Implement HL manipulation for IPv6

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/Universal/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples/one-interface/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples/three-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples/two-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples6/Universal/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples6/one-interface/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples6/three-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Samples6/two-interfaces/rules

@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/Perl/Shorewall/Accounting.pm

@@ -141,7 +141,10 @@ sub process_accounting_rule( ) {
 
     $jumpchainref = 0;
 
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';
 
     if ( $action eq 'COMMENT' ) {
 	process_comment;

Shorewall/Perl/Shorewall/Chains.pm

@@ -147,10 +147,13 @@ our %EXPORT_TAGS = (
 				       newexclusionchain
 				       newnonatchain
 				       source_exclusion
+				       source_iexclusion
 				       dest_exclusion
+				       dest_iexclusion
 				       clearrule
 				       port_count
 				       do_proto
+				       do_iproto
 				       do_mac
 				       do_imac
 				       verify_mark
@@ -166,6 +169,7 @@ our %EXPORT_TAGS = (
 				       do_connbytes
 				       do_helper
 				       do_headers
+				       do_condition
 				       have_ipset_rules
 				       record_runtime_address
 				       conditional_rule
@@ -443,31 +447,33 @@ use constant { UNIQUE      => 1,
 	       MATCH       => 8,
 	       CONTROL     => 16 };
 
-my %opttype = ( rule       => CONTROL,
-		cmd        => CONTROL,
+my %opttype = ( rule          => CONTROL,
+		cmd           => CONTROL,
 
-		dhcp       => UNIQUE,
+		dhcp          => UNIQUE,
 		
-	        mode       => CONTROL,
-		cmdlevel   => CONTROL,
-		simple     => CONTROL,
+	        mode          => CONTROL,
+		cmdlevel      => CONTROL,
+		simple        => CONTROL,
 
-	        i          => UNIQUE,
-		s          => UNIQUE,
-		o          => UNIQUE,
-		d          => UNIQUE,
-		p          => UNIQUE,
-		dport      => UNIQUE,
-		sport      => UNIQUE,
+	        i             => UNIQUE,
+		s             => UNIQUE,
+		o             => UNIQUE,
+		d             => UNIQUE,
+		p             => UNIQUE,
+		dport         => UNIQUE,
+		sport         => UNIQUE,
+		'icmp-type'   => UNIQUE,
+		'icmpv6-type' => UNIQUE,
 		
-		comment    => CONTROL,
+		comment       => CONTROL,
 
-		policy     => MATCH,
-		state      => EXCLUSIVE,
+		policy        => MATCH,
+		state         => EXCLUSIVE,
 		
-		jump       => TARGET,
-		target     => TARGET,
-		targetopts => TARGET,
+		jump          => TARGET,
+		target        => TARGET,
+		targetopts    => TARGET,
 	      );
 
 my %aliases = ( protocol        => 'p',
@@ -479,9 +485,11 @@ my %aliases = ( protocol        => 'p',
 		'out-interface' => 'o',
 		dport           => 'dport',
 		sport           => 'sport',
+		'icmp-type'     => 'icmp-type',
+		'icmpv6-type'   => 'icmpv6-type',
 	      );
 
-my @unique_options = ( qw/p dport sport s d i o/ );
+my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
 	     
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -2897,6 +2905,42 @@ sub source_exclusion( $$ ) {
     reftype $target ? $chainref : $chainref->{name};
 }
 
+sub source_iexclusion( $$$$$;@ ) {
+    my $chainref   = shift;
+    my $jump       = shift;
+    my $target     = shift;
+    my $targetopts = shift;
+    my $source     = shift;
+    my $table      = $chainref->{table};
+
+    my @exclusion;
+
+    if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
+	$source = $1;
+	@exclusion = mysplit( $2 );
+
+	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	
+	add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
+	
+	if ( $targetopts ) {
+	    add_ijump( $chainref1, $jump => $target, targetopts => $targetopts );
+	} else {
+	    add_ijump( $chainref1, $jump => $target );
+	}
+
+	add_ijump( $chainref , j => $chainref1, imatch_source_net( $source ),  @_ );
+    } elsif ( $targetopts ) {
+	add_ijump( $chainref,
+		   $jump      => $target,
+		   targetopts => $targetopts,
+		   imatch_source_net( $source ), 
+		   @_ );
+    } else {
+	add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ );
+    }
+}
+
 sub dest_exclusion( $$ ) {
     my ( $exclusions, $target ) = @_;
 
@@ -2912,6 +2956,38 @@ sub dest_exclusion( $$ ) {
     reftype $target ? $chainref : $chainref->{name};
 }
 
+sub dest_iexclusion( $$$$$;@ ) {
+    my $chainref   = shift;
+    my $jump       = shift;
+    my $target     = shift;
+    my $targetopts = shift;
+    my $dest       = shift;
+    my $table      = $chainref->{table};
+
+    my @exclusion;
+
+    if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
+	$dest = $1;
+	@exclusion = mysplit( $2 );
+
+	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	
+	add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
+	
+	if ( $targetopts ) {
+	    add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ );
+	} else {
+	    add_ijump( $chainref1, $jump => $target, @_ );
+	}
+
+	add_ijump( $chainref , j => $chainref1, imatch_dest_net( $dest ), @_ );
+    } elsif ( $targetopts ) {
+	add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), targetopts => $targetopts , @_ );
+    } else {
+	add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), @_ );
+    }
+}
+
 sub clearrule() {
     $iprangematch = 0;
 }
@@ -3037,6 +3113,7 @@ sub do_proto( $$$;$ )
 
 			if ( $ports =~ /,/ ) {
 			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
 			    $types = '';
 			    for my $type ( split_list( $ports, 'ICMP type list' ) ) {
 				$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
@@ -3061,6 +3138,7 @@ sub do_proto( $$$;$ )
 
 			if ( $ports =~ /,/ ) {
 			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
 			    $types = '';
 			    for my $type ( list_split( $ports, 'ICMP type list' ) ) {
 				$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
@@ -3125,6 +3203,183 @@ sub do_mac( $ ) {
     "-m mac ${invert}--mac-source $mac ";
 }
 
+sub do_iproto( $$$ )
+{
+    my ($proto, $ports, $sports ) = @_;
+
+    my @output = ();
+
+    my $restricted = 1;
+
+    $proto  = '' if $proto  eq '-';
+    $ports  = '' if $ports  eq '-';
+    $sports = '' if $sports eq '-';
+
+    if ( $proto ne '' ) {
+
+	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
+	my $protonum = resolve_proto $proto;
+
+	if ( defined $protonum ) {
+	    #
+	    # Protocol is numeric and <= 255 or is defined in /etc/protocols or NSS equivalent
+	    #
+	    fatal_error "'!0' not allowed in the PROTO column" if $invert && ! $protonum;
+
+	    my $pname = proto_name( $proto = $protonum );
+	    #
+	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
+	    #
+	    unless ( $synonly ) {
+		@output = ( p => "${invert}${proto}" );
+	    } else {
+		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
+		@output = ( p => "$proto --syn" );
+	    }
+
+	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
+
+	  PROTO:
+	    {
+		if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
+		    my $multiport = 0;
+
+		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
+			if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
+			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
+			    fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
+
+			    if ( port_count ( $ports ) > 15 ) {
+				if ( $restricted ) {
+				    fatal_error "A port list in this file may only have up to 15 ports";
+				} elsif ( $invert ) {
+				    fatal_error "An inverted port list may only have up to 15 ports";
+				}
+			    }
+
+			    $ports = validate_port_list $pname , $ports;
+			    push @output, multiport => "${invert}--dports ${ports}";
+			    $multiport = 1;
+			}  else {
+			    fatal_error "Missing DEST PORT" unless supplied $ports;
+			    $ports   = validate_portpair $pname , $ports;
+			    push @output, dport => "${invert}${ports}";
+			}
+		    } else {
+			$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
+		    }
+
+		    if ( $sports ne '' ) {
+			$invert = $sports =~ s/^!// ? '! ' : '';
+			if ( $multiport ) {
+
+			    if ( port_count( $sports ) > 15 ) {
+				if ( $restricted ) {
+				    fatal_error "A port list in this file may only have up to 15 ports";
+				} elsif ( $invert ) {
+				    fatal_error "An inverted port list may only have up to 15 ports";
+				}
+			    }
+
+			    $sports = validate_port_list $pname , $sports;
+			    push @output, multiport => "${invert}--sports ${sports}";
+			}  else {
+			    fatal_error "Missing SOURCE PORT" unless supplied $sports;
+			    $sports  = validate_portpair $pname , $sports;
+			    push @output, sport => "${invert}${sports}";
+			}
+		    }
+
+		    last PROTO;	}
+
+		if ( $proto == ICMP ) {
+		    fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
+		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
+
+			my $types;
+
+			if ( $ports =~ /,/ ) {
+			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
+			    $types = '';
+			    for my $type ( split_list( $ports, 'ICMP type list' ) ) {
+				$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
+			    }
+			} else {
+			    $types = validate_icmp $ports;
+			}
+
+			push @output, 'icmp-type' => "${invert}${types}";
+		    }
+
+		    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
+
+		    last PROTO; }
+
+		if ( $proto == IPv6_ICMP ) {
+		    fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
+		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
+
+			my $types;
+
+			if ( $ports =~ /,/ ) {
+			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
+			    $types = '';
+			    for my $type ( split_list( $ports, 'ICMP type list' ) ) {
+				$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
+			    }
+			} else {
+			    $types = validate_icmp6 $ports;
+			}
+
+			push @output, 'icmpv6-type' => "${invert}${types}";
+		    }
+
+		    fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
+
+		    last PROTO; }
+
+
+		fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
+
+	    } # PROTO
+
+	} else {
+	    fatal_error '":syn" is only allowed with tcp' if $synonly;
+
+	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
+		my $p = $2 ? lc $3 : 'tcp';
+		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
+		$proto = '-p ' . proto_name($p) . ' ';
+
+		my $options = '';
+
+		if ( $ports ne 'ipp2p' ) {
+		    $options .= " --$_" for split /,/, $ports;
+		}
+
+		$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
+
+		push @output, ipp2p => "${proto}${options}";
+	    } else {
+		fatal_error "Invalid/Unknown protocol ($proto)"
+	    }
+	}
+    } else {
+	#
+	# No protocol
+	#
+	fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
+    }
+
+    @output;
+}
+
 sub do_imac( $ ) {
     my $mac = $_[0];
 
@@ -3482,6 +3737,22 @@ sub do_headers( $ ) {
     "-m ipv6header ${invert}--header ${headers} ${soft}";
 }
 
+#
+# Generate a -m condition match
+#
+sub do_condition( $ ) {
+    my $condition = shift;
+
+    return '' if $condition eq '-';
+
+    my $invert = $condition =~ s/^!// ? '! ' : '';
+
+    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
+
+    "-m condition ${invert}--condition $condition "
+}
+
 #
 # Match Source Interface
 #
@@ -5300,12 +5571,37 @@ sub emitr1( $$ ) {
 
 sub save_dynamic_chains() {
 
-    my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+    my $tool;
 
     emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
     push_indent;
 
-emit <<"EOF";
+    if ( have_capability 'IPTABLES_S' ) {
+	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+
+	emit <<"EOF";
+if chain_exists 'UPnP -t nat'; then
+    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
+else
+    rm -f \${VARDIR}/.UPnP
+fi
+
+if chain_exists forwardUPnP; then
+    $tool -S forwardUPnP | tail -n +2 > \${VARDIR}/.forwardUPnP
+else
+    rm -f \${VARDIR}/.forwardUPnP
+fi
+
+if chain_exists dynamic; then
+    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+else
+    rm -f \${VARDIR}/.dynamic
+fi
+EOF
+    } else {
+	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
     $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -5324,6 +5620,7 @@ else
     rm -f \${VARDIR}/.dynamic
 fi
 EOF
+    }
 
     pop_indent;
     emit ( 'else' );
@@ -5332,13 +5629,23 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
+EOF
 
-if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
-    if chain_exists dynamic; then
-        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    if ( have_capability 'IPTABLES_S' ) {
+	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+	      qq(    if chain_exists dynamic; then),
+	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
+    } else {
+	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+	      qq(    if chain_exists dynamic; then),
+	      qq(        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
+    }
+
+emit <<"EOF";
     fi
 fi
 EOF
+
     pop_indent;
 
     emit ( 'fi' ,

Shorewall/Perl/Shorewall/Compiler.pm

@@ -757,12 +757,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
-	#
-	# Setup NETMAP
-	#
-	setup_netmap;
     }
 
+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
     #
     # MACLIST Filtration
     #

Shorewall/Perl/Shorewall/Config.pm

@@ -280,6 +280,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
 		 RAWPOST_TABLE   => 'Rawpost Table',
+		 CONDITION_MATCH => 'Condition Match',
+		 IPTABLES_S      => 'iptables -S',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -383,6 +385,12 @@ my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip
 
+my $shell;                   # Type of shell that processed the params file
+
+use constant { BASH    => 1,
+	       OLDBASH => 2,
+	       ASH     => 3 };
+
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
 	       F_IPV4 => 4,
@@ -438,7 +446,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40423 ,
+		    CAPVERSION => 40424 ,
 		  );
     #
     # From shorewall.conf file
@@ -658,6 +666,8 @@ sub initialize( $ ) {
 	       HEADER_MATCH => undef,
 	       ACCOUNT_TARGET => undef,
 	       AUDIT_TARGET => undef,
+	       CONDITION_MATCH => undef,
+	       IPTABLES_S => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1329,46 +1339,45 @@ sub supplied( $ ) {
 
 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
+#    Handles all of the supported forms of column/pair specification
 #
-sub split_line( $$$ ) {
-    my ( $mincolumns, $maxcolumns, $description ) = @_;
+sub split_line1( $$;$ ) {
+    my ( $description, $columnsref, $nopad) = @_;
 
-    fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $currentline =~ /["'`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
+    my @maxcolumns = ( keys %$columnsref );
+    my $maxcolumns = @maxcolumns;
+    #
+    # First see if there is a semicolon on the line; what follows will be column/value paris
+    #
+    my ( $columns, $pairs, $rest ) = split( ';', $currentline );
 
-    my @line = split( ' ', $currentline );
+    if ( supplied $pairs ) {
+	#
+	# Found it -- be sure there wasn't more than one.
+	#
+	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+    } elsif ( $currentline =~ /(.*){(.*)}$/ ) {
+	#
+	# Pairs are enclosed in curly brackets.
+	#
+	$columns = $1;
+	$pairs   = $2;
+    } else {
+	$pairs = '';
+    }
 
-    my $line = @line;
+    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
 
-    fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
-
-    $line-- while $line > 0 && $line[$line-1] eq '-';
-
-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
-    push @line, '-' while @line < $maxcolumns;
-
-    @line;
-}
-
-#
-# Version of 'split_line' used on files with exceptions
-#
-sub split_line1( $$$;$ ) {
-    my ( $mincolumns, $maxcolumns, $description, $nopad) = @_;
-
-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-
-    my @line = split( ' ', $currentline );
+    my @line = split( ' ', $columns );
 
     $nopad = { COMMENT => 0 } unless $nopad;
 
-    my $first   = $line[0];
-    my $columns = $nopad->{$first};
+    my $first     = supplied $line[0] ? $line[0] : '-';
+    my $npcolumns = $nopad->{$first};
 
-    if ( defined $columns ) {
-	fatal_error "Invalid $first entry" if $columns && @line != $columns;
+    if ( defined $npcolumns ) {
+	fatal_error "Invalid $first entry" if $npcolumns && @line != $npcolumns;
 	return @line
     }
 
@@ -1380,13 +1389,34 @@ sub split_line1( $$$;$ ) {
 
     $line-- while $line > 0 && $line[$line-1] eq '-';
 
-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
     push @line, '-' while @line < $maxcolumns;
 
+    if ( supplied $pairs ) {
+	$pairs =~ s/^\s*//;
+	$pairs =~ s/\s*$//;
+
+	my @pairs = split( /,?\s+/, $pairs );
+
+	for ( @pairs ) {
+	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
+	    my ( $column, $value ) = ( lc $1, $2 );
+	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+	    $column = $columnsref->{$column};
+	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+	    $value = $1 if $value =~ /^"([^"]+)"$/;
+	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+	    $line[$column] = $value;
+	}
+    }   
+
     @line;
 }
 
+sub split_line($$) {
+    &split_line1( @_, {} );
+}
+
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty  and was successfully opened. Terminates with a fatal error
@@ -2665,15 +2695,24 @@ sub Account_Target() {
     }
 }
 
+sub Condition_Match() {
+    qt1( "$iptables -A $sillyname -m condition --condition foo" );
+}
+
 sub Audit_Target() {
     qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
 
+sub Iptables_S() {
+    qt1( "$iptables -S INPUT" )
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AUDIT_TARGET => \&Audit_Target,
       ADDRTYPE => \&Addrtype,
       CLASSIFY_TARGET => \&Classify_Target,
+      CONDITION_MATCH => \&Condition_Match,
       COMMENTS => \&Comments,
       CONNLIMIT_MATCH => \&Connlimit_Match,
       CONNMARK => \&Connmark,
@@ -2693,6 +2732,7 @@ our %detect_capability =
       IPSET_MATCH => \&IPSet_Match,
       OLD_IPSET_MATCH => \&Old_IPSet_Match,
       IPSET_V5 => \&IPSET_V5,
+      IPTABLES_S => \&Iptables_S,
       KLUDGEFREE => \&Kludgefree,
       LENGTH_MATCH => \&Length_Match,
       LOGMARK_TARGET => \&Logmark_Target,
@@ -2847,6 +2887,8 @@ sub determine_capabilities() {
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
+	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
 
 
 	qt1( "$iptables -F $sillyname" );
@@ -3269,6 +3311,8 @@ sub get_params() {
 	    # - Embedded double quotes are escaped with '\\'
 	    # - Valueless variables are supported (e.g., 'declare -x foo')
 	    #
+	    $shell = BASH;
+
 	    for ( @params ) {
 		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3277,11 +3321,11 @@ sub get_params() {
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3295,6 +3339,8 @@ sub get_params() {
 	    # - Embedded single quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
+	    $shell = OLDBASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3303,11 +3349,11 @@ sub get_params() {
 		} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3320,6 +3366,8 @@ sub get_params() {
 	    # - Param values are delimited by single quotes.
 	    # - Embedded single quotes are transformed to the five characters '"'"'
 	    #
+	    $shell = ASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
 		    $params{$variable=$1}="${2}\n";		    
@@ -3328,11 +3376,11 @@ sub get_params() {
 		} elsif ( /^export (.*?)='(.*)$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/'$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }				
 		}
@@ -3371,15 +3419,29 @@ sub export_params() {
 	#
 	next if exists $compiler_params{$param};
 	#
+	# Values in %params are generated from the output of 'export -p'.
+	# The different shells have different conventions for delimiting
+	# the value and for escaping embedded instances of the delimiter.
+	# The following logic removes the escape characters.
+	#
+	if ( $shell == BASH ) {
+	    $value =~ s/\\"/"/g;
+	} elsif ( $shell == OLDBASH ) {
+	    $value =~ s/\\'/'/g;
+	} else {
+	    $value =~ s/'"'"'/'/g;
+	}
+	#
 	# Don't export pairs from %ENV
 	#
-	if ( exists $ENV{$param} && defined $ENV{$param} ) {
-	    next if $value eq $ENV{$param};
-	}
+	next if defined $ENV{$param} && $value eq $ENV{$param};
 
 	emit "#\n# From the params file\n#" unless $count++;
-
-	if ( $value =~ /[\s()[]/ ) {
+	#
+	# We will use double quotes and escape embedded quotes with \.
+	#
+	if ( $value =~ /[\s()['"]/ ) {
+	    $value =~ s/"/\\"/g;
 	    emit "$param='$value'";
 	} else {
 	    emit "$param=$value";
@@ -3388,9 +3450,10 @@ sub export_params() {
 }
 
 #
+# - Process the params file
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
-# - establish global hashes %config , %globals and %capabilities
+# - establish global hashes %params, %config , %globals and %capabilities
 #
 sub get_configuration( $$$ ) {
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -82,7 +82,7 @@ sub process_tos() {
 
 	while ( read_a_line ) {
 
-	    my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
 
 	    $first_entry = 0;
 
@@ -159,8 +159,9 @@ sub setup_ecn()
 
 	while ( read_a_line ) {
 
-	    my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
+	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };
 
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
 
 	    $interfaces{$interface} = 1;
@@ -256,7 +257,7 @@ sub setup_blacklist() {
 		    $first_entry = 0;
 		}
 
-		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
+		my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
 
 		if ( $options eq '-' ) {
 		    $options = 'src';
@@ -358,10 +359,12 @@ sub process_routestopped() {
 
 	while ( read_a_line ) {
 
-	    my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
 
 	    my $interfaceref;
 
+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';
 
@@ -897,7 +900,7 @@ sub setup_mac_lists( $ ) {
 
 	    while ( read_a_line ) {
 
-		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
+		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
 
 		if ( $original_disposition eq 'COMMENT' ) {
 		    process_comment;

Shorewall/Perl/Shorewall/Nat.pm

@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
 
     if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
     }
 
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
     my $pre_nat;
     my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
     my $destnets = '';
@@ -374,7 +377,7 @@ sub setup_nat() {
 
 	while ( read_a_line ) {
 
-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
 
 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,6 +386,9 @@ sub setup_nat() {
 
 		$digit = defined $digit ? ":$digit" : '';
 
+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
 		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
@@ -403,14 +409,11 @@ sub setup_netmap() {
 
     if ( my $fn = open_file 'netmap' ) {
 
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	    validate_net $net1, 0;
-	    validate_net $net2, 0;
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
 
 	    $net3 = ALLIP if $net3 eq '-';
 
@@ -420,30 +423,49 @@ sub setup_netmap() {
 
 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
+		my @rule = do_iproto( $proto, $dport, $sport );
+
 		unless ( $type =~ /:/ ) {
 		    my @rulein;
 		    my @ruleout;
 		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
 		    }
 
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
 		    if ( $type eq 'DNAT' ) {
-			add_ijump ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
 		    } elsif ( $type eq 'SNAT' ) {
-			add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
-		    my @match = ();
+		    my @match;
 
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 
+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface ); 
 			$interface = $interfaceref->{name};
@@ -458,24 +480,31 @@ sub setup_netmap() {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
 		    
-		    if ( $target eq 'DNAT' ) { 
-			add_ijump( ensure_chain( $table, $chain ) ,
-				   j          => 'RAWDNAT',
-				   targetopts => "--to-dest $net2",
-				   imatch_source_net( $net3 ) ,
-				   imatch_dest_net( $net1 ) ,
-				   @match );
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
 		    } else {
-			add_ijump( ensure_chain( $table, $chain ) ,
-				   j          => 'RAWSNAT',
-				   targetopts => "--to-source $net2",
-				   imatch_dest_net( $net3 ) ,
-				   imatch_source_net( $net1 ) ,
-				   @match );
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
 		    }
 		} else {
-		    fatal_error "Invalid type ($type)";
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
 		}
 		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";

Shorewall/Perl/Shorewall/Providers.pm

@@ -40,11 +40,12 @@ our @EXPORT = qw( process_providers
 		  handle_stickiness
 		  handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';
 
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
 	       DEFAULT_TABLE => 253,
+	       BALANCE_TABLE => 250,
 	       UNSPEC_TABLE  => 0
 	       };
 
@@ -93,6 +94,7 @@ sub initialize( $ ) {
     %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    balance => { number => BALANCE_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    unspec  => { number => UNSPEC_TABLE  , mark => 0 , optional => 0 ,routes => [], rules => [] } );
     @providers = ();
 }
@@ -267,14 +269,17 @@ sub start_provider( $$$ ) {
 #
 sub process_a_provider() {
 
-    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) = split_line 6, 8, 'providers file';
+    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
+	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
 
     fatal_error "Duplicate provider ($table)" if $providers{$table};
 
+    fatal_error 'NAME must be specified' if $table eq '-';
     fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
     my $num = numeric_value $number;
 
+    fatal_error 'NUMBER must be specified' if $number eq '-';
     fatal_error "Invalid Provider number ($number)" unless defined $num;
 
     $number = $num;
@@ -283,6 +288,8 @@ sub process_a_provider() {
 	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
     }
 
+    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+
     ( $interface, my $address ) = split /:/, $interface;
 
     my $shared = 0;
@@ -342,23 +349,17 @@ sub process_a_provider() {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = $1;
-		    fatal_error 'fallback must be non-zero' unless $default;
-		}
+		$default = $1;
+		$default_balance = 0;
+		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
 		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = -1;
-		}
+		$default = -1;
+		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
+		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -554,18 +555,19 @@ sub add_a_provider( $$ ) {
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
-   	
+
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
     }
 
-    balance_default_route( $balance , $gateway, $physical, $realm ) if $balance;
-
-    if ( $default > 0 ) {
+    if ( $balance ) {
+	balance_default_route( $balance , $gateway, $physical, $realm );
+    } elsif ( $default > 0 ) {
 	balance_fallback_route( $default , $gateway, $physical, $realm );
     } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
@@ -576,6 +578,8 @@ sub add_a_provider( $$ ) {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
+	
+	$fallback = 1;
     }
 
     unless ( $local ) {
@@ -615,38 +619,44 @@ sub add_a_provider( $$ ) {
 	emit $_ for @{$providers{$table}->{routes}};
     }
 
-    emit( '',
-	  'if [ $COMMAND = enable ]; then'
-	);
+    emit( '' );
 
-    push_indent;
+    my ( $tbl, $weight );
 
-    my ( $tbl, $weight ); 
-    
-    if ( $balance || $default ) {
-	$tbl    = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE;
-	$weight = $balance ? $balance : $default;
+    if ( $optional ) {
+	emit( 'if [ $COMMAND = enable ]; then' );
+
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $weight = $balance ? $balance : $default;
+
+	    if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	    } else {
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+	    }
 
-	if ( $gateway ) {
-	    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
 	} else {
-	    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+	    $weight = 1;
 	}
 
+	emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
+
+	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+
+	pop_indent;
+ 
+	emit( 'else' ,
+	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	      qq(    progress_message "   Provider $table ($number) Started"),
+	      qq(fi\n)
+	    );
+    } else {
+	emit( qq(progress_message "Provider $table ($number) Started") );
     }
-
-    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
-
-    emit ( qq(progress_message2 "   Provider $table ($number) Started") );
-
-    pop_indent;
-	  
-    emit( 'else',
-	  qq(    echo $weight > \${VARDIR}/${physical}_weight),
-	  qq(    progress_message "   Provider $table ($number) Started"),
-	  "fi\n"
-	);
-
+    
     pop_indent;
 
     emit 'else';
@@ -686,30 +696,40 @@ sub add_a_provider( $$ ) {
 
 	my $undo = "\${VARDIR}/undo_${table}_routing";
 
-	emit( "if [ -f $undo ]; then",
-	      "    . $undo",
-	      "    > $undo" );
+	emit( "if [ -f $undo ]; then" );
 
-	if ( $balance || $default ) {
-	    $tbl    = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE );
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
 	    $weight = $balance ? $balance : $default;
 
-	    my $via = 'via';
+	    my $via;
 
-	    $via .= " $gateway"       if $gateway;
-	    $via .= " dev $physical";
-	    $via .= " weight $weight";
+	    if ( $gateway ) {
+		$via = "via $gateway dev $physical";
+	    } else {    
+		$via = "dev $physical";
+	    }
+
+	    $via .= " weight $weight" unless $weight < 0;
 	    $via .= " $realm"         if $realm;
 
-	    emit( qq(    delete_gateway "$via" $tbl $physical) );
+	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
-	
-	emit( '', 
-	      "    qt \$TC qdisc del dev $physical root",
-	      "    qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 
-	emit( "    progress_message2 \"Provider $table stopped\"",
-              'else',
+	emit (". $undo",
+	      "> $undo" );
+
+	emit( '', 
+	      "qt \$TC qdisc del dev $physical root",
+	      "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
+
+	emit( "progress_message2 \"Provider $table stopped\"" );
+
+	pop_indent;
+
+	emit( 'else',
 	      "    startup_error \"$undo does not exist\"",
 	      'fi'
 	    );
@@ -723,7 +743,7 @@ sub add_a_provider( $$ ) {
 }
 
 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
+    my ( $source, $dest, $provider, $priority ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 };
 
     our $current_if;
 
@@ -798,10 +818,12 @@ sub add_an_rtrule( ) {
 }
 
 sub add_a_route( ) {
-    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
+    my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };
 
     our $current_if;
 
+    fatal_error 'PROVIDER must be specified' if $provider eq '-';
+
     unless ( $providers{$provider} ) {
 	my $found = 0;
 
@@ -820,6 +842,7 @@ sub add_a_route( ) {
 	fatal_error "Unknown provider ($provider)" unless $found;
     }
 
+    fatal_error 'DEST must be specified' if $dest eq '-';
     validate_net ( $dest, 1 );
 
     validate_address ( $gateway, 1 ) if $gateway ne '-';
@@ -900,12 +923,14 @@ sub finish_providers() {
 	my $table = MAIN_TABLE;
 
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
+	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+		   'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
 		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
 		   '' );
-	    $table = DEFAULT_TABLE;
+	    $table = BALANCE_TABLE;
 	}
 
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
@@ -956,6 +981,8 @@ sub finish_providers() {
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'fi',
 	      '' );
+    } elsif ( $config{USE_DEFAULT_RT} ) {
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
     }
 
     unless ( $config{KEEP_RT_TABLES} ) {
@@ -968,7 +995,7 @@ sub finish_providers() {
 			      '#',
 			      LOCAL_TABLE   . "\tlocal",
 			      MAIN_TABLE    . "\tmain",
-			      DEFAULT_TABLE . "\tdefault",
+			      $config{USE_DEFAULT_RT} ? ( DEFAULT_TABLE . "\tdefault\n" . BALANCE_TABLE . "\tbalance" ) : DEFAULT_TABLE . "\tdefault",
 			      "0\tunspec",
 			      '#',
 			      '# local',

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -122,13 +122,15 @@ sub setup_proxy_arp() {
 
 	while ( read_a_line ) {
 
-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
 
 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }
 
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};

Shorewall/Perl/Shorewall/Raw.pm

@@ -84,7 +84,7 @@ sub setup_notrack() {
 
 	while ( read_a_line ) {
 
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
 
 	    if ( $source eq 'COMMENT' ) {
 		process_comment;

Shorewall/Perl/Shorewall/Rules.pm

@@ -77,6 +77,21 @@ my $rule_commands   = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
 my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
 my $macro_commands  = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };
 
+my %rulecolumns = ( action    =>   0,
+		    source    =>   1,
+		    dest      =>   2,
+		    proto     =>   3,
+		    dport     =>   4,
+		    sport     =>   5,
+		    origdest  =>   6,
+		    rate      =>   7,
+		    user      =>   8,
+		    mark      =>   9,
+		    connlimit =>  10,
+		    time      =>  11,
+		    headers   =>  12,
+		    switch    =>  13 );
+
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
 
 my $macro_nest_level;
@@ -297,12 +312,17 @@ sub process_a_policy() {
     our %validpolicies;
     our @zonelist;
 
-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;
 
     $loglevel  = '' if $loglevel  eq '-';
     $synparams = '' if $synparams eq '-';
     $connlimit = '' if $connlimit eq '-';
 
+    fatal_error 'SOURCE must be specified' if $client eq '-';
+    fatal_error 'DEST must be specified'   if $server eq '-';
+    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+
     my $clientwild = ( "\L$client" eq 'all' );
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@@ -1354,7 +1374,7 @@ sub process_actions() {
 	open_file $file;
 
 	while ( read_a_line ) {
-	    my ( $action ) = split_line 1, 1, 'action file';
+	    my ( $action ) = split_line 'action file' , { action => 0 };
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1382,7 +1402,7 @@ sub process_actions() {
 
 }
 
-sub process_rule1 ( $$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
 
 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1415,16 +1435,19 @@ sub process_action( $) {
 
 	while ( read_a_line ) {
 
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
 
 	    if ( $format == 1 ) {
-		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands;
-		$origdest = $connlimit = $time = $headers = '-';
+		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
+		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
+		$origdest = $connlimit = $time = $headers = $condition = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers )
-		    = split_line1 1, 13, 'action file', $action_commands;
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }
 
+	    fatal_error 'TARGET must be specified' if $target eq '-';
+
 	    if ( $target eq 'COMMENT' ) {
 		process_comment;
 		next;
@@ -1456,6 +1479,7 @@ sub process_action( $) {
 			   $connlimit,
 			   $time,
 			   $headers,
+			   $condition,
 			   0 );
 	}
 
@@ -1485,8 +1509,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
 
     my $nocomment = no_comment;
 
@@ -1504,15 +1528,17 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 
     while ( read_a_line ) {
 
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
 
 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}
 
+	fatal_error 'TARGET must be specified' if $mtarget eq '-';
+	
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
@@ -1586,6 +1612,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
+				    merge_macro_column( $mcondition, $condition ),
 				    $wildcard
 				   );
 
@@ -1618,7 +1645,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action 
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
     my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target, 
 	 $current_param,
@@ -1634,6 +1661,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	 $connlimit,
 	 $time,
 	 $headers,
+	 $condition,
 	 $wildcard ) = @_;
 
     my ( $action, $loglevel) = split_action $target;
@@ -1685,6 +1713,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				       $connlimit,
 				       $time,
 				       $headers,
+				       $condition,
 				       $wildcard );
 
 	$macro_nest_level--;
@@ -1742,8 +1771,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
     }
 
-    if ( $inaction ) {
-	$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) 
+    if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
+	$targets{$inaction} |= NATRULE if $inaction;
+	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
     }
     #
     # Take care of irregular syntax and targets
@@ -1905,9 +1935,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    $chainref = ensure_rules_chain $chain;
 	    #
-	    # Don't let the rules in this chain be moved elsewhere
-	    #
-	    dont_move $chainref;
+ 	    # Don't let the rules in this chain be moved elsewhere
+ 	    #
+ 	    dont_move $chainref;
 	}
     }
     #
@@ -1925,6 +1955,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
     } else {
 	$rule = join( '',
@@ -1934,7 +1965,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
-		      do_headers( $headers )
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
     }
 
@@ -2081,8 +2113,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_user $user,
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -2109,11 +2143,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	my $chn;
 
 	if ( $inaction ) {
-	    $nonat_chain = ensure_chain 'nat', $chain;
+	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
-	    $nonat_chain = ensure_chain 'nat', dnat_chain $sourcezone;
+	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 
 	    my @interfaces = keys %{zone_interfaces $sourcezone};
 
@@ -2154,6 +2188,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    }
 	}
 
+	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
@@ -2165,19 +2201,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     '',
 		   );
-	#
-	# Possible optimization if the rule just generated was a simple jump to the nonat chain
-	#
-	if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
-	    #
-	    # It was -- delete that rule
-	    #
-	    pop @{$nonat_chain->{rules}};
-	    #
-	    # And move the rules from the nonat chain to the zone dnat chain
-	    #
-	    move_rules ( $chn, $nonat_chain );
-	}
     }
 
     #
@@ -2188,6 +2211,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	if ( $actiontype & ACTION ) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
+	} else {
+	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
 	}
 
 	if ( $origdest ) {
@@ -2202,7 +2227,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 
 	verify_audit( $action ) if $actiontype & AUDIT;
 
-	expand_rule( ensure_chain( 'filter', $chain ) ,
+	expand_rule( $chainref ,
 		     $restriction ,
 		     $rule ,
 		     $source ,
@@ -2313,8 +2338,10 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers )
-	= split_line1 1, 13, 'rules file', $rule_commands;
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+	= split_line1 'rules file', \%rulecolumns, $rule_commands;
+
+    fatal_error 'ACTION must be specified' if $target eq '-';
 
     process_comment,            return 1 if $target eq 'COMMENT';
     process_section( $source ), return 1 if $target eq 'SECTION';
@@ -2367,6 +2394,7 @@ sub process_rule ( ) {
 						 $connlimit,
 						 $time,
 						 $headers,
+						 $condition,
 						 $wild );
 		}
 	    }

Shorewall/Perl/Shorewall/Tc.pm

@@ -191,10 +191,13 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
 
     our @tccmd;
 
+    fatal_error 'MARK must be specified' if $originalmark eq '-';
+
     if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -390,8 +393,47 @@ sub process_tc_rule( ) {
 			}
 
 			$target .= ' --tproxy-mark';
-		    }
+		    } elsif ( $target eq 'TTL' ) {
+			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
 
+			$chain = 'tcfor';
+
+			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --ttl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --ttl-dec $param";
+			} else {
+			    $target .= " --ttl-set $param";
+			}
+		    } elsif ( $target eq 'HL' ) {
+			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+			$chain = 'tcfor';
+
+			$cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --hl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --hl-dec $param";
+			} else {
+			    $target .= " --hl-set $param";
+			}
+		    }
 
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -492,8 +534,9 @@ sub process_flow($) {
 }
 
 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };
 
+    fatal_error 'INTERFACE must be specified'      if $device eq '-';
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
 
@@ -626,9 +669,10 @@ sub process_simple_device() {
 }
 
 sub validate_tc_device( ) {
-    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
+    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
 
-    fatal_error "Invalid tcdevices entry" if $outband eq '-';
+    fatal_error 'INTERFACE must be specified' if $device eq '-';
+    fatal_error "Invalid tcdevices entry"     if $outband eq '-';
 
     my $devnumber;
 
@@ -789,7 +833,8 @@ sub dev_by_number( $ ) {
 }
 
 sub validate_tc_class( ) {
-    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
+    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
+	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
     my $classnumber = 0;
     my $devref;
     my $device = $devclass;
@@ -797,6 +842,9 @@ sub validate_tc_class( ) {
     my $parentclass = 1;
     my $parentref;
 
+    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
+    fatal_error 'CEIL must be specified'      if $ceil eq '-';
+
     if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
 	fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@@ -1010,7 +1058,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {
 
-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';
 
     my ($device, $class, $rest ) = split /:/, $devclass, 3;
 
@@ -1310,7 +1360,9 @@ sub process_tcfilters() {
 # Process a tcpri record
 #
 sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';
 
     if ( $band eq 'COMMENT' ) {
 	process_comment;
@@ -1456,18 +1508,18 @@ sub process_traffic_shaping() {
 
 	$device = physical_name $device;
 
-	my $dev = chain_base( $device );
-
-	emit( '',
-	      '#',
-	      "# Configure Traffic Shaping for $device",
-	      '#',
-	      "setup_${dev}_tc() {" );
-
-	push_indent;
-
 	unless ( $config{TC_ENABLED} eq 'Shared' ) {
 
+	    my $dev = chain_base( $device );
+
+	    emit( '',
+		  '#',
+		  "# Configure Traffic Shaping for $device",
+		  '#',
+		  "setup_${dev}_tc() {" );
+
+	    push_indent;
+
 	    emit "if interface_is_up $device; then";
 
 	    push_indent;
@@ -1589,25 +1641,25 @@ sub process_traffic_shaping() {
 		emit '';
 
 	    }
-	}
 
-	emit '';
+	    emit '';
 
-	emit "$_" for @{$devref->{filters}};
+	    emit "$_" for @{$devref->{filters}};
 	
-	save_progress_message_short qq("   TC Device $device defined.");
+	    save_progress_message_short qq("   TC Device $device defined.");
 
-	pop_indent;
-	emit 'else';
-	push_indent;
+	    pop_indent;
+	    emit 'else';
+	    push_indent;
 
-	emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
-	emit "${dev}_exists=";
-	pop_indent;
-	emit "fi\n";
+	    emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
+	    emit "${dev}_exists=";
+	    pop_indent;
+	    emit "fi\n";
 
-	pop_indent;
-	emit "}\n";
+	    pop_indent;
+	    emit "}\n";
+	}
     }
 }
 
@@ -1625,7 +1677,9 @@ sub process_tc() {
     # it can call the appropriate 'setup_x_tc" function when the device is
     # enabled.
 
-    \%tcdevices;
+    my %empty;
+    
+    $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
 }
 
 #
@@ -1640,14 +1694,16 @@ sub setup_traffic_shaping() {
 
 	emit "setup_${dev}_tc";
     }
-
 }
 
 #
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';
 
     if ( $secmark eq 'COMMENT' ) {
 	process_comment;
@@ -1756,7 +1812,7 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
     } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping;
+	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
     }
 
     if ( $config{TC_ENABLED} ) {
@@ -1805,6 +1861,18 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
+			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+			  target    => 'TTL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			  target    => 'HL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} 
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -284,7 +284,10 @@ sub setup_tunnels() {
 
 	while ( read_a_line ) {
 
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
 
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;

Shorewall/Perl/Shorewall/Zones.pm

@@ -402,7 +402,10 @@ sub process_zone( \$ ) {
 
     my @parents;
 
-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';
 
     if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
@@ -871,7 +874,7 @@ sub process_interface( $$ ) {
     my ( $nextinum, $export ) = @_;
     my $netsref   = '';
     my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
     my $zoneref;
     my $bridge = '';
 
@@ -884,6 +887,8 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
     }
 
+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
     my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
 
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@@ -1727,7 +1732,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
     my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';
 
     my $zoneref = $zones{$zone};
     my $type    = $zoneref->{type};

Shorewall/Perl/getparams

@@ -20,7 +20,13 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
 if [ "$3" = 6 ]; then
     . /usr/share/shorewall6/lib.base
     . /usr/share/shorewall6/lib.cli

Shorewall/configfiles/netmap

@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)

Shorewall/configfiles/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall/lib.base

@@ -28,7 +28,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40423
+SHOREWALL_CAPVERSION=40424
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -121,8 +121,10 @@ mutex_on()
 	fi
 
 	if qt mywhich lockfile; then
-	    lockfile -r${MUTEX_TIMEOUT} -s1 ${lockf}
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall/lib.cli

@@ -1731,6 +1731,8 @@ determine_capabilities() {
     HEADER_MATCH=
     ACCOUNT_TARGET=
     AUDIT_TARGET=
+    CONDITION_MATCH=
+    IPTABLES_S=
 
     chain=fooX$$
 
@@ -1881,6 +1883,8 @@ determine_capabilities() {
     qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
     qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IPTABLES -S INPUT && IPTABLES_S=Yes
     qt $IPTABLES -F $chain
     qt $IPTABLES -X $chain
     qt $IPTABLES -F $chain1
@@ -1975,6 +1979,8 @@ report_capabilities() {
         report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "iptables -S" $IPTABLES_S
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2045,6 +2051,8 @@ report_capabilities1() {
     report_capability1 ACCOUNT_TARGET
     report_capability1 AUDIT_TARGET
     report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/lib.common

@@ -226,26 +226,28 @@ loadmodule() # $1 = module name, $2 - * arguments
     local suffix
 
     if [ -d /sys/module/ ]; then
-	if [ ! -d /sys/module/$modulename ]; then
-	    shift
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
 
-	    for suffix in $MODULE_SUFFIX ; do
-		for directory in $moduledirectories; do
-		    modulefile=$directory/${modulename}.${suffix}
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
 
-		    if [ -f $modulefile ]; then
-			case $moduleloader in
-			    insmod)
-				insmod $modulefile $*
-				;;
-			    *)
-				modprobe $modulename $*
-				;;
-			esac
-			break 2
-		    fi
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
 		done
-	    done
+	    fi
 	fi
     elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift

Shorewall6/configfiles/netmap

@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4	 - Netmap File
+#
+# For information about entries in this file, type "man shorewall-netmap"
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)

Shorewall6/configfiles/rules

@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-#######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME            HEADERS
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED

Shorewall6/lib.base

@@ -32,7 +32,7 @@
 #
 
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40423
+SHOREWALL_CAPVERSION=40424
 
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -125,8 +125,10 @@ mutex_on()
 	fi
 
 	if qt mywhich lockfile; then
-	    lockfile -r${MUTEX_TIMEOUT} -s1 ${lockf}
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1

Shorewall6/lib.cli

@@ -575,6 +575,13 @@ show_command() {
 	    show_reset
 	    $IP6TABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IP6TABLES -t rawpost -L $g_ipt_options
+	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 
@@ -1551,6 +1558,8 @@ determine_capabilities() {
     ACCOUNT_TARGET=
     AUDIT_TARGET=
     IPSET_V5=
+    CONDITION_MATCH=
+    IPTABLES_S=
 
     chain=fooX$$
 
@@ -1702,6 +1711,8 @@ determine_capabilities() {
     qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
     qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
     qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
     
 
     qt $IP6TABLES -F $chain
@@ -1795,6 +1806,8 @@ report_capabilities() {
 	report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "ip6tables -S" $IPTABLES_S
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1862,6 +1875,8 @@ report_capabilities1() {
     report_capability1 ACCOUNT_TARGET
     report_capability1 AUDIT_TARGET
     report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
     
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION    

Shorewall6/lib.common

@@ -247,27 +247,29 @@ loadmodule() # $1 = module name, $2 - * arguments
     local modulefile
     local suffix
 
-     if [ -d /sys/module/ ]; then
-	if [ ! -d /sys/module/$modulename ]; then
-	    shift
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
 
-	    for suffix in $MODULE_SUFFIX ; do
-		for directory in $moduledirectories; do
-		    modulefile=$directory/${modulename}.${suffix}
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
 
-		    if [ -f $modulefile ]; then
-			case $moduleloader in
-			    insmod)
-				insmod $modulefile $*
-				;;
-			    *)
-				modprobe $modulename $*
-				;;
-			esac
-			break 2
-		    fi
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
 		done
-	    done
+	    fi
 	fi
     elif ! list_search $modulename $MODULES $DONT_LOAD ; then
 	shift
@@ -416,7 +418,7 @@ find_first_interface_address() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
     #
     # If there wasn't one, bail out now
     #
@@ -433,7 +435,7 @@ find_first_interface_address_if_any() # $1 = interface
     #
     # get the line of output containing the first IP address
     #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
     #
     # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
     # along with everything else on the line

docs/Anatomy.xml

@@ -122,7 +122,7 @@
         <listitem>
           <para><filename class="directory">configfiles</filename> - A
           directory containing configuration files to copy to create a <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite export
+          url="Shorewall-Lite.html">Shorewall-lite export
           directory.</ulink></para>
         </listitem>
 
@@ -335,7 +335,7 @@
         <listitem>
           <para><filename class="directory">configfiles</filename> - A
           directory containing configuration files to copy to create a <ulink
-          url="CompiledPrograms.html#Lite">Shorewall6-lite export
+          url="Shorewall-Lite.html">Shorewall6-lite export
           directory.</ulink></para>
         </listitem>
 
@@ -535,7 +535,7 @@
         <listitem>
           <para><filename>shorecap</filename> - A shell program used for
           generating capabilities files. See the <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite
+          url="Shorewall-Lite.html">Shorewall-lite
           documentation</ulink>.</para>
         </listitem>
 
@@ -725,7 +725,7 @@
         <listitem>
           <para><filename>shorecap</filename> - A shell program used for
           generating capabilities files. See the <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite
+          url="Shorewall-Lite.html">Shorewall-lite
           documentation</ulink>.</para>
         </listitem>
 

docs/Documentation_Index.xml

@@ -55,7 +55,7 @@
       <tgroup align="left" cols="3">
         <tbody>
           <row>
-            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
+            <entry></entry>
 
             <entry><ulink url="LXC.html">Linux Containers
             (LXC)</ulink></entry>
@@ -65,7 +65,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
+            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
 
             <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
 
@@ -74,7 +74,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Actions.html">Actions</ulink></entry>
+            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
 
             <entry><ulink url="ConnectionRate.html">Limiting Connection
             Rates</ulink></entry>
@@ -84,8 +84,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
-            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
+            <entry><ulink url="Actions.html">Actions</ulink></entry>
 
             <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>
 
@@ -93,8 +92,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Anatomy.html">Anatomy of
-            Shorewall</ulink></entry>
+            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
+            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
 
             <entry><ulink url="Macros.html">Macros</ulink></entry>
 
@@ -104,8 +103,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Audit.html">AUDIT Target
-            support</ulink></entry>
+            <entry><ulink url="Anatomy.html">Anatomy of
+            Shorewall</ulink></entry>
 
             <entry><ulink url="MAC_Validation.html">MAC
             Verification</ulink></entry>
@@ -115,8 +114,8 @@
           </row>
 
           <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth
-            Control</ulink></entry>
+            <entry><ulink url="Audit.html">AUDIT Target
+            support</ulink></entry>
 
             <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
 
@@ -125,8 +124,8 @@
           </row>
 
           <row>
-            <entry><ulink
-            url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth
+            Control</ulink></entry>
 
             <entry><ulink url="ManualChains.html">Manual
             Chains</ulink></entry>
@@ -137,8 +136,8 @@
           </row>
 
           <row>
-            <entry>Bridge: <ulink
-            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>
+            <entry><ulink
+            url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
 
             <entry><ulink
             url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@@ -148,8 +147,8 @@
           </row>
 
           <row>
-            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
-            traffic between bridge port</ulink></entry>
+            <entry>Bridge: <ulink
+            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>
 
             <entry><ulink url="MultiISP.html">Multiple Internet Connections
             from a Single Firewall</ulink></entry>
@@ -158,8 +157,8 @@
           </row>
 
           <row>
-            <entry><ulink url="Build.html">Building Shorewall from
-            GIT</ulink></entry>
+            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
+            traffic between bridge port</ulink></entry>
 
             <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
             Interface</ulink></entry>
@@ -169,19 +168,18 @@
           </row>
 
           <row>
-            <entry><ulink
-            url="starting_and_stopping_shorewall.htm">Commands</ulink></entry>
+            <entry><ulink url="Build.html">Building Shorewall from
+            GIT</ulink></entry>
 
             <entry><ulink url="MyNetwork.html">My Shorewall
             Configuration</ulink></entry>
 
-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry></entry>
           </row>
 
           <row>
-            <entry><ulink url="CompiledPrograms.html">Compiled Firewall
-            Programs</ulink></entry>
+            <entry><ulink url="CompiledPrograms.html"><ulink
+            url="starting_and_stopping_shorewall.htm">Commands</ulink></ulink></entry>
 
             <entry><ulink url="NetfilterOverview.html">Netfilter
             Overview</ulink></entry>
@@ -385,7 +383,7 @@
             <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
             Machine)</ulink></entry>
 
-            <entry><ulink url="CompiledPrograms.html#Lite">Shorewall
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
             Lite</ulink></entry>
 
             <entry></entry>

docs/FAQ.xml

@@ -2417,7 +2417,7 @@ etc...</programlisting>
       <para><emphasis role="bold">Answer:</emphasis> Shorewall Lite is a
       companion product to Shorewall and is designed to allow you to maintain
       all Shorewall configuration information on a single system within your
-      network. See the <ulink url="CompiledPrograms.html#Lite">Compiled
+      network. See the <ulink url="Shorewall-Lite.html">Compiled
       Firewall script documentation</ulink> for details.</para>
     </section>
 

docs/MultiISP.xml

@@ -535,8 +535,10 @@
                   is given without a <replaceable>weight</replaceable>, a
                   separate default route is added through the provider's
                   gateway; the route has a metric equal to the provider's
-                  NUMBER. The option is ignored with a warning message if
-                  USE_DEFAULT_RT=Yes in
+                  NUMBER.</para>
+
+                  <para>Prior to Shorewall 4.4.24, the option is ignored with
+                  a warning message if USE_DEFAULT_RT=Yes in
                   <filename>shorewall.conf</filename>.</para>
                 </listitem>
               </varlistentry>

docs/OpenVZ.xml

@@ -489,6 +489,12 @@ loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1
     <section>
       <title>Shorewall Configuration on Server</title>
 
+      <warning>
+        <para>If you are running Debian Squeeze, Shorewall will not work in an
+        OpenVZ container. This is a Debian OpenVZ issue and not a Shorewall
+        issue.</para>
+      </warning>
+
       <para>I have set up Shorewall on Server (206.124.146.178) just to have
       an environment to test with. It is a quite vanilla one-interface
       configuration.</para>

docs/ProxyARP.xml

@@ -305,7 +305,7 @@ shorewall start</programlisting>
     <title>IPv6 - Proxy NDP</title>
 
     <para>The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery
-    Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
+    Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
     in a manner similar to Proxy ARP support in Shorewall:</para>
 
     <itemizedlist>
@@ -328,8 +328,8 @@ shorewall start</programlisting>
     discoverey requests for IPv6 addresses configured on the interface
     receiving the request. So if eth0 has address 2001:470:b:227::44/128 and
     eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to
-    neighbor discovery requests for 2001:470:b:227::44, the following entry in
-    /etc/shorewall6/proxyndp is required:</para>
+    neighbor discoverey requests for 2001:470:b:227::44, the following entry
+    in /etc/shorewall6/proxyndp is required:</para>
 
     <programlisting>#ADDRESS	          INTERFACE    EXTERNAL    HAVEROUTE    PERSISTENT
 2001:470:b:227::44 -            eth1        Yes</programlisting>

docs/Shorewall-Lite.xml

@@ -0,0 +1,781 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall Lite</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2006-2011</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation appropriate for your
+    version.</emphasis></para>
+  </caution>
+
+  <section id="Overview">
+    <title>Overview</title>
+
+    <para>Shorewall has the capability to compile a Shorewall configuration
+    and produce a runnable firewall program script. The script is a complete
+    program which can be placed on a system with <emphasis>Shorewall
+    Lite</emphasis> installed and can serve as the firewall creation script
+    for that system.</para>
+
+    <section id="Lite">
+      <title>Shorewall Lite</title>
+
+      <para>Shorewall Lite is a companion product to Shorewall and is designed
+      to allow you to maintain all Shorewall configuration information on a
+      single system within your network.</para>
+
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>You install the full Shorewall release on one system within
+          your network. You need not configure Shorewall there and you may
+          totally disable startup of Shorewall in your init scripts. For ease
+          of reference, we call this system the 'administrative
+          system'.</para>
+
+          <para>The administrative system may be a GNU/Linux system, a Windows
+          system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
+          an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
+          running OS X. Install from a shell prompt <ulink
+          url="Install.htm">using the install.sh script</ulink>.</para>
+        </listitem>
+
+        <listitem>
+          <para>On each system where you wish to run a Shorewall-generated
+          firewall, you install Shorewall Lite. For ease of reference, we will
+          call these systems the 'firewall systems'.</para>
+
+          <note>
+            <para>The firewall systems do <emphasis role="bold">NOT</emphasis>
+            need to have the full Shorewall product installed but rather only
+            the Shorewall Lite product. Shorewall and Shorewall Lite may be
+            installed on the same system but that isn't encouraged.</para>
+          </note>
+        </listitem>
+
+        <listitem>
+          <para>On the administrative system you create a separate 'export
+          directory' for each firewall system. You copy the contents of
+          <filename
+          class="directory">/usr/share/shorewall/configfiles</filename> into
+          each export directory.</para>
+
+          <note>
+            <para>Users of Debian and derivatives that install the package
+            from their distribution will be disappointed to find that
+            <filename
+            class="directory">/usr/share/shorewall/configfiles</filename> does
+            not exist on their systems. They will instead need to
+            either:</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Copy the files in
+                /usr/share/doc/shorewall/default-config/ into each export
+                directory.</para>
+              </listitem>
+
+              <listitem>
+                <para>Copy /etc/shorewall/shorewall.conf into each export
+                directory and remove /etc/shorewall from the CONFIG_PATH
+                setting in the copied files.</para>
+              </listitem>
+            </itemizedlist>
+
+            <para>or</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Download the Shorewall tarball corresponding to their
+                package version.</para>
+              </listitem>
+
+              <listitem>
+                <para>Untar and copy the files from the
+                <filename>configfiles</filename> sub-directory in the untarred
+                <filename>shorewall-...</filename> directory.</para>
+              </listitem>
+            </itemizedlist>
+          </note>
+
+          <para>After copying, you may need to change two setting in the copy
+          of shorewall.conf:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>CONFIG_PATH=/usr/share/shorewall</para>
+            </listitem>
+
+            <listitem>
+              <para>STARTUP_LOG=/var/log/shorewall-lite-init.log</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>Older versions of Shorewall included copies of shorewall.conf
+          with these settings already modified. This practice was discontinued
+          in Shorewall 4.4.20.1.</para>
+        </listitem>
+
+        <listitem>
+          <para>The <filename>/etc/shorewall/shorewall.conf</filename> file is
+          used to determine the VERBOSITY setting which determines how much
+          output the compiler generates. All other settings are taken from the
+          <filename>shorewall.conf </filename>file in the remote systems
+          export directory.</para>
+
+          <caution>
+            <para>If you want to be able to allow non-root users to manage
+            remote firewall systems, then the files
+            <filename>/etc/shorewall/params</filename> and
+            <filename>/etc/shorewall/shorewall.conf</filename> must be
+            readable by all users on the administrative system. Not all
+            packages secure the files that way and you may have to change the
+            file permissions yourself.</para>
+          </caution>
+        </listitem>
+
+        <listitem id="Debian">
+          <para>On each firewall system, If you are running Debian or one of
+          its derivatives like Ubuntu then edit
+          <filename>/etc/default/shorewall-lite</filename> and set
+          startup=1.</para>
+        </listitem>
+
+        <listitem>
+          <para>On the administrative system, for each firewall system you do
+          the following (this may be done by a non-root user who has root ssh
+          access to the firewall system):</para>
+
+          <orderedlist>
+            <listitem>
+              <para>modify the files in the corresponding export directory
+              appropriately (i.e., <emphasis>just as you would if you were
+              configuring Shorewall on the firewall system itself</emphasis>).
+              It's a good idea to include the IP address of the administrative
+              system in the <ulink
+              url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+              file</ulink>.</para>
+
+              <para>It is important to understand that with Shorewall Lite,
+              the firewall's export directory on the administrative system
+              acts as <filename class="directory">/etc/shorewall</filename>
+              for that firewall. So when the Shorewall documentation gives
+              instructions for placing entries in files in the firewall's
+              <filename class="directory">/etc/shorewall</filename>, when
+              using Shorewall Lite you make those changes in the firewall's
+              export directory on the administrative system.</para>
+
+              <para>The CONFIG_PATH variable is treated as follows:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para>The value of CONFIG_PATH in
+                  <filename>/etc/shorewall/shorewall.conf</filename> is
+                  ignored when compiling for export (the -e option in given)
+                  and when the <command>load</command> or
+                  <command>reload</command> command is being executed (see
+                  below).</para>
+                </listitem>
+
+                <listitem>
+                  <para>The value of CONFIG_PATH in the
+                  <filename>shorewall.conf</filename> file in the export
+                  directory is used to search for configuration files during
+                  compilation of that configuration.</para>
+                </listitem>
+
+                <listitem>
+                  <para>The value of CONFIG_PATH used when the script is run
+                  on the firewall system is
+                  "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+
+            <listitem>
+              <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall load firewall</command></programlisting>
+
+              <para>The <ulink
+              url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+              command compiles a firewall script from the configuration files
+              in the current working directory (using <command>shorewall
+              compile -e</command>), copies that file to the remote system via
+              scp and starts Shorewall Lite on the remote system via
+              ssh.</para>
+
+              <para>Example (firewall's DNS name is 'gateway'):</para>
+
+              <para><command>/sbin/shorewall load gateway</command><note>
+                  <para>Although scp and ssh are used by default, you can use
+                  other utilities by setting RSH_COMMAND and RCP_COMMAND in
+                  <filename>/etc/shorewall/shorewall.conf</filename>.</para>
+                </note></para>
+
+              <para>The first time that you issue a <command>load</command>
+              command, Shorewall will use ssh to run
+              <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+              remote firewall to create a capabilities file in the firewall's
+              administrative direction. See <link
+              linkend="Shorecap">below</link>.</para>
+            </listitem>
+          </orderedlist>
+        </listitem>
+
+        <listitem>
+          <para>If you later need to change the firewall's configuration,
+          change the appropriate files in the firewall's export directory
+          then:</para>
+
+          <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall reload firewall</command></programlisting>
+
+          <para>The <ulink
+          url="manpages/shorewall.html"><command>reload</command></ulink>
+          command compiles a firewall script from the configuration files in
+          the current working directory (using <command>shorewall compile
+          -e</command>), copies that file to the remote system via scp and
+          restarts Shorewall Lite on the remote system via ssh. The <emphasis
+          role="bold">reload</emphasis> command also supports the '-c'
+          option.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>There is a <filename>shorewall-lite.conf</filename> file installed
+      as part of Shorewall Lite
+      (<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can
+      use that file on the firewall system to override some of the settings
+      from the shorewall.conf file in the export directory.</para>
+
+      <para>Settings that you can override are:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>VERBOSITY</member>
+
+          <member>LOGFILE</member>
+
+          <member>LOGFORMAT</member>
+
+          <member>IPTABLES</member>
+
+          <member>PATH</member>
+
+          <member>SHOREWALL_SHELL</member>
+
+          <member>SUBSYSLOCK</member>
+
+          <member>RESTOREFILE</member>
+        </simplelist>
+      </blockquote>
+
+      <para>You will normally never touch
+      <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
+      run Debian or one of its derivatives (see <link
+      linkend="Debian">above</link>).</para>
+
+      <para>The <filename>/sbin/shorewall-lite</filename> program included
+      with Shorewall Lite supports the same set of commands as the
+      <filename>/sbin/shorewall</filename> program in a full Shorewall
+      installation with the following exceptions:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>add</member>
+
+          <member>compile</member>
+
+          <member>delete</member>
+
+          <member>refresh</member>
+
+          <member>reload</member>
+
+          <member>try</member>
+
+          <member>safe-start</member>
+
+          <member>safe-restart</member>
+
+          <member>show actions</member>
+
+          <member>show macros</member>
+        </simplelist>
+      </blockquote>
+
+      <para>On systems with only Shorewall Lite installed, I recommend that
+      you create a symbolic link <filename>/sbin/shorewall</filename> and
+      point it at <filename>/sbin/shorewall-lite</filename>. That way, you can
+      use <command>shorewall</command> as the command regardless of which
+      product is installed.</para>
+
+      <blockquote>
+        <programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
+      </blockquote>
+
+      <section>
+        <title>Module Loading</title>
+
+        <para>As with a normal Shorewall configuration, the shorewall.conf
+        file can specify LOAD_HELPERS_ONLY which determines if the
+        <filename>modules</filename> file (LOAD_HELPERS_ONLY=No) or
+        <filename>helpers</filename> file (LOAD_HELPERS_ONLY=Yes) is used.
+        Normally, the file on the firewall system is used. If you want to
+        specify modules at compile time on the Administrative System, then you
+        must place a copy of the appropriate file
+        (<filename>modules</filename> or <filename>helpers</filename>) in the
+        firewall's configuration directory before compilation.</para>
+
+        <para>In Shorewall 4.4.17, the EXPORTMODULES option was added to
+        shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any
+        <filename>modules</filename> or <filename>helpers</filename> file
+        found on the CONFIG_PATH on the Administrative System during
+        compilation will be used.</para>
+      </section>
+
+      <section id="Converting">
+        <title>Converting a system from Shorewall to Shorewall Lite</title>
+
+        <para>Converting a firewall system that is currently running Shorewall
+        to run Shorewall Lite instead is straight-forward.</para>
+
+        <orderedlist numeration="loweralpha">
+          <listitem>
+            <para>On the administrative system, create an export directory for
+            the firewall system.</para>
+          </listitem>
+
+          <listitem>
+            <para>Copy the contents of <filename
+            class="directory">/etc/shorewall/</filename> from the firewall
+            system to the export directory on the administrative
+            system.</para>
+          </listitem>
+
+          <listitem>
+            <para>On the firewall system:</para>
+
+            <para>Be sure that the IP address of the administrative system is
+            included in the firewall's export directory
+            <filename>routestopped</filename> file.</para>
+
+            <programlisting><command>shorewall stop</command></programlisting>
+
+            <para><emphasis role="bold">We recommend that you uninstall
+            Shorewall at this point.</emphasis></para>
+          </listitem>
+
+          <listitem>
+            <para>Install Shorewall Lite on the firewall system.</para>
+
+            <para>If you are running Debian or one of its derivatives like
+            Ubuntu then edit <filename>/etc/default/shorewall-lite</filename>
+            and set startup=1.</para>
+          </listitem>
+
+          <listitem>
+            <para>On the administrative system:</para>
+
+            <para>It's a good idea to include the IP address of the
+            administrative system in the firewall system's <ulink
+            url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+            file</ulink>.</para>
+
+            <para>Also, edit the <filename>shorewall.conf</filename> file in
+            the firewall's export directory and change the CONFIG_PATH setting
+            to remove <filename class="directory">/etc/shorewall</filename>.
+            You can replace it with <filename
+            class="directory">/usr/share/shorewall/configfiles</filename> if
+            you like.</para>
+
+            <para>Example:</para>
+
+            <blockquote>
+              <para>Before editing:</para>
+
+              <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
+
+              <para>After editing:</para>
+
+              <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
+            </blockquote>
+
+            <para>Changing CONFIG_PATH will ensure that subsequent
+            compilations using the export directory will not include any files
+            from <filename class="directory">/etc/shorewall</filename> other
+            than <filename>shorewall.conf</filename> and
+            <filename>params</filename>.</para>
+
+            <para>If you set variables in the params file, there are a couple
+            of issues:</para>
+
+            <para>The <filename>params</filename> file is not processed at run
+            time if you set EXPORTPARAMS=No in
+            <filename>shorewall.conf</filename>. For run-time setting of shell
+            variables, use the <filename>init</filename> extension script.
+            Beginning with Shorewall 4.4.17, the variables set in the
+            <filename>params</filename> file are available in the firewall
+            script when EXPORTPARAMS=No.</para>
+
+            <para>If the <filename>params</filename> file needs to set shell
+            variables based on the configuration of the firewall system, you
+            can use this trick:</para>
+
+            <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
+
+            <para>The <command>shorewall-lite call</command> command allows
+            you to to call interactively any Shorewall function that you can
+            call in an extension script.</para>
+
+            <para>After having made the above changes to the firewall's export
+            directory, execute the following commands.</para>
+
+            <blockquote>
+              <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall load &lt;firewall system&gt;</command>
+</programlisting>
+
+              <para>Example (firewall's DNS name is 'gateway'):</para>
+
+              <para><command>/sbin/shorewall load gateway</command></para>
+            </blockquote>
+
+            <para>The first time that you issue a <command>load</command>
+            command, Shorewall will use ssh to run
+            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+            remote firewall to create a capabilities file in the firewall's
+            administrative direction. See <link
+            linkend="Shorecap">below</link>.</para>
+
+            <para>The <ulink
+            url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+            command compiles a firewall script from the configuration files in
+            the current working directory (using <command>shorewall compile
+            -e</command>), copies that file to the remote system via
+            <command>scp</command> and starts Shorewall Lite on the remote
+            system via <command>ssh</command>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If you later need to change the firewall's configuration,
+            change the appropriate files in the firewall's export directory
+            then:</para>
+
+            <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall reload firewall</command></programlisting>
+
+            <para>The <ulink
+            url="starting_and_stopping_shorewall.htm#Reload"><command>reload</command></ulink>
+            command compiles a firewall script from the configuration files in
+            the current working directory (using <command>shorewall compile
+            -e</command>), copies that file to the remote system via
+            <command>scp</command> and restarts Shorewall Lite on the remote
+            system via <command>ssh</command>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If the kernel/iptables configuration on the firewall later
+            changes and you need to create a new
+            <filename>capabilities</filename> file, do the following on the
+            firewall system:</para>
+
+            <programlisting><command>/usr/share/shorewall-lite/shorecap &gt; capabilities</command>
+<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
+
+            <para>Or simply use the -c option the next time that you use the
+            <command>reload</command> command (e.g., <command>shorewall reload
+            -c gateway</command>).</para>
+          </listitem>
+        </orderedlist>
+      </section>
+    </section>
+
+    <section id="Restrictions">
+      <title>Restrictions</title>
+
+      <para>While compiled Shorewall programs (as are used in Shorewall Lite)
+      are useful in many cases, there are some important restrictions that you
+      should be aware of before attempting to use them.</para>
+
+      <orderedlist>
+        <listitem>
+          <para>All extension scripts used are copied into the program (with
+          the exception of <ulink url="shorewall_extension_scripts.htm">those
+          executed at compile-time by the compiler</ulink>). The ramifications
+          of this are:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If you update an extension script, the compiled program
+              will not use the updated script.</para>
+            </listitem>
+
+            <listitem>
+              <para>The <filename>params</filename> file is only processed at
+              compile time if you set EXPORTPARAMS=No in
+              <filename>shorewall.conf</filename>. For run-time setting of
+              shell variables, use the <filename>init</filename> extension
+              script. Although the default setting is EXPORTPARAMS=Yes for
+              compatibility, the recommended setting is EXPORTPARAMS=No.
+              Beginning with Shorewall 4.4.17, the variables set in the
+              <filename>params</filename> file are available in the firewall
+              script when EXPORTPARAMS=No.</para>
+
+              <para>If the <filename>params</filename> file needs to set shell
+              variables based on the configuration of the firewall system, you
+              can use this trick:</para>
+
+              <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
+
+              <para>The <command>shorewall-lite call</command> command allows
+              you to to call interactively any Shorewall function that you can
+              call in an extension script.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>You must install Shorewall Lite on the system where you want
+          to run the script. You then install the compiled program in
+          /usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite
+          program included with Shorewall Lite to control the firewall just as
+          if the full Shorewall distribution was installed.</para>
+        </listitem>
+
+        <listitem>
+          <para>Beginning with Shorewall 4.4.9, the compiler detects bridges
+          and sets the <emphasis role="bold">bridge</emphasis> and <emphasis
+          role="bold">routeback</emphasis> options explicitly. That can't
+          happen when the compilation no longer occurs on the firewall
+          system.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
+  <section id="Compile">
+    <title>The "shorewall compile" command</title>
+
+    <para>A compiled script is produced using the <command>compile</command>
+    command:</para>
+
+    <blockquote>
+      <para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ] [
+      &lt;path name&gt; ]</command></para>
+    </blockquote>
+
+    <para>where</para>
+
+    <blockquote>
+      <variablelist>
+        <varlistentry>
+          <term>-e</term>
+
+          <listitem>
+            <para>Indicates that the program is to be "exported" to another
+            system. When this flag is set, neither the "detectnets" interface
+            option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The
+            created program may be run on a system that has only Shorewall
+            Lite installed</para>
+
+            <para>When this flag is given, Shorewall does not probe the
+            current system to determine the kernel/iptables features that it
+            supports. It rather reads those capabilities from
+            <filename>/etc/shorewall/capabilities</filename>. See below for
+            details.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>&lt;directory name&gt;</term>
+
+          <listitem>
+            <para>specifies a directory to be searched for configuration files
+            before those directories listed in the CONFIG_PATH variable in
+            <filename>shorewall.conf</filename>.</para>
+
+            <para>When -e &lt;directory-name&gt; is included, only the
+            SHOREWALL_SHELL and VERBOSITY settings from
+            <filename>/etc/shorewall/shorewall.conf</filename> are used and
+            these apply only to the compiler itself. The settings used by the
+            compiled firewall script are determined by the contents of
+            <filename>&lt;directory name&gt;/shorewall.conf</filename>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>&lt;path name&gt;</term>
+
+          <listitem>
+            <para>specifies the name of the script to be created. If not
+            given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is
+            <filename>/var/lib/shorewall/</filename>)</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </blockquote>
+
+    <para>The compile command can be used to stage a new compiled strict that
+    can be activated later using</para>
+
+    <simplelist>
+      <member><command>shorewall restart -f</command></member>
+    </simplelist>
+  </section>
+
+  <section id="Shorecap">
+    <title>The /etc/shorewall/capabilities file and the shorecap
+    program</title>
+
+    <para>As mentioned above, the
+    <filename>/etc/shorewall/capabilities</filename> file specifies that
+    kernel/iptables capabilities of the target system. Here is a sample
+    file:</para>
+
+    <blockquote>
+      <programlisting>#
+# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
+#
+NAT_ENABLED=Yes
+MANGLE_ENABLED=Yes
+MULTIPORT=Yes
+XMULTIPORT=Yes
+CONNTRACK_MATCH=Yes
+USEPKTTYPE=Yes
+POLICY_MATCH=Yes
+PHYSDEV_MATCH=Yes
+PHYSDEV_BRIDGE=Yes
+LENGTH_MATCH=Yes
+IPRANGE_MATCH=Yes
+RECENT_MATCH=Yes
+OWNER_MATCH=Yes
+IPSET_MATCH=Yes
+CONNMARK=Yes
+XCONNMARK=Yes
+CONNMARK_MATCH=Yes
+XCONNMARK_MATCH=Yes
+RAW_TABLE=Yes
+IPP2P_MATCH=
+CLASSIFY_TARGET=Yes
+ENHANCED_REJECT=Yes
+KLUDGEFREE=Yes
+MARK=Yes
+XMARK=Yes
+MANGLE_FORWARD=Yes
+COMMENTS=Yes
+ADDRTYPE=Yes
+TCPMSS_MATCH=Yes
+HASHLIMIT_MATCH=Yes
+NFQUEUE_TARGET=Yes
+REALM_MATCH=Yes
+CAPVERSION=40190</programlisting>
+    </blockquote>
+
+    <para>As you can see, the file contains a simple list of shell variable
+    assignments — the variables correspond to the capabilities listed by the
+    <command>shorewall show capabilities</command> command and they appear in
+    the same order as the output of that command.</para>
+
+    <para>To aid in creating this file, Shorewall Lite includes a
+    <command>shorecap</command> program. The program is installed in the
+    <filename class="directory">/usr/share/shorewall-lite/</filename>
+    directory and may be run as follows:</para>
+
+    <blockquote>
+      <para><command>[ IPTABLES=&lt;iptables binary&gt; ] [
+      MODULESDIR=&lt;kernel modules directory&gt; ]
+      /usr/share/shorewall-lite/shorecap &gt; capabilities</command></para>
+    </blockquote>
+
+    <para>The IPTABLES and MODULESDIR options have their <ulink
+    url="manpages/shorewall.conf.html">usual Shorewall default
+    values</ulink>.</para>
+
+    <para>The <filename>capabilities</filename> file may then be copied to a
+    system with Shorewall installed and used when compiling firewall programs
+    to run on the remote system.</para>
+
+    <para>The <filename>capabilities</filename> file may also be creating
+    using <filename>/sbin/shorewall-lite</filename>:<blockquote>
+        <para><command>shorewall-lite show -f capabilities &gt;
+        capabilities</command></para>
+      </blockquote></para>
+
+    <para>Note that unlike the <command>shorecap</command> program, the
+    <command>show capabilities</command> command shows the kernel's current
+    capabilities; it does not attempt to load additional kernel
+    modules.</para>
+  </section>
+
+  <section id="Running">
+    <title>Running compiled programs directly</title>
+
+    <para>Compiled firewall programs are complete shell programs that support
+    the following command line forms:</para>
+
+    <blockquote>
+      <simplelist>
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        start</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        stop</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        clear</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        refresh</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        reset</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        restart</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        status</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        version</command></member>
+      </simplelist>
+    </blockquote>
+
+    <para>The options have the same meanings as when they are passed to
+    <filename>/sbin/shorewall</filename> itself. The default VERBOSITY level
+    is the level specified in the <filename>shorewall.conf</filename> file
+    used when the program was compiled.</para>
+  </section>
+</article>

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2010</year>
+      <year>2001-2011</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -492,6 +492,253 @@ ACCEPT      net:\
     </example>
   </section>
 
+  <section id="Pairs">
+    <title>Alternate Specification of Column Values - Shorewall 4.4.24 and
+    Later</title>
+
+    <para>Some of the configuration files now have a large number of columns.
+    That makes it awkward to specify a value for one of the right-most columns
+    as you must have the correct number of intervening '-' columns.</para>
+
+    <para>This problem is addressed by allowing column values to be specified
+    as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
+    pairs.</para>
+
+    <para>There is considerable flexibility in how you specify the
+    pairs:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>At any point, you can enter a semicolon (';') followed by one or
+        more specifications of the following forms:</para>
+
+        <simplelist>
+          <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>=<replaceable>&gt;value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
+        </simplelist>
+
+        <para>The value may optionally be enclosed in double quotes.</para>
+
+        <para>The pairs must be separated by white space, but you can add a
+        comma adjacent to the <replaceable>values</replaceable> for
+        readability as in:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">; proto=&gt;udp,
+          port=1024</emphasis></member>
+        </simplelist>
+      </listitem>
+
+      <listitem>
+        <para>You can enclose the pairs in curly brackets ("{...}") rather
+        than separating them from columns by a semicolon:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">{ proto:udp, port:1024
+          }</emphasis></member>
+        </simplelist>
+      </listitem>
+    </itemizedlist>
+
+    <para>The following table shows the column names for each of the
+    table-oriented configuration files.</para>
+
+    <note>
+      <para>Column names are <emphasis
+      role="bold">case-insensitive</emphasis>.</para>
+    </note>
+
+    <informaltable>
+      <tgroup cols="2">
+        <tbody>
+          <row>
+            <entry><emphasis role="bold">File</emphasis></entry>
+
+            <entry><emphasis role="bold">Column names</emphasis></entry>
+          </row>
+
+          <row>
+            <entry>accounting</entry>
+
+            <entry>action,chain, source, dest, proto, dport, sport, user,
+            mark, ipsec, headers</entry>
+          </row>
+
+          <row>
+            <entry>blacklist</entry>
+
+            <entry>networks,proto,port,options</entry>
+          </row>
+
+          <row>
+            <entry>ecn</entry>
+
+            <entry>interface,hosts</entry>
+          </row>
+
+          <row>
+            <entry>hosts</entry>
+
+            <entry>zone,hosts,options</entry>
+          </row>
+
+          <row>
+            <entry>interfaces</entry>
+
+            <entry>zone,interface,broadcast,options</entry>
+          </row>
+
+          <row>
+            <entry>maclist</entry>
+
+            <entry>disposition,interface,mac,addresses</entry>
+          </row>
+
+          <row>
+            <entry>masq</entry>
+
+            <entry>interface,source,address,proto,port,ipsec,mark,user</entry>
+          </row>
+
+          <row>
+            <entry>nat</entry>
+
+            <entry>external,interface,internal,allints,local</entry>
+          </row>
+
+          <row>
+            <entry>netmap</entry>
+
+            <entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>notrack</entry>
+
+            <entry>source,dest,proto,dport,sport,user</entry>
+          </row>
+
+          <row>
+            <entry>policy</entry>
+
+            <entry>source,dest,policy,loglevel,limit,connlimit</entry>
+          </row>
+
+          <row>
+            <entry>providers</entry>
+
+            <entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
+          </row>
+
+          <row>
+            <entry>proxyarp and proxyndp</entry>
+
+            <entry>address,interface,external,haveroute,persistent</entry>
+          </row>
+
+          <row>
+            <entry>route_rules</entry>
+
+            <entry>source,dest,provider,priority</entry>
+          </row>
+
+          <row>
+            <entry>routes</entry>
+
+            <entry>provider,dest,gateway,device</entry>
+          </row>
+
+          <row>
+            <entry>routestopped</entry>
+
+            <entry>interface,hosts,options,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>rules</entry>
+
+            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
+          </row>
+
+          <row>
+            <entry>secmarks</entry>
+
+            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
+          </row>
+
+          <row>
+            <entry>tcclasses</entry>
+
+            <entry>interface,mark,rate,ceil,prio,options</entry>
+          </row>
+
+          <row>
+            <entry>tcdevices</entry>
+
+            <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
+          </row>
+
+          <row>
+            <entry>tcfilters</entry>
+
+            <entry>class,source,dest,proto,dport,sport,tos,length</entry>
+          </row>
+
+          <row>
+            <entry>tcinterfaces</entry>
+
+            <entry>interface,type,in_bandwidth,out_bandwidth</entry>
+          </row>
+
+          <row>
+            <entry>tcpri</entry>
+
+            <entry>band,proto,port,address,interface,helper</entry>
+          </row>
+
+          <row>
+            <entry>tcrules</entry>
+
+            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+          </row>
+
+          <row>
+            <entry>tos</entry>
+
+            <entry>source,dest,proto,dport,sport,tos,mark</entry>
+          </row>
+
+          <row>
+            <entry>tunnels</entry>
+
+            <entry>type,zone,gateway,gateway_zone</entry>
+          </row>
+
+          <row>
+            <entry>zones</entry>
+
+            <entry>zone,type,options,in_options,out_options</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </informaltable>
+
+    <para>Example (rules file):</para>
+
+    <programlisting>#ACTION         SOURCE            DEST            PROTO   DEST 
+#                                                         PORT(S)
+DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>
+
+    <para>Here's the same line in several equivalent formats:</para>
+
+    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
+; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
+DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
+  </section>
+
   <section>
     <title>Addresses</title>
 
@@ -705,9 +952,9 @@ ACCEPT      net:\
 
     <caution>
       <para>Prior to Shorewall 4.4.17, if you are using <ulink
-      url="CompiledPrograms.html%23Lite">Shorewall Lite</ulink> , it is not
-      advisable to use INCLUDE in the <filename>params</filename> file in an
-      export directory if you set EXPORTPARAMS=Yes in <ulink
+      url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not advisable
+      to use INCLUDE in the <filename>params</filename> file in an export
+      directory if you set EXPORTPARAMS=Yes in <ulink
       url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do
       that, you must ensure that the included file is also present on the
       firewall system's <filename
@@ -972,11 +1219,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
       </listitem>
 
       <listitem>
-        <para>If you are using <ulink
-        url="CompiledPrograms.html#Lite">Shorewall Lite</ulink> and if the
-        <filename>params</filename> script needs to set shell variables based
-        on the configuration of the firewall system, you can use this
-        trick:</para>
+        <para>If you are using <ulink url="Shorewall-Lite.html">Shorewall
+        Lite</ulink> and if the <filename>params</filename> script needs to
+        set shell variables based on the configuration of the firewall system,
+        you can use this trick:</para>
 
         <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
 
@@ -997,7 +1243,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     time, there is no way to cause such variables to be expended at run time.
     Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
     include dynamic IP addresses in a <ulink
-    url="CompiledPrograms.html">Shorewall-lite</ulink> configuration.</para>
+    url="Shorewall-Lite.html">Shorewall-lite</ulink> configuration.</para>
 
     <para>Version 4.4.17 implemented <firstterm>Run-time address
     variables</firstterm>. In configuration files, these variables are
@@ -1604,7 +1850,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
       LOGLIMIT.</para>
     </note>
 
-    <para>Shorewall also supports per-IP rate limiting. </para>
+    <para>Shorewall also supports per-IP rate limiting.</para>
 
     <para>Another example from <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
@@ -1624,6 +1870,72 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
     above.</para>
   </section>
 
+  <section id="Switches">
+    <title>Switches</title>
+
+    <para>There are times when you would like to enable or disable one or more
+    rules in the configuration without having to do a <command>shorewall
+    restart</command>. This may be accomplished using the SWITCH column in
+    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or
+    <ulink url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
+    Using this column requires that your kernel and iptables include
+    <firstterm>Condition Match Support</firstterm> and you must be running
+    Shorewall 4.4.24 or later. See the output of <command>shorewall show
+    capabilities</command> and <command>shorewall version</command> to
+    determine if you can use this feature. As of this writing, Condition Match
+    Support requires that you install xtables-addons.</para>
+
+    <para>The SWITCH column contains the name of a
+    <firstterm>switch.</firstterm> Each switch that is initially in the
+    <emphasis role="bold">off</emphasis> position. You can turn on the switch
+    named <emphasis>switch1</emphasis> by:</para>
+
+    <simplelist>
+      <member><command>echo 1 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>You can turn it off again by:</para>
+
+    <simplelist>
+      <member><command>echo 0 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>If you simply include the switch name in the SWITCH column, then the
+    rule is enabled only when the switch is <emphasis
+    role="bold">on</emphasis>. If you precede the switch name with ! (e.g.,
+    !switch1), then the rule is enabled only when the switch is <emphasis
+    role="bold">off</emphasis>. Switch settings are retained over
+    <command>shorewall restart</command>.</para>
+
+    <para>Shorewall requires that switch names:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>begin with a letter and be composed of letters, digits,
+        underscore ('_') or hyphen ('-'); and</para>
+      </listitem>
+
+      <listitem>
+        <para>be 30 characters or less in length.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Multiple rules can be controlled by the same switch.</para>
+
+    <para>Example:</para>
+
+    <blockquote>
+      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
+      on.</para>
+
+      <programlisting>#ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+#                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down  </programlisting>
+    </blockquote>
+  </section>
+
   <section id="Logical">
     <title>Logical Interface Names</title>
 

docs/netmap.xml

@@ -22,6 +22,8 @@
 
       <year>2007</year>
 
+      <year>2011</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -113,8 +115,10 @@
         <term>NET1</term>
 
         <listitem>
-          <para>Must be expressed in CIDR format (e.g.,
-          192.168.1.0/24).</para>
+          <para>Must be expressed in CIDR format (e.g., 192.168.1.0/24).
+          Beginning with Shorewall 4.4.24, <ulink
+          url="manpages/shorewall-exclusion.html">exclusion</ulink> is
+          supported.</para>
         </listitem>
       </varlistentry>
 
@@ -135,6 +139,71 @@
           <para>A second network expressed in CIDR format.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET3 (Optional)</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
+          It specifies a SOURCE network for DNAT rules and a DESTINATON
+          network for SNAT rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO (Optional - Added in Shorewall
+        4.4.23.2)</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Only packets specifying this protocol will have their IP
+          header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        Shorewall 4.4.23.2)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Destination Ports. A comma-separated list of Port names (from
+          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
+          range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        Shorewall 4.4.23.2)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Source port(s). If omitted, any source port is acceptable.
+          Specified as a comma-separated list of port names, port numbers or
+          port ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
 
     <para>Referring to the figure above, lets suppose that systems in the top
@@ -167,7 +236,7 @@
         </itemizedlist>
       </important></para>
 
-    <section id="Solution">
+    <section>
       <title>If you are running Shorewall 4.4.22 or Earlier</title>
 
       <para>The entries in
@@ -311,28 +380,88 @@ DNAT   10.10.11.0/24  vpn              192.168.1.0/24
 <emphasis role="bold">SNAT:P 192.168.1.0/24 vpn              10.10.10.0/24
 DNAT:T 10.10.10.0/24  vpn              192.168.1.0/24</emphasis></programlisting>
 
-      <para>The last two entries define Stateless NAT by specifying a chain
-      designator (:P for PREROUTING and :T for POSTROUTING respectively). See
-      <ulink url="manpages/shorewall-netlink.html">shorewall-netmap</ulink>
-      (5) for details.</para>
+      <para>The last two entries define <firstterm>Stateless NAT</firstterm>
+      by specifying a chain designator (:P for PREROUTING and :T for
+      POSTROUTING respectively). See <ulink
+      url="manpages/shorewall-netlink.html">shorewall-netmap</ulink> (5) for
+      details.</para>
     </section>
   </section>
 
-  <section id="Notes">
-    <title>Author's Notes</title>
+  <section>
+    <title>IPv6</title>
 
-    <para>This could all be made a bit simpler by eliminating the TYPE field
-    and have Shorewall generate both the SNAT and DNAT rules from a single
-    entry. I have chosen to include the TYPE in order to make the
-    implementation a bit more flexible. If you find cases where you can use an
-    SNAT or DNAT entry by itself, please let <ulink
-    url="mailto:webmaster@shorewall.net">me</ulink> know and I'll add the
-    example to this page.</para>
+    <para>Beginning with Shorewall6 4.4.24, IPv6 support for Netmap is
+    included. This provides a way to use private IPv6 addresses internally and
+    still have access to the IPv6 internet.</para>
 
-    <para>In the previous section, the table in the example contains a bit of
-    a lie. Because of Netfilter's connection tracking, rules 2B and 1B aren't
-    needed to handle the replies. They ARE needed though for hosts in the
-    bottom cloud to be able to establish connections with the 192.168.1.0/24
-    network in the top cloud.</para>
+    <warning>
+      <para>IPv6 netmap is <firstterm>stateless</firstterm> which means that
+      there are no Netfilter helpers for applications that need them. As a
+      consequence, applications that require a helper (FTP, IRC, etc.) may
+      experience issues.</para>
+    </warning>
+
+    <para>For IPv6, the chain designator (:P for PREROUTING or :T for
+    POSTROUTING) is required in the TYPE column. Normally SNAT rules are
+    placed in the POSTROUTING chain while DNAT rules are placed in
+    PREROUTING.</para>
+
+    <para>To use IPv6 Netmap, your kernel and iptables must include
+    <emphasis>Rawpost Table Support</emphasis>.</para>
+
+    <para>IPv6 Netmap has been verified at shorewall.net using the
+    configuration shown below.</para>
+
+    <graphic align="center" fileref="images/Network2011b.png" />
+
+    <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
+    block is 2001:470:b:227::/64.</para>
+
+    <para>Because of the limitations of IPv6 NETMAP (no Netfilter helpers),
+    the servers in the DMZ have public addresses in the block
+    2001:470:b:227::/112. The local LAN uses the private network
+    fd00:470:b:227::/64 with the hosts autoconfigured using radvd. This block
+    is allocated from the range (fc00::/7) reserved for<firstterm> <ulink
+    url="http://en.wikipedia.org/wiki/Unique_local_address">Unique Local
+    Addresses</ulink></firstterm>.</para>
+
+    <para>The /etc/shorewall6/netmap file is as follows:</para>
+
+    <programlisting>#TYPE	NET1			INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#												PORT(S)	PORT(S)
+SNAT:T	fd00:470:b:227::/64	HE_IF		2001:470:b:227::/64
+DNAT:P  2001:470:b:227::/64!2001:470:b:227::/112\
+				HE_IF		fd00:470:b:227::/64
+</programlisting>
+
+    <para>HE_IF is the logical name for interface sit1. On output, the private
+    address block is mapped to the public block. Because autoconfiguration is
+    used, none of the local addresses falls into the range
+    fd00:470:b:227::/112. That range can therefore be excluded from
+    DNAT.</para>
+
+    <note>
+      <para>While the site local network that was used is very similar to the
+      public network (only the first word is different), that isn't a
+      requirement. We could have just as well used
+      fd00:bad:dead:beef::/64</para>
+    </note>
+
+    <note>
+      <para>The MacBook Pro running OS X Lion refused to autoconfigure when
+      radvd advertised a <ulink
+      url="http://tools.ietf.org/html/rfc3513">site-local</ulink> network
+      (fec0:470:b:227/64) but worked fine with the unique-local network
+      (fd00:470:b:227::/64). Note that site-local addresses were deprecated in
+      <ulink url="http://tools.ietf.org/html/rfc3879">RFC3879</ulink>.</para>
+    </note>
+
+    <note>
+      <para>This whole scheme isn't quite as useful as it might appear. Many
+      IPv6-enabled applications (web browsers, for example) are smart enough
+      to recognize unique local addresses and will only use IPv6 to
+      communicate with other such local addresses.</para>
+    </note>
   </section>
 </article>

docs/shorewall_features.xml

@@ -94,7 +94,7 @@
           <listitem>
             <para>Centrally generated firewall scripts run on the firewalls
             under control of <ulink
-            url="CompiledPrograms.html#Lite">Shorewall-lite</ulink>.</para>
+            url="Shorewall-Lite.html">Shorewall-lite</ulink>.</para>
           </listitem>
         </itemizedlist>
       </listitem>
@@ -274,6 +274,10 @@
           <listitem>
             <para>VirtualBox</para>
           </listitem>
+
+          <listitem>
+            <para><ulink url="LXC.html">LXC</ulink></para>
+          </listitem>
         </itemizedlist>
       </listitem>
     </itemizedlist>

docs/traffic_shaping.xml

@@ -1308,7 +1308,7 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
         </listitem>
 
         <listitem>
-          <para>Set TC_ENABLED=SHARED in <ulink
+          <para>Set TC_ENABLED=Shared in <ulink
           url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
           (5).</para>
         </listitem>

manpages/shorewall-accounting.xml

@@ -165,7 +165,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax):</para>
 
     <variablelist>
       <varlistentry>
@@ -343,7 +345,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
+        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
@@ -358,7 +360,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> - {<emphasis
+        <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -377,8 +379,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -401,8 +403,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -418,7 +420,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
@@ -674,7 +676,7 @@
     the values <emphasis role="bold">-</emphasis>, <emphasis
     role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
     used as wildcards. Omitted trailing columns are also treated as
-    wildcards.</para>
+    wildcard.</para>
   </refsect1>
 
   <refsect1>
@@ -693,6 +695,9 @@
     <para><ulink
     url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),

manpages/shorewall-blacklist.xml

@@ -26,12 +26,14 @@
     <para>The blacklist file is used to perform static blacklisting. You can
     blacklist by source address (IP or MAC), or by application.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> (networks) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
         role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
 
@@ -55,34 +57,32 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
-        {<emphasis
+        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
         role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>
 
         <listitem>
-          <para>If specified, must be a protocol number or a protocol name
-          from protocols(5).</para>
+          <para>Optional - If specified, must be a protocol number or a
+          protocol name from protocols(5).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PORTS</emphasis> - {<emphasis
         role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
         <listitem>
-          <para>May only be specified if the protocol is TCP (6) or UDP (17).
-          A comma-separated list of destination port numbers or service names
-          from services(5).</para>
+          <para>Optional - may only be specified if the protocol is TCP (6) or
+          UDP (17). A comma-separated list of destination port numbers or
+          service names from services(5).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>OPTIONS (Optional - Added in 4.4.12) -
-        {-|{dst|src|whitelist|audit}[,...]}</term>
+        <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
 
         <listitem>
-          <para>If specified, indicates whether traffic
-          <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
+          <para>Optional - added in 4.4.12. If specified, indicates whether
+          traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
           role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
           ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
           blacklisted. The default is <emphasis role="bold">src</emphasis>. If
@@ -182,6 +182,9 @@
     <para><ulink
     url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),

manpages/shorewall-hosts.xml

@@ -271,6 +271,9 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
     shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),

manpages/shorewall-interfaces.xml

@@ -754,6 +754,9 @@ net     ppp0      -</programlisting>
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),

manpages/shorewall-maclist.xml

@@ -31,7 +31,9 @@
     url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
     file.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -73,17 +75,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) -
+        <term><emphasis role="bold">IP ADDRESSES</emphasis> (addresses) -
         [<emphasis>address</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
 
         <listitem>
-          <para>If specified, both the MAC and IP address must match. This
-          column can contain a comma-separated list of host and/or subnet
-          addresses. If your kernel and iptables have iprange match support
-          then IP address ranges are also allowed. Similarly, if your kernel
-          and iptables include ipset support than set names (prefixed by "+")
-          are also allowed.</para>
+          <para>Optional - if specified, both the MAC and IP address must
+          match. This column can contain a comma-separated list of host and/or
+          subnet addresses. If your kernel and iptables have iprange match
+          support then IP address ranges are also allowed. Similarly, if your
+          kernel and iptables include ipset support than set names (prefixed
+          by "+") are also allowed.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -101,13 +103,17 @@
     <para><ulink
     url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-masq.xml

@@ -560,6 +560,9 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
     shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),

manpages/shorewall-nat.xml

@@ -35,7 +35,9 @@
       solution that one-to-one NAT.</para>
     </warning>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -101,8 +103,9 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ALL INTERFACES</emphasis> - [<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
+        [<emphasis role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>If Yes or yes, NAT will be effective from all hosts. If No or
@@ -137,13 +140,17 @@
     <para><ulink
     url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-netmap.xml

@@ -31,7 +31,9 @@
       support included.</para>
     </warning>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -77,7 +79,10 @@
         <emphasis>network-address</emphasis></term>
 
         <listitem>
-          <para>Network in CIDR format (e.g., 192.168.1.0/24).</para>
+          <para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with
+          Shorewall 4.4.24, <ulink
+          url="shorewall-exclusion.html">exclusion</ulink> is
+          supported.</para>
         </listitem>
       </varlistentry>
 
@@ -118,6 +123,59 @@
           network for SNAT rules.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Optional -- added in Shorewall 4.4.23.2. Only packets
+          specifying this protocol will have their IP header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Optional - added in Shorewall 4.4.23.2. Destination Ports. A
+          comma-separated list of Port names (from services(5)),
+          <emphasis>port number</emphasis>s or <emphasis>port
+          range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Optional -- added in Shorewall 4.4.23.2. Source port(s). If
+          omitted, any source port is acceptable. Specified as a
+          comma-separated list of port names, port numbers or port
+          ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -133,6 +191,9 @@
     <para><ulink
     url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-notrack.xml

@@ -27,7 +27,9 @@
     connection tracking. Traffic matching entries in this file will not be
     tracked.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -101,7 +103,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST PORT(S) - port-number/service-name-list</term>
+        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>
 
         <listitem>
           <para>A comma-separated list of port numbers and/or service names
@@ -113,7 +115,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE PORT(S) - port-number/service-name-list</term>
+        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
 
         <listitem>
           <para>A comma-separated list of port numbers and/or service names
@@ -125,7 +127,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>USER/GROUP ‒
+        <term>USER/GROUP (user) ‒
         [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
 
         <listitem>
@@ -146,13 +148,17 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-policy.xml

@@ -51,7 +51,9 @@
       in this file.</para>
     </important>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -204,14 +206,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LOG LEVEL</emphasis> (Optional) -
+        <term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
         [<emphasis>log-level</emphasis>|<emphasis
         role="bold">ULOG|NFLOG</emphasis>]</term>
 
         <listitem>
-          <para>If supplied, each connection handled under the default POLICY
-          is logged at that level. If not supplied, no log message is
-          generated. See syslog.conf(5) for a description of log
+          <para>Optional - if supplied, each connection handled under the
+          default POLICY is logged at that level. If not supplied, no log
+          message is generated. See syslog.conf(5) for a description of log
           levels.</para>
 
           <para>You may also specify ULOG or NFLOG (must be in upper case).
@@ -225,7 +227,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> -
+        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
         [{<emphasis>s</emphasis>|<emphasis
         role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
@@ -312,13 +314,17 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-providers.xml

@@ -263,8 +263,10 @@
                 specified <replaceable>weight</replaceable>. If the option is
                 given without a <replaceable>weight</replaceable>, an separate
                 default route is added through the provider's gateway; the
-                route has a metric equal to the provider's NUMBER. The option
-                is ignored with a warning message if USE_DEFAULT_RT=Yes in
+                route has a metric equal to the provider's NUMBER.</para>
+
+                <para>Prior to Shorewall 4.4.24, the option is ignored with a
+                warning message if USE_DEFAULT_RT=Yes in
                 <filename>shorewall.conf</filename>.</para>
               </listitem>
             </varlistentry>
@@ -339,6 +341,9 @@
     <para><ulink
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-proxyarp.xml

@@ -134,6 +134,9 @@
     <para><ulink
     url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-route_rules.xml

@@ -164,13 +164,17 @@
     <para><ulink
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-routes.xml

@@ -78,6 +78,9 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-routestopped.xml

@@ -33,7 +33,9 @@
       restart</command> command.</para>
     </warning>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -47,27 +49,27 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HOST(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">HOST(S)</emphasis> (hosts) - [<emphasis
         role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
 
         <listitem>
-          <para>Comma-separated list of IP/subnet addresses. If your kernel
-          and iptables include iprange match support, IP address ranges are
-          also allowed.</para>
+          <para>Optional. Comma-separated list of IP/subnet addresses. If your
+          kernel and iptables include iprange match support, IP address ranges
+          are also allowed.</para>
 
           <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
 
         <listitem>
-          <para>A comma-separated list of options. The order of the options is
-          not important but the list can contain no embedded whitespace. The
-          currently-supported options are:</para>
+          <para>Optional. A comma-separated list of options. The order of the
+          options is not important but the list can contain no embedded
+          whitespace. The currently-supported options are:</para>
 
           <variablelist>
             <varlistentry>
@@ -133,26 +135,26 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST PORT(S) (Optional) ‒
+        <term>DEST PORT(S) (dport) ‒
         <replaceable>service-name/port-number-list</replaceable></term>
 
         <listitem>
-          <para>A comma-separated list of port numbers and/or service names
-          from <filename>/etc/services</filename>. May also include port
-          ranges of the form
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
           <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
           if your kernel and iptables include port range support.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE PORT(S) (Optional) ‒
+        <term>SOURCE PORT(S) (sport) ‒
         <replaceable>service-name/port-number-list</replaceable></term>
 
         <listitem>
-          <para>A comma-separated list of port numbers and/or service names
-          from <filename>/etc/services</filename>. May also include port
-          ranges of the form
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
           <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
           if your kernel and iptables include port range support.</para>
         </listitem>
@@ -199,13 +201,17 @@
     <para><ulink
     url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-rules.xml

@@ -136,7 +136,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -859,7 +861,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PROTO</emphasis>- {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">tcp:syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
@@ -868,8 +870,8 @@
         role="bold">all}</emphasis></term>
 
         <listitem>
-          <para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
-          ipp2p match support in your kernel and iptables. <emphasis
+          <para>Optional Protocol - <emphasis role="bold">ipp2p</emphasis>*
+          requires ipp2p match support in your kernel and iptables. <emphasis
           role="bold">tcp:syn</emphasis> implies <emphasis
           role="bold">tcp</emphasis> plus the SYN flag must be set and the
           RST,ACK and FIN flags must be reset.</para>
@@ -881,18 +883,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
         {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
 
         <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), port numbers or port ranges; if the protocol is
-          <emphasis role="bold">icmp</emphasis>, this column is interpreted as
-          the destination icmp-type(s). ICMP types may be specified as a
-          numeric type, a numberic type and code separated by a slash (e.g.,
-          3/4), or a typename. See <ulink
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), port numbers or port ranges; if the
+          protocol is <emphasis role="bold">icmp</emphasis>, this column is
+          interpreted as the destination icmp-type(s). ICMP types may be
+          specified as a numeric type, a numberic type and code separated by a
+          slash (e.g., 3/4), or a typename. See <ulink
           url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
           Note that prior to Shorewall 4.4.19, only a single ICMP type may be
           listsed.</para>
@@ -924,15 +926,15 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
 
         <listitem>
-          <para>Port(s) used by the client. If omitted, any source port is
-          acceptable. Specified as a comma- separated list of port names, port
-          numbers or port ranges.</para>
+          <para>Optional port(s) used by the client. If omitted, any source
+          port is acceptable. Specified as a comma- separated list of port
+          names, port numbers or port ranges.</para>
 
           <warning>
             <para>Unless you really understand IP, you should leave this
@@ -959,19 +961,19 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
-          role="bold">-</emphasis>] or <emphasis
-          role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
-          then if this column is included and is different from the IP address
-          given in the <emphasis role="bold">DEST</emphasis> column, then
-          connections destined for that address will be forwarded to the IP
-          and port specified in the <emphasis role="bold">DEST</emphasis>
-          column.</para>
+          <para>Optional. If ACTION is <emphasis
+          role="bold">DNAT</emphasis>[<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">REDIRECT</emphasis>[<emphasis
+          role="bold">-</emphasis>] then if this column is included and is
+          different from the IP address given in the <emphasis
+          role="bold">DEST</emphasis> column, then connections destined for
+          that address will be forwarded to the IP and port specified in the
+          <emphasis role="bold">DEST</emphasis> column.</para>
 
           <para>A comma-separated list of addresses may also be used. This is
           most useful with the <emphasis role="bold">REDIRECT</emphasis>
@@ -1013,8 +1015,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
-        [<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
         role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
@@ -1023,8 +1025,8 @@
         role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
-          <para>You may rate-limit the rule by placing a value in this
-          column:</para>
+          <para>You may optionally rate-limit the rule by placing a value in
+          this column:</para>
 
           <para><emphasis>rate</emphasis> is the number of connections per
           interval (<emphasis role="bold">sec</emphasis> or <emphasis
@@ -1050,15 +1052,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
@@ -1267,6 +1268,54 @@
           </variablelist>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HEADERS</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
+          you with to supply a value for one of the later columns, enter '-'
+          in this column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.24 and allows enabling and disabling
+          the rule without requiring <command>shorewall
+          restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. <replaceable>switch-name</replaceable> must
+          begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -1457,6 +1506,19 @@
         SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 12:</term>
+
+        <listitem>
+          <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
+          is on.</para>
+
+          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -1472,6 +1534,9 @@
     <para><ulink
     url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-secmarks.xml

@@ -34,7 +34,9 @@
     <para>The secmarks file is used to associate an SELinux context with
     packets. It was added in Shorewall version 4.4.13.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -89,7 +91,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CHAIN:STATE -
+        <term><emphasis role="bold">CHAIN:STATE (chain) -
         {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
 
         <listitem>
@@ -216,14 +218,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
-          range</emphasis>s; if the protocol is <emphasis
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s). ICMP types may be specified as a numeric
           type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -243,26 +245,26 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Source port(s). If omitted, any source port is acceptable.
-          Specified as a comma-separated list of port names, port numbers or
-          port ranges.</para>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
@@ -387,6 +389,9 @@ RESTORE                               I:ER</programlisting>
     <para><ulink
     url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-tcclasses.xml

@@ -500,6 +500,9 @@
     <para><ulink
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-tcdevices.xml

@@ -91,7 +91,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -120,7 +122,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">IN-BANDWIDTH</emphasis> -
+        <term><emphasis role="bold">IN-BANDWIDTH (in_bandwidth)</emphasis> -
         <replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]</term>
 
         <listitem>
@@ -147,7 +149,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">OUT-BANDWIDTH</emphasis> -
+        <term><emphasis role="bold">OUT-BANDWIDTH</emphasis> (out_bandwidth) -
         <emphasis>bandwidth</emphasis></term>
 
         <listitem>
@@ -178,7 +180,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
+        <term><emphasis role="bold">REDIRECTED INTERFACES</emphasis>
+        (redirect)-
         [<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
 
         <listitem>
@@ -225,6 +228,9 @@
     <para><ulink
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages/shorewall-tcfilters.xml

@@ -57,7 +57,9 @@
       </varlistentry>
     </variablelist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -112,25 +114,24 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>Destination Ports. A Port name (from services(5)) or a
-          <emphasis>port number</emphasis>; if the protocol is <emphasis
+          <para>Optional destination Ports. A Port name (from services(5)) or
+          a <emphasis>port number</emphasis>; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>Source port.</para>
+          <para>Optional source port.</para>
         </listitem>
       </varlistentry>
 
@@ -179,12 +180,12 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LENGTH</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">LENGTH</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
 
         <listitem>
-          <para>Must be a power of 2 between 32 and 8192 inclusive. Packets
-          with a total length that is strictly less than the specified
+          <para>Optional - Must be a power of 2 between 32 and 8192 inclusive.
+          Packets with a total length that is strictly less than the specified
           <replaceable>number</replaceable> will match the rule.</para>
         </listitem>
       </varlistentry>
@@ -238,6 +239,9 @@
     <para><ulink
     url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),

manpages/shorewall-tcinterfaces.xml

@@ -104,7 +104,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -139,7 +141,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IN-BANDWIDTH -
+        <term>IN-BANDWIDTH (in_bandwidth) -
         [<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>
 
         <listitem>
@@ -169,7 +171,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>OUT-BANDWIDTH -
+        <term>OUT-BANDWIDTH (out_bandwidth) -
         [<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
 
         <listitem>
@@ -203,12 +205,13 @@
     url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tcpri.xml

@@ -147,13 +147,17 @@
   <refsect1>
     <title>See ALSO</title>
 
-    <para>PRIO(8), shorewall(8), shorewall-accounting(5),
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>prio(8), shorewall(8), shorewall-accounting(5),
     shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
     shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
     shorewall-zones(5)</para>
   </refsect1>

manpages/shorewall-tcrules.xml

@@ -38,11 +38,13 @@
       url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
     </important>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
+        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
         <replaceable>mark</replaceable></term>
 
         <listitem>
@@ -415,6 +417,25 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                 </listitem>
               </itemizedlist>
             </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">TTL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.4.24. May be option followed by
+              <emphasis role="bold">:F</emphasis> but the resulting rule is
+              always added to the FORWARD chain. If <emphasis
+              role="bold">+</emphasis> is included, packets matching the rule
+              will have their TTL incremented by
+              <replaceable>number</replaceable>. Similarly, if <emphasis
+              role="bold">-</emphasis> is included, matching packets have
+              their TTL decremented by <replaceable>number</replaceable>. If
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
+              role="bold">-</emphasis> is given, the TTL of matching packets
+              is set to <replaceable>number</replaceable>. The valid range of
+              values for <replaceable>number</replaceable> is 1-255.</para>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>
@@ -531,14 +552,14 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
-          range</emphasis>s; if the protocol is <emphasis
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s). ICMP types may be specified as a numeric
           type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -558,15 +579,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Source port(s). If omitted, any source port is acceptable.
-          Specified as a comma-separated list of port names, port numbers or
-          port ranges.</para>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
 
           <para>An entry in this field requires that the PROTO column specify
           tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
@@ -575,14 +596,14 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
@@ -635,13 +656,13 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TEST</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">TEST</emphasis> - [<emphasis
         role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
         role="bold">:C</emphasis>]</term>
 
         <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
+          <para>Optional - Defines a test on the existing packet or connection
+          mark. The rule will match only if the test returns true.</para>
 
           <para>If you don't want to define a test but need to specify
           anything in the following columns, place a "-" in this field.</para>
@@ -684,15 +705,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LENGTH</emphasis> (Optional) -
+        <term><emphasis role="bold">LENGTH</emphasis> -
         [<emphasis>length</emphasis>|[<emphasis>min</emphasis>]<emphasis
         role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
 
         <listitem>
-          <para>Packet Length. This field, if present allow you to match the
-          length of a packet against a specific value or range of values. You
-          must have iptables length support for this to work. A range is
-          specified in the form
+          <para>Optional - packet Length. This field, if present allow you to
+          match the length of a packet against a specific value or range of
+          values. You must have iptables length support for this to work. A
+          range is specified in the form
           <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
           <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
           may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
@@ -702,7 +723,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TOS</emphasis> (Optional) -
+        <term><emphasis role="bold">TOS</emphasis> -
         <emphasis>tos</emphasis></term>
 
         <listitem>
@@ -718,7 +739,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
+        <term><emphasis role="bold">CONNBYTES</emphasis> -
         [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
         role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
         role="bold">B</emphasis>}[:{<emphasis
@@ -726,8 +747,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
         role="bold">A</emphasis>}]]]</term>
 
         <listitem>
-          <para>Connection Bytes; defines a byte or packet range that the
-          connection must fall within in order for the rule to match.</para>
+          <para>Optional connection Bytes; defines a byte or packet range that
+          the connection must fall within in order for the rule to
+          match.</para>
 
           <para>A packet matches if the the packet/byte count is within the
           range defined by <emphasis>min</emphasis> and
@@ -765,7 +787,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HELPER (Optional) -
+        <term><emphasis role="bold">HELPER -
         </emphasis><emphasis>helper</emphasis></term>
 
         <listitem>
@@ -840,6 +862,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     <para><ulink
     url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
     shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),

manpages/shorewall-tos.xml

@@ -25,7 +25,9 @@
 
     <para>This file defines rules for setting Type Of Service (TOS)</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -59,7 +61,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> -
+        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) -
         <emphasis>proto-name-or-number</emphasis></term>
 
         <listitem>
@@ -68,7 +70,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         {-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
         role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
 
@@ -78,7 +80,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> -
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
         {-|<emphasis>port</emphasis>|<emphasis>lowport</emphasis><emphasis
         role="bold">:</emphasis><emphasis>highport</emphasis>}</term>
 
@@ -159,13 +161,17 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-tunnels.xml

@@ -144,16 +144,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (Optional) -
+        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
         [<emphasis>zone</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>
 
         <listitem>
-          <para>If the gateway system specified in the third column is a
-          standalone host then this column should contain a comma-separated
-          list of the names of the zones that the host might be in. This
-          column only applies to IPSEC tunnels where it enables ISAKMP traffic
-          to flow through the tunnel to the remote gateway.</para>
+          <para>Optional. If the gateway system specified in the third column
+          is a standalone host then this column should contain a
+          comma-separated list of the names of the zones that the host might
+          be in. This column only applies to IPSEC tunnels where it enables
+          ISAKMP traffic to flow through the tunnel to the remote
+          gateway.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -274,13 +275,17 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages/shorewall-zones.xml

@@ -28,7 +28,9 @@
     <filename>/etc/shorewall/interfaces</filename> or
     <filename>/etc/shorewall/hosts</filename>.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -191,7 +193,8 @@ c:a,b     ipv4</programlisting>
 
       <varlistentry>
         <term><emphasis role="bold">OPTIONS, IN OPTIONS and OUT
-        OPTIONS</emphasis> - [<emphasis>option</emphasis>[<emphasis
+        OPTIONS</emphasis> (options, in_options, out_options) -
+        [<emphasis>option</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
 
         <listitem>
@@ -337,6 +340,9 @@ c:a,b     ipv4</programlisting>
     <para><ulink
     url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
     shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),

manpages6/shorewall6-accounting.xml

@@ -165,7 +165,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -285,7 +287,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
+        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><option>:[</option><emphasis>address</emphasis><option>]</option>|<emphasis>address</emphasis>}</term>
@@ -299,7 +301,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> - {<emphasis
+        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -318,8 +320,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -342,8 +344,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
         role="bold">any</emphasis>|<emphasis
         role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
@@ -359,7 +361,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
         role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
@@ -728,12 +730,16 @@
     <para><ulink
     url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-actions.xml

@@ -49,7 +49,7 @@
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
     shorewall6-route_rules(5), shorewall6-routestopped(5),
     shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
     shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

manpages6/shorewall6-blacklist.xml

@@ -26,7 +26,9 @@
     <para>The blacklist file is used to perform static blacklisting. You can
     blacklist by source address (IP or MAC), or by application.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -55,18 +57,17 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
-        {<emphasis
+        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
         role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
 
         <listitem>
-          <para>If specified, must be a protocol number or a protocol name
-          from protocols(5).</para>
+          <para>Optional - if specified, must be a protocol number or a
+          protocol name from protocols(5).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PORTS</emphasis> (port) - {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
         <listitem>
@@ -77,12 +78,11 @@
       </varlistentry>
 
       <varlistentry>
-        <term>OPTIONS (Optional - Added in 4.4.12) -
-        {-|{dst|src|whitelist|audit}[,...]}</term>
+        <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>
 
         <listitem>
-          <para>If specified, indicates whether traffic
-          <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
+          <para>Optional - added in 4.4.12. If specified, indicates whether
+          traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
           role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
           ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
           blacklisted. The default is <emphasis role="bold">src</emphasis>. If
@@ -194,12 +194,16 @@
     <para><ulink
     url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-exclusion.xml

@@ -103,7 +103,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
     shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
     shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

manpages6/shorewall6-hosts.xml

@@ -44,7 +44,9 @@
       pair.</para>
     </warning>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -59,7 +61,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HOST(S)</emphasis> -
+        <term><emphasis role="bold">HOST(S)</emphasis> (hosts)-
         <emphasis>interface</emphasis>:<option>[</option>{[{<emphasis>address-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
         role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]<option>]</option></term>
@@ -109,13 +111,13 @@
       </varlistentry>
 
       <varlistentry>
-        <term>OPTIONS (Optional) - [<emphasis>option</emphasis>[<emphasis
+        <term>OPTIONS - [<emphasis>option</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
 
         <listitem>
-          <para>A comma-separated list of options from the following list. The
-          order in which you list the options is not significant but the list
-          must have no embedded white space.</para>
+          <para>An optional comma-separated list of options from the following
+          list. The order in which you list the options is not significant but
+          the list must have no embedded white space.</para>
 
           <variablelist>
             <varlistentry>
@@ -190,12 +192,16 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-interfaces.xml

@@ -457,12 +457,16 @@ dmz     eth2      -</programlisting>
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-ipsets.xml

@@ -116,7 +116,7 @@
 
     <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
     shorewall6-route_rules(5), shorewall6-routestopped(5),
     shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
     shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

manpages6/shorewall6-maclist.xml

@@ -101,12 +101,16 @@
     <para><ulink
     url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-modules.xml

@@ -86,7 +86,7 @@
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
     shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
     shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),

manpages6/shorewall6-nesting.xml

@@ -109,7 +109,7 @@
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
     shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
     shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),

manpages6/shorewall6-netmap.xml

@@ -0,0 +1,196 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall6-netmap</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>netmap</refname>
+
+    <refpurpose>Shorewall6 NETMAP definition file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/netmap</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to map addresses in one network to corresponding
+    addresses in a second network. It was added in Shorewall6 iin
+    4.4.23.3.</para>
+
+    <warning>
+      <para>To use this file, your kernel and ip6tables must have RAWPOST
+      table support included.</para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">TYPE</emphasis> - <emphasis
+        role="bold">{DNAT</emphasis>|<emphasis
+        role="bold">SNAT}:{P|O|T}</emphasis></term>
+
+        <listitem>
+          <para>Must be DNAT or SNAT followed by :P, :O or :T to perform
+          <firstterm>stateless NAT</firstterm>. Stateless NAT requires
+          <firstterm>Rawpost Table support</firstterm> in your kernel and
+          iptables (see the output of <command>shorewall6 show
+          capabilities</command>).</para>
+
+          <para>If DNAT:P, traffic entering INTERFACE and addressed to NET1
+          has its destination address rewritten to the corresponding address
+          in NET2.</para>
+
+          <para>If SNAT:T, traffic leaving INTERFACE with a source address in
+          NET1 has it's source address rewritten to the corresponding address
+          in NET2.</para>
+
+          <para>If DNAT:O, traffic originating on the firewall and leaving via
+          INTERFACE and addressed to NET1 has its destination address
+          rewritten to the corresponding address in NET2.</para>
+
+          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
+          NET1 has its destination address rewritten to the corresponding
+          address in NET2.</para>
+
+          <para>If SNAT:P, traffic entering via INTERFACE with a destination
+          address in NET1 has it's source address rewritten to the
+          corresponding address in NET2.</para>
+
+          <para>If SNAT:O, traffic originating on the firewall and leaving via
+          INTERFACE with a source address in NET1 has it's source address
+          rewritten to the corresponding address in NET2.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET1</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Network in CIDR format (e.g., 2001:470:b:227/64). Beginning in
+          Shorewall6 4.4.24, <ulink
+          url="shorewall6-exclusion.html">exclusion</ulink> is
+          supported.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INTERFACE</emphasis> -
+        <emphasis>interface</emphasis></term>
+
+        <listitem>
+          <para>The name of a network interface. The interface must be defined
+          in <ulink
+          url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          Shorewall allows loose matches to wildcard entries in <ulink
+          url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5).
+          For example, <filename class="devicefile">ppp0</filename> in this
+          file will match a <ulink
+          url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8)
+          entry that defines <filename
+          class="devicefile">ppp+</filename>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET2</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Network in CIDR format</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET3</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Optional - added in Shorewall 4.4.11. If specified, qualifies
+          INTERFACE. It specifies a SOURCE network for DNAT rules and a
+          DESTINATON network for SNAT rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO (Optional</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Only packets specifying this protocol will have their IP
+          header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Destination Ports. An optional comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/netmap</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>
+
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+  </refsect1>
+</refentry>

manpages6/shorewall6-notrack.xml

@@ -27,7 +27,9 @@
     connection tracking. Traffic matching entries in this file will not be
     tracked.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -84,7 +86,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>DEST PORT(S) - port-number/service-name-list</term>
+        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>
 
         <listitem>
           <para>A comma-separated list of port numbers and/or service names
@@ -96,7 +98,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>SOURCE PORT(S) - port-number/service-name-list</term>
+        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>
 
         <listitem>
           <para>A comma-separated list of port numbers and/or service names
@@ -108,7 +110,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>USER/GROUP ‒
+        <term>USER/GROUP (user) ‒
         [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>
 
         <listitem>
@@ -129,13 +131,16 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
+    shorewall6-ipsec(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
     shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-params.xml

@@ -3,7 +3,7 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
   <refmeta>
-    <refentrytitle>shorewall6-params</refentrytitle>
+    <refentrytitle>shoewall6-netmap(5),shorewall6-params</refentrytitle>
 
     <manvolnum>5</manvolnum>
   </refmeta>

manpages6/shorewall6-policy.xml

@@ -51,7 +51,9 @@
       in this file.</para>
     </important>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -204,14 +206,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LOG LEVEL</emphasis> (Optional) -
+        <term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
         [<emphasis>log-level</emphasis>|<emphasis
         role="bold">NFLOG</emphasis>]</term>
 
         <listitem>
-          <para>If supplied, each connection handled under the default POLICY
-          is logged at that level. If not supplied, no log message is
-          generated. See syslog.conf(5) for a description of log
+          <para>Optional - if supplied, each connection handled under the
+          default POLICY is logged at that level. If not supplied, no log
+          message is generated. See syslog.conf(5) for a description of log
           levels.</para>
 
           <para>You may also specify NFLOG (must be in upper case). This will
@@ -225,7 +227,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> -
+        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
         [{<emphasis>s</emphasis>|<emphasis
         role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
@@ -312,14 +314,18 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
     shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
-    shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
-    shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
+    shorewall6-nat(5), shorewall6-netmap(5),
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-proxyarp(5),
     shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-providers.xml

@@ -288,12 +288,16 @@
     <para><ulink
     url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-proxyndp.xml

@@ -47,7 +47,7 @@
           <para>Local interface where system with the ip address in ADDRESS is
           connected. Only required when the HAVEROUTE column is left empty or
           is set to <emphasis role="bold">no</emphasis> or <emphasis
-          role="bold">No</emphasis>. </para>
+          role="bold">No</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -132,13 +132,17 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
     shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-route_rules.xml

@@ -149,7 +149,7 @@
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
     shorewall6-providers(5), shorewall6-routestopped(5), shorewall6-rules(5),
     shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
     shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),

manpages6/shorewall6-routes.xml

@@ -78,12 +78,16 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-routestopped.xml

@@ -29,7 +29,9 @@
     used, the file also determines those hosts that are accessible when the
     firewall is in the process of being [re]started.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -43,27 +45,27 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HOST(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">HOST(S)</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
 
         <listitem>
-          <para>Comma-separated list of IP/subnet addresses. If your kernel
-          and ip6tables include iprange match support, IP address ranges are
-          also allowed.</para>
+          <para>Optional comma-separated list of IP/subnet addresses. If your
+          kernel and ip6tables include iprange match support, IP address
+          ranges are also allowed.</para>
 
           <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
 
         <listitem>
-          <para>A comma-separated list of options. The order of the options is
-          not important but the list can contain no embedded whitespace. The
-          currently-supported options are:</para>
+          <para>An optional comma-separated list of options. The order of the
+          options is not important but the list can contain no embedded
+          whitespace. The currently-supported options are:</para>
 
           <variablelist>
             <varlistentry>
@@ -177,12 +179,15 @@
     <para><ulink
     url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-rules(5),
-    shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-rules.xml

@@ -109,7 +109,9 @@
     appear in the file then all rules are assumed to be in the NEW
     section.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -661,7 +663,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
         role="bold">-</emphasis>|<emphasis
         role="bold">tcp:syn</emphasis>|<emphasis
         role="bold">ipp2p</emphasis>|<emphasis
@@ -670,8 +672,8 @@
         role="bold">all}</emphasis></term>
 
         <listitem>
-          <para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
-          ipp2p match support in your kernel and ip6tables. <emphasis
+          <para>Optional protocol - <emphasis role="bold">ipp2p</emphasis>*
+          requires ipp2p match support in your kernel and ip6tables. <emphasis
           role="bold">tcp:syn</emphasis> implies <emphasis
           role="bold">tcp</emphasis> plus the SYN flag must be set and the
           RST,ACK and FIN flags must be reset.</para>
@@ -683,18 +685,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
+        <term><emphasis role="bold">DEST PORT(S) </emphasis>(dport) -
         {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
 
         <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), port numbers or port ranges; if the protocol is
-          <emphasis role="bold">icmp</emphasis>, this column is interpreted as
-          the destination icmp-type(s). ICMP types may be specified as a
-          numeric type, a numberic type and code separated by a slash (e.g.,
-          3/4), or a typename. See <ulink
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), port numbers or port ranges; if the
+          protocol is <emphasis role="bold">icmp</emphasis>, this column is
+          interpreted as the destination icmp-type(s). ICMP types may be
+          specified as a numeric type, a numberic type and code separated by a
+          slash (e.g., 3/4), or a typename. See <ulink
           url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
           Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
           listsed.</para>
@@ -726,13 +728,13 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         {<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>
 
         <listitem>
-          <para>Port(s) used by the client. If omitted, any source port is
+          <para>Optional source port(s). If omitted, any source port is
           acceptable. Specified as a comma- separated list of port names, port
           numbers or port ranges.</para>
 
@@ -760,7 +762,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
         [<emphasis role="bold">-</emphasis>]</term>
 
         <listitem>
@@ -770,8 +772,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
-        [<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
         role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
         role="bold">/</emphasis>{<emphasis
         role="bold">sec</emphasis>|<emphasis
@@ -780,8 +782,8 @@
         role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>
 
         <listitem>
-          <para>You may rate-limit the rule by placing a value in this
-          column:</para>
+          <para>You may optionally rate-limit the rule by placing a value in
+          this column:</para>
 
           <para><emphasis>rate</emphasis> is the number of connections per
           interval (<emphasis role="bold">sec</emphasis> or <emphasis
@@ -805,14 +807,13 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
@@ -1102,6 +1103,44 @@
           role="bold">!</emphasis> is omitted.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall6 4.4.24 and allows enabling and disabling
+          the rule without requiring <command>shorewall6
+          restart</command>.</para>
+
+          <para>Enables the rule if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. Disables the rule if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. The <replaceable>switch-name</replaceable>
+          must begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall6
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -1148,6 +1187,19 @@
         SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
+          is set.</para>
+
+          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -1160,10 +1212,13 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-secmarks(5),
     shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
     shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>

manpages6/shorewall6-secmarks.xml

@@ -34,7 +34,9 @@
     <para>The secmarks file is used to associate an SELinux context with
     packets. It was added in Shorewall6 version 4.4.13.</para>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -207,14 +209,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
-          range</emphasis>s; if the protocol is <emphasis
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s). ICMP types may be specified as a numeric
           type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -234,26 +236,26 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Source port(s). If omitted, any source port is acceptable.
-          Specified as a comma-separated list of port names, port numbers or
-          port ranges.</para>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
@@ -378,12 +380,15 @@ RESTORE                               I:ER</programlisting>
     <para><ulink
     url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-tcclasses.xml

@@ -451,10 +451,13 @@
     <para><ulink
     url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
     shorewall6-secmarks(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
     shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>

manpages6/shorewall6-tcdevices.xml

@@ -91,7 +91,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -121,7 +123,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">IN-BANDWIDTH</emphasis> - <emphasis
+        <term><emphasis role="bold">IN-BANDWIDTH</emphasis> (in_bandwidth) -
+        <emphasis
         role="bold"><replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]</emphasis></term>
 
         <listitem>
@@ -148,7 +151,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">OUT-BANDWIDTH</emphasis> -
+        <term><emphasis role="bold">OUT-BANDWIDTH</emphasis> (out_bandwidth) -
         <emphasis>bandwidth</emphasis></term>
 
         <listitem>
@@ -179,7 +182,8 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
+        <term><emphasis role="bold">REDIRECTED INTERFACES</emphasis>
+        (redirect) -
         [<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
 
         <listitem>
@@ -229,8 +233,8 @@
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
     shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5),
     shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>

manpages6/shorewall6-tcfilters.xml

@@ -57,7 +57,9 @@
       </varlistentry>
     </variablelist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -108,34 +110,33 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>Destination Ports. A Port name (from services(5)) or a
-          <emphasis>port number</emphasis>; if the protocol is <emphasis
+          <para>Optional destination Ports. A Port name (from services(5)) or
+          a <emphasis>port number</emphasis>; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s).</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>Source port.</para>
+          <para>Optional source port.</para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TOS</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">TOS</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>tos</emphasis>]</term>
 
         <listitem>
-          <para>Specifies the value of the TOS field. The
+          <para>Optional - specifies the value of the TOS field. The
           <replaceable>tos</replaceable> value can be any of the
           following:</para>
 
@@ -175,12 +176,12 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LENGTH</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">LENGTH</emphasis> - [<emphasis
         role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>
 
         <listitem>
-          <para>Must be a power of 2 between 32 and 8192 inclusive. Packets
-          with a total length that is strictly less than the specified
+          <para>Optional. Must be a power of 2 between 32 and 8192 inclusive.
+          Packets with a total length that is strictly less than the specified
           <replaceable>number</replaceable> will match the rule.</para>
         </listitem>
       </varlistentry>

manpages6/shorewall6-tcinterfaces.xml

@@ -104,7 +104,9 @@
       </listitem>
     </itemizedlist>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -139,7 +141,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>IN-BANDWIDTH -
+        <term>IN-BANDWIDTH (in_bandwidth) -
         [<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>
 
         <listitem>
@@ -169,7 +171,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term>OUT-BANDWIDTH -
+        <term>OUT-BANDWIDTH (out_bandwidth) -
         [<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
 
         <listitem>
@@ -204,10 +206,10 @@
 
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcpri, shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-tcpri.xml

@@ -149,7 +149,7 @@
 
     <para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
     shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
     shorewall6-providers(5), shorewall6-route_rules(5),
     shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
     shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),

manpages6/shorewall6-tcrules.xml

@@ -38,7 +38,9 @@
       url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
     </important>
 
-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
 
     <variablelist>
       <varlistentry>
@@ -312,6 +314,25 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                 </listitem>
               </itemizedlist>
             </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">HL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.4.24. May be option followed by
+              <emphasis role="bold">:F</emphasis> but the resulting rule is
+              always added to the FORWARD chain. If <emphasis
+              role="bold">+</emphasis> is included, packets matching the rule
+              will have their HL (hop limit) incremented by
+              <replaceable>number</replaceable>. Similarly, if <emphasis
+              role="bold">-</emphasis> is included, matching packets have
+              their HL decremented by <replaceable>number</replaceable>. If
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
+              role="bold">-</emphasis> is given, the HL of matching packets is
+              set to <replaceable>number</replaceable>. The valid range of
+              values for <replaceable>number</replaceable> is 1-255.</para>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>
@@ -402,14 +423,14 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
-          range</emphasis>s; if the protocol is <emphasis
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
           role="bold">ipv6-icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s). ICMP types may be specified as a numeric
           type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -429,15 +450,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
         [<emphasis
         role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
 
         <listitem>
-          <para>Source port(s). If omitted, any source port is acceptable.
-          Specified as a comma-separated list of port names, port numbers or
-          port ranges.</para>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
 
           <para>An entry in this field requires that the PROTO column specify
           tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
@@ -446,13 +467,13 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
         role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
         role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
 
         <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>
 
           <para>When this column is non-empty, the rule applies only if the
           program generating the output is running under the effective
@@ -492,13 +513,13 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">TEST</emphasis>(Optional) - [<emphasis
+        <term><emphasis role="bold">TEST</emphasis> - [<emphasis
         role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
         role="bold">:C</emphasis>]</term>
 
         <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
+          <para>Optional. Defines a test on the existing packet or connection
+          mark. The rule will match only if the test returns true.</para>
 
           <para>If you don't want to define a test but need to specify
           anything in the following columns, place a "-" in this field.</para>
@@ -541,15 +562,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">LENGTH</emphasis> (Optional) -
+        <term><emphasis role="bold">LENGTH</emphasis> -
         [<emphasis>length</emphasis>|[<emphasis>min</emphasis>]<emphasis
         role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>
 
         <listitem>
-          <para>Packet Length. This field, if present allow you to match the
-          length of a packet against a specific value or range of values. You
-          must have ip6tables length support for this to work. A range is
-          specified in the form
+          <para>Optional packet Length. This field, if present allow you to
+          match the length of a packet against a specific value or range of
+          values. You must have ip6tables length support for this to work. A
+          range is specified in the form
           <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
           <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
           may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
@@ -575,7 +596,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
+        <term><emphasis role="bold">CONNBYTES</emphasis> -
         [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
         role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
         role="bold">B</emphasis>}[:{<emphasis
@@ -583,8 +604,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
         role="bold">A</emphasis>}]]]</term>
 
         <listitem>
-          <para>Connection Bytes; defines a byte or packet range that the
-          connection must fall within in order for the rule to match.</para>
+          <para>Optional connection Bytes; defines a byte or packet range that
+          the connection must fall within in order for the rule to
+          match.</para>
 
           <para>A packet matches if the the packet/byte count is within the
           range defined by <emphasis>min</emphasis> and
@@ -622,17 +644,17 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">HELPER (Optional) -
+        <term><emphasis role="bold">HELPER -
         </emphasis><emphasis>helper</emphasis></term>
 
         <listitem>
-          <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
-          such as <option>ftp</option>, <option>sip</option>,
-          <option>amanda</option>, etc. A packet will match if it was accepted
-          by the named helper module. You can also append "-" and a port
-          number to the helper module name (e.g., <emphasis
-          role="bold">ftp-21</emphasis>) to specify the port number that the
-          original connection was made on.</para>
+          <para>Optional. Names a Netfiler protocol
+          <firstterm>helper</firstterm> module such as <option>ftp</option>,
+          <option>sip</option>, <option>amanda</option>, etc. A packet will
+          match if it was accepted by the named helper module. You can also
+          append "-" and a port number to the helper module name (e.g.,
+          <emphasis role="bold">ftp-21</emphasis>) to specify the port number
+          that the original connection was made on.</para>
 
           <para>Example: Mark all FTP data connections with mark
           4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
@@ -791,13 +813,16 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     <para><ulink
     url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-template.xml

@@ -54,7 +54,7 @@
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
     shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
-    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
     shorewall6-route_rules(5), shorewall6-routestopped(5),
     shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
     shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),

manpages6/shorewall6-tos.xml

@@ -159,12 +159,15 @@
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
     <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
     shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>