if [ -z "$PRODUCTS" ]; then
+	echo "No firewalls configured for shorewall-init"
+	failure
+	return 6 #Not configured
+    fi
+
+    echo -n "Initializing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	touch $lockfile 
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+# Clear the firewall
+stop () {
+    local product
+    local vardir
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	rm -f $lockfile
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	echo "Not implemented"
+	exit 3
+	;;
+    condrestart|try-restart)
+	echo "Not implemented"
+	exit 3
+        ;;
+    status)
+	status $prog
+	;;
+  *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+esac
+
+exit 0

Shorewall-init/init.sh

@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:
+# Default-Stop:   6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -69,6 +69,10 @@ shorewall_start () {
       fi
   done
 
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
   return 0
 }
 
@@ -86,6 +90,13 @@ shorewall_stop () {
       fi
   done
 
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
   return 0
 }
 

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=xxx #The Build script inserts the actual version.
 
 usage() # $1 = exit status
 {
@@ -160,6 +160,8 @@ elif [ -f /etc/debian_version ]; then
     DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
     SUSE=Yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
     echo "Shorewall-init is currently not supported on Slackware" >&2
     exit 1
@@ -181,6 +183,14 @@ else
     exit 1
 fi
 
+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -202,6 +212,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
     install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
@@ -210,6 +222,14 @@ fi
 
 echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
 
+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+fi
+
 #
 # Create /usr/share/shorewall-init if needed
 #
@@ -297,7 +317,11 @@ if [ -z "$DESTDIR" ]; then
 
 	    echo "Shorewall Init will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else

Shorewall-init/shorewall-init.service

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecReload=/sbin/shorewall-init $OPTIONS restart
+ExecStop=/sbin/shorewall-init $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target

Shorewall-init/shorewall-init.spec

@@ -1,264 +0,0 @@
-%define name shorewall-init
-%define version 4.4.20
-%define release 1
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-    if [ -d /etc/ppp ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p /etc/ppp/$directory
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/$directory/shorewall
-	done
-    fi
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/ppp ]; then
-	if [ -f /etc/ppp/ip-up.local -o -f /etc/ppp/ip-down.local ]; then
-	    if ! grep -q Shorewall-based /etc/ppp/ip-up.local || ! grep -q Shorewall-based /etc/ppp//ip-down.local; then
-		echo "WARNING: /etc/ppp/ip-up.local and/or /etc/ppp/ip-down.local already exist; ppp devices will not be handled" >&2
-	    fi
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-up.local
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-down.local
-	fi
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    [ -f /etc/ppp/ip-up.local ]   && grep -q Shorewall-based /etc/ppp/ip-up.local   && rm -f /etc/ppp/ip-up.local
-    [ -f /etc/ppp/ip-down.local ] && grep -q Shorewall-based /etc/ppp/ip-down.local && rm -f /etc/ppp/ip-down.local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta4
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta2
-* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
-- Initial version
-
-
-

Shorewall-init/sysconfig

@@ -10,3 +10,9 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=xxx  #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
@@ -73,6 +73,8 @@ if [ -n "$INITSCRIPT" ]; then
         insserv -r $INITSCRIPT
     elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-init
     else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
     fi
@@ -93,6 +95,7 @@ remove_file /etc/network/if-down.d/shorewall
 
 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
+remove_file /lib/systemd/system/shorewall.service
 
 if [ -d /etc/ppp ]; then
     for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do

Shorewall-lite/init.fedora.sh

@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
@@ -136,7 +136,6 @@ esac
 #
 # Determine where to install the firewall script
 #
-DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
@@ -173,6 +172,8 @@ if [ -n "$DESTDIR" ]; then
     install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
     DEST="/etc/rc.d"
     INIT="rc.firewall"
@@ -182,6 +183,14 @@ elif [ -f /etc/arch-release ] ; then
       ARCHLINUX=yes
 fi
 
+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -223,12 +232,13 @@ echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-
+    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi
 
 echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
@@ -249,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
     chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 
+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -389,7 +407,11 @@ if [ -z "$DESTDIR" ]; then
 
 	    echo "Shorewall Lite will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-lite; then
+		    echo "Shorewall Lite will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-lite ; then
 		    echo "Shorewall Lite will start automatically at boot"
 		else

Shorewall-lite/shorewall-lite.service

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecReload=/sbin/shorewall-lite $OPTIONS restart
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target

Shorewall-lite/shorewall-lite.spec

@@ -1,477 +0,0 @@
-%define name shorewall-lite
-%define version 4.4.20
-%define release 1
-
-Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Lite is a companion product to Shorewall that allows network
-administrators to centralize the configuration of Shorewall-based firewalls.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%pre
-
-if [ -f /etc/shorewall-lite/shorewall.conf ]; then
-    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
-fi
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-lite;
-    fi
-elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
-    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
-    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
-    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
-    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-lite
-    fi
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0755,root,root) %dir /etc/shorewall-lite
-%attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
-%attr(0644,root,root) /etc/shorewall-lite/Makefile
-%attr(0544,root,root) /etc/init.d/shorewall-lite
-%attr(0755,root,root) %dir /usr/share/shorewall-lite
-%attr(0700,root,root) %dir /var/lib/shorewall-lite
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
-%attr(0755,root,root) /sbin/shorewall-lite
-
-%attr(0644,root,root) /usr/share/shorewall-lite/version
-%attr(0644,root,root) /usr/share/shorewall-lite/configpath
-%attr(-   ,root,root) /usr/share/shorewall-lite/functions
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.base
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
-%attr(0644,root,root) /usr/share/shorewall-lite/modules*
-%attr(0644,root,root) /usr/share/shorewall-lite/helpers
-%attr(0544,root,root) /usr/share/shorewall-lite/shorecap
-%attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
-
-%attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
-%attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
-
-%attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta4
-* Thu May 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta2
-* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta1
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.12-0base
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.5-0base
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0base
-* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.3-0base
-* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.2-0base
-* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.1-0base
-* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0base
-* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC4
-* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC3
-* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC2
-* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC1
-* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0Beta3
-* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0Beta2
-* Wed May 07 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0Beta1
-* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.8-0base
-* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.7-0base
-* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.6-0base
-* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.5-0base
-* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.4-0base
-* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.3-0base
-* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.3-1
-* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.2-1
-* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.1-1
-* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.0-1
-* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-1
-* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-0RC3
-* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-0RC2
-* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-0RC1
-* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.5-1
-* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.4-1
-* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.3-1
-* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.2-1
-* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.1-1
-* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-1
-* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0RC2
-* Mon Jul 02 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0RC1
-* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta7
-* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta6
-* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta5
-* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta4
-* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta3
-* Tue May 15 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta1
-* Fri May 11 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.7-1
-* Sat May 05 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.6-1
-* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.5-1
-* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.4-1
-* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.3-1
-* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.2-1
-* Sat Apr 07 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.1-1
-* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.1-1
-* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-1
-* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0RC3
-* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0RC2
-* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0RC1
-* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0Beta3
-* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0Beta2
-- Handle rename of shorewall.conf
-* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0Beta1
-* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
-- Added shorewall-exclusion(5)
-- Updated to 3.3.6-1
-* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.5-1
-* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.4-1
-* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.3-1
-* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.2-1
-* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.1-1
-* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.0-1
-* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.0-1
-
-

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=xxx  #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
@@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
         insserv -r $FIREWALL
     elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-lite
     else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
@@ -112,6 +114,7 @@ rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
+rm -f  /lib/systemd/system/shorewall-lite.service
 
 echo "Shorewall Lite Uninstalled"
 

Shorewall/Macros/macro.AllowICMPs

@@ -11,5 +11,6 @@
 
 COMMENT Needed ICMP types
 
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
+DEFAULT ACCEPT
+PARAM	-	-	icmp	fragmentation-needed
+PARAM	-	-	icmp	time-exceeded

Shorewall/Macros/macro.DropDNSrep

@@ -11,4 +11,5 @@
 
 COMMENT Late DNS Replies
 
-DROP	-	-	udp	-	53
+DEFAULT DROP
+PARAM	-	-	udp	-	53

Shorewall/Macros/macro.DropUPnP

@@ -11,4 +11,5 @@
 
 COMMENT UPnP
 
-DROP	-	-	udp	1900
+DEFAULT DROP
+PARAM	-	-	udp	1900

Shorewall/Perl/Shorewall/Accounting.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.20';
+our $VERSION = 'MODULEVERSION';
 
 #
 # Per-IP accounting tables. Each entry contains the associated network.
@@ -141,7 +141,10 @@ sub process_accounting_rule( ) {
 
     $jumpchainref = 0;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -205,7 +208,7 @@ sub process_accounting_rule( ) {
 		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
 		my ( $table, $net, $rest ) = split/,/, $1;
 		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
-		fatal_error "Missing Table Name"                       unless defined $table && $table ne '';;
+		fatal_error "Missing Table Name"                       unless supplied $table;
 		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
 		fatal_error "Missing Network Address"                  unless defined $net;
 		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
@@ -400,47 +403,47 @@ sub setup_accounting() {
 
 	    if ( have_bridges || $asection ) {
 		if ( $tableref->{accountin} ) {
-		    add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
 		}
 
 		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
 		}
 
 		if ( $tableref->{accountfwd} ) {
-		    add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
 		}
 
 		if ( $tableref->{accountout} ) {
-		    add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
 		}
 
 		if ( $tableref->{accountpre} ) {
-		    add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
 		}
 
 		if ( $tableref->{accountpost} ) {
-		    add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
 	    }
 
 	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $tableref->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
 		}
 	    }
 
 	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
 		}
 	    }
 

Shorewall/Perl/Shorewall/Compiler.pm

@@ -38,10 +38,12 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 
+use strict;
+
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';
 
 my $export;
 
@@ -81,11 +83,11 @@ sub generate_script_1( $ ) {
 
     if ( $script ) {
 	if ( $test ) {
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;
 
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
@@ -108,7 +110,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
 
-    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -116,7 +118,7 @@ EOF
 	emit '}';
     }
 
-    for my $exit qw/isusable findgw/ {
+    for my $exit ( qw/isusable findgw/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';
@@ -263,9 +265,9 @@ sub generate_script_2() {
 	push_indent;
 
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh)' );
+	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
-	    emit( 'start|restart|refresh|restore)' );
+	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}
 
 	push_indent;
@@ -354,9 +356,9 @@ sub generate_script_3($) {
 
     emit '';
 
-    if ( $family == F_IPV4 ) {
-	load_ipsets;
+    load_ipsets;
 
+    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
 	       '   run_refresh_exit' ,
 	       'else' ,
@@ -516,15 +518,15 @@ EOF
 
 }
 
-#
+#1
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        );
 
     $export = 0;
     $test   = 0;
@@ -556,8 +558,10 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview },
-		  confess       => { store => \$confess },
+		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
+		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
+		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
+		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
 		);
     #
     #                               P A R A M E T E R    P R O C E S S I N G
@@ -591,7 +595,7 @@ sub compiler {
     #
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export );
+    get_configuration( $export , $update , $annotate );
 
     report_capabilities unless $config{LOAD_HELPERS_ONLY};
 
@@ -611,7 +615,6 @@ sub compiler {
     # shorewall.conf has been processed and the capabilities have been determined.
     #
     initialize_chain_table(1);
-
     #
     # Allow user to load Perl modules
     #
@@ -693,7 +696,7 @@ sub compiler {
     if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
-	emit '}';
+	emit '}'; # End of setup_common_rules()
     }
 
     disable_script;
@@ -702,7 +705,17 @@ sub compiler {
     #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
     #
     enable_script;
-
+    #
+    # Validate the TC files so that the providers will know what interfaces have TC
+    #
+    my $tcinterfaces = process_tc;
+    #
+    # Generate a function to bring up each provider
+    #
+    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
     if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
@@ -712,9 +725,7 @@ sub compiler {
 
 	push_indent;
     }
-    #
-    # [Re-]establish Routing
-    #
+
     setup_providers;
     #
     # TCRules and Traffic Shaping
@@ -723,7 +734,7 @@ sub compiler {
 
     if ( $scriptfilename || $debug ) {
 	pop_indent;
-	emit "}\n";
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
     }
 
     disable_script;
@@ -746,12 +757,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
-	#
-	# Setup NETMAP
-	#
-	setup_netmap;
     }
 
+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
     #
     # MACLIST Filtration
     #

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -80,7 +80,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';
 
 #
 # Some IPv4/6 useful stuff
@@ -536,6 +536,7 @@ sub valid_6address( $ ) {
     }
 
     return 0 if @address > $max;
+    return 0 unless $address =~ /^[a-f:\d]+$/;
     return 0 unless ( @address == $max ) || $address =~ /::/;
     return 0 if $address =~ /:::/ || $address =~ /::.*::/;
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';
 
 my @addresses_to_add;
 my %addresses_to_add;
@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
     }
 
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
     my $pre_nat;
     my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
     my $destnets = '';
@@ -163,8 +166,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
+		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
+		$addresses =~ s/:random$//     and $randomize  = ' --random ';
 
 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
 
@@ -374,7 +377,7 @@ sub setup_nat() {
 
 	while ( read_a_line ) {
 
-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,8 +386,11 @@ sub setup_nat() {
 
 		$digit = defined $digit ? ":$digit" : '';
 
+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 		}
 
@@ -403,36 +409,104 @@ sub setup_netmap() {
 
     if ( my $fn = open_file 'netmap' ) {
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
 
 	    $net3 = ALLIP if $net3 eq '-';
 
 	    for my $interface ( split_list $interfacelist, 'interface' ) {
 
-		my $rulein = '';
-		my $ruleout = '';
 		my $iface = $interface;
 
 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
-		unless ( $interfaceref->{root} ) {
-		    $rulein  = match_source_dev( $interface );
-		    $ruleout = match_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		my @rule = do_iproto( $proto, $dport, $sport );
 
-		if ( $type eq 'DNAT' ) {
-		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
-		} elsif ( $type eq 'SNAT' ) {
-		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;
+		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface ); 
+			$interface = $interfaceref->{name};
+		    }
+			
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+		    
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
-		    fatal_error "Invalid type ($type)";
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
 		}
-
+		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}

Shorewall/Perl/Shorewall/Proc.pm

@@ -40,8 +40,8 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our @EXPORT_OK = qw( setup_interface_proc );
+our $VERSION = 'MODULEVERSION';
 
 #
 # ARP Filtering
@@ -277,4 +277,45 @@ sub setup_forwarding( $$ ) {
     }
 }
 
+sub setup_interface_proc( $ ) {
+    my $interface = shift;
+    my $physical  = get_physical $interface;
+    my $value;
+    my @emitted;
+
+    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
+    }
+	 
+    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
+    }
+
+    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
+    }
+
+    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( @emitted ) {
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );
+	push_indent;
+	emit "$_" for @emitted;
+	pop_indent;
+	emit "fi\n";
+    }
+}
+	 
+
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_19';
+our $VERSION = 'MODULEVERSION';
 
 our @proxyarp;
 
@@ -122,13 +122,15 @@ sub setup_proxy_arp() {
 
 	while ( read_a_line ) {
 
-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
 
 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }
 
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};

Shorewall/Perl/Shorewall/Raw.pm

@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_14';
+our $VERSION = 'MODULEVERSION';
 
 #
 # Notrack
@@ -84,7 +84,7 @@ sub setup_notrack() {
 
 	while ( read_a_line ) {
 
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
 
 	    if ( $source eq 'COMMENT' ) {
 		process_comment;

Shorewall/Perl/Shorewall/Rules.pm

@@ -22,7 +22,7 @@
 #
 #   This module handles policies and rules. It contains:
 #
-#       process_policies() and it's associated helpers.
+#       process_() and it's associated helpers.
 #       process_rules() and it's associated helpers for handling Actions and Macros.
 #
 #   This module combines the former Policy, Rules and Actions modules.
@@ -52,7 +52,7 @@ our @EXPORT = qw(
 	       );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';
 #
 # Globals are documented in the initialize() function
 #
@@ -73,7 +73,24 @@ my @builtins;
 #
 # Commands that can be embedded in a basic rule and how many total tokens on the line (0 => unlimited).
 #
-my $rule_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
+my $rule_commands   = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
+my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
+my $macro_commands  = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
+
+my %rulecolumns = ( action    =>   0,
+		    source    =>   1,
+		    dest      =>   2,
+		    proto     =>   3,
+		    dport     =>   4,
+		    sport     =>   5,
+		    origdest  =>   6,
+		    rate      =>   7,
+		    user      =>   8,
+		    mark      =>   9,
+		    connlimit =>  10,
+		    time      =>  11,
+		    headers   =>  12,
+		    switch    =>  13 );
 
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
@@ -128,7 +145,8 @@ sub initialize( $ ) {
     #
     # These are set to 1 as sections are encountered.
     #
-    %sections = ( ESTABLISHED => 0,
+    %sections = ( ALL         => 0,
+		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
 		  );
@@ -283,6 +301,9 @@ sub print_policy($$$$) {
 }
 
 sub use_policy_action( $ );
+sub normalize_action( $$$ );
+sub normalize_action_name( $ );
+
 #
 # Process an entry in the policy file.
 #
@@ -291,12 +312,17 @@ sub process_a_policy() {
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
 
     $loglevel  = '' if $loglevel  eq '-';
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
+    fatal_error 'SOURCE must be specified' if $client eq '-';
+    fatal_error 'DEST must be specified'   if $server eq '-';
+    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+
     my $clientwild = ( "\L$client" eq 'all' );
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@@ -324,15 +350,18 @@ sub process_a_policy() {
     }
 
     if ( $default ) {
+	my ( $def, $param ) = get_target_param( $default );
+
 	if ( "\L$default" eq 'none' ) {
 	    $default = 'none';
-	} elsif ( $actions{$default} ) {
+	} elsif ( $actions{$def} ) {
+	    $default = supplied $param ? normalize_action( $def, 'none', $param  ) : normalize_action_name $def;
 	    use_policy_action( $default );
 	} else {
 	    fatal_error "Unknown Default Action ($default)";
 	}
     } else {
-	$default = $default_actions{$policy} || '';
+	$default = $default_actions{$policy} || 'none';
     }
 
     if ( defined $queue ) {
@@ -379,7 +408,7 @@ sub process_a_policy() {
 	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
     }
 
-    $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
+    $chainref->{loglevel}  = validate_level( $loglevel ) if supplied $loglevel;
 
     if ( $synparams ne '' || $connlimit ne '' ) {
 	my $value = '';
@@ -390,7 +419,9 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
     }
 
-    $chainref->{default} = $default if $default;
+    assert( $default );
+    my $chainref1 = $usedactions{$default};
+    $chainref->{default} = $chainref1 ? $chainref1->{name} : $default;
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -460,18 +491,23 @@ sub process_policies()
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};
-	next if $action eq 'none';
-	my $actiontype = $targets{$action};
-												 
-	if ( defined $actiontype ) {
-	    fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
-	} else {
-	    fatal_error "Default Action $option=$action not found";
-	}
+	
+	unless ( $action eq 'none' ) {
+	    my ( $act, $param ) = get_target_param( $action );
 
-	use_policy_action( $action );
+	    if ( "\L$action" eq 'none' ) {
+		$action = 'none';
+	    } elsif ( $actions{$act} ) {
+		$action = supplied $param ? normalize_action( $act, 'none', $param  ) : normalize_action_name $act;
+		use_policy_action( $action );
+	    } elsif ( $targets{$act} ) {
+		fatal_error "Invalid setting ($action) for $option";
+	    } else {
+		fatal_error "Default Action $option=$action not found";
+	    }
+	}
 
 	$default_actions{$map{$option}} = $action;
     }
@@ -513,20 +549,13 @@ sub policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
 
     unless ( $target eq 'NONE' ) {
-	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_jump $chainref, $default, 0 if $default && $default ne 'none';
+	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_ijump $chainref, j => $default if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 	
-	if ( $chainref->{audit} ) {
-	    if ( $config{FAKE_AUDIT} ) {
-		add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
-	    } else { 
-		add_rule( $chainref , '-j AUDIT --type ' . lc $target );
-	    }
-	}
-
-	add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
+	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
     }
 }
 
@@ -555,7 +584,7 @@ sub default_policy( $$$ ) {
 		report_syn_flood_protection;
 		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
-		add_jump $chainref,  $policyref, 1;
+		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
@@ -563,7 +592,7 @@ sub default_policy( $$$ ) {
 	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
-	    add_jump $chainref , $policyref, 1;
+	    add_ijump $chainref , g => $policyref;
 	    $chainref = $policyref;
 	}
     }
@@ -672,7 +701,7 @@ sub setup_syn_flood_chains() {
 			    'add' ,
 			    '' )
 		if $level ne '';
-	    add_rule $synchainref, '-j DROP';
+	    add_ijump $synchainref, j => 'DROP';
 	}
     }
 }
@@ -689,7 +718,7 @@ sub optimize_policy_chains() {
     #
     my $outputrules = $filter_table->{OUTPUT}{rules};
 
-    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+    if ( @{$outputrules} && $outputrules->[-1]->{target} eq 'ACCEPT' ) {
 	optimize_chain( $filter_table->{OUTPUT} );
     }
 
@@ -736,7 +765,7 @@ sub finish_chain_section ($$) {
     
     push_comment(''); #These rules should not have comments
 
-    add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
+    add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
 
     if ($sections{NEW} ) {
 	if ( $chainref->{is_policy} ) {
@@ -744,17 +773,17 @@ sub finish_chain_section ($$) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
 		if ( $section eq 'DONE' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
-			add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
+			add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
 		    }
 		} else {
-		    add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
+		    add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
 		}
 	    }
 	} else {
 	    my $policychainref = $filter_table->{$chainref->{policychain}};
 	    if ( $policychainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
-		add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
+		add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
 	    }
 	}
 
@@ -824,9 +853,10 @@ sub normalize_action( $$$ ) {
 
     ( $level, my $tag ) = split ':', $level;
 
-    $level = 'none' unless defined $level && $level ne '';
+    $level = 'none' unless supplied $level;
     $tag   = ''     unless defined $tag;
     $param = ''     unless defined $param;
+    $param = ''     if $param eq '-';
 
     join( ':', $action, $level, $tag, $param );
 }
@@ -894,16 +924,20 @@ sub createlogactionchain( $$$$$ ) {
 
     $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
 
-  CHECKDUP:
-    {
-	$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
-	$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
+    if ( $filter_table->{$chain} ) {
+      CHECKDUP:
+	{
+	    $actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
+	    $chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
+	}
+
+	$usedactions{$normalized} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
+
+	fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
+    } else {
+	$usedactions{$normalized} = $chainref = new_standard_chain $chain;
     }
 
-    $usedactions{$normalized} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
-
-    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
-
     $chainref->{action} = $normalized;
 
     unless ( $targets{$action} & BUILTIN ) {
@@ -1089,7 +1123,7 @@ sub merge_macro_source_dest( $$ ) {
 sub merge_macro_column( $$ ) {
     my ( $body, $invocation ) = @_;
 
-    if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
+    if ( supplied( $invocation ) && $invocation ne '-' ) {
 	$invocation;
     } else {
 	$body;
@@ -1133,63 +1167,6 @@ sub map_old_actions( $ ) {
     }
 }
 
-#
-# Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
-
-sub ensure_audit_chain( $;$$ ) {
-    my ( $target, $action, $tgt ) = @_;
-
-    push_comment( '' );
-
-    my $ref = $filter_table->{$target};
-
-    unless ( $ref ) {
-	$ref = new_chain 'filter', $target;
-
-	unless ( $action ) {
-	    $action = $target;
-	    $action =~ s/^A_//;
-	}
-
-	$tgt ||= $action;
-
-	if ( $config{FAKE_AUDIT} ) {
-	    add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
-	} else {
-	    add_rule $ref, '-j AUDIT --type ' . lc $action;
-	}
-
-	
-	if ( $tgt eq 'REJECT' ) {
-	    add_jump $ref , 'reject', 1;
-	} else {
-	    add_jump $ref , $tgt, 0;
-	}
-    }
-
-    pop_comment;
-
-    return $target;
-}
-
-#
-# Return the appropriate target based on whether the second argument is 'audit'
-#
-
-sub require_audit($$;$) {
-    my ($action, $audit, $tgt ) = @_;
-
-    return $action unless defined $audit and $audit ne '';
-
-    my $target = 'A_' . $action;
-
-    fatal_error "Invalid parameter ($audit)" unless $audit eq 'audit';
-
-    require_capability 'AUDIT_TARGET', 'audit', 's';
-
-    return ensure_audit_chain $target, $action, $tgt;
-}   
-  
 #
 # The following small functions generate rules for the builtin actions of the same name
 #
@@ -1208,7 +1185,7 @@ sub dropBcast( $$$$ ) {
 	    }
 	}
 	
-	add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
+	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
     } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
@@ -1218,17 +1195,17 @@ sub dropBcast( $$$$ ) {
 
 	incr_cmd_level $chainref;
 	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
-	add_jump $chainref, $target, 0, "-d \$address ";
+	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
-
-	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
     }
 
     if ( $family == F_IPV4 ) {
-	add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
     } else {
-	add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST . ' ' ) if $level ne '';
+	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
 
@@ -1243,8 +1220,7 @@ sub allowBcast( $$$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	}
 
-	add_jump $chainref, $target, 0, "-m addrtype --dst-type BROADCAST ";
-	add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
+	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
     } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
@@ -1254,17 +1230,17 @@ sub allowBcast( $$$$ ) {
 
 	incr_cmd_level $chainref;
 	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
-	add_rule $chainref, "-d \$address -j $target";
+	add_ijump $chainref, j => $target, d => '$address';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
+    }
 
-	if ( $family == F_IPV4 ) {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-	    add_jump $chainref, $target, 0, "-d 224.0.0.0/4 ";
-	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_jump $chainref, $target, 0, join ( ' ', '-d', IPv6_MULTICAST, ' ' );
-	}
+    if ( $family == F_IPV4 ) {
+	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+	add_ijump $chainref, j => $target, d => '224.0.0.0/4';
+    } else {
+	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
+	add_ijump $chainref, j => $target, d => IPv6_MULTICAST;
     }
 }
 
@@ -1274,7 +1250,7 @@ sub dropNotSyn ( $$$$ ) {
     my $target = require_audit( 'DROP', $audit );
 
     log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_jump $chainref , $target, 0, "-p 6 ! --syn ";
+    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 
 sub rejNotSyn ( $$$$ ) {
@@ -1282,12 +1258,12 @@ sub rejNotSyn ( $$$$ ) {
 
     my $target = 'REJECT --reject-with tcp-reset';
 
-    if ( defined $audit && $audit ne '' ) {
+    if ( supplied $audit ) {
 	$target = require_audit( 'REJECT' , $audit );
     }
 
     log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+    add_ijump $chainref , j => $target, p => '6 ! --syn';
 }
 
 sub dropInvalid ( $$$$ ) {
@@ -1296,7 +1272,7 @@ sub dropInvalid ( $$$$ ) {
     my $target = require_audit( 'DROP', $audit );
 
     log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-    add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+    add_ijump $chainref , j => $target, state_imatch 'INVALID';
 }
 
 sub allowInvalid ( $$$$ ) {
@@ -1305,7 +1281,7 @@ sub allowInvalid ( $$$$ ) {
     my $target = require_audit( 'ACCEPT', $audit );
 
     log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-    add_rule $chainref , "$globals{STATEMATCH} INVALID -j $target";
+    add_ijump $chainref , j => $target, state_imatch 'INVALID';
 }
 
 sub forwardUPnP ( $$$$ ) {
@@ -1324,8 +1300,8 @@ sub allowinUPnP ( $$$$ ) {
 	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
     }
 
-    add_jump $chainref, $target, 0, '-p 17 --dport 1900 ';
-    add_jump $chainref, $target, 0, '-p 6 --dport 49152 ';
+    add_ijump $chainref, j => $target, p => '17 --dport 1900';
+    add_ijump $chainref, j => $target, p => '6 --dport 49152';
 }
 
 sub Limit( $$$$ ) {
@@ -1352,18 +1328,18 @@ sub Limit( $$$$ ) {
 
     require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
 
-    add_rule $chainref, "-m recent --name $set --set";
+    add_irule $chainref, recent => "--name $set --set";
 
     if ( $level ne '' ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $param[0], 'DROP', '', $tag, 'add', '';
-	add_rule $xchainref, '-j DROP';
-	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $param[2] --hitcount $count ";
+	add_ijump $xchainref, j => 'DROP';
+	add_ijump $chainref,  j => $xchainref, recent => "--name $set --update --seconds $param[2] --hitcount $count";
     } else {
-	add_rule $chainref, "-m recent --update --name $set --seconds $param[2] --hitcount $count -j DROP";
+	add_ijump $chainref, j => 'DROP', recent => "--update --name $set --seconds $param[2] --hitcount $count";
     }
 
-    add_rule $chainref, '-j ACCEPT';
+    add_ijump $chainref, j => 'ACCEPT';
 }
 
 my %builtinops = ( 'dropBcast'      => \&dropBcast,
@@ -1398,7 +1374,7 @@ sub process_actions() {
 	open_file $file;
 
 	while ( read_a_line ) {
-	    my ( $action ) = split_line 1, 1, 'action file';
+	    my ( $action ) = split_line 'action file' , { action => 0 };
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1426,7 +1402,7 @@ sub process_actions() {
 
 }
 
-sub process_rule1 ( $$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
 
 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1450,22 +1426,28 @@ sub process_action( $) {
 
 	push_open $actionfile;
 
-	my $oldparms = push_params( $param );
+	my $oldparms = push_action_params( $chainref, $param );
 
 	$active{$wholeaction}++;
 	push @actionstack, $wholeaction;
 
+	push_comment( '' );
+
 	while ( read_a_line ) {
 
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
 
 	    if ( $format == 1 ) {
-		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands;
-		$origdest = $connlimit = $time = $headers = '-';
+		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
+		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
+		$origdest = $connlimit = $time = $headers = $condition = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'action file', $rule_commands;
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }
 
+	    fatal_error 'TARGET must be specified' if $target eq '-';
+
 	    if ( $target eq 'COMMENT' ) {
 		process_comment;
 		next;
@@ -1477,6 +1459,11 @@ sub process_action( $) {
 		next;
 	    }
 
+	    if ( $target eq 'DEFAULTS' ) {
+		default_action_params( $action, split_list $source, 'defaults' ), next if $format == 2;
+		fatal_error 'DEFAULTS only allowed in FORMAT-2 actions'; 
+	    }	      
+
 	    process_rule1( $chainref,
 			   merge_levels( "$action:$level:$tag", $target ),
 			   '',
@@ -1492,17 +1479,18 @@ sub process_action( $) {
 			   $connlimit,
 			   $time,
 			   $headers,
+			   $condition,
 			   0 );
 	}
 
-	clear_comment;
+	pop_comment;
 
 	$active{$wholeaction}--;
 	pop @actionstack;
 
 	pop_open;
 
-	pop_params( $oldparms );
+	pop_action_params( $oldparms );
     }
 }
 
@@ -1510,7 +1498,7 @@ sub process_action( $) {
 # Create a policy action if it doesn't already exist
 #
 sub use_policy_action( $ ) {
-    my $ref = use_action( normalize_action_name $_[0] );
+    my $ref = use_action( $_[0] );
     
     process_action( $ref ) if $ref;
 }
@@ -1521,8 +1509,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
 
     my $nocomment = no_comment;
 
@@ -1540,15 +1528,17 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}
 
+	fatal_error 'TARGET must be specified' if $mtarget eq '-';
+	
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
@@ -1560,6 +1550,11 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 	    next;
 	}
 
+	if ( $mtarget eq 'DEFAULT' ) {
+	    $param = $msource unless supplied $param;
+	    next;
+	}
+
 	$mtarget = merge_levels $target, $mtarget;
 
 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -1617,6 +1612,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
+				    merge_macro_column( $mcondition, $condition ),
 				    $wildcard
 				   );
 
@@ -1649,7 +1645,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action 
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
     my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target, 
 	 $current_param,
@@ -1665,6 +1661,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	 $connlimit,
 	 $time,
 	 $headers,
+	 $condition,
 	 $wildcard ) = @_;
 
     my ( $action, $loglevel) = split_action $target;
@@ -1716,6 +1713,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				       $connlimit,
 				       $time,
 				       $headers,
+				       $condition,
 				       $wildcard );
 
 	$macro_nest_level--;
@@ -1773,8 +1771,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
     }
 
-    if ( $inaction ) {
-	$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) 
+    if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
+	$targets{$inaction} |= NATRULE if $inaction;
+	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
     }
     #
     # Take care of irregular syntax and targets
@@ -1799,7 +1798,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 			  REJECT => sub { $action = 'reject'; } ,
 			  CONTINUE => sub { $action = 'RETURN'; } ,
 			  COUNT => sub { $action = ''; } ,
-			  LOG => sub { fatal_error 'LOG requires a log level' unless defined $loglevel and $loglevel ne ''; } ,
+			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 		     );
 
 	my $function = $functions{ $bt };
@@ -1936,9 +1935,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    $chainref = ensure_rules_chain $chain;
 	    #
-	    # Don't let the rules in this chain be moved elsewhere
-	    #
-	    dont_move $chainref;
+ 	    # Don't let the rules in this chain be moved elsewhere
+ 	    #
+ 	    dont_move $chainref;
 	}
     }
     #
@@ -1954,7 +1953,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_user( $user ) ,
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
-		      do_time( $time ) );
+		      do_time( $time ) ,
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
+		    );
     } else {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
@@ -1963,14 +1965,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
-		      do_headers( $headers )
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
     }
 
     unless ( $section eq 'NEW' || $inaction ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
-	$rule .= "$globals{STATEMATCH} $section "
+	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
     }
 
     #
@@ -2110,8 +2113,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_user $user,
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -2138,11 +2143,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	my $chn;
 
 	if ( $inaction ) {
-	    $nonat_chain = ensure_chain 'nat', $chain;
+	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
-	    $nonat_chain = ensure_chain 'nat', dnat_chain $sourcezone;
+	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 
 	    my @interfaces = keys %{zone_interfaces $sourcezone};
 
@@ -2154,7 +2159,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ )  : '';
+		    add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
 		}
 	    }
 
@@ -2183,6 +2188,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    }
 	}
 
+	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
@@ -2194,19 +2201,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     '',
 		   );
-	#
-	# Possible optimization if the rule just generated was a simple jump to the nonat chain
-	#
-	if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
-	    #
-	    # It was -- delete that rule
-	    #
-	    pop @{$nonat_chain->{rules}};
-	    #
-	    # And move the rules from the nonat chain to the zone dnat chain
-	    #
-	    move_rules ( $chn, $nonat_chain );
-	}
     }
 
     #
@@ -2217,6 +2211,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	if ( $actiontype & ACTION ) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
+	} else {
+	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
 	}
 
 	if ( $origdest ) {
@@ -2231,7 +2227,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 
 	verify_audit( $action ) if $actiontype & AUDIT;
 
-	expand_rule( ensure_chain( 'filter', $chain ) ,
+	expand_rule( $chainref ,
 		     $restriction ,
 		     $rule ,
 		     $source ,
@@ -2260,11 +2256,13 @@ sub process_section ($) {
     fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
     $sections{$sect} = 1;
 
-    if ( $sect eq 'RELATED' ) {
-	$sections{ESTABLISHED} = 1;
+    if ( $sect eq 'ESTABLISHED' ) {
+	$sections{ALL} = 1;
+    } elsif ( $sect eq 'RELATED' ) {
+	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
 	finish_section 'ESTABLISHED';
     } elsif ( $sect eq 'NEW' ) {
-	@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
+	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
     }
 
@@ -2284,7 +2282,7 @@ sub build_zone_list( $$$\$\$ ) {
     #
     # Handle Wildcards
     #
-    if ( $input =~ /^(all[-+]*)(![^:]+)?(:.*)?/ ) {
+    if ( $input =~ /^(all[-+]*)(![^:]+)?(:.*)?$/ ) {
 	$input   = $1;
 	$exclude = $2;
 	$rest    = $3;
@@ -2340,7 +2338,10 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', $rule_commands;
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+	= split_line1 'rules file', \%rulecolumns, $rule_commands;
+
+    fatal_error 'ACTION must be specified' if $target eq '-';
 
     process_comment,            return 1 if $target eq 'COMMENT';
     process_section( $source ), return 1 if $target eq 'SECTION';
@@ -2354,7 +2355,7 @@ sub process_rule ( ) {
 	progress_message "Rule \"$currentline\" ignored.";
 	return 1;
     }
-
+    
     my $intrazone = 0;
     my $wild      = 0;
     my $thisline  = $currentline; #We must save $currentline because it is overwritten by macro expansion
@@ -2393,6 +2394,7 @@ sub process_rule ( ) {
 						 $connlimit,
 						 $time,
 						 $headers,
+						 $condition,
 						 $wild );
 		}
 	    }

Shorewall/Perl/Shorewall/Tc.pm

@@ -38,9 +38,9 @@ use Shorewall::Providers;
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_tc );
+our @EXPORT = qw( process_tc setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';
 
 my  %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -111,8 +111,6 @@ my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-normal-service'       => '0x00/0x1e' );
 my  %classids;
 
-my  @deferred_rules;
-
 #
 # Perl version of Arn Bernin's 'tc4shorewall'.
 #
@@ -153,8 +151,8 @@ my  $ipp2p;
 #                                                  leaf      => 0|1
 #                                                  guarantee => <sum of rates of sub-classes>
 #                                                  options   => { tos  => [ <value1> , <value2> , ... ];
-#                                                  tcp_ack => 1 ,
-#                                                  ...
+#                                                  tcp_ack   => 1 ,
+#                                                  filters   => [ filter list ]
 #                                                }
 #                                     }
 #             }
@@ -182,7 +180,6 @@ my $family;
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
-    @deferred_rules = ();
     @tcdevices = ();
     %tcdevices = ();
     @tcclasses = ();
@@ -194,10 +191,13 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
 
     our @tccmd;
 
+    fatal_error 'MARK must be specified' if $originalmark eq '-';
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -205,7 +205,15 @@ sub process_tc_rule( ) {
 
     my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
 
-    fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
+    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
+
+    if ( $remainder ) { 
+	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
+	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
+	} else {
+	    fatal_error "Invalid MARK ($originalmark)";
+	}
+    }
 
     my $chain  = $globals{MARKING_CHAIN};
     my $target = 'MARK --set-mark';
@@ -328,13 +336,13 @@ sub process_tc_rule( ) {
 			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
 			    $srcdst = $sd;
 
-			    if ( defined $m1 && $m1 ne '' ) {
+			    if ( supplied $m1 ) {
 				$val = numeric_value ($m1);
 				fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
 				$mask1 = in_hex ( $val & 0xffffffff );
 			    }
 
-			    if ( defined $m2 && $m2 ne '' ) {
+			    if ( supplied $m2 ) {
 				$val = numeric_value ($m2);
 				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
 				$mask2 = in_hex ( $val & 0xffffffff );
@@ -373,16 +381,59 @@ sub process_tc_rule( ) {
 			    $port = 0;
 			}
 
-			$target .= "--on-port $port";
+			$target .= " --on-port $port";
+
+			if ( supplied $ip ) {
+			    if ( $family == F_IPV6 ) {
+				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+			    }
 
-			if ( defined $ip && $ip ne '' ) {
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}
 
 			$target .= ' --tproxy-mark';
-		    }
+		    } elsif ( $target eq 'TTL' ) {
+			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
 
+			$chain = 'tcfor';
+
+			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --ttl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --ttl-dec $param";
+			} else {
+			    $target .= " --ttl-set $param";
+			}
+		    } elsif ( $target eq 'HL' ) {
+			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+			$chain = 'tcfor';
+
+			$cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --hl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --hl-dec $param";
+			} else {
+			    $target .= " --hl-set $param";
+			}
+		    }
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -483,8 +534,9 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
 
+    fatal_error 'INTERFACE must be specified'      if $device eq '-';
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
 
@@ -495,6 +547,8 @@ sub process_simple_device() {
     my $physical = physical_name $device;
     my $dev      = chain_base( $physical );
 
+    push @tcdevices, $device;
+
     if ( $type ne '-' ) {
 	if ( lc $type eq 'external' ) {
 	    $type = 'nfct-src';
@@ -510,7 +564,7 @@ sub process_simple_device() {
     if ( $in_bandwidth =~ /:/ ) {
 	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
 
-	if ( defined $burst && $burst ne '' ) {
+	if ( supplied $burst ) {
 	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
 	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $in_burst = $burst;
@@ -521,6 +575,15 @@ sub process_simple_device() {
 	$in_bandwidth = rate_to_kbit( $in_bandwidth );
     }
 
+    emit( '',
+	  '#',
+	  "# Setup Simple Traffic Shaping for $physical",
+	  '#',
+	  "setup_${dev}_tc() {"
+	);
+
+    push_indent;
+
     emit "if interface_is_up $physical; then";
 
     push_indent;
@@ -544,14 +607,14 @@ sub process_simple_device() {
 
 	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
 
-	if ( defined $burst && $burst ne '' ) {
+	if ( supplied $burst ) {
 	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $command .= " burst $burst";
 	} else {
 	    $command .= ' burst 10kb';
 	}
 
-	if ( defined $latency && $latency ne '' ) {
+	if ( supplied $latency ) {
 	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
 	    $command .= " latency $latency";
 	} else {
@@ -560,12 +623,12 @@ sub process_simple_device() {
 
 	$command .= ' mpu 64'; #Assume Ethernet
 
-	if ( defined $peak && $peak ne '' ) {
+	if ( supplied $peak ) {
 	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $command .= " peakrate $peak";
 	}
 
-	if ( defined $minburst && $minburst ne '' ) {
+	if ( supplied $minburst ) {
 	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $command .= " minburst $minburst";
 	}
@@ -598,15 +661,18 @@ sub process_simple_device() {
     emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
     emit "${dev}_exists=";
     pop_indent;
-    emit "fi\n";
+    emit 'fi';
+    pop_indent;
+    emit "}\n";
 
     progress_message "  Simple tcdevice \"$currentline\" $done.";
 }
 
 sub validate_tc_device( ) {
-    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
+    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
 
-    fatal_error "Invalid tcdevices entry" if $outband eq '-';
+    fatal_error 'INTERFACE must be specified' if $device eq '-';
+    fatal_error "Invalid tcdevices entry"     if $outband eq '-';
 
     my $devnumber;
 
@@ -679,7 +745,7 @@ sub validate_tc_device( ) {
     if ( $inband =~ /:/ ) {
 	my ( $in_band, $burst ) = split /:/, $inband, 2;
 
-	if ( defined $burst && $burst ne '' ) {
+	if ( supplied $burst ) {
 	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
 	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $in_burst = $burst;
@@ -702,7 +768,8 @@ sub validate_tc_device( ) {
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
 			    name          => $device,
-			    physical      => physical_name $device
+			    physical      => physical_name $device,
+			    filters       => []
 			  } ,
 
     push @tcdevices, $device;
@@ -766,7 +833,8 @@ sub dev_by_number( $ ) {
 }
 
 sub validate_tc_class( ) {
-    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
+    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
+	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
     my $classnumber = 0;
     my $devref;
     my $device = $devclass;
@@ -774,6 +842,9 @@ sub validate_tc_class( ) {
     my $parentclass = 1;
     my $parentref;
 
+    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
+    fatal_error 'CEIL must be specified'      if $ceil eq '-';
+
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
 	fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@@ -987,7 +1058,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';
 
     my ($device, $class, $rest ) = split /:/, $devclass, 3;
 
@@ -1009,6 +1082,8 @@ sub process_tc_filter() {
 
     my $tcref = $tcclasses{$device};
 
+    my $filtersref = $devref->{filters};
+
     fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;
 
     my $classnum = hex_value $class;
@@ -1027,17 +1102,6 @@ sub process_tc_filter() {
 
     my $have_rule = 0;
 
-    if ( $devref->{physical} ne $lastdevice ) {
-	if ( $lastdevice ) {
-	    pop_indent;
-	    emit "fi\n";
-	}
-
-	$lastdevice = $devref->{physical};
-	emit "if interface_is_up $lastdevice; then";
-	push_indent;
-    }
-
     my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32";
 
     if ( $source ne '-' ) {
@@ -1092,9 +1156,9 @@ sub process_tc_filter() {
 
     if ( $portlist eq '-' && $sportlist eq '-' ) {
 	if ( $have_rule ) {
-	    emit( "\nrun_tc $rule\\" ,
-		  "   flowid $devnum:$class" ,
-		  '' );
+	    push @$filtersref , ( "\nrun_tc $rule\\" ,
+				  "   flowid $devnum:$class" ,
+				  '' );
 	} else {
 	    warning_message "Degenerate tcfilter ignored";
 	}
@@ -1120,17 +1184,17 @@ sub process_tc_filter() {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;
 
-	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
+	    push @$filtersref, ( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
 	#
 	if ( $family == F_IPV4 ) {
-	    emit( "\nrun_tc $rule\\" ,
-		  "   link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
+	    push @$filtersref, ( "\nrun_tc $rule\\" ,
+				 "   link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
 	} else {
-	    emit( "\nrun_tc $rule\\" ,
-		  "   link $tnum:0 offset plus 40 eat" );
+	    push @$filtersref, ( "\nrun_tc $rule\\" ,
+				 "   link $tnum:0 offset plus 40 eat" );
 	}    
 	#
 	# The rule to match the port(s) will be inserted into the new table
@@ -1156,9 +1220,9 @@ sub process_tc_filter() {
 			$rule1 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" ,
 		    }
 
-		    emit( "\nrun_tc $rule\\" ,
-			  "   $rule1\\" ,
-			  "   flowid $devnum:$class" );
+		    push @$filtersref, ( "\nrun_tc $rule\\" ,
+					 "   $rule1\\" ,
+					 "   flowid $devnum:$class" );
 		}
 	    }
 	} else {
@@ -1174,9 +1238,9 @@ sub process_tc_filter() {
 
 		    my $rule1 = "   match icmp type $icmptype 0xff";
 		    $rule1   .= "\\\n   match icmp code $icmpcode 0xff" if defined $icmpcode;
-		    emit( "\nrun_tc ${rule}\\" ,
-			  "$rule1\\" ,
-			  "   flowid $devnum:$class" );
+		    push @$filtersref, ( "\nrun_tc ${rule}\\" ,
+					 "$rule1\\" ,
+					 "   flowid $devnum:$class" );
 		} elsif ( $protonumber == IPv6_ICMP ) {
 		    fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
 		    fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-';
@@ -1185,9 +1249,9 @@ sub process_tc_filter() {
 
 		    my $rule1 = "   match icmp6 type $icmptype 0xff";
 		    $rule1   .= "\\\n   match icmp6 code $icmpcode 0xff" if defined $icmpcode;
-		    emit( "\nrun_tc ${rule}\\" ,
-			  "$rule1\\" ,
-			  "   flowid $devnum:$class" );
+		    push @$filtersref, ( "\nrun_tc ${rule}\\" ,
+					 "$rule1\\" ,
+					 "   flowid $devnum:$class" );
 		} else {
 		    my @portlist = expand_port_range $protonumber , $portrange;
 
@@ -1205,9 +1269,9 @@ sub process_tc_filter() {
 			}
 
 			if ( $sportlist eq '-' ) {
-			    emit( "\nrun_tc ${rule}\\" ,
-				  "   $rule1\\" ,
-				  "   flowid $devnum:$class" );
+			    push @$filtersref, ( "\nrun_tc ${rule}\\" ,
+						 "   $rule1\\" ,
+						 "   flowid $devnum:$class" );
 			} else {
 			    for my $sportrange ( split_list $sportlist , 'port list' ) {
 				my @sportlist = expand_port_range $protonumber , $sportrange;
@@ -1225,10 +1289,10 @@ sub process_tc_filter() {
 					$rule2 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" ,
 				    }
 
-				    emit( "\nrun_tc ${rule}\\",
-					  "   $rule1\\" ,
-					  "   $rule2\\" ,
-					  "   flowid $devnum:$class" );
+				    push @$filtersref, ( "\nrun_tc ${rule}\\",
+							 "   $rule1\\" ,
+							 "   $rule2\\" ,
+							 "   flowid $devnum:$class" );
 				}
 			    }
 			}
@@ -1245,30 +1309,27 @@ sub process_tc_filter() {
 	progress_message "  IPv4 TC Filter \"$currentline\" $done";
 
 	$currentline =~ s/\s+/ /g;
-
-	save_progress_message_short qq('   IPv4 TC Filter \"$currentline\" defined.');
     } else {
 	progress_message "  IPv6 TC Filter \"$currentline\" $done";
 
 	$currentline =~ s/\s+/ /g;
-
-	save_progress_message_short qq('   IPv6 TC Filter \"$currentline\" defined.');
     }
 
     emit '';
 
 }
 
+#
+# Process the tcfilter file storing the compiled filters in the %tcdevices table
+#
 sub process_tcfilters() {
 
     my $fn = open_file 'tcfilters';
 
-    our $lastdevice = '';
-
     if ( $fn ) {
 	my @family = ( $family );
 	
-	first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
+	first_entry( "$doing $fn..." );
 	
 	while ( read_a_line ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
@@ -1292,23 +1353,29 @@ sub process_tcfilters() {
 	}
 
 	Shorewall::IPAddrs::initialize( $family = pop @family );
-
-	if ( $lastdevice ) {
-	    pop_indent;
-	    emit "fi\n";
-	}
-
     }
 }
 
+#
+# Process a tcpri record
+#
 sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';
 
     if ( $band eq 'COMMENT' ) {
 	process_comment;
 	return;
     }
 
+    fatal_error "Invalid tcpri entry" if ( $proto     eq '-' &&
+					   $ports     eq '-' &&
+					   $address   eq '-' &&
+					   $interface eq '-' &&
+					   $helper    eq '-' );
+
+
     my $val = numeric_value $band;
 
     fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1355,27 +1422,31 @@ sub process_tc_priority() {
     }
 }
 
-sub setup_simple_traffic_shaping() {
-    my $interfaces;
-
-    save_progress_message q("Setting up Traffic Control...");
+#
+# Process tcinterfaces
+#
+sub process_tcinterfaces() {
 
     my $fn = open_file 'tcinterfaces';
 
     if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device, $interfaces++ while read_a_line;
-    } else {
-	$fn = find_file 'tcinterfaces';
+	process_simple_device while read_a_line;
     }
+}
 
+#
+# Process tcpri
+#
+sub process_tcpri() {
+    my $fn  = find_file 'tcinterfaces';
     my $fn1 = open_file 'tcpri';
 
     if ( $fn1 ) {
 	first_entry
 	    sub {
 		progress_message2 "$doing $fn1...";
-		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces || $family == F_IPV6;
+		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };
 
 	process_tc_priority while read_a_line;
@@ -1383,16 +1454,26 @@ sub setup_simple_traffic_shaping() {
 	clear_comment;
 
 	if ( $ipp2p ) {
-	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
-	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	    insert_irule( $mangle_table->{tcpost} ,
+			  j => 'CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} ) ,
+			  0 ,
+			  mark => '--mark 0/'   . in_hex( $globals{TC_MASK} )
+			);
+
+	    add_ijump( $mangle_table->{tcpost} ,
+		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) 
+		     );
 	}
     }
 }
 
-sub setup_traffic_shaping() {
-    our $lastrule = '';
+#
+# Process the compilex traffic shaping files storing the configuration in %tcdevices and %tcclasses
+#
+sub process_traffic_shaping() {
 
-    save_progress_message q("Setting up Traffic Control...");
+    our $lastrule = '';
 
     my $fn = open_file 'tcdevices';
 
@@ -1402,9 +1483,6 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
     }
 
-    my $sfq = $devnum;
-    my $sfqinhex;
-
     $devnum = $devnum > 10 ? 10 : 1;
 
     $fn = open_file 'tcclasses';
@@ -1415,6 +1493,11 @@ sub setup_traffic_shaping() {
 	validate_tc_class while read_a_line;
     }
 
+    process_tcfilters;
+
+    my $sfq = 0;
+    my $sfqinhex;
+
     for my $device ( @tcdevices ) {
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
@@ -1425,10 +1508,18 @@ sub setup_traffic_shaping() {
 
 	$device = physical_name $device;
 
-	my $dev = chain_base( $device );
-
 	unless ( $config{TC_ENABLED} eq 'Shared' ) {
 
+	    my $dev = chain_base( $device );
+
+	    emit( '',
+		  '#',
+		  "# Configure Traffic Shaping for $device",
+		  '#',
+		  "setup_${dev}_tc() {" );
+
+	    push_indent;
+
 	    emit "if interface_is_up $device; then";
 
 	    push_indent;
@@ -1476,6 +1567,85 @@ sub setup_traffic_shaping() {
 		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
 
+	    for my $class ( @tcclasses ) {
+		#
+		# The class number in the tcclasses array is expressed in decimal.
+		#
+		my ( $d, $decimalclassnum ) = split /:/, $class;
+
+		next unless $d eq $device;
+		#
+		# For inclusion in 'tc' commands, we also need the hex representation
+		#
+		my $classnum = in_hexp $decimalclassnum;
+		#
+		# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
+		#
+		my $tcref    = $tcclasses{$device}{$decimalclassnum};
+		my $mark     = $tcref->{mark};
+		my $devicenumber  = in_hexp $devref->{number};
+		my $classid  = join( ':', $devicenumber, $classnum);
+		my $rate     = "$tcref->{rate}kbit";
+		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+		$classids{$classid}=$device;
+		$device = physical_name $device;
+
+		my $priority = $tcref->{priority} << 8;
+		my $parent   = in_hexp $tcref->{parent};
+		
+		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
+
+		if ( $devref->{qdisc} eq 'htb' ) {
+		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
+		} else {
+		    my $dmax = $tcref->{dmax};
+
+		    if ( $dmax ) {
+			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
+			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+		    } else {
+			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+		    }
+		}
+
+		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+		    1 while $devnums[++$sfq];
+
+		    $sfqinhex = in_hexp( $sfq);
+		    if ( $devref->{qdisc} eq 'htb' ) {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+		    } else {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+		    }
+		}
+		#
+		# add filters
+		#
+		unless ( $devref->{classify} ) {
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		}
+
+		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+		#
+		# options
+		#
+		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
+
+		for my $tospair ( @{$tcref->{tos}} ) {
+		    my ( $tos, $mask ) = split q(/), $tospair;
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		}
+		
+		save_progress_message_short qq("   TC Class $classid defined.");
+		emit '';
+
+	    }
+
+	    emit '';
+
+	    emit "$_" for @{$devref->{filters}};
+	
 	    save_progress_message_short qq("   TC Device $device defined.");
 
 	    pop_indent;
@@ -1486,111 +1656,54 @@ sub setup_traffic_shaping() {
 	    emit "${dev}_exists=";
 	    pop_indent;
 	    emit "fi\n";
+
+	    pop_indent;
+	    emit "}\n";
 	}
     }
+}
 
-    my $lastdevice = '';
-
-    for my $class ( @tcclasses ) {
-	#
-	# The class number in the tcclasses array is expressed in decimal.
-	#
-	my ( $device, $decimalclassnum ) = split /:/, $class;
-	#
-	# For inclusion in 'tc' commands, we also need the hex representation
-	#
-	my $classnum = in_hexp $decimalclassnum;
-	my $devref   = $tcdevices{$device};
-	#
-	# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
-	#
-	my $tcref    = $tcclasses{$device}{$decimalclassnum};
-	my $mark     = $tcref->{mark};
-	my $devicenumber  = in_hexp $devref->{number};
-	my $classid  = join( ':', $devicenumber, $classnum);
-	my $rate     = "$tcref->{rate}kbit";
-	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-
-	$classids{$classid}=$device;
-	$device = physical_name $device;
-
-	unless ( $config{TC_ENABLED} eq 'Shared' ) {
-	    my $dev      = chain_base $device;
-	    my $priority = $tcref->{priority} << 8;
-	    my $parent   = in_hexp $tcref->{parent};
-
-	    if ( $lastdevice ne $device ) {
-		if ( $lastdevice ) {
-		    pop_indent;
-		    emit "fi\n";
-		}
-
-		emit qq(if [ -n "\$${dev}_exists" ]; then);
-		push_indent;
-		$lastdevice = $device;
-	    }
-
-	    emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
-
-	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
-	    } else {
-		my $dmax = $tcref->{dmax};
-
-		if ( $dmax ) {
-		    my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
-		} else {
-		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
-		}
-	    }
-
-	    if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-		$sfqinhex = in_hexp( ++$sfq);
-		if ( $devref->{qdisc} eq 'htb' ) {
-		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-		} else {
-		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
-		}
-	    }
-	    #
-	    # add filters
-	    #
-	    unless ( $devref->{classify} ) {
-		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
-	    }
-
-	    emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
-	    #
-	    # options
-	    #
-	    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
-
-	    for my $tospair ( @{$tcref->{tos}} ) {
-		my ( $tos, $mask ) = split q(/), $tospair;
-		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
-	    }
-
-	    save_progress_message_short qq("   TC Class $classid defined.");
-	    emit '';
-
-	}
-
+#
+# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
+#
+sub process_tc() {
+    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
+	process_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	process_tcinterfaces;
     }
+    #
+    # The Providers module needs to know which devices are tc-enabled so that
+    # it can call the appropriate 'setup_x_tc" function when the device is
+    # enabled.
 
-    if ( $lastdevice ) {
-	pop_indent;
-	emit "fi\n";
+    my %empty;
+    
+    $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
+}
+
+#
+# Call the setup_${dev}_tc functions
+#
+sub setup_traffic_shaping() {
+    save_progress_message q("Setting up Traffic Control...");
+
+    for my $device ( @tcdevices ) {
+	my $interfaceref = known_interface( $device );
+	my $dev          = chain_base( $interfaceref ? $interfaceref->{physical} : $device );
+
+	emit "setup_${dev}_tc";
     }
-
-    process_tcfilters;
 }
 
 #
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';
 
     if ( $secmark eq 'COMMENT' ) {
 	process_comment;
@@ -1666,41 +1779,40 @@ sub setup_tc() {
 	    ensure_mangle_chain 'tcin';
 	}
 
-	my $mark_part = '';
+	my @mark_part;
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
+	    @mark_part = ( mark => '--mark 0/' . in_hex( $globals{PROVIDER_MASK} ) );
 
 	    unless ( $config{TRACK_PROVIDERS} ) {
 		#
 		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
 		#
 		for my $interface ( @routemarked_interfaces ) {
-		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
+		    add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', imatch_source_dev( $interface );
 		}
 	    }
 	}
 
-	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
-	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
+	add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
+	add_ijump $mangle_table->{OUTPUT} ,     j => 'tcout', @mark_part;
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
 
-	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
-	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
-	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
-	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
+	    add_ijump $mangle_table->{FORWARD},      j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK};
+	    add_ijump $mangle_table->{FORWARD} ,     j => 'tcfor';
+	    add_ijump $mangle_table->{POSTROUTING} , j => 'tcpost';
+	    add_ijump $mangle_table->{INPUT} ,       j => 'tcin';
 	}
     }
 
     if ( $globals{TC_SCRIPT} ) {
 	save_progress_message q('Setting up Traffic Control...');
 	append_file $globals{TC_SCRIPT};
-    } elsif ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
-	setup_traffic_shaping;
-    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
-	setup_simple_traffic_shaping;
+    } else {
+	process_tcpri if $config{TC_ENABLED} eq 'Simple';
+	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
     }
 
     if ( $config{TC_ENABLED} ) {
@@ -1749,6 +1861,18 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
+			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+			  target    => 'TTL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			  target    => 'HL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} 
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {
@@ -1771,8 +1895,6 @@ sub setup_tc() {
 	    clear_comment;
 	}
 
-	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
-
 	handle_stickiness( $sticky );
     }
 }

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_18';
+our $VERSION = 'MODULEVERSION';
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -62,22 +62,22 @@ sub setup_tunnels() {
 	    }
 	}
 
-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 
-	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => 50, @$source;
+	add_tunnel_rule $outchainref, p => 50, @$dest;
 
 	unless ( $noah ) {
-	    add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-	    add_tunnel_rule $outchainref, "-p 51 $dest   -j ACCEPT";
+	    add_tunnel_rule $inchainref,  p => 51, @$source;
+	    add_tunnel_rule $outchainref, p => 51, @$dest;
 	}
 
 	if ( $kind eq 'ipsec' ) {
-	    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-	    add_tunnel_rule $outchainref, "-p udp $dest   --dport 500 $options";
+	    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+	    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
 	} else {
-	    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-	    add_tunnel_rule $outchainref, "-p udp $dest   -m multiport --dports 500,4500 $options";
+	    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+	    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
 	}
 
 	unless ( $gatewayzones eq '-' ) {
@@ -88,21 +88,21 @@ sub setup_tunnels() {
 		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
 
 		unless ( have_ipsec ) {
-		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
+		    add_tunnel_rule $inchainref,  p => 50, @$source;
+		    add_tunnel_rule $outchainref, p => 50, @$dest;
 
 		    unless ( $noah ) {
-			add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-			add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
+			add_tunnel_rule $inchainref,  p => 51, @$source;
+			add_tunnel_rule $outchainref, p => 51, @$dest;
 		    }
 		}
 
 		if ( $kind eq 'ipsec' ) {
-		    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-		    add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
+		    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+		    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
 		} else {
-		    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-		    add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
+		    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+		    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
 		}
 	    }
 	}
@@ -111,24 +111,24 @@ sub setup_tunnels() {
     sub setup_one_other {
 	my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
 
-	add_tunnel_rule $inchainref ,  "-p $protocol $source -j ACCEPT";
-	add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
+	add_tunnel_rule $inchainref ,  p => $protocol, @$source;
+	add_tunnel_rule $outchainref , p => $protocol, @$dest;
     }
 
     sub setup_pptp_client {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
 
-	add_tunnel_rule $outchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $inchainref,   "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $outchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
-	}
+	add_tunnel_rule $outchainref,  p => 47, @$dest;
+	add_tunnel_rule $inchainref,   p => 47, @$source;
+	add_tunnel_rule $outchainref,  p => 'tcp --dport 1723', @$dest;
+    }
 
     sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
 
-	add_tunnel_rule $inchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $inchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
+	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
 	}
 
     sub setup_one_openvpn {
@@ -141,10 +141,10 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
 
-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -152,8 +152,8 @@ sub setup_tunnels() {
 	    }
 	}
 
-	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
     }
 
     sub setup_one_openvpn_client {
@@ -166,10 +166,10 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
 
-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -177,8 +177,8 @@ sub setup_tunnels() {
 	    }
 	}
 
-	add_tunnel_rule $inchainref,  "-p $protocol $source --sport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --sport $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
     }
 
     sub setup_one_openvpn_server {
@@ -191,10 +191,10 @@ sub setup_tunnels() {
 
 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
 
-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -202,8 +202,8 @@ sub setup_tunnels() {
 	    }
 	}
 
-	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --dport $port" , @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --sport $port",  @$dest;
     }
 
     sub setup_one_l2tp {
@@ -211,8 +211,8 @@ sub setup_tunnels() {
 
 	fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
 
-	add_tunnel_rule $inchainref,  "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p udp $dest   --sport 1701 --dport 1701 -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => 'udp --sport 1701 --dport 1701', @$source;
+	add_tunnel_rule $outchainref, p => 'udp --sport 1701 --dport 1701', @$dest;
     }
 
     sub setup_one_generic {
@@ -229,8 +229,8 @@ sub setup_tunnels() {
 	    ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
 	}
 
-	add_tunnel_rule $inchainref,  "-p $protocol $source $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol $port", @$dest;
     }
 
     sub setup_one_tunnel($$$$) {
@@ -245,21 +245,21 @@ sub setup_tunnels() {
 
 	$gateway = ALLIP if $gateway eq '-';
 
-	my $source = match_source_net $gateway;
-	my $dest   = match_dest_net   $gateway;
+	my @source = imatch_source_net $gateway;
+	my @dest   = imatch_dest_net   $gateway;
 
-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ $source, $dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ $source, $dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ $source, $dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, $source, $dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, $source, $dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, $source, $dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, $source, $dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, $source, $dest ] } ,
+	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
 			  );
 
 	$kind = "\L$kind";
@@ -284,7 +284,10 @@ sub setup_tunnels() {
 
 	while ( read_a_line ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
 
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;

Shorewall/Perl/Shorewall/Zones.pm

@@ -73,6 +73,7 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
+		  interface_has_option
 		  set_interface_option
 		  interface_zones
 		  verify_required_interfaces
@@ -85,7 +86,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';
 
 #
 # IPSEC Option types
@@ -401,7 +402,10 @@ sub process_zone( \$ ) {
 
     my @parents;
 
-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';
 
     if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
@@ -692,7 +696,7 @@ sub add_group_to_zone($$$$$)
 
 	$interfaceref->{nets}++;
 
-	fatal_error "Invalid Host List" unless defined $host and $host ne '';
+	fatal_error "Invalid Host List" unless supplied $host;
 
 	if ( substr( $host, 0, 1 ) eq '!' ) {
 	    fatal_error "Only one exclusion allowed in a host list" if $switched;
@@ -720,7 +724,7 @@ sub add_group_to_zone($$$$$)
 	}
 
 	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
@@ -745,6 +749,8 @@ sub add_group_to_zone($$$$$)
 			     hosts   => \@newnetworks,
 			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
+
+    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
 }
 
 #
@@ -868,7 +874,7 @@ sub process_interface( $$ ) {
     my ( $nextinum, $export ) = @_;
     my $netsref   = '';
     my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
     my $zoneref;
     my $bridge = '';
 
@@ -881,14 +887,16 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
-    if ( defined $port && $port ne '' ) {
+    if ( supplied $port ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
 
 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
@@ -1059,10 +1067,7 @@ sub process_interface( $$ ) {
 		    #
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
-		    warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
-
 		    $filterref = [ split_list $value, 'address' ];
-		    
 		    validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
@@ -1088,7 +1093,7 @@ sub process_interface( $$ ) {
 	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
 
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = "${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1376,8 +1381,7 @@ sub find_interfaces_by_option1( $ ) {
     my @ints = ();
     my $wild = 0;
 
-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
-			( grep $interfaces{$_}{root}, keys %interfaces ) ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
 	next unless defined $interfaceref->{physical};
@@ -1411,6 +1415,22 @@ sub get_interface_option( $$ ) {
     
 }
 
+#
+# Return the value of an option for an interface
+#
+sub interface_has_option( $$\$ ) {
+    my ( $interface, $option, $value ) = @_;
+
+    my $ref = $interfaces{$interface};
+
+    $ref = known_interface( $interface ) unless $ref;
+
+    if ( exists $ref->{options}{$option} ) {
+	$$value = $ref->{options}{$option};
+	1;
+    }
+}
+
 #
 # Set an option for an interface
 #
@@ -1712,7 +1732,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
     my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';
 
     my $zoneref = $zones{$zone};
     my $type    = $zoneref->{type};
@@ -1726,24 +1749,26 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-
-	    if ( $hosts =~ /^\+/ ) {
-		$zoneref->{options}{complex} = 1;
-		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
-	    }
-
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
-	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
     } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts";
+	fatal_error "Invalid HOST(S) column contents: $hosts" 
+    }
+
+    if ( $hosts =~ /^!?\+/ ) {
+	$zoneref->{options}{complex} = 1;
+	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
     }
 
     if ( $type == BPORT ) {
@@ -1802,11 +1827,11 @@ sub process_host( ) {
     if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = physical_name $interface;
-	$hosts = "+${zone}_${physical}";
+	my $physical = chain_base( physical_name $interface );
+	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${physical}"} = 1;
-
+	$ipsets{$set} = 1;
     }
 
     #
@@ -1835,6 +1860,8 @@ sub validate_hosts_file()
 
     $have_ipsec = $ipsec || haveipseczones;
 
+    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
+
 }
 
 #

Shorewall/Perl/compiler.pl

@@ -61,6 +61,8 @@ sub usage( $ ) {
     [ --test ]
     [ --preview ]
     [ --family={4|6} ]
+    [ --annotate ]
+    [ --updatee ]
 ';
 
     exit shift @_;
@@ -82,6 +84,8 @@ my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
 my $preview       = 0;
+my $annotate      = 0;
+my $update        = 0;
 
 Getopt::Long::Configure ('bundling');
 
@@ -107,6 +111,10 @@ my $result = GetOptions('h'               => \$help,
 			'family=i'        => \$family,
 			'c'               => \$confess,
 			'confess'         => \$confess,
+			'a'               => \$annotate,
+			'annotate'        => \$annotate,
+			'u'               => \$update,
+			'update'          => \$update,
 		       );
 
 usage(1) unless $result && @ARGV < 2;
@@ -125,4 +133,6 @@ compiler( script          => $ARGV[0] || '',
 	  preview         => $preview,
 	  family          => $family,
 	  confess         => $confess,
+	  update          => $update,
+	  annotate        => $annotate,
 	);

Shorewall/Perl/getparams

@@ -20,7 +20,13 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
 if [ "$3" = 6 ]; then
     . /usr/share/shorewall6/lib.base
     . /usr/share/shorewall6/lib.cli

Shorewall/Perl/prog.footer

@@ -5,7 +5,21 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] <command>"
+    echo 
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
     echo
     echo "Options are:"
     echo
@@ -295,6 +309,26 @@ case "$COMMAND" in
 	updown $@
 	status=0;
 	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
+	;;
     version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION

Shorewall/Perl/prog.footer6

@@ -21,7 +21,16 @@ usage() {
 checkkernelversion() {
     local kernel
 
-    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+    case "$kernel" in 
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 
     if [ $kernel -lt 20624 ]; then
 	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"

Shorewall/Perl/prog.header

@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
@@ -113,6 +111,17 @@ find_device() {
     done
 }
 
+#
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+
+find_weight() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xweight ] && echo $2 && return
+	shift
+    done
+}
+
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
@@ -272,7 +281,7 @@ get_interface_bcasts() # $1 = interface
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }
 
 # Add IP Aliases
@@ -483,6 +492,8 @@ get_device_mtu1() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
+    local undofiles
+    local f
 
     if [ -z "$g_noroutes"  ]; then
 	#
@@ -495,10 +506,16 @@ undo_routing() {
 	#
 	# Restore the rest of the routing table
 	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall-generated routing tables and routing rules removed"
 	fi
     fi
 
@@ -583,6 +600,60 @@ restore_default_route() # $1 = USE_DEFAULT_RT
     return $result
 }
 
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
+    else
+	delta=$1
+
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
+	    fi
+	fi
+
+	run_ip route replace default scope global table $2 $route $delta
+    fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
+}
+
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -624,8 +695,8 @@ conditionally_flush_conntrack() {
 delete_proxyarp() {
     if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
-	    qt $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
+	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
@@ -805,13 +876,17 @@ debug_restore_input() {
 	qt1 $IPTABLES -t mangle -P $chain ACCEPT
     done
 
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
+    qt1 $IPTABLES -t raw     -F
+    qt1 $IPTABLES -t raw     -X
+    qt1 $IPTABLES -t rawpost -F
+    qt1 $IPTABLES -t rawpost -X
 
     for chain in PREROUTING OUTPUT; do
 	qt1 $IPTABLES -t raw -P $chain ACCEPT
     done
 
+    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
+
     run_iptables -t nat -F
     run_iptables -t nat -X
 
@@ -861,6 +936,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;

Shorewall/Perl/prog.header6

@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
@@ -486,7 +484,7 @@ undo_routing() {
 	if [ -f ${VARDIR}/undo_routing ]; then
 	    . ${VARDIR}/undo_routing
 	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
+	    rm -f ${VARDIR}/undo_*routing
 	fi
     fi
 
@@ -824,6 +822,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;

Shorewall/action.Broadcast

@@ -0,0 +1,73 @@
+#
+# Shorewall 4 - Broadcast Action
+#
+#    /usr/share/shorewall/action.Broadcast
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Broadcast[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+    }	
+
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
+} else {
+    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+    
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
+
+1;
+
+END PERL;

Shorewall/action.Drop

@@ -15,9 +15,49 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
@@ -26,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth($2)
 #
 # Don't log broadcasts
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
-DropUPnP
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)

Shorewall/action.Invalid

@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - Invalid Action
+#
+#    /usr/share/shorewall/action.Invalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Invalid[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+
+$chainref->{dont_optimize} = 0;
+
+1;
+
+END PERL;

Shorewall/action.NotSyn

@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - NotSyn Action
+#
+#    /usr/share/shorewall/action.NotSyn
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   NotSyn[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+
+$chainref->{dont_optimize} = 0;
+
+1;
+
+END PERL;

Shorewall/action.Reject

@@ -12,8 +12,48 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
@@ -22,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth($2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
-DropUPnP
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)

Shorewall/actions.std

@@ -35,5 +35,8 @@
 #ACTION
 A_Drop 		    # Audited Default Action for DROP policy
 A_Reject	    # Audited Default action for REJECT policy
+Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+Invalid             # Handles packets in the INVALID conntrack state
+NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy

Shorewall/configfiles/masq

@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-###############################################################################
+#############################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP

Shorewall/configfiles/netmap

@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)

Shorewall/configfiles/rules

@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW

Shorewall/configfiles/scfilter

@@ -1,12 +1,10 @@
-#! /bin/sh
 #
 # Shorewall version 4 - Show Connections Filter
 #
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
-#       'show connections. Unlike other extension scripts, this file
-#       must be executable before Shorewall will use it.
+#       'show connections.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall/configfiles/shorewall.conf

@@ -29,14 +29,10 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 LOGLIMIT=
@@ -55,7 +51,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
 
 IPTABLES=
 
@@ -65,7 +61,7 @@ IPSET=
 
 MODULESDIR=
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 
 PERL=/usr/bin/perl
 
@@ -81,11 +77,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -134,8 +130,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=
@@ -218,5 +212,3 @@ TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 
 IPSECFILE=zones
-
-#LAST LINE -- DO NOT REMOVE

Shorewall/init.fedora.sh

@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
@@ -106,11 +106,12 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall"
 fi
 
-PLAIN=Yes
+ANNOTATED=
 SPARSE=
 MANDIR=${MANDIR:-"/usr/share/man"}
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
+MACHOST=
 
 case "$LIBEXEC" in
     /*)
@@ -152,6 +153,7 @@ case $(uname) in
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
+        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -186,11 +188,11 @@ while [ $finished -eq 0 ]; do
 			option=${option#s}
 			;;
 		    a*)
-			PLAIN=
+			ANNOTATED=Yes
 			option=${option#a}
 			;;
 		    p*)
-			PLAIN=Yes
+			ANNOTATED=
 			option=${option#p}
 			;;
 		    *)
@@ -246,6 +248,9 @@ else
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	    SPARSE=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
@@ -260,6 +265,14 @@ else
     fi
 fi
 
+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -280,12 +293,12 @@ if [ -z "$CYGWIN" ]; then
    install_file shorewall ${DESTDIR}/sbin/shorewall 0755
    echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
 
-   if [ -z "$MAC" ]; then
+   if [ -z "$MACHOST" ]; then
        eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
        eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
    else
-       eval sed -i -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
-       eval sed -i -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
+       eval sed -i \'\' -e  \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall 
+       eval sed -i \'\' -e  \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
    fi
 else
    install_file shorewall ${DESTDIR}/bin/shorewall 0755
@@ -299,6 +312,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
     install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall 0544
 elif [ -n "$ARCHLINUX" ]; then
     install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 elif [ -n "$SLACKWARE" ]; then
@@ -323,29 +338,32 @@ chmod 755 ${DESTDIR}/etc/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall/configfiles
 
+run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+
 if [ -n "$DESTDIR" ]; then
     mkdir -p ${DESTDIR}/etc/logrotate.d
     chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 
-if [ -z "$PLAIN" ]; then
-    mkdir annotated/
-    cp configfiles/* annotated/
-    for f in annotated/*.annotated; do
-	mv $f ${f%.annotated}
-    done
-    
-    CONFIGFILES=annotated
+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall.service"
+fi
+
+if [ -n "$ANNOTATED" ]; then
+    suffix=.annotated
 else
-    CONFIGFILES=configfiles
+    suffix=
 fi
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/shorewall.conf ${DESTDIR}/usr/share/shorewall/configfiles
-
 if [ ! -f ${DESTDIR}/etc/shorewall/shorewall.conf ]; then
-   run_install $OWNERSHIP -m 0644 $CONFIGFILES/shorewall.conf ${DESTDIR}/etc/shorewall
+   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf${suffix} ${DESTDIR}/etc/shorewall/shorewall.conf
 
    if [ -n "$DEBIAN" ]; then
        #
@@ -363,10 +381,11 @@ fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/zones ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/zones           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/zones.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0644 $CONFIGFILES/zones ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/zones${suffix} ${DESTDIR}/etc/shorewall/zones
     echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi
 
@@ -396,112 +415,124 @@ echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
 #
 # Install the policy file
 #
-install_file $CONFIGFILES/policy ${DESTDIR}/usr/share/shorewall/configfiles/policy 0644
+run_install -m 0644 configfiles/policy           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install -m 0644 configfiles/policy.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/policy ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/policy ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/policy${suffix} ${DESTDIR}/etc/shorewall/policy
     echo "Policy file installed as ${DESTDIR}/etc/shorewall/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/interfaces ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/interfaces           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/interfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/interfaces ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/interfaces${suffix} ${DESTDIR}/etc/shorewall/interfaces
     echo "Interfaces file installed as ${DESTDIR}/etc/shorewall/interfaces"
 fi
 
 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/hosts ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/hosts           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/hosts.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/hosts ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/hosts ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/hosts${suffix} ${DESTDIR}/etc/shorewall/hosts
     echo "Hosts file installed as ${DESTDIR}/etc/shorewall/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/rules ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/rules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/rules ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/rules ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/rules${suffix} ${DESTDIR}/etc/shorewall/rules
     echo "Rules file installed as ${DESTDIR}/etc/shorewall/rules"
 fi
 #
 # Install the NAT file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/nat ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/nat           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/nat.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/nat ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/nat ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/nat${suffix} ${DESTDIR}/etc/shorewall/nat
     echo "NAT file installed as ${DESTDIR}/etc/shorewall/nat"
 fi
 #
 # Install the NETMAP file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/netmap ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/netmap           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/netmap.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/netmap ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/netmap ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/netmap${suffix} ${DESTDIR}/etc/shorewall/netmap
     echo "NETMAP file installed as ${DESTDIR}/etc/shorewall/netmap"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/params ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/params           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/params.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -f ${DESTDIR}/etc/shorewall/params ]; then
     chmod 0644 ${DESTDIR}/etc/shorewall/params
 else
-    run_install $OWNERSHIP -m 0644 $CONFIGFILES/params ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/params${suffix} ${DESTDIR}/etc/shorewall/params
     echo "Parameter file installed as ${DESTDIR}/etc/shorewall/params"
 fi
 #
 # Install the proxy ARP file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/proxyarp ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/proxyarp           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/proxyarp.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/proxyarp ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/proxyarp ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/proxyarp${suffix} ${DESTDIR}/etc/shorewall/proxyarp
     echo "Proxy ARP file installed as ${DESTDIR}/etc/shorewall/proxyarp"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/routestopped ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/routestopped           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/routestopped.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/routestopped ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/routestopped${suffix} ${DESTDIR}/etc/shorewall/routestopped
     echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/maclist ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/maclist           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/maclist.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/maclist ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/maclist ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/maclist${suffix} ${DESTDIR}/etc/shorewall/maclist
     echo "MAC list file installed as ${DESTDIR}/etc/shorewall/maclist"
 fi
 #
 # Install the Masq file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/masq ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/masq           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/masq.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/masq ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/masq ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/masq${suffix} ${DESTDIR}/etc/shorewall/masq
     echo "Masquerade file installed as ${DESTDIR}/etc/shorewall/masq"
 fi
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/notrack ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/notrack           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/notrack.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/notrack ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/notrack ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/notrack${suffix} ${DESTDIR}/etc/shorewall/notrack
     echo "Notrack file installed as ${DESTDIR}/etc/shorewall/notrack"
 fi
 #
@@ -524,67 +555,73 @@ echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall/helpers"
 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcrules ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcrules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcrules ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcrules${suffix} ${DESTDIR}/etc/shorewall/tcrules
     echo "TC Rules file installed as ${DESTDIR}/etc/shorewall/tcrules"
 fi
 
 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcinterfaces ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcinterfaces ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces${suffix} ${DESTDIR}/etc/shorewall/tcinterfaces
     echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall/tcinterfaces"
 fi
 
 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcpri ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcpri           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcpri.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcpri ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcpri${suffix} ${DESTDIR}/etc/shorewall/tcpri
     echo "TC Priority file installed as ${DESTDIR}/etc/shorewall/tcpri"
 fi
 
 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tos ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tos           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tos.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tos ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tos ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tos${suffix} ${DESTDIR}/etc/shorewall/tos
     echo "TOS file installed as ${DESTDIR}/etc/shorewall/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tunnels ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tunnels           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tunnels.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tunnels ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tunnels${suffix} ${DESTDIR}/etc/shorewall/tunnels
     echo "Tunnels file installed as ${DESTDIR}/etc/shorewall/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/blacklist ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blacklist           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blacklist.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/blacklist ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/blacklist${suffix} ${DESTDIR}/etc/shorewall/blacklist
     echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
 # Install the findgw file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/findgw ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/findgw ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/findgw ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/findgw ${DESTDIR}/etc/shorewall
     echo "Find GW file installed as ${DESTDIR}/etc/shorewall/findgw"
 fi
 #
@@ -609,60 +646,66 @@ delete_file ${DESTDIR}/usr/share/shorewall/xmodules
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/providers ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/providers           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/providers.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/providers ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/providers ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/providers${suffix} ${DESTDIR}/etc/shorewall/providers
     echo "Providers file installed as ${DESTDIR}/etc/shorewall/providers"
 fi
 
 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/route_rules ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/route_rules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/route_rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/route_rules ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/route_rules${suffix} ${DESTDIR}/etc/shorewall/route_rules
     echo "Routing rules file installed as ${DESTDIR}/etc/shorewall/route_rules"
 fi
 
 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcclasses ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcclasses           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcclasses.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcclasses ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcclasses${suffix} ${DESTDIR}/etc/shorewall/tcclasses
     echo "TC Classes file installed as ${DESTDIR}/etc/shorewall/tcclasses"
 fi
 
 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcdevices ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcdevices           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcdevices.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcdevices ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcdevices${suffix} ${DESTDIR}/etc/shorewall/tcdevices
     echo "TC Devices file installed as ${DESTDIR}/etc/shorewall/tcdevices"
 fi
 
 #
 # Install the tcfilters file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcfilters ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcfilters           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcfilters.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcfilters ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcfilters${suffix} ${DESTDIR}/etc/shorewall/tcfilters
     echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi
 
 #
 # Install the secmarks file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/secmarks           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/secmarks.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/secmarks ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks${suffix} ${DESTDIR}/etc/shorewall/secmarks
     echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
 fi
 
@@ -674,145 +717,147 @@ echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall/confi
 #
 # Install the init file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/init ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/init ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/init ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/init ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/init ${DESTDIR}/etc/shorewall
     echo "Init file installed as ${DESTDIR}/etc/shorewall/init"
 fi
 #
 # Install the initdone file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/initdone ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/initdone ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/initdone ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/initdone ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/initdone ${DESTDIR}/etc/shorewall
     echo "Initdone file installed as ${DESTDIR}/etc/shorewall/initdone"
 fi
 #
 # Install the start file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/start ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/start ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/start ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/start ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/start ${DESTDIR}/etc/shorewall
     echo "Start file installed as ${DESTDIR}/etc/shorewall/start"
 fi
 #
 # Install the stop file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/stop ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/stop ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/stop ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/stop ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/stop ${DESTDIR}/etc/shorewall
     echo "Stop file installed as ${DESTDIR}/etc/shorewall/stop"
 fi
 #
 # Install the stopped file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/stopped ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/stopped ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/stopped ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/stopped ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/stopped ${DESTDIR}/etc/shorewall
     echo "Stopped file installed as ${DESTDIR}/etc/shorewall/stopped"
 fi
 #
 # Install the ECN file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/ecn ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/ecn           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/ecn.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/ecn ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/ecn ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/ecn${suffix} ${DESTDIR}/etc/shorewall/ecn
     echo "ECN file installed as ${DESTDIR}/etc/shorewall/ecn"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/accounting ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/accounting           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/accounting.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/accounting ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/accounting ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/accounting${suffix} ${DESTDIR}/etc/shorewall/accounting
     echo "Accounting file installed as ${DESTDIR}/etc/shorewall/accounting"
 fi
 #
 # Install the private library file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/lib.private ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/lib.private ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/lib.private ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/lib.private ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/lib.private ${DESTDIR}/etc/shorewall
     echo "Private library file installed as ${DESTDIR}/etc/shorewall/lib.private"
 fi
 #
 # Install the Started file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/started ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/started ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/started ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/started ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/started ${DESTDIR}/etc/shorewall
     echo "Started file installed as ${DESTDIR}/etc/shorewall/started"
 fi
 #
 # Install the Restored file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/restored ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/restored ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/restored ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/restored ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/restored ${DESTDIR}/etc/shorewall
     echo "Restored file installed as ${DESTDIR}/etc/shorewall/restored"
 fi
 #
 # Install the Clear file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/clear ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/clear ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/clear ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/clear ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/clear ${DESTDIR}/etc/shorewall
     echo "Clear file installed as ${DESTDIR}/etc/shorewall/clear"
 fi
 #
 # Install the Isusable file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/isusable ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/isusable ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/isusable ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/isusable ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/isusable ${DESTDIR}/etc/shorewall
     echo "Isusable file installed as ${DESTDIR}/etc/shorewall/isusable"
 fi
 #
 # Install the Refresh file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/refresh ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/refresh ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/refresh ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/refresh ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/refresh ${DESTDIR}/etc/shorewall
     echo "Refresh file installed as ${DESTDIR}/etc/shorewall/refresh"
 fi
 #
 # Install the Refreshed file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/refreshed ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/refreshed ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/refreshed ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/refreshed ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/refreshed ${DESTDIR}/etc/shorewall
     echo "Refreshed file installed as ${DESTDIR}/etc/shorewall/refreshed"
 fi
 #
 # Install the Tcclear file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/tcclear ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcclear ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclear ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/tcclear ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcclear ${DESTDIR}/etc/shorewall
     echo "Tcclear file installed as ${DESTDIR}/etc/shorewall/tcclear"
 fi
 #
 # Install the Scfilter file
 #
-run_install $OWNERSHIP -m 644 $CONFIGFILES/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 644 configfiles/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/scfilter ]; then
-    run_install $OWNERSHIP -m 0600 $CONFIGFILES/scfilter ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/scfilter ${DESTDIR}/etc/shorewall
     echo "Scfilter file installed as ${DESTDIR}/etc/shorewall/scfilter"
 fi
 #
@@ -824,15 +869,14 @@ echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall/actions
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 $CONFIGFILES/actions ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/actions           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/actions.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/actions ]; then
-    run_install $OWNERSHIP -m 0644 $CONFIGFILES/actions ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/actions${suffix} ${DESTDIR}/etc/shorewall/actions
     echo "Actions file installed as ${DESTDIR}/etc/shorewall/actions"
 fi
 
-rm -rf annotated/
-
 #
 # Install the  Makefiles
 #
@@ -974,7 +1018,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	touch /var/log/shorewall-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
     else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	if [ -n "$SYSTEMD" ]; then
+	    if systemctl enable shorewall; then
+		echo "Shorewall will start automatically at boot"
+	    fi
+	elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall ; then
 		echo "shorewall will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"

Shorewall/known_problems.txt

@@ -1,4 +0,0 @@
-1)  On systems running Upstart, shorewall-init cannot reliably secure
-    the firewall before interfaces are brought up.
-
-   

Shorewall/lib.base

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.base
 #
@@ -29,7 +28,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40417
+SHOREWALL_CAPVERSION=40424
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -102,6 +101,7 @@ mutex_on()
     try=0
     local lockf
     lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
@@ -109,8 +109,22 @@ mutex_on()
 
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall/lib.cli

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.cli.
 #
@@ -339,7 +338,7 @@ do_save() {
                     #
                     # Don't save an 'empty' file
                     #
-		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 	    fi
 	    ;;
@@ -399,6 +398,11 @@ show_routing() {
 	    heading "Table $table:"
 	    ip route list table $table
 	done
+
+	if [ -n "$g_routecache" ]; then
+	    heading "Route Cache"
+	    ip -4 route list cache
+	fi
     else
 	heading "Routing Table"
 	ip route list
@@ -422,7 +426,9 @@ list_zone() {
 
     [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
 
-    sets=$(find_sets $1)
+    sets=$(ipset -L -n | grep '^$1_');
+
+    [ -n "$sets" ] || sets=$(find_sets $1)
 
     for setname in $sets; do
 	echo "${setname#${1}_}:"
@@ -519,7 +525,7 @@ show_command() {
 			    [ $# -eq 1 ] && usage 1
 
 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -535,6 +541,10 @@ show_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
+			c*)
+			    g_routecache=Yes
+			    option=${option#c}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -592,6 +602,13 @@ show_command() {
 	    show_reset
 	    $IPTABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IPTABLES -t rawpost -L $g_ipt_options
+	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
@@ -913,6 +930,10 @@ do_dump_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
+			c*)
+			    g_routecache=Yes
+			    option=${option#c}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1486,6 +1507,7 @@ hits_command() {
 	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
+	    [ -z "$port" ] && port=0
 	    printf '%7d %-15s %d\n' $count $address $port
 	done
 
@@ -1670,11 +1692,13 @@ determine_capabilities() {
     OWNER_MATCH=
     IPSET_MATCH=
     OLD_IPSET_MATCH=
+    IPSET_V5=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
     XCONNMARK_MATCH=
     RAW_TABLE=
+    RAWPOST_TABLE=
     IPP2P_MATCH=
     OLD_IPP2P_MATCH=
     LENGTH_MATCH=
@@ -1707,6 +1731,8 @@ determine_capabilities() {
     HEADER_MATCH=
     ACCOUNT_TARGET=
     AUDIT_TARGET=
+    CONDITION_MATCH=
+    IPTABLES_S=
 
     chain=fooX$$
 
@@ -1810,12 +1836,22 @@ determine_capabilities() {
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
     fi
 
-    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
+    qt $IPTABLES -t raw	    -L -n && RAW_TABLE=Yes
+    qt $IPTABLES -t rawpost -L -n && RAWPOST_TABLE=Yes
 
     if qt mywhich ipset; then
 	qt ipset -X $chain # Just in case something went wrong the last time
 
-	if qt ipset -N $chain iphash ; then
+	local have_ipset
+
+	if qt ipset -N $chain hash:ip family inet; then
+	    IPSET_V5=Yes
+	    have_ipset=Yes
+	elif qt ipset -N $chain iphash ; then
+	    have_ipset=Yes
+	fi
+
+	if [ -n "$have_ipset" ]; then
 	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
@@ -1847,7 +1883,8 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
     qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
-
+    qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IPTABLES -S INPUT && IPTABLES_S=Yes
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
     qt $IPTABLES -F $chain1
@@ -1857,7 +1894,17 @@ determine_capabilities() {
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
-    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+   
+    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+    case "$KERNELVERSION" in 
+	*.*.*)
+	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 }
 
 report_capabilities() {
@@ -1899,6 +1946,7 @@ report_capabilities() {
 	report_capability "Connmark Match" $CONNMARK_MATCH
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
+	report_capability "Rawpost Table" $RAWPOST_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
 	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
@@ -1930,6 +1978,9 @@ report_capabilities() {
 	report_capability "Header Match" $HEADER_MATCH
         report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
+	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "iptables -S" $IPTABLES_S
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1967,6 +2018,7 @@ report_capabilities1() {
     report_capability1 CONNMARK_MATCH
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
     report_capability1 IPP2P_MATCH
     report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
@@ -1998,6 +2050,9 @@ report_capabilities1() {
     report_capability1 HEADER_MATCH
     report_capability1 ACCOUNT_TARGET
     report_capability1 AUDIT_TARGET
+    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/lib.common

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.common.
 #
@@ -164,12 +163,21 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
+#
+# Suppress all output and input - mainly for preventing leaked file descriptors
+# to avoid SELinux denials
+#
+qtnoin()
+{
+    "$@" </dev/null >/dev/null 2>&1
+}
+
 qt1()
 {
     local status
 
     while [ 1 ]; do
-	"$@" >/dev/null 2>&1
+	"$@" </dev/null >/dev/null 2>&1
 	status=$?
 	[ $status -ne 4 ] && return $status
     done
@@ -179,7 +187,7 @@ qt1()
 # Determine if Shorewall is "running"
 #
 shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
+    qt1 $IPTABLES -L shorewall -n
 }
 
 #
@@ -217,7 +225,31 @@ loadmodule() # $1 = module name, $2 - * arguments
     local modulefile
     local suffix
 
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
+		done
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift
 
 	for suffix in $MODULE_SUFFIX ; do
@@ -264,7 +296,7 @@ reload_kernel_modules() {
 	uname=$(uname -r) && \
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
 
-    MODULES=$(lsmod | cut -d ' ' -f1)
+    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -310,7 +342,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
+	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 	progress_message "Loading Modules..."
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then

Shorewall/modules.ipset

@@ -13,6 +13,7 @@
 #  copy.
 #
 ###############################################################################
+loadmodule xt_set
 loadmodule ip_set
 loadmodule ip_set_iphash
 loadmodule ip_set_ipmap

Shorewall/shorewall

@@ -330,7 +330,24 @@ startup_error() {
 # Determine if there are config files newer than the passed object
 #
 uptodate() {
-    [ -f $1 ] && [ -z "$(find ${CONFDIR} -newer $1)" ]
+    [ -f $1 ] || return 1
+
+    local dir
+    local ifs
+
+    ifs="$IFS"
+    IFS=':'
+
+    for dir in $CONFIG_PATH; do
+	if [ -n "$(find ${dir} -newer $1)" ]; then
+	    IFS="$ifs"
+	    return 1;
+	fi
+    done
+
+    IFS="$ifs"
+
+    return 0
 }
 
 #
@@ -380,6 +397,8 @@ compiler() {
     [ "$g_debugging" = trace ] && options="$options --debug"
     [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
     [ -n "$g_confess" ] && options="$options --confess"
+    [ -n "$g_update" ] && options="$options --update"
+    [ -n "$g_annotate" ] && options="$options --annotate"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -669,6 +688,10 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			a*)
+			    g_annotate=Yes
+			    option=${option#a}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1255,12 +1278,17 @@ reload_command() # $* = original arguments less the command.
 	[ -f $capabilities ] || getcaps=Yes
     fi
 
-    if [ -n "$getcaps" ]; then
-	if [ -f $directory/shorewall.conf ]; then
-	    . $directory/shorewall.conf
-	    ensure_config_path
+    if [ -f $directory/shorewall.conf ]; then
+	if [ -f $directory/params ]; then
+	    . $directory/params
 	fi
 
+	. $directory/shorewall.conf
+	
+	ensure_config_path
+    fi
+
+    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
 	progress_message "Getting Capabilities on system $system..."
@@ -1381,7 +1409,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ -r ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
     echo "   clear"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1407,7 +1435,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
     echo "   show actions"
     echo "   show [ -f ] capabilities"
     echo "   show classifiers"
@@ -1420,7 +1448,7 @@ usage() # $1 = exit status
     echo "   show [ -m ] log [<regex>]"
     echo "   show macro <macro>"
     echo "   show macros"
-    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
     echo "   show policies"
     echo "   show tc [ device ]"
     echo "   show vardir"
@@ -1432,6 +1460,7 @@ usage() # $1 = exit status
     echo "   version [ -a ]"
     echo "   safe-start [ <directory> ]"
     echo "   safe-restart [ <directory> ]"
+    echo "   update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
     echo
     exit $1
 }
@@ -1514,6 +1543,8 @@ g_debug=
 g_export=
 g_refreshchains=:none:
 g_confess=
+g_update=
+g_annotate=
 
 #
 # Make sure that these variables are cleared
@@ -1687,7 +1718,7 @@ case "$COMMAND" in
     stop|clear)
 	[ $# -ne 1 ] && usage 1
 	get_config
-	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
+	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
 	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $g_debugging $COMMAND
 	[ -n "$nolock" ] || mutex_off
@@ -1720,6 +1751,12 @@ case "$COMMAND" in
 	shift
 	check_command $@
 	;;
+    update)
+	get_config Yes
+	shift
+	g_update=Yes
+	check_command $@
+	;;
     show|list)
 	get_config Yes No Yes
     	shift

Shorewall/shorewall.service

@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start
+ExecReload=/sbin/shorewall $OPTIONS restart
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target

Shorewall/shorewall.spec

@@ -1,522 +0,0 @@
-%define name shorewall
-%define version 4.4.20
-%define release 1
-
-Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root1
-Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
-Obsoletes: shorewall-common shorewall-perl shorewall-shell
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv /etc/rc.d/shorewall
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --add shorewall;
-	fi
-fi
-
-%preun
-
-if [ $1 = 0 ]; then
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv -r /etc/init.d/shorewall
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --del shorewall
-	fi
-
-	rm -f /etc/shorewall/startup_disabled
-
-fi
-
-%triggerpostun  -- shorewall-common < 4.4.0
-
-if [ -x /sbin/insserv ]; then
-    /sbin/insserv /etc/rc.d/shorewall
-elif [ -x /sbin/chkconfig ]; then
-    /sbin/chkconfig --add shorewall;
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0544,root,root) /etc/init.d/shorewall
-%attr(0755,root,root) %dir /etc/shorewall
-%attr(0755,root,root) %dir /usr/share/shorewall
-%attr(0755,root,root) %dir /usr/share/shorewall/configfiles
-%attr(0700,root,root) %dir /var/lib/shorewall
-%attr(0644,root,root) %config(noreplace) /etc/shorewall/*
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall
-
-%attr(0755,root,root) /sbin/shorewall
-
-%attr(0644,root,root) /usr/share/shorewall/version
-%attr(0644,root,root) /usr/share/shorewall/actions.std
-%attr(0644,root,root) /usr/share/shorewall/action.Drop
-%attr(0644,root,root) /usr/share/shorewall/action.A_Drop
-%attr(0644,root,root) /usr/share/shorewall/action.Reject
-%attr(0644,root,root) /usr/share/shorewall/action.A_Reject
-%attr(0644,root,root) /usr/share/shorewall/action.template
-%attr(-   ,root,root) /usr/share/shorewall/functions
-%attr(0644,root,root) /usr/share/shorewall/lib.base
-%attr(0644,root,root) /usr/share/shorewall/lib.cli
-%attr(0644,root,root) /usr/share/shorewall/lib.common
-%attr(0644,root,root) /usr/share/shorewall/macro.*
-%attr(0644,root,root) /usr/share/shorewall/modules*
-%attr(0644,root,root) /usr/share/shorewall/helpers
-%attr(0644,root,root) /usr/share/shorewall/configpath
-%attr(0755,root,root) /usr/share/shorewall/wait4ifup
-
-%attr(755,root,root) /usr/share/shorewall/compiler.pl
-%attr(755,root,root) /usr/share/shorewall/getparams
-%attr(0644,root,root) /usr/share/shorewall/prog.*
-%attr(0644,root,root) /usr/share/shorewall/Shorewall/*.pm
-
-%attr(0644,root,root) /usr/share/shorewall/configfiles/*
-
-%attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
-
-%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
-
-%changelog
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta4
-* Thu May 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta2
-* Fri Apr 15 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta1
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sun Nov 14 2010 Tom Eastep tom@shorewall.net
-- Added getparams to installed files
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
-- Add /usr/share/shorewall/helpers
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
-* Sun Aug 09 2009 Tom Eastep tom@shorewall.net
-- Made Perl a dependency
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.12-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
-- Remove 'rfc1918' file
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.5-0base
-* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.7-0base
-* Thu Feb 05 2009 Tom Eastep tom@shorewall.net
-- Add 'restored' script
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Fri Jan 30 2009 Tom Eastep tom@shorewall.net
-- Added swping files to the doc directory
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0base
-* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC2
-* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC1
-* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.4-0base
-* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.3-0base
-* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.2-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.1-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.1-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.0-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 2.3.0-0base
-* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.3-0base
-* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.2-0base
-* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.1-0base
-* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0base
-* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC4
-* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC3
-* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC2
-* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0RC1
-* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0Beta3
-* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0Beta2
-* Wed May 07 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.0-0Beta1
-* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.8-0base
-* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.7-0base
-* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.6-0base
-* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.5-0base
-* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.1.4-0base
-* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.3-0base
-* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.3-1
-* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.2-1
-* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.1-1
-* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.1.0-1
-* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-1
-* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-0RC3
-* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-0RC2
-* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.6-0RC1
-* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.5-1
-* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.4-1
-* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.3-1
-* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.2-1
-* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.1-1
-* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-1
-* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0RC2
-* Fri Jun 29 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0RC1
-* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta7
-* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta6
-* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta5
-* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta4
-* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta3
-* Tue May 15 2007 Tom Eastep tom@shorewall.net
-- Updated to 4.0.0-0Beta1
-* Fri May 11 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.7-1
-* Sat May 05 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.6-1
-* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.5-1
-* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.4-1
-* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.3-1
-* Mon Apr 16 2007 Tom Eastep tom@shorewall.net
-- Moved lib.dynamiczones from Shorewall-shell
-* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.2-1
-* Tue Apr 03 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.9.1-1
-* Thu Mar 24 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.2-1
-* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.1-1
-* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-1
-* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0RC3
-* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0RC2
-* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0RC1
-* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0Beta3
-* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0Beta2
-* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.4.0-0Beta1
-* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
-- Added shorewall-exclusion(5)
-- Updated to 3.3.6-1
-* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.5-1
-* Sat Nov 18 2006 Tom Eastep tom@shorewall.net
-- Add Man Pages.
-* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.4-1
-* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.3-1
-* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.2-1
-* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.1-1
-* Sun Aug 27 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.3.0-1
-* Fri Aug 25 2006 Tom Eastep tom@shorewall.net
-- Updated to 3.2.3-1
-
-

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=xxx #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
@@ -92,6 +92,8 @@ if [ -n "$FIREWALL" ]; then
 	updaterc.d shorewall remove
     elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
         insserv -r $FIREWALL
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall
     elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
     else
@@ -116,6 +118,7 @@ rm -rf /usr/share/shorewall-*.bkout
 rm -rf /usr/share/man/man5/shorewall*
 rm -rf /usr/share/man/man8/shorewall*
 rm -f  /etc/logrotate.d/shorewall
+rm -f  /lib/systemd/system/shorewall.service
 
 echo "Shorewall Uninstalled"
 

Shorewall6-lite/init.fedora.sh

@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=xxx #The build script will insert the actual version
 
 usage() # $1 = exit status
 {
@@ -171,6 +171,8 @@ if [ -n "$DESTDIR" ]; then
     install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
     DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
     DEST="/etc/rc.d"
     INIT="rc.firewall"
@@ -180,6 +182,14 @@ elif [ -f /etc/arch-release ] ; then
       ARCHLINUX=yes
 fi
 
+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -222,6 +232,8 @@ echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-li
 #
 if [ -n "$DEBIAN" ]; then
     install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
     install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 
@@ -247,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
     chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 
+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall6-lite.service ${DESTDIR}/lib/systemd/system/shorewall6-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -380,7 +400,11 @@ if [ -z "$DESTDIR" ]; then
 
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall6-lite; then
+		    echo "Shorewall6 Lite will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall6-lite ; then
 		    echo "Shorewall6 Lite will start automatically at boot"
 		else

Shorewall6-lite/shorewall6-lite.service

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecReload=/sbin/shorewall6-lite $OPTIONS restart
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target

Shorewall6-lite/shorewall6-lite.spec

@@ -1,360 +0,0 @@
-%define name shorewall6-lite
-%define version 4.4.20
-%define release 1
-
-Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
-
-%description
-
-The Shoreline Firewall 6, more commonly known as "Shorewall6", is a Netfilter
-(ip6tables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall6 Lite is a companion product to Shorewall6 that allows network
-administrators to centralize the configuration of Shorewall6-based firewalls.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%pre
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall6-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall6-lite;
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall6-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall6-lite
-    fi
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0755,root,root) %dir /etc/shorewall6-lite
-%attr(0644,root,root) %config(noreplace) /etc/shorewall6-lite/shorewall6-lite.conf
-%attr(0644,root,root) /etc/shorewall6-lite/Makefile
-%attr(0544,root,root) /etc/init.d/shorewall6-lite
-%attr(0755,root,root) %dir /usr/share/shorewall6-lite
-%attr(0700,root,root) %dir /var/lib/shorewall6-lite
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
-
-%attr(0755,root,root) /sbin/shorewall6-lite
-
-%attr(0644,root,root) /usr/share/shorewall6-lite/version
-%attr(0644,root,root) /usr/share/shorewall6-lite/configpath
-%attr(-   ,root,root) /usr/share/shorewall6-lite/functions
-%attr(0644,root,root) /usr/share/shorewall6-lite/lib.base
-%attr(0644,root,root) /usr/share/shorewall6-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall6-lite/lib.common
-%attr(0644,root,root) /usr/share/shorewall6-lite/modules*
-%attr(0644,root,root) /usr/share/shorewall6-lite/helpers
-%attr(0544,root,root) /usr/share/shorewall6-lite/shorecap
-%attr(0755,root,root) /usr/share/shorewall6-lite/wait4ifup
-
-%attr(0644,root,root) %{_mandir}/man5/shorewall6-lite.conf.5.gz
-%attr(0644,root,root) %{_mandir}/man5/shorewall6-lite-vardir.5.gz
-
-%attr(0644,root,root) %{_mandir}/man8/shorewall6-lite.8.gz
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta4
-* Thu May 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta2
-* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta1
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.12-0base
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.5-0base
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0base
-* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC2
-* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC1
-* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.4-0base
-* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.3-0base
-* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.2-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.1-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.0-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 2.3.0-0base
-* Tue Dec 09 2008 Tom Eastep tom@shorewall.net
-- Initial Version
-
-

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.20.1
+VERSION=xxx  #The Build script inserts the actual version
 
 usage() # $1 = exit status
 {
@@ -81,6 +81,8 @@ if [ -n "$FIREWALL" ]; then
         insserv -r $FIREWALL
     elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall6-lite
     else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
     fi
@@ -100,6 +102,7 @@ rm -rf /usr/share/shorewall6-lite
 rm -rf ${LIBEXEC}/shorewall6-lite
 rm -rf /usr/share/shorewall6-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall6-lite
+rm -f  /lib/systemd/system/shorewall6-lite.service
 
 echo "Shorewall6 Lite Uninstalled"
 

Shorewall6/action.AllowICMPs

@@ -8,33 +8,37 @@
 ###############################################################################
 #TARGET	SOURCE		DEST	PROTO		DEST
 #						PORT(S)	
+
+FORMAT 2
+DEFAULTS ACCEPT
+
 COMMENT Needed ICMP types (RFC4890)
 
-ACCEPT	-		-	ipv6-icmp	destination-unreachable
-ACCEPT	-		-	ipv6-icmp	packet-too-big
-ACCEPT	-		-	ipv6-icmp	time-exceeded
-ACCEPT	-	-		ipv6-icmp	parameter-problem
+$1	-		-	ipv6-icmp	destination-unreachable
+$1	-		-	ipv6-icmp	packet-too-big
+$1	-		-	ipv6-icmp	time-exceeded
+$1	-		-	ipv6-icmp	parameter-problem
 
 # The following should have a ttl of 255 and must be allowed to transit a bridge
-ACCEPT	-		-	ipv6-icmp	router-solicitation
-ACCEPT	-		-	ipv6-icmp	router-advertisement
-ACCEPT	-		-	ipv6-icmp	neighbour-solicitation
-ACCEPT	-		-	ipv6-icmp	neighbour-advertisement
-ACCEPT	-		-	ipv6-icmp	137	# Redirect
-ACCEPT	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
-ACCEPT	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
+$1	-		-	ipv6-icmp	router-solicitation
+$1	-		-	ipv6-icmp	router-advertisement
+$1	-		-	ipv6-icmp	neighbour-solicitation
+$1	-		-	ipv6-icmp	neighbour-advertisement
+$1	-		-	ipv6-icmp	137	# Redirect
+$1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
+$1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
 
 # The following should have a link local source address and must be allowed to transit a bridge
-ACCEPT	fe80::/10	-	ipv6-icmp	130	# Listener query
-ACCEPT	fe80::/10	-	ipv6-icmp	131	# Listener report
-ACCEPT	fe80::/10	-	ipv6-icmp	132	# Listener done
-ACCEPT	fe80::/10	-	ipv6-icmp	143	# Listener report v2
+$1	fe80::/10	-	ipv6-icmp	130	# Listener query
+$1	fe80::/10	-	ipv6-icmp	131	# Listener report
+$1	fe80::/10	-	ipv6-icmp	132	# Listener done
+$1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
 
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
-ACCEPT	-		-	ipv6-icmp	148	# Certificate path solicitation
-ACCEPT	-		-	ipv6-icmp	149	# Certificate path advertisement
+$1	-		-	ipv6-icmp	148	# Certificate path solicitation
+$1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
-ACCEPT	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
-ACCEPT	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
-ACCEPT	fe80::/10	-	ipv6-icmp	153	# Multicast router termination
+$1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
+$1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
+$1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall6/action.Broadcast

@@ -0,0 +1,71 @@
+#
+# Shorewall 4 - Broadcast Action
+#
+#    /usr/share/shorewall/action.Broadcast
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Broadcast[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my $chainref           = get_action_chain;
+my ( $action, $audit ) = get_action_params( 2 );
+my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
+
+fatal_error "Invalid parameter to action Broadcast"   if supplied $audit && $audit ne 'audit';
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+    }	
+
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
+} else {
+    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+  
+log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
+add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
+
+1;
+
+END PERL;

Shorewall6/action.Drop

@@ -15,38 +15,78 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth($2)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	ipv6-icmp
+AllowICMPs($4)	-	-	ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
+SMB($3)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)

Shorewall6/action.Reject

@@ -12,39 +12,79 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth($2)
 #
 # Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-AllowICMPs	-	-	ipv6-icmp
+AllowICMPs($4)	-	-	ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
+SMB($3)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)

Shorewall6/actions.std

@@ -8,7 +8,7 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets
+#    allowBcasts        # Accept multicast and anycast packets 
 #    dropBcasts         # Silently Drop multicast and anycast packets
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
@@ -23,5 +23,8 @@ A_Drop	            # Audited Default Action for DROP policy
 A_Reject	    # Audited Default Action for REJECT policy
 A_AllowICMPs	    # Audited Accept needed ICMP6 types
 AllowICMPs	    # Accept needed ICMP6 types
+Broadcast           # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+Invalid		    # Handles packets in the INVALID conntrack state
+NotSyn		    # Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy

Shorewall6/configfiles/netmap

@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4	 - Netmap File
+#
+# For information about entries in this file, type "man shorewall-netmap"
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)

Shorewall6/configfiles/rules

@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-#######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME            HEADERS
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW

Shorewall6/configfiles/scfilter

@@ -1,12 +1,10 @@
-#! /bin/sh
 #
 # Shorewall version 4 - Show Connections Filter
 #
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
-#       'show connections. Unlike other extension scripts, this file
-#       must be executable before Shorewall will use it.
+#       'show connections. 
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.

Shorewall6/configfiles/shorewall6.conf

@@ -28,16 +28,12 @@ LOG_VERBOSITY=2
 
 LOGALLNEW=
 
-LOGBURST=
-
 LOGFILE=/var/log/messages
 
 LOGFORMAT="Shorewall:%s:%s:"
 
 LOGLIMIT=
 
-LOGRATE=
-
 LOGTAGONLY=No
 
 MACLIST_LOG_LEVEL=info
@@ -54,7 +50,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+CONFIG_PATH="/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall"
 
 IP6TABLES=
 
@@ -66,7 +62,7 @@ MODULESDIR=
 
 PERL=/usr/bin/perl
 
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 
 RESTOREFILE=restore
 
@@ -80,11 +76,11 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 
-ACCEPT_DEFAULT="none"
-DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
-REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject
 
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
@@ -125,8 +121,6 @@ EXPAND_POLICIES=Yes
 
 EXPORTMODULES=Yes
 
-EXPORTPARAMS=No
-
 FASTACCEPT=No
 
 FORWARD_CLEAR_MARK=Yes
@@ -186,5 +180,3 @@ SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 
 TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE

Shorewall6/init.fedora.sh

@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.20.1
+VERSION=xxx #The build script will insert the actual version
 
 usage() # $1 = exit status
 {
@@ -106,10 +106,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6"
 fi
 
-PLAIN=Yes
-DEBIAN=
+ANNOTATED=
 CYGWIN=
 MAC=
+MACHOST=
 MANDIR=${MANDIR:-"/usr/share/man"}
 SPARSE=
 INSTALLD='-D'
@@ -154,6 +154,7 @@ case $(uname) in
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
+	MACHOST=Yes
 	INSTALLD=
 	;;	
     *)
@@ -187,11 +188,11 @@ while [ $finished -eq 0 ]; do
 			option=${option#s}
 			;;
 		    a*)
-			PLAIN=
+			ANNOTATED=Yes
 			option=${option#a}
 			;;
 		    p*)
-			PLAIN=Yes
+			ANNOTATED=
 			option=${option#p}
 			;;
 		    *)
@@ -240,6 +241,9 @@ else
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	    SPARSE=yes
+        elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
@@ -254,6 +258,14 @@ else
     fi
 fi
 
+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -272,12 +284,12 @@ fi
 
 if [ -z "$CYGWIN" ]; then
    install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   if [ -z "$MAC" ]; then
+   if [ -z "$MACHOST" ]; then
        eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6
        eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6
    else
-       eval sed -i -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6
-       eval sed -i -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6
+       eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6
+       eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall6
    fi
    echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
 else
@@ -293,6 +305,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
     install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$SLACKWARE" ]; then
     install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
@@ -321,6 +335,14 @@ if [ -n "$DESTDIR" ]; then
     chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 
+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall6.service ${DESTDIR}/lib/systemd/system/shorewall6.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6.service"
+fi
+
 delete_file ${DESTDIR}/usr/share/shorewall6/compiler
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
@@ -372,23 +394,23 @@ echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6/conf
 install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
 echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall6/actions.std"
 
-if [ -z "$PLAIN" ]; then
-    mkdir annotated
-    cp configfiles/* annotated/
-    cd annotated
-    for f in *.annotated; do
-	mv -f $f ${f%.annotated}
-    done
+cd configfiles
+
+if [ -n "$ANNOTATED" ]; then
+    suffix=.annotated
 else
-    cd configfiles
+    suffix=
 fi
+
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+run_install $OWNERSHIP -m 0644 shorewall6.conf           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 shorewall6.conf.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
+
 
 if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
-   run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
+   run_install $OWNERSHIP -m 0644 shorewall6.conf${suffix} ${DESTDIR}/etc/shorewall6/shorewall6.conf
 
    if [ -n "$DEBIAN" ] && mywhich perl; then
        #
@@ -418,193 +440,214 @@ fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
+run_install $OWNERSHIP -m 0644 zones           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 zones.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/etc/shorewall6/zones
+    run_install $OWNERSHIP -m 0644 zones${suffix} ${DESTDIR}/etc/shorewall6/zones
     echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
 fi
 
 #
 # Install the policy file
 #
-run_install $OWNERSHIP -m 0644 policy ${DESTDIR}/usr/share/shorewall6/configfiles/policy
+run_install $OWNERSHIP -m 0644 policy           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 policy.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/policy ]; then
-    run_install $OWNERSHIP -m 0600 policy ${DESTDIR}/etc/shorewall6/policy
+    run_install $OWNERSHIP -m 0600 policy${suffix} ${DESTDIR}/etc/shorewall6/policy
     echo "Policy file installed as ${DESTDIR}/etc/shorewall6/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 interfaces ${DESTDIR}/usr/share/shorewall6/configfiles/interfaces
+run_install $OWNERSHIP -m 0644 interfaces           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 interfaces.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 interfaces ${DESTDIR}/etc/shorewall6/interfaces
+    run_install $OWNERSHIP -m 0600 interfaces${suffix} ${DESTDIR}/etc/shorewall6/interfaces
     echo "Interfaces file installed as ${DESTDIR}/etc/shorewall6/interfaces"
 fi
 
 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 hosts ${DESTDIR}/usr/share/shorewall6/configfiles/hosts
+run_install $OWNERSHIP -m 0644 hosts           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 hosts.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/hosts ]; then
-    run_install $OWNERSHIP -m 0600 hosts ${DESTDIR}/etc/shorewall6/hosts
+    run_install $OWNERSHIP -m 0600 hosts${suffix} ${DESTDIR}/etc/shorewall6/hosts
     echo "Hosts file installed as ${DESTDIR}/etc/shorewall6/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 rules ${DESTDIR}/usr/share/shorewall6/configfiles/rules
+run_install $OWNERSHIP -m 0644 rules           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 rules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/rules ]; then
-    run_install $OWNERSHIP -m 0600 rules ${DESTDIR}/etc/shorewall6/rules
+    run_install $OWNERSHIP -m 0600 rules${suffix} ${DESTDIR}/etc/shorewall6/rules
     echo "Rules file installed as ${DESTDIR}/etc/shorewall6/rules"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 params ${DESTDIR}/usr/share/shorewall6/configfiles/params
+run_install $OWNERSHIP -m 0644 params          ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 params.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -f ${DESTDIR}/etc/shorewall6/params ]; then
     chmod 0644 ${DESTDIR}/etc/shorewall6/params
 else
-    run_install $OWNERSHIP -m 0644 params ${DESTDIR}/etc/shorewall6/params
+    run_install $OWNERSHIP -m 0644 params${suffix} ${DESTDIR}/etc/shorewall6/params
     echo "Parameter file installed as ${DESTDIR}/etc/shorewall6/params"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 routestopped ${DESTDIR}/usr/share/shorewall6/configfiles/routestopped
+run_install $OWNERSHIP -m 0644 routestopped           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 routestopped.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped ${DESTDIR}/etc/shorewall6/routestopped
+    run_install $OWNERSHIP -m 0600 routestopped${suffix} ${DESTDIR}/etc/shorewall6/routestopped
     echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall6/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 maclist ${DESTDIR}/usr/share/shorewall6/configfiles/maclist
+run_install $OWNERSHIP -m 0644 maclist           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 maclist.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/maclist ]; then
-    run_install $OWNERSHIP -m 0600 maclist ${DESTDIR}/etc/shorewall6/maclist
+    run_install $OWNERSHIP -m 0600 maclist${suffix} ${DESTDIR}/etc/shorewall6/maclist
     echo "MAC list file installed as ${DESTDIR}/etc/shorewall6/maclist"
 fi
+
 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}/usr/share/shorewall6/configfiles/tcrules
+run_install $OWNERSHIP -m 0644 tcrules           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tcrules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 tcrules ${DESTDIR}/etc/shorewall6/tcrules
+    run_install $OWNERSHIP -m 0600 tcrules${suffix} ${DESTDIR}/etc/shorewall6/tcrules
     echo "TC Rules file installed as ${DESTDIR}/etc/shorewall6/tcrules"
 fi
 
 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 tcinterfaces ${DESTDIR}/usr/share/shorewall6/configfiles/tcinterfaces
+run_install $OWNERSHIP -m 0644 tcinterfaces           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tcinterfaces.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 tcinterfaces ${DESTDIR}/etc/shorewall6/tcinterfaces
+    run_install $OWNERSHIP -m 0600 tcinterfaces${suffix} ${DESTDIR}/etc/shorewall6/tcinterfaces
     echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall6/tcinterfaces"
 fi
 
 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 tcpri ${DESTDIR}/usr/share/shorewall6/configfiles/tcpri
+run_install $OWNERSHIP -m 0644 tcpri           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tcpri.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 tcpri ${DESTDIR}/etc/shorewall6/tcpri
+    run_install $OWNERSHIP -m 0600 tcpri${suffix} ${DESTDIR}/etc/shorewall6/tcpri
     echo "TC Priority file installed as ${DESTDIR}/etc/shorewall6/tcpri"
 fi
 
 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 tos ${DESTDIR}/usr/share/shorewall6/configfiles/tos
+run_install $OWNERSHIP -m 0644 tos           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tos.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tos ]; then
-    run_install $OWNERSHIP -m 0600 tos ${DESTDIR}/etc/shorewall6/tos
+    run_install $OWNERSHIP -m 0600 tos${suffix} ${DESTDIR}/etc/shorewall6/tos
     echo "TOS file installed as ${DESTDIR}/etc/shorewall6/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 tunnels ${DESTDIR}/usr/share/shorewall6/configfiles/tunnels
+run_install $OWNERSHIP -m 0644 tunnels           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tunnels.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 tunnels ${DESTDIR}/etc/shorewall6/tunnels
+    run_install $OWNERSHIP -m 0600 tunnels${suffix} ${DESTDIR}/etc/shorewall6/tunnels
     echo "Tunnels file installed as ${DESTDIR}/etc/shorewall6/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 blacklist ${DESTDIR}/usr/share/shorewall6/configfiles/blacklist
+run_install $OWNERSHIP -m 0644 blacklist           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 blacklist.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist ${DESTDIR}/etc/shorewall6/blacklist
+    run_install $OWNERSHIP -m 0600 blacklist${suffix} ${DESTDIR}/etc/shorewall6/blacklist
     echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
 fi
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
+run_install $OWNERSHIP -m 0644 providers           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 providers.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
-    run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
+    run_install $OWNERSHIP -m 0600 providers${suffix} ${DESTDIR}/etc/shorewall6/providers
     echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
 fi
 
 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 route_rules ${DESTDIR}/usr/share/shorewall6/configfiles/route_rules
+run_install $OWNERSHIP -m 0644 route_rules           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 route_rules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 route_rules ${DESTDIR}/etc/shorewall6/route_rules
+    run_install $OWNERSHIP -m 0600 route_rules${suffix} ${DESTDIR}/etc/shorewall6/route_rules
     echo "Routing rules file installed as ${DESTDIR}/etc/shorewall6/route_rules"
 fi
 
 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 tcclasses ${DESTDIR}/usr/share/shorewall6/configfiles/tcclasses
+run_install $OWNERSHIP -m 0644 tcclasses           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tcclasses.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 tcclasses ${DESTDIR}/etc/shorewall6/tcclasses
+    run_install $OWNERSHIP -m 0600 tcclasses${suffix} ${DESTDIR}/etc/shorewall6/tcclasses
     echo "TC Classes file installed as ${DESTDIR}/etc/shorewall6/tcclasses"
 fi
 
 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 tcdevices ${DESTDIR}/usr/share/shorewall6/configfiles/tcdevices
+run_install $OWNERSHIP -m 0644 tcdevices           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tcdevices.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 tcdevices ${DESTDIR}/etc/shorewall6/tcdevices
+    run_install $OWNERSHIP -m 0600 tcdevices${suffix} ${DESTDIR}/etc/shorewall6/tcdevices
     echo "TC Devices file installed as ${DESTDIR}/etc/shorewall6/tcdevices"
 fi
 
 #
 # Install the tcfilters file
 #
-run_install $OWNERSHIP -m 0644 tcfilters ${DESTDIR}/usr/share/shorewall6/configfiles/tcfilters
+run_install $OWNERSHIP -m 0644 tcfilters           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 tcfilters.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcfilters ]; then
-    run_install $OWNERSHIP -m 0600 tcfilters ${DESTDIR}/etc/shorewall6/tcfilters
+    run_install $OWNERSHIP -m 0600 tcfilters${suffix} ${DESTDIR}/etc/shorewall6/tcfilters
     echo "TC Filters file installed as ${DESTDIR}/etc/shorewall6/tcfilters"
 fi
 
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 notrack ${DESTDIR}/usr/share/shorewall6/configfiles/notrack
+run_install $OWNERSHIP -m 0644 notrack           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 notrack.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
+    run_install $OWNERSHIP -m 0600 notrack${suffix} ${DESTDIR}/etc/shorewall6/notrack
     echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
 fi
 
@@ -647,10 +690,11 @@ fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 accounting ${DESTDIR}/usr/share/shorewall6/configfiles/accounting
+run_install $OWNERSHIP -m 0644 accounting           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 accounting.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/accounting ]; then
-    run_install $OWNERSHIP -m 0600 accounting ${DESTDIR}/etc/shorewall6/accounting
+    run_install $OWNERSHIP -m 0600 accounting${suffix} ${DESTDIR}/etc/shorewall6/accounting
     echo "Accounting file installed as ${DESTDIR}/etc/shorewall6/accounting"
 fi
 #
@@ -710,7 +754,7 @@ fi
 #
 # Install the Tcclear file
 #
-run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/tcclear
+run_install $OWNERSHIP -m 0644 tcclear           ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
     run_install $OWNERSHIP -m 0600 tcclear ${DESTDIR}/etc/shorewall6/tcclear
@@ -729,36 +773,37 @@ fi
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
+run_install $OWNERSHIP -m 0644 providers           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 providers.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
-    run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
+    run_install $OWNERSHIP -m 0600 providers${suffix} ${DESTDIR}/etc/shorewall6/providers
     echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
 fi
 #
 # Install the Proxyndp file
 #
-run_install $OWNERSHIP -m 0644 proxyndp ${DESTDIR}/usr/share/shorewall6/configfiles/proxyndp
+run_install $OWNERSHIP -m 0644 proxyndp           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 proxyndp.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/proxyndp ]; then
-    run_install $OWNERSHIP -m 0600 proxyndp ${DESTDIR}/etc/shorewall6/proxyndp
+    run_install $OWNERSHIP -m 0600 proxyndp${suffix} ${DESTDIR}/etc/shorewall6/proxyndp
     echo "Proxyndp file installed as ${DESTDIR}/etc/shorewall6/proxyndp"
 fi
 
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/usr/share/shorewall6/configfiles/actions
+run_install $OWNERSHIP -m 0644 actions           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 actions.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
 
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/actions ]; then
-    run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/etc/shorewall6/actions
+    run_install $OWNERSHIP -m 0644 actions${suffix} ${DESTDIR}/etc/shorewall6/actions
     echo "Actions file installed as ${DESTDIR}/etc/shorewall6/actions"
 fi
 
 cd ..
 
-rm -rf annotated/
-
 #
 # Install the  Makefiles
 #
@@ -849,7 +894,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	touch /var/log/shorewall6-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall6/shorewall6.conf
     else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	if [ -n "$SYSTEMD" ]; then
+	    if systemctl enable shorewall6; then
+		echo "Shorewall6 will start automatically at boot"
+	    fi
+	elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall6 ; then
 		echo "shorewall6 will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall6/shorewall6.conf to enable"

Shorewall6/lib.base

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall6 4.2-- /usr/share/shorewall/lib.base
 #
@@ -33,7 +32,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40417
+SHOREWALL_CAPVERSION=40424
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -106,6 +105,7 @@ mutex_on()
     try=0
     local lockf
     lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
@@ -113,8 +113,22 @@ mutex_on()
 
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall6/lib.cli

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall6 4.2 -- /usr/share/shorewall6/lib.cli.
 #
@@ -292,6 +291,46 @@ do_save() {
 	status=1
     fi
 
+    case ${SAVE_IPSETS:=No} in
+	[Yy]es)
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+			IPSET=
+		    fi
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+		    ;;
+	    esac
+
+	    if [ -n "$IPSET" ]; then
+		if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+                    #
+                    # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+                    #
+		    hack='| grep -v /31'
+		else
+		    hack=
+		fi
+
+		if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+                    #
+                    # Don't save an 'empty' file
+                    #
+		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		fi
+	    fi
+	    ;;
+	[Nn]o)
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+	    ;;
+    esac
+
     return $status
 }
 
@@ -351,10 +390,38 @@ show_routing() {
 	    heading "Table $table:"
 	    ip -6 route list table $table
 	done
+
+	if [ -n "$g_routecache" ]; then
+	    heading "Route Cache"
+	    ip -6 route list cache
+	fi
     else
 	heading "Routing Table"
 	ip -6 route list
     fi
+
+    
+}
+
+#
+# 'list dynamic' command executor
+#
+list_zone() {
+
+    local sets
+    local setname
+
+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+
+    sets=$(ipset -L -n | grep "^6_$1_")
+
+    for setname in $sets; do
+	echo "${setname#${1}_}:"
+	ipset -L $setname     | awk 'BEGIN        {prnt=0;}; \
+                                    /^Members:/  {prnt=1; next; }; \
+                                    /^Bindings:/ {prnt=0; }; \
+                                                 { if (prnt == 1) print "   ", $1; };'
+    done
 }
 
 #
@@ -443,7 +510,7 @@ show_command() {
 			    [ $# -eq 1 ] && usage 1
 
 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -459,6 +526,10 @@ show_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
+			c*)
+			    g_routecache=Yes
+			    option=${option#c}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -504,6 +575,13 @@ show_command() {
 	    show_reset
 	    $IP6TABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IP6TABLES -t rawpost -L $g_ipt_options
+	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 
@@ -535,7 +613,14 @@ show_command() {
 	    [ $# -gt 2 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
 	    echo
-	    show_tc
+	    shift
+
+	    if [ -z "$1" ]; then
+		$IP6TABLES -t mangle -L -n -v
+		echo
+	    fi
+
+	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
@@ -630,9 +715,14 @@ show_command() {
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
-			echo "allowBcast          # Accept Multicast and Anycast Packets"
-			echo "dropBcast           # Silently Drop Multicast and Anycast Packets"
+			echo "A_ACCEPT            # Audit and accept the connection"
+			echo "A_DROP              # Audit and drop the connection"
+			echo "A_REJECT            # Audit and reject the connection "
+			echo "allowBcast          # Silently Allow Broadcast/multicast"
 			echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
+			echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
+			echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+			echo "dropBcast           # Silently Drop Broadcast/multicast"
 			echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
 			echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
 			echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
@@ -643,6 +733,18 @@ show_command() {
 			    grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			fi
 
+			return
+			;;
+		    macro)
+			[ $# -ne 2 ] && usage 1
+			for directory in $(split $CONFIG_PATH); do
+			    if [ -f ${directory}/macro.$2 ]; then
+				echo "Shorewall6 $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
+				cat ${directory}/macro.$2
+				return
+			    fi
+			done
+			echo "   WARNING: Macro $2 not found" >&2
 			return
 			;;
 		    macros)
@@ -672,13 +774,20 @@ show_command() {
 	    fi
 
 	    if [ $# -gt 0 ]; then
+		if [ $1 = dynamic -a $# -gt 1 ]; then
+		    shift
+		    [ $# -eq 1 ] || usage 1
+		    list_zone $1
+		    return;
+                fi
+
 		[ -n "$table_given" ] || for chain in $*; do
 		    if ! qt $IP6TABLES -t $table -L $chain $g_ipt_options; then
 			error_message "ERROR: Chain '$chain' is not recognized by $IP6TABLES."
 			exit 1
 		    fi
 		done
-		
+
 		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
 		echo
 		show_reset
@@ -756,6 +865,10 @@ do_dump_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
+			c*)
+			    g_routecache=Yes
+			    option=${option#c}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1086,92 +1199,188 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 }
 
 #
-# 'hits' commmand executor
+# Replace commas with spaces and echo the result
 #
-hits_command() {
-    local finished
-    finished=0
-    local today
-    today=
+separate_list() {
+    local list
+    list="$@"
+    local part
+    local newlist
+    local firstpart
+    local lastpart
+    local enclosure
 
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			t*)
-			    today=$(date +'^%b %_d.*')
-			    option=${option#t}
+    case "$list" in
+	*,|,*|*,,*|*[[:space:]]*)
+	    #
+	    # There's been whining about us not catching embedded white space in
+	    # comma-separated lists. This is an attempt to snag some of the cases.
+	    #
+            echo "WARNING -- invalid comma-separated list \"$@\"" >&2
+	    ;;
+	*\[*\]*)
+	    #
+	    # Where we need to embed comma-separated lists within lists, we enclose them
+	    # within square brackets.
+	    #
+	    firstpart=${list%%\[*}
+	    lastpart=${list#*\[}
+	    enclosure=${lastpart%%\]*}
+	    lastpart=${lastpart#*\]}
+	    case $lastpart in
+		\,*)
+		    case $firstpart in
+			*\,)
+			    echo "$(separate_list ${firstpart%,}) [$enclosure] $(separate_list ${lastpart#,})"
 			    ;;
 			*)
-			    usage 1
+			    echo "$(separate_list $firstpart)[$enclosure] $(separate_list ${lastpart#,})"
 			    ;;
 		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
+		    ;;
+		*)
+		    case $firstpart in
+			*\,)
+			    echo "$(separate_list ${firstpart%,}) [$enclosure]$(separate_list $lastpart)"
+			    ;;
+			*)
+			    echo "$(separate_list $firstpart)[$enclosure]$(separate_list $lastpart)"
+			    ;;
+		    esac
+		    ;;
+	    esac
+	    return
+	    ;;
+    esac
+
+    list="$@"
+    part="${list%%,*}"
+    newlist="$part"
+
+    while [ "x$part" != "x$list" ]; do
+	list="${list#*,}";
+	part="${list%%,*}";
+	newlist="$newlist $part";
     done
 
-    [ $# -eq 0 ] || usage 1
+    echo "$newlist"
+}
 
-    clear_term
-    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
-    echo
-
-    timeout=30
-
-    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
-	echo "   HITS IP	        DATE"
-	echo "   ---- --------------- ------"
-	$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
-	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
-	done
-
-	echo ""
-
-	echo "   HITS IP	        PORT"
-	echo "   ---- --------------- -----"
-	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
-						t
-						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
-	    printf '%7d %-15s %d\n' $count $address $port
-	done
-
-	echo ""
-
-	echo "   HITS DATE"
-	echo "   ---- ------"
-	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
-	    printf '%7d %3s %2d\n' $count $month $day
-	done
-
-	echo ""
-
-	echo "   HITS  PORT SERVICE(S)"
-	echo "   ---- ----- ----------"
-	$g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
-	    # List all services defined for the given port
-	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
-	    srv=$(echo $srv | sed 's/ /,/g')
-
-	    if [ -n "$srv" ] ; then
-		printf '%7d %5d %s\n' $count $port $srv
-	    else
-		printf '%7d %5d\n' $count $port
-	    fi
-	done
+#
+# add command executor
+#
+add_command() {
+    local interface host hostlist zone ipset
+    if ! shorewall6_is_started ; then
+	echo "Shorewall6 Not Started" >&2
+	exit 2
     fi
+
+    case "$IPSET" in
+	*/*)
+	    ;;
+	*)
+	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ;;
+    esac
+    #
+    # Normalize host list
+    #
+    while [ $# -gt 1 ]; do
+	interface=${1%%:*}
+	host=${1#*:}
+	[ "$host" = "$1" ] && host=
+
+	if [ -z "$host" ]; then
+	    hostlist="$hostlist $interface:::/0"
+	else
+	    for h in $(separate_list $host); do
+		hostlist="$hostlist $interface:$h"
+	    done
+	fi
+
+	shift
+    done
+
+    zone=$1
+
+    for host in $hostlist; do
+	interface=${host%%:*}
+
+	ipset=6_${zone}_${interface};
+
+	if ! qt $IPSET -L $ipset -n; then
+	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+	fi
+
+	host=${host#*:}
+
+	if $IPSET -A $ipset $host; then
+	    echo "Host $interface:$host added to zone $zone"
+	else
+	    fatal_error "Unable to add $interface:$host to zone $zone"
+	fi
+    done
+
+}
+
+#
+# delete command executor
+#
+delete_command() {
+    local interface host hostent hostlist zone ipset
+    if ! shorewall6_is_started ; then
+	echo "Shorewall6 Not Started" >&2
+	exit 2;
+    fi
+
+    case "$IPSET" in
+	*/*)
+	    ;;
+	*)
+	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ;;
+    esac
+
+    #
+    # Normalize host list
+    #
+    while [ $# -gt 1 ]; do
+	interface=${1%%:*}
+	host=${1#*:}
+	[ "$host" = "$1" ] && host=
+
+	if [ -z "$host" ]; then
+	    hostlist="$hostlist $interface:::/0"
+	else
+	    for h in $(separate_list $host); do
+		hostlist="$hostlist $interface:$h"
+	    done
+	fi
+
+	shift
+    done
+
+    zone=$1
+
+    for hostent in $hostlist; do
+	interface=${hostent%%:*}
+
+	ipset=6_${zone}_${interface};
+
+	if ! qt $IPSET -L $ipset -n; then
+	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
+	fi
+
+	host=${hostent#*:}
+
+	if $IPSET -D $ipset $host; then
+	    echo "Host $hostent deleted from zone $zone"
+	else
+	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
+	fi
+    done
+
 }
 
 #
@@ -1311,11 +1520,13 @@ determine_capabilities() {
     OWNER_MATCH=
     IPSET_MATCH=
     OLD_IPSET_MATCH=
+    IPSET_V5=
     CONNMARK=
     XCONNMARK=
     CONNMARK_MATCH=
     XCONNMARK_MATCH=
     RAW_TABLE=
+    RAWPOST_TABLE=
     IPP2P_MATCH=
     OLD_IPP2P_MATCH=
     LENGTH_MATCH=
@@ -1346,6 +1557,9 @@ determine_capabilities() {
     HEADER_MATCH=
     ACCOUNT_TARGET=
     AUDIT_TARGET=
+    IPSET_V5=
+    CONDITION_MATCH=
+    IPTABLES_S=
 
     chain=fooX$$
 
@@ -1459,14 +1673,20 @@ determine_capabilities() {
     fi
 
     qt $IP6TABLES -t raw	   -L -n && RAW_TABLE=Yes
+    qt $IP6TABLES -t rawpost	   -L -n && RAWPOST_TABLE=Yes
 
     if qt mywhich ipset; then
 	qt ipset -X $chain # Just in case something went wrong the last time
 
-	if qt ipset -N $chain iphash ; then
-	    if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
+	if qt ipset -N $chain hash:ip family inet6; then
+	    IPSET_V5=Yes
+	    if qt $IP6TABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
+		qt $IP6TABLES -D $chain -m set --match-set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    elif qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
+		OLD_IPSET_MATCH=Yes
 	    fi
 	    qt ipset -X $chain
 	fi
@@ -1491,6 +1711,8 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
     qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
     qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
     
 
     qt $IP6TABLES -F $chain
@@ -1502,7 +1724,17 @@ determine_capabilities() {
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
 
     CAPVERSION=$SHOREWALL_CAPVERSION
-    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+
+    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+    case "$KERNELVERSION" in 
+	*.*.*)
+	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 }
 
 report_capabilities() {
@@ -1543,6 +1775,7 @@ report_capabilities() {
 	report_capability "Connmark Match" $CONNMARK_MATCH
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
+	report_capability "Rawpost Table" $RAWPOST_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
 	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
@@ -1572,6 +1805,9 @@ report_capabilities() {
 	report_capability "Header Match" $HEADER_MATCH
 	report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
+	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "ip6tables -S" $IPTABLES_S
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1608,6 +1844,7 @@ report_capabilities1() {
     report_capability1 CONNMARK_MATCH
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
     report_capability1 IPP2P_MATCH
     report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
@@ -1637,6 +1874,9 @@ report_capabilities1() {
     report_capability1 HEADER_MATCH
     report_capability1 ACCOUNT_TARGET
     report_capability1 AUDIT_TARGET
+    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/lib.common

@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall6/lib.common.
 #
@@ -186,12 +185,21 @@ qt()
     "$@" >/dev/null 2>&1
 }
 
+#
+# Suppress all output and input - mainly for preventing leaked file descriptors
+# to avoid SELinux denials
+#
+qtnoin()
+{
+    "$@" </dev/null >/dev/null 2>&1
+}
+
 qt1()
 {
     local status
 
     while [ 1 ]; do
-	"$@" >/dev/null 2>&1
+	"$@" </dev/null >/dev/null 2>&1
 	status=$?
 	[ $status -ne 4 ] && return $status
     done
@@ -239,7 +247,31 @@ loadmodule() # $1 = module name, $2 - * arguments
     local modulefile
     local suffix
 
-    if ! list_search $modulename $MODULES $DONT_LOAD ; then
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
+		done
+	    fi
+	fi
+    elif ! list_search $modulename $MODULES $DONT_LOAD ; then
 	shift
 
 	for suffix in $MODULE_SUFFIX ; do
@@ -282,7 +314,7 @@ reload_kernel_modules() {
     [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
 
     [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
-    MODULES=$(lsmod | cut -d ' ' -f1)
+    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 
     for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -326,7 +358,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
     [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
+	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 	progress_message "Loading Modules..."
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
@@ -386,7 +418,7 @@ find_first_interface_address() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
     #
     # If there wasn't one, bail out now
     #
@@ -403,7 +435,7 @@ find_first_interface_address_if_any() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
     #
     # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
     # along with everything else on the line

Shorewall6/modules

@@ -26,6 +26,10 @@ INCLUDE modules.xtables
 #
 INCLUDE helpers
 #
+# Ipset
+#
+INCLUDE modules.ipset
+#
 # Traffic Shaping
 #
 INCLUDE modules.tc

Shorewall6/modules.ipset

@@ -0,0 +1,27 @@
+#
+# Shorewall version 4 - IP Set Modules File
+#
+# /usr/share/shorewall6/modules.ipset
+#
+#	This file loads the modules that may be needed by the firewall.
+#
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
+#	before you load M2.
+#
+#  If you need to modify this file, copy it to /etc/shorewall6 and modify the
+#  copy.
+#
+###############################################################################
+loadmodule xt_set
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_ipporthash
+loadmodule ip_set_iptree
+loadmodule ip_set_iptreemap
+loadmodule ip_set_macipmap
+loadmodule ip_set_nethash
+loadmodule ip_set_portmap
+loadmodule ipt_SET
+loadmodule ipt_set

Shorewall6/shorewall6

@@ -330,7 +330,24 @@ startup_error() {
 # Determine if there are config files newer than the passed object
 #
 uptodate() {
-    [ -f $1 ] && [ -z "$(find ${CONFDIR} -newer $1)" ]
+    [ -f $1 ] || return 1
+
+    local dir
+    local ifs
+
+    ifs="$IFS"
+    IFS=':'
+
+    for dir in $CONFIG_PATH; do
+	if [ -n "$(find ${dir} -newer $1)" ]; then
+	    IFS="$ifs"
+	    return 1;
+	fi
+    done
+
+    IFS="$ifs"
+
+    return 0
 }
 
 #
@@ -380,6 +397,8 @@ compiler() {
     [ "$g_debugging" = trace ] && options="$options --debug"
     [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
     [ -n "$g_confess" ] && options="$options --confess"
+    [ -n "$g_update" ] && options="$options --update"
+    [ -n "$g_annotate" ] && options="$options --annotate"
     [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
 
     if [ -n "$PERL" ]; then
@@ -670,6 +689,10 @@ check_command() {
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
+			a*)
+			    g_annotate=Yes
+			    option=${option#a}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1256,12 +1279,17 @@ reload_command() # $* = original arguments less the command.
 	[ -f $capabilities ] || getcaps=Yes
     fi
 
-    if [ -n "$getcaps" ]; then
-	if [ -f $directory/shorewall6.conf ]; then
-	    . $directory/shorewall6.conf
-	    ensure_config_path
+    if [ -f $directory/shorewall6.conf ]; then
+	if [ -f $directory/params ]; then
+	    . $directory/params
 	fi
 
+	. $directory/shorewall6.conf
+
+	ensure_config_path
+    fi
+
+    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
 
 	progress_message "Getting Capabilities on system $system..."
@@ -1382,7 +1410,7 @@ usage() # $1 = exit status
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
-    echo "   check [ -e ] [ -r ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
     echo "   clear"
     echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
     echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1410,6 +1438,7 @@ usage() # $1 = exit status
     echo "   show classifiers"
     echo "   show config"
     echo "   show connections"
+    echo "   show dynamic <zone>"
     echo "   show filters"
     echo "   show ip"
     echo "   show [ -m ] log [<regex>]"
@@ -1427,6 +1456,7 @@ usage() # $1 = exit status
     echo "   version [ -a ]"
     echo "   safe-start [ <directory> ]"
     echo "   safe-restart [ <directory> ]"
+    echo "   update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
     echo
     exit $1
 }
@@ -1509,6 +1539,8 @@ g_debug=
 g_export=
 g_refreshchains=:none:
 g_confess=
+g_update=
+g_annotate=
 
 #
 # Make sure that these variables are cleared
@@ -1715,6 +1747,12 @@ case "$COMMAND" in
 	shift
 	check_command $@
 	;;
+    update)
+	get_config Yes
+	shift
+	g_update=Yes
+	check_command $@
+	;;
     show|list)
 	get_config Yes No Yes
     	shift
@@ -1827,6 +1865,16 @@ case "$COMMAND" in
 	get_config
 	allow_command $@
 	;;
+    add)
+	get_config
+	shift
+	add_command $@
+	;;
+    delete)
+	get_config
+	shift
+	delete_command $@
+	;;
     save)
 	get_config
 	[ -n "$g_debugging" ] && set -x

Shorewall6/shorewall6.service

@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecReload=/sbin/shorewall6 $OPTIONS restart
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target

Shorewall6/shorewall6.spec

@@ -1,370 +0,0 @@
-%define name shorewall6
-%define version 4.4.20
-%define release 1
-
-Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables iproute shorewall >= 4.3.5
-Provides: shoreline_firewall = %{version}-%{release}
-
-%description
-
-The Shoreline Firewall 6, more commonly known as "Shorewall6", is a Netfilter
-(ip6tables) based IPv6 firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv /etc/rc.d/shorewall6
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --add shorewall6;
-	fi
-fi
-
-%preun
-
-if [ $1 = 0 ]; then
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv -r /etc/init.d/shorewall6
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --del shorewall6
-	fi
-
-	rm -f /etc/shorewall/startup_disabled
-
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0544,root,root) /etc/init.d/shorewall6
-%attr(0755,root,root) %dir /etc/shorewall6
-%attr(0755,root,root) %dir /usr/share/shorewall6
-%attr(0755,root,root) %dir /usr/share/shorewall6/configfiles
-%attr(0700,root,root) %dir /var/lib/shorewall6
-%attr(0644,root,root) %config(noreplace) /etc/shorewall6/*
-%attr(0600,root,root) /etc/shorewall6/Makefile
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall6
-
-%attr(0755,root,root) /sbin/shorewall6
-
-%attr(0644,root,root) /usr/share/shorewall6/version
-%attr(0644,root,root) /usr/share/shorewall6/actions.std
-%attr(0644,root,root) /usr/share/shorewall6/action.AllowICMPs
-%attr(0644,root,root) /usr/share/shorewall6/action.A_AllowICMPs
-%attr(0644,root,root) /usr/share/shorewall6/action.Drop
-%attr(0644,root,root) /usr/share/shorewall6/action.A_Drop
-%attr(0644,root,root) /usr/share/shorewall6/action.Reject
-%attr(0644,root,root) /usr/share/shorewall6/action.A_Reject
-%attr(0644,root,root) /usr/share/shorewall6/action.template
-%attr(-   ,root,root) /usr/share/shorewall6/functions
-%attr(0644,root,root) /usr/share/shorewall6/lib.base
-%attr(0644,root,root) /usr/share/shorewall6/lib.cli
-%attr(0644,root,root) /usr/share/shorewall6/lib.common
-%attr(0644,root,root) /usr/share/shorewall6/macro.*
-%attr(0644,root,root) /usr/share/shorewall6/modules*
-%attr(0644,root,root) /usr/share/shorewall6/helpers
-%attr(0644,root,root) /usr/share/shorewall6/configpath
-%attr(0755,root,root) /usr/share/shorewall6/wait4ifup
-
-%attr(0644,root,root) /usr/share/shorewall6/configfiles/*
-
-%attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/shorewall6.8.gz
-
-%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
-
-%changelog
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta4
-* Thu May 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta2
-* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.20-0Beta1
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta2
-- Added helpers file
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
-- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.4-0Beta1
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.1-0base
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.12-0base
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.3.5-0base
-* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.7-0base
-* Wed Feb 05 2009 Tom Eastep tom@shorewall.net
-- Added 'restored' script
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
-- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0base
-* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC2
-* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.2.4-0RC1
-* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.4-0base
-* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.3-0base
-* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.2-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.1-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 4.3.0-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
-- Updated to 2.3.0-0base
-* Tue Dec 09 2008 Tom Eastep tom@shorewall6.net
-- Initial Version